[Honeypot Quick Analysis] Honeypot quick analysis (days 384-396: 9/19-20)
This is a quick analysis of the honeypot data.
◾️Honeytrap
※Port 80 is excluded.
<Detections by country and detection counts>
<Detections by port>
| Port | Service | Count |
|---|---|---|
| 1433 | ms-sql-s | 21371 |
| 445 | smb | 9209 |
| 22 | ssh | 4027 |
| 23 | telnet | 3225 |
| 3307 | opsession-prxy | 3135 |
| 3306 | mysql | 3057 |
| 10022 | - | 1053 |
| 3389 | rdp | 861 |
| 5900 | vnc | 398 |
| 2323 | telnet | 278 |
<Malware downloads>
| malware_url | VT_link | status code | hash (SHA-1) | total | positives | Vt_malware |
|---|---|---|---|---|---|---|
| hxxp://pm[.]cpuminerpool[.]com/pm[.]sh | https://www.virustotal.com/file/81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274/analysis/1568621852/ | 200 | cd3af8bc58dc26936a02e1598992dffe586b3475 | 55 | 0 | |
| hxxp://188[.]241[.]73[.]110 | https://www.virustotal.com/file/d01984d5f581bbb2100fe65e5c677563a9150fe22edbdf875601d86c63862f3d/analysis/1568618881/ | 200 | 042f495f7f6adefc7b376f9d00f9e64f04cadcee | 50 | 0 | |
| hxxp://45[.]35[.]0[.]213 | https://www.virustotal.com/url/0119b2efd7e5884ac109008e28c4f318eafd571930f56a7fb8281f7c942c2a05/analysis/1568727354/ | Unknown | | | | |
| hxxp://174[.]128[.]226[.]101/mips | https://www.virustotal.com/file/c51c776b3aff1533eaf680473d5292cee0fc6d7a8c2821971fc56a781ead56e6/analysis/1568738331/ | 200 | 81542728b7d0ed176f7e9e965880c661ebe72bb0 | 57 | 26 | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Sophos:Linux/Tsunami-A, Ikarus:Trojan.Linux.Gafgyt, Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, AhnLab-V3:Linux/Tsunami.Gen3, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, MAX:malware (ai score=94), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen |
| hxxp://31[.]13[.]195[.]49/x | https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/ | Unknown | | | | |
| hxxp://192[.]192[.]78[.]216:9090/gH/S0[.]php | https://www.virustotal.com/url/07466b58d709592dfc1e445fb22646e3c2eeca25231b24f810178f073a550057/analysis/1534499163/ | Unknown | | | | |
| hxxp://142[.]11[.]199[.]235/mips | https://www.virustotal.com/file/af18cd19287cdf764418b4212cbcd64e5bba8e8632a3990026f6f5c0b54f3fce/analysis/1567916002/ | 200 | 8bc0fcd0b5f456938cf6db535316146359ea02a8 | 56 | 19 | ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Backdoor.Linux.MIRAI.SMMR1, Avast:ELF:Hajime-R [Trj], ClamAV:Unix.Trojan.Gafgyt-6748839-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.ad, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), DrWeb:Linux.Mirai.1443, TrendMicro:Backdoor.Linux.MIRAI.SMMR1, McAfee-GW-Edition:Linux/Mirai-FDXO!249E607F736C, Sophos:Mal/Generic-S, Fortinet:ELF/Mirai.AE!tr, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.ad, Avast-Mobile:ELF:Mirai-UM [Trj], AhnLab-V3:Linux/Exploit.Gen2, McAfee:Linux/Mirai-FDXO!249E607F736C, Tencent:Backdoor.Linux.Mirai.wao, GData:Linux.Trojan.Mirai.E, AVG:ELF:Hajime-R [Trj] |
| hxxp://185[.]35[.]138[.]156/c | https://www.virustotal.com/url/43c2691ddea4cc59176e8bdadf79c46967439412806c4ba3bb143188ba3bd47e/analysis/1568565075/ | Unknown | | | | |
| hxxp://192[.]227[.]176[.]14/switchware[.]mips | https://www.virustotal.com/url/896860379164d73565c89e61492e6838c5407880e5f3c3e54642b5ae35596c1f/analysis/1569039476/ | Unknown | | | | |
| hxxp://switchnets[.]net/unstable | https://www.virustotal.com/url/aacd30e68a31b91742fbe5a9078ae0823f13255018ab65efe39a0e4a6c48f89b/analysis/1568526555/ | Unknown | | | | |
| hxxp://31[.]13[.]195[.]109/jaws[.]sh | https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/ | 404 | | | | |
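Two rows in the table above deserve a second look: the downloads from pm[.]cpuminerpool[.]com and 188[.]241[.]73[.]110 both returned HTTP 200 yet had 0/55 and 0/50 VirusTotal positives at lookup time. Zero positives means no engine had a signature yet, not that the file is clean, and the hostname of the first one reads like a cryptominer deployment script, so both belong in a manual-triage queue rather than being dropped. The script below is an added example, not part of the original post: it parses the pipe-delimited rows exactly as printed above (five of them are copied in as sample input), refangs the defanged URLs, and sorts the rows into "confirmed", "needs manual triage" and "not retrieved". The helper names are my own.

```python
"""Added example, not from the original post: triage the malware-download
table.  The rows below are copied verbatim from the table above (the engine
column of the Tsunami row is kept in full); helper names are assumptions."""
import re
from urllib.parse import urlparse

# Rows copied from the table: url | VT link | status | SHA-1 | total | positives | engines
SAMPLE_ROWS = """\
hxxp://pm[.]cpuminerpool[.]com/pm[.]sh | https://www.virustotal.com/file/81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274/analysis/1568621852/ | 200 | cd3af8bc58dc26936a02e1598992dffe586b3475 | 55 | 0 |
hxxp://188[.]241[.]73[.]110 | https://www.virustotal.com/file/d01984d5f581bbb2100fe65e5c677563a9150fe22edbdf875601d86c63862f3d/analysis/1568618881/ | 200 | 042f495f7f6adefc7b376f9d00f9e64f04cadcee | 50 | 0 |
hxxp://45[.]35[.]0[.]213 | https://www.virustotal.com/url/0119b2efd7e5884ac109008e28c4f318eafd571930f56a7fb8281f7c942c2a05/analysis/1568727354/ | Unknown | ||||
hxxp://174[.]128[.]226[.]101/mips | https://www.virustotal.com/file/c51c776b3aff1533eaf680473d5292cee0fc6d7a8c2821971fc56a781ead56e6/analysis/1568738331/ | 200 | 81542728b7d0ed176f7e9e965880c661ebe72bb0 | 57 | 26 | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Sophos:Linux/Tsunami-A, Ikarus:Trojan.Linux.Gafgyt, Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, AhnLab-V3:Linux/Tsunami.Gen3, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, MAX:malware (ai score=94), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen
hxxp://31[.]13[.]195[.]109/jaws[.]sh | https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/ | 404 | ||||
"""


def refang(ioc):
    """Turn the defanged hxxp://1[.]2[.]3[.]4 notation back into a usable URL."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def parse_rows(text):
    """Parse pipe-delimited rows; short rows (Unknown/404) are padded to 7 cells."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        cells += [""] * (7 - len(cells))
        url, vt_link, status, sha1, total, positives, engines = cells[:7]
        url = refang(url)
        records.append({
            "url": url,
            "host": urlparse(url).hostname,
            "vt_link": vt_link,
            "status": status,
            "sha1": sha1 or None,
            "total": int(total) if total.isdigit() else None,
            "positives": int(positives) if positives.isdigit() else None,
            "engines": [e.strip() for e in engines.split(",") if e.strip()],
        })
    return records


def needs_manual_triage(rec):
    """Fetched fine but no engine flagged it: VT silence is not a clean bill of health."""
    return rec["status"] == "200" and rec["positives"] == 0


def summarize(records):
    """Bucket rows by what the analyst should do with them; hosts double as a blocklist."""
    return {
        "confirmed": [r["host"] for r in records if (r["positives"] or 0) > 0],
        "triage": [r["host"] for r in records if needs_manual_triage(r)],
        "unretrieved": [r["host"] for r in records if r["status"] != "200"],
        "block_hosts": sorted({r["host"] for r in records}),
    }


if __name__ == "__main__":
    for bucket, hosts in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{bucket}: {hosts}")
```

The "unretrieved" bucket (VT status Unknown or HTTP 404) is the one most likely to be stale rather than harmless: droppers rotate hosting quickly, so the host is still worth blocking even though the payload was never captured.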
◾️WoWHoneypot
<Detections by country and detection counts>
The detection count rose, but the increase is credential brute-forcing against WordPress: POST requests to wp-login.php account for 1565 of the requests listed below.
<Payload>
```http
POST //wp-login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP+Cookie+check

log=admin&pwd=blah&wp-submit=Log In&redirect_to=hxxp://target-url//wp-admin/&testcookie=1
```
Identical requests came from 184[.]168[.]200[.]238 and 46[.]252[.]205[.]154. Note the doubled slash in the request path; it recurs in the /blog//, /wordpress// and /wp// variants in the path list below and is a convenient fingerprint for this tool.
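The request above is easy to alert on once the path is normalized. The script below is an added example, not part of the original post or of WoWHoneypot: it takes request records in a simple (timestamp, source IP, request line, body) layout, collapses the doubled slashes, counts POSTs to wp-login.php and xmlrpc.php per source within a sliding window, and reports the sources that exceed a threshold along with the usernames they tried. The records are constructed to mirror the payload above using the two source IPs the post names; the record layout, the threshold and the window are assumptions.

```python
"""Added example, not from the original post: flag wp-login.php brute
forcing in WoWHoneypot-style request records.  The records are constructed
to mirror the payload above; record layout, threshold and window are assumptions."""
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

BODY = ("log=admin&pwd=blah&wp-submit=Log+In"
        "&redirect_to=http://target-url//wp-admin/&testcookie=1")

# Constructed sample records: (timestamp, source IP, request line, body).
# 184.168.200.238 hammers four path variants; 46.252.205.154 stays under the
# threshold; 198.51.100.7 is an unrelated GET that must not be counted.
SAMPLE_REQUESTS = [
    ("2019-09-19T10:00:00", "184.168.200.238", "POST //wp-login.php HTTP/1.1", BODY),
    ("2019-09-19T10:01:00", "184.168.200.238", "POST /blog//wp-login.php HTTP/1.1", BODY),
    ("2019-09-19T10:02:00", "184.168.200.238", "POST /wordpress//wp-login.php HTTP/1.1", BODY),
    ("2019-09-19T10:03:00", "184.168.200.238", "POST /wp//wp-login.php HTTP/1.1", BODY),
    ("2019-09-19T10:04:00", "184.168.200.238", "POST //wp-login.php HTTP/1.1",
     BODY.replace("pwd=blah", "pwd=password")),
    ("2019-09-19T10:05:00", "184.168.200.238", "POST //xmlrpc.php HTTP/1.1", ""),
    ("2019-09-19T11:00:00", "46.252.205.154", "POST //wp-login.php HTTP/1.1", BODY),
    ("2019-09-19T11:30:00", "46.252.205.154", "POST /wp//wp-login.php HTTP/1.1", BODY),
    ("2019-09-19T12:00:00", "198.51.100.7", "GET / HTTP/1.1", ""),
]

# Endpoints that accept WordPress credentials.  xmlrpc.php is included because
# its system.multicall method lets a single request carry many login attempts.
WP_LOGIN_FILES = {"wp-login.php", "xmlrpc.php"}


def normalize_path(path):
    """Drop the query string and collapse the doubled slashes seen in //wp-login.php."""
    return re.sub(r"/+", "/", path.split("?", 1)[0])


def is_wp_login_attempt(method, path):
    """Only POSTs count; GET /wp-login.php is what a browser does before logging in."""
    return method == "POST" and posixpath.basename(normalize_path(path)) in WP_LOGIN_FILES


def extract_username(body):
    """The 'log' field carries the username in a wp-login.php form post."""
    return parse_qs(body).get("log", [None])[0]


def find_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {attempts, usernames}} for sources that made at least
    `threshold` login attempts inside any `window`-long span."""
    per_source = defaultdict(list)
    for ts, src, request_line, body in records:
        method, path, _version = request_line.split(" ", 2)
        if is_wp_login_attempt(method, path):
            per_source[src].append((datetime.fromisoformat(ts), extract_username(body)))
    hits = {}
    for src, events in per_source.items():
        events.sort(key=lambda e: e[0])
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                hits[src] = {"attempts": len(events),
                             "usernames": sorted({u for _, u in events if u})}
                break
    return hits


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_REQUESTS))
```

On a real honeypot the threshold is a tuning knob, not a constant: a single wp-login.php POST is already suspicious on a host that runs no WordPress, so a threshold of 1 is reasonable there, while on a production site the window and threshold need to sit above what legitimate users produce.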
<Target list>
| target | count |
|---|---|
| WordPress | 1565 |
| - | 119 |
| FreePBX | 16 |
| MySQL | 3 |
| ThinkPHP | 3 |
| phpMyAdmin | 3 |
| SSL certificate | 2 |
| Unauthorized Relay | 2 |
| xml sitemap | 2 |
| D-Link DIR-850L | 1 |
| DGN1000 Netgear Router | 1 |
| Tomcat | 1 |
| Yealink | 1 |
| git | 1 |
<Malware downloads>
None
<Detected path list>
| wow_path_research | target | CVE | reference | count |
|---|---|---|---|---|
| //wp-login.php | WordPress | - | - | 719 |
| /blog//wp-login.php | WordPress | - | - | 264 |
| /wordpress//wp-login.php | WordPress | - | - | 264 |
| /wp//wp-login.php | WordPress | - | - | 264 |
| / | - | - | - | 91 |
| /blog/ | - | - | - | 20 |
| /wordpress/ | WordPress | - | - | 20 |
| /wp/ | WordPress | - | - | 20 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 16 |
| //xmlrpc.php | WordPress | - | - | 14 |
| /TP/public/index.php | ThinkPHP | - | - | 3 |
| /favicon.ico | - | - | - | 3 |
| /.well-known/security.txt | SSL certificate | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 2 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 2 |
| /robots.txt | - | - | - | 2 |
| /sitemap.xml | xml sitemap | - | - | 2 |
| www.baidu.com:443 | Unauthorized Relay | - | - | 2 |
| /.git/config | git | - | - | 1 |
| /HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /aastra.cfg | Yealink | - | https://wiki.ipitomy.com/wiki/Yealink | 1 |
| /cm/ | - | - | - | 1 |
| /index.php | - | - | - | 1 |
| /manager/html | Tomcat | - | - | 1 |
| /mysql/admin/index.php | phpMyAdmin | - | - | 1 |
| /mysql/dbadmin/index.php | MySQL | - | - | 1 |
| /mysql/mysqlmanager/index.php | MySQL | - | - | 1 |
| /mysql/sqlmanager/index.php | MySQL | - | - | 1 |
| /phpMyAdmin/index.php | | | | 1 |
| /phpMyadmin/index.php | | | | 1 |
| /setup.cgi | DGN1000 Netgear Router | - | - | 1 |
| /status | - | - | - | 1 |
That is all for this period.