sec-chick Blog

Cybersecurity blog

[Honeypot quick analysis] Quick honeypot analysis (days 384-396: 9/19-20)

This is a quick analysis of the honeypot data.

 

◾️Honeytrap
* Port 80 is excluded.
<Detections by country and total detections>

(chart image not reproduced: detections by source country and total detection count)

<Detections by port>

| Port  | Service        | Count |
|-------|----------------|-------|
| 1433  | ms-sql-s       | 21371 |
| 445   | smb            | 9209  |
| 22    | ssh            | 4027  |
| 23    | telnet         | 3225  |
| 3307  | opsession-prxy | 3135  |
| 3306  | mysql          | 3057  |
| 10022 | -              | 1053  |
| 3389  | rdp            | 861   |
| 5900  | vnc            | 398   |
| 2323  | telnet         | 278   |
<Malware downloads>
Fields as logged: malware_url, VT_link, HTTP status code, hash (SHA-1), total engines, positives, VT malware names. Entries with status "Unknown" only have a VirusTotal URL report; no file was retrieved, so there is no hash or detection ratio for them. A 0/55 result at analysis time is not evidence that a dropper script is benign; shell scripts such as pm.sh are routinely undetected when first seen.

hxxp://pm[.]cpuminerpool[.]com/pm[.]sh
  VT: https://www.virustotal.com/file/81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274/analysis/1568621852/
  status 200, SHA-1 cd3af8bc58dc26936a02e1598992dffe586b3475, 0/55 positives

hxxp://188[.]241[.]73[.]110
  VT: https://www.virustotal.com/file/d01984d5f581bbb2100fe65e5c677563a9150fe22edbdf875601d86c63862f3d/analysis/1568618881/
  status 200, SHA-1 042f495f7f6adefc7b376f9d00f9e64f04cadcee, 0/50 positives

hxxp://45[.]35[.]0[.]213
  VT: https://www.virustotal.com/url/0119b2efd7e5884ac109008e28c4f318eafd571930f56a7fb8281f7c942c2a05/analysis/1568727354/
  status Unknown

hxxp://174[.]128[.]226[.]101/mips
  VT: https://www.virustotal.com/file/c51c776b3aff1533eaf680473d5292cee0fc6d7a8c2821971fc56a781ead56e6/analysis/1568738331/
  status 200, SHA-1 81542728b7d0ed176f7e9e965880c661ebe72bb0, 26/57 positives
  Detections: MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Sophos:Linux/Tsunami-A, Ikarus:Trojan.Linux.Gafgyt, Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, AhnLab-V3:Linux/Tsunami.Gen3, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, MAX:malware (ai score=94), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen

hxxp://31[.]13[.]195[.]49/x
  VT: https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/
  status Unknown

hxxp://192[.]192[.]78[.]216:9090/gH/S0[.]php
  VT: https://www.virustotal.com/url/07466b58d709592dfc1e445fb22646e3c2eeca25231b24f810178f073a550057/analysis/1534499163/
  status Unknown

hxxp://142[.]11[.]199[.]235/mips
  VT: https://www.virustotal.com/file/af18cd19287cdf764418b4212cbcd64e5bba8e8632a3990026f6f5c0b54f3fce/analysis/1567916002/
  status 200, SHA-1 8bc0fcd0b5f456938cf6db535316146359ea02a8, 19/56 positives
  Detections: ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Backdoor.Linux.MIRAI.SMMR1, Avast:ELF:Hajime-R [Trj], ClamAV:Unix.Trojan.Gafgyt-6748839-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.ad, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), DrWeb:Linux.Mirai.1443, TrendMicro:Backdoor.Linux.MIRAI.SMMR1, McAfee-GW-Edition:Linux/Mirai-FDXO!249E607F736C, Sophos:Mal/Generic-S, Fortinet:ELF/Mirai.AE!tr, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.ad, Avast-Mobile:ELF:Mirai-UM [Trj], AhnLab-V3:Linux/Exploit.Gen2, McAfee:Linux/Mirai-FDXO!249E607F736C, Tencent:Backdoor.Linux.Mirai.wao, GData:Linux.Trojan.Mirai.E, AVG:ELF:Hajime-R [Trj]

hxxp://185[.]35[.]138[.]156/c
  VT: https://www.virustotal.com/url/43c2691ddea4cc59176e8bdadf79c46967439412806c4ba3bb143188ba3bd47e/analysis/1568565075/
  status Unknown

hxxp://192[.]227[.]176[.]14/switchware[.]mips
  VT: https://www.virustotal.com/url/896860379164d73565c89e61492e6838c5407880e5f3c3e54642b5ae35596c1f/analysis/1569039476/
  status Unknown

hxxp://switchnets[.]net/unstable
  VT: https://www.virustotal.com/url/aacd30e68a31b91742fbe5a9078ae0823f13255018ab65efe39a0e4a6c48f89b/analysis/1568526555/
  status Unknown

hxxp://31[.]13[.]195[.]109/jaws[.]sh
  VT: https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/
  status 404 (payload no longer hosted at fetch time)

◾️WoWHoneypot
<Detections by country and total detections>

(chart image not reproduced: detections by source country and total detection count)

Detections increased, but the increase comes from a brute-force attack targeting WordPress.
The detected payload is shown below; when the login succeeds, the client is redirected to the WordPress admin page.
Payload (the target host is redacted as target-url)
POST //wp-login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP+Cookie+check

log=admin&pwd=blah&wp-submit=Log In&redirect_to=hxxp://target-url//wp-admin/&testcookie=1

The cookie value "WP Cookie check" and the hidden field testcookie=1 are what wp-login.php sets and expects when the login form is served; the client here supplies both directly in the POST, the pattern of a scripted login tool rather than a browser.

The source IPs were 184[.]168[.]200[.]238 and 46[.]252[.]205[.]154.
 
<Target list>

| Target                 | Count |
|------------------------|-------|
| WordPress              | 1565  |
| - (unclassified)       | 119   |
| FreePBX                | 16    |
| MySQL                  | 3     |
| ThinkPHP               | 3     |
| phpMyAdmin             | 3     |
| SSL certificate        | 2     |
| Unauthorized Relay     | 2     |
| xml sitemap            | 2     |
| D-Link DIR-850L        | 1     |
| Netgear DGN1000 router | 1     |
| Tomcat                 | 1     |
| Yealink                | 1     |
| git                    | 1     |

<Malware downloads>
None

 
 
<Detected paths>

| Path (wow_path_research)          | Target                 | CVE           | Reference | Count |
|-----------------------------------|------------------------|---------------|-----------|-------|
| //wp-login.php                    | WordPress              | -             | -         | 719   |
| /blog//wp-login.php               | WordPress              | -             | -         | 264   |
| /wordpress//wp-login.php          | WordPress              | -             | -         | 264   |
| /wp//wp-login.php                 | WordPress              | -             | -         | 264   |
| /                                 | -                      | -             | -         | 91    |
| /blog/                            | -                      | -             | -         | 20    |
| /wordpress/                       | WordPress              | -             | -         | 20    |
| /wp/                              | WordPress              | -             | -         | 20    |
| /admin/assets/js/views/login.js   | FreePBX                | -             | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 16 |
| //xmlrpc.php                      | WordPress              | -             | -         | 14    |
| /TP/public/index.php              | ThinkPHP               | -             | -         | 3     |
| /favicon.ico                      | -                      | -             | -         | 3     |
| /.well-known/security.txt         | SSL certificate        | -             | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 2 |
| /phpmyadmin/index.php             | phpMyAdmin             | -             | -         | 2     |
| /robots.txt                       | -                      | -             | -         | 2     |
| /sitemap.xml                      | xml sitemap            | -             | -         | 2     |
| www.baidu.com:443                 | Unauthorized Relay     | -             | -         | 2     |
| /.git/config                      | git                    | -             | -         | 1     |
| /HNAP1/                           | D-Link DIR-850L        | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /aastra.cfg                       | Yealink                | -             | https://wiki.ipitomy.com/wiki/Yealink | 1 |
| /cm/                              | -                      | -             | -         | 1     |
| /index.php                        | -                      | -             | -         | 1     |
| /manager/html                     | Tomcat                 | -             | -         | 1     |
| /mysql/admin/index.php            | phpMyAdmin             | -             | -         | 1     |
| /mysql/dbadmin/index.php          | MySQL                  | -             | -         | 1     |
| /mysql/mysqlmanager/index.php     | MySQL                  | -             | -         | 1     |
| /mysql/sqlmanager/index.php       | MySQL                  | -             | -         | 1     |
| /phpMyAdmin/index.php             |                        |               |           | 1     |
| /phpMyadmin/index.php             |                        |               |           | 1     |
| /setup.cgi                        | Netgear DGN1000 router | -             | -         | 1     |
| /status                           | -                      | -             | -         | 1     |

The www.baidu.com:443 entries are requests whose request-target is a bare host:port rather than a path, i.e. a probe for an open relay/proxy, which is what "Unauthorized Relay" denotes. The four wp-login.php paths differ only in prefix and doubled slashes; together they account for the full WordPress count in the target list (719 + 3 x 264 + 2 x 20 + 14 = 1565).
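The two WoWHoneypot observations above, the wp-login.php brute-force payload and the path list with its target column, can be turned into a small detector. The following is an added example written for this page; it is not code from the sec-chick post or from WoWHoneypot. The path-to-target rule table is the editor's approximation of the post's target column, the request records are constructed to mimic the post's payload (plain http:// in place of the post's defanged hxxp://, honeypot.example as a hypothetical host), and the source IPs are RFC 5737 documentation addresses rather than the post's reported sources.

```python
"""Classify honeypot request paths and flag WordPress login brute force.
Added example, not code from the sec-chick post or WoWHoneypot; the rule
table, sample records, hosts and IPs below are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Path -> target rules (editor's approximation of the post's target column).
PATH_RULES = [
    (re.compile(r"^(/[^/]+)?/wp-login\.php$"), "WordPress"),
    (re.compile(r"^(/[^/]+)?/xmlrpc\.php$"), "WordPress"),
    (re.compile(r"^/(blog|wordpress|wp)/$"), "WordPress"),
    (re.compile(r"^/phpmyadmin/index\.php$", re.IGNORECASE), "phpMyAdmin"),
    (re.compile(r"^/mysql/admin/index\.php$"), "phpMyAdmin"),
    (re.compile(r"^/mysql/[^/]+/index\.php$"), "MySQL"),
    (re.compile(r"^/TP/public/index\.php$"), "ThinkPHP"),
    (re.compile(r"^/HNAP1/$"), "D-Link DIR-850L"),
    (re.compile(r"^/setup\.cgi$"), "Netgear DGN1000 router"),
    (re.compile(r"^/\.git/config$"), "git"),
]
WP_LOGIN = PATH_RULES[0][0]


def normalize_path(path):
    """Drop the query string and collapse doubled slashes, so //wp-login.php,
    /blog//wp-login.php and /wp//wp-login.php all reduce to one-slash forms."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0])


def classify_path(path):
    """Map a raw request-target to a target label, '-' when nothing matches.
    A bare host:port request-target (CONNECT-style) is an open-relay probe."""
    if not path.startswith("/"):
        return "Unauthorized Relay" if re.fullmatch(r"[\w.-]+:\d+", path) else "-"
    norm = normalize_path(path)
    for rule, label in PATH_RULES:
        if rule.search(norm):
            return label
    return "-"


def wp_login_attempt(rec):
    """Return (username, redirect host) for a wp-login.php POST, else None."""
    if rec["method"] != "POST" or not WP_LOGIN.search(normalize_path(rec["path"])):
        return None
    form = parse_qs(rec.get("body", ""))
    user = form.get("log", [""])[0]
    redirect = form.get("redirect_to", [""])[0]
    return user, (urlsplit(redirect).hostname or "")


def analyze(records, threshold=3):
    """Count targets and flag sources brute-forcing WordPress logins.
    A source is flagged when it POSTs to wp-login.php at least `threshold`
    times, or when it POSTs the form without ever fetching it: the test
    cookie is set when the form is served, so no prior GET means a script."""
    targets = Counter(classify_path(r["path"]) for r in records)
    posts, fetched_form = defaultdict(list), set()
    for r in records:
        path = normalize_path(r["path"])
        if r["method"] == "GET" and WP_LOGIN.search(path):
            fetched_form.add(r["src"])
        attempt = wp_login_attempt(r)
        if attempt:
            posts[r["src"]].append((path, attempt[0]))
    flagged = {}
    for src, tries in posts.items():
        no_prior_get = src not in fetched_form
        if len(tries) >= threshold or no_prior_get:
            flagged[src] = {
                "attempts": len(tries),
                "paths": sorted({p for p, _ in tries}),
                "users": sorted({u for _, u in tries}),
                "no_prior_get": no_prior_get,
            }
    return targets, flagged


# Constructed sample modelled on the post's payload (http:// instead of the
# post's hxxp://; honeypot.example and the 198.51.100/203.0.113 IPs are fake).
BODY = ("log=admin&pwd=blah&wp-submit=Log In"
        "&redirect_to=http://honeypot.example//wp-admin/&testcookie=1")
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "//wp-login.php", "body": BODY},
    {"src": "198.51.100.7", "method": "POST", "path": "/blog//wp-login.php", "body": BODY},
    {"src": "198.51.100.7", "method": "POST", "path": "/wp//wp-login.php", "body": BODY},
    {"src": "198.51.100.7", "method": "POST", "path": "//xmlrpc.php", "body": ""},
    {"src": "203.0.113.5", "method": "GET", "path": "/wp-login.php", "body": ""},
    {"src": "203.0.113.5", "method": "POST", "path": "/wp-login.php", "body": BODY},
    {"src": "203.0.113.9", "method": "GET", "path": "/HNAP1/", "body": ""},
    {"src": "203.0.113.9", "method": "GET", "path": "/phpMyadmin/index.php", "body": ""},
    {"src": "203.0.113.9", "method": "CONNECT", "path": "www.baidu.com:443", "body": ""},
    {"src": "203.0.113.9", "method": "GET", "path": "/favicon.ico", "body": ""},
]

if __name__ == "__main__":
    counts, hits = analyze(SAMPLE)
    print(counts.most_common())
    print(hits)
```

Run against the sample, the target counter reproduces the shape of the post's target list (WordPress dominating, one relay probe, one router probe, one unclassified favicon fetch), and only 198.51.100.7 is flagged: three login POSTs spread over three path prefixes, a single username, and no preceding GET of the form. The source that fetched the form and then submitted it once is left alone, which is the distinction a honeypot analyst wants when separating brute-force tooling from a one-off login.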

That concludes this report.