【ハニーポット簡易分析】Honeypot簡易分析(404-405日目:9/27-28)
Honeypot簡易分析となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数>
| ポート番号 | サービス | 件数 |
| 445 | smb | 8070 |
| 22 | ssh | 5824 |
| 23 | telnet | 3593 |
| 5900 | vnc | 813 |
| 3389 | rdp | 627 |
| 1433 | ms-sql-s | 622 |
| 8080 | proxy | 250 |
| 18022 | Unknown | 194 |
| 9600 | micromuse-ncpw | 146 |
| 81 | hosts2-ns | 140 |
<マルウェアダウンロード>
| malware_url | VT_link | statuscode | hash | virus name |
| hxxp://31[.]13[.]195[.]109/jaws[.]sh | https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/ | 404 | ||
| hxxp://switchnets[.]net/unstable | https://www.virustotal.com/url/aacd30e68a31b91742fbe5a9078ae0823f13255018ab65efe39a0e4a6c48f89b/analysis/1568526555/ | Unknown | ||
| hxxp://185[.]244[.]25[.]122/203Xmi39S[.]arm6 | https://www.virustotal.com/file/ae8809da10614eb5383aa0615e2f474834ace949925a248062138cc88fb6d788/analysis/1569654277/ | 200 | 750802a5d159b199dbaa985a6b82d0fac7a5b8ee | MicroWorld-eScan:Gen:Variant.Trojan.Linux.Gafgyt.5, McAfee:GenericRXIQ-JN!9449BD936320, Symantec:Trojan.Gen.MBT, ESET-NOD32:a variant of Linux/Gafgyt.ARN, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC2, Avast:ELF:DDoS-S [Trj], ClamAV:Unix.Dropper.Mirai-7139232-0, Kaspersky:HEUR:Backdoor.Linux.Gafgyt.a, BitDefender:Gen:Variant.Trojan.Linux.Gafgyt.5, NANO-Antivirus:Trojan.ElfArm32.Gafgyt.gauugs, Rising:Backdoor.Gafgyt/Linux!1.BC44 (CLASSIC), Ad-Aware:Gen:Variant.Trojan.Linux.Gafgyt.5, F-Secure:Malware.LINUX/Gafgyt.opnd, DrWeb:Linux.BackDoor.Fgt.2579, TrendMicro:Backdoor.Linux.BASHLITE.SMJC2, McAfee-GW-Edition:GenericRXIQ-JN!9449BD936320, FireEye:Gen:Variant.Trojan.Linux.Gafgyt.5, Emsisoft:Gen:Variant.Trojan.Linux.Gafgyt.5 (B), Ikarus:Trojan.Linux.Fgt, Jiangmin:Backdoor.Linux.dqcv, Avira:LINUX/Gafgyt.opnd, Fortinet:ELF/Gafgyt.BJ!tr, Arcabit:Trojan.Trojan.Linux.Gafgyt.5, AegisLab:Trojan.Linux.Gafgyt.m!c, ZoneAlarm:HEUR:Backdoor.Linux.Gafgyt.a, Avast-Mobile:ELF:DDoS-S [Trj], Microsoft:DDoS:Linux/Mirai.PA!MTB, AhnLab-V3:Linux/Gafgyt.Gen28, ALYac:Gen:Variant.Trojan.Linux.Gafgyt.5, MAX:malware (ai score=86), Tencent:Backdoor.Linux.Gafgyt.ff, GData:Gen:Variant.Trojan.Linux.Gafgyt.5, AVG:ELF:DDoS-S [Trj], Qihoo-360:Win32/Backdoor.812 |
| hxxp://174[.]128[.]226[.]101/mps | https://www.virustotal.com/file/65d5a289f33ab2bbb3e9c37b30d89ac175e5a6fede4f4ce51703f9d5034ebfff/analysis/1569535088/ | 200 | 4fe19ac96f6e65716db789692a8d462285edb6eb | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.Tsunami.cb, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Sophos:Linux/Tsunami-A, DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, ZoneAlarm:HEUR:Backdoor.Linux.Tsunami.cb, Avast-Mobile:ELF:Tsunami-EQ [Trj], AhnLab-V3:Linux/Tsunami.Gen3, MAX:malware (ai score=84), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), Ikarus:Trojan.Linux.Gafgyt, GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen |
| hxxp://188[.]241[.]73[.]110 | https://www.virustotal.com/file/d01984d5f581bbb2100fe65e5c677563a9150fe22edbdf875601d86c63862f3d/analysis/1568618881/ | 200 | 042f495f7f6adefc7b376f9d00f9e64f04cadcee | |
| hxxp://31[.]13[.]195[.]49/x | https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/ | Unknown | ||
| hxxp://cb[.]fuckingmy[.]life/download[.]exe | https://www.virustotal.com/url/e9f5753e8b9309ed204a1eda6000a92650aeccad615b8fadb622348f1053c7b9/analysis/1569664299/ | Unknown | ||
| hxxp://185[.]172[.]110[.]237/mipsel | https://www.virustotal.com/url/317cada8f0ffedb2bc8c4c6c15b607e1d0a2edf32e512835660784736509b288/analysis/1569299761/ | Unknown | ||
| hxxp://142[.]11[.]199[.]235/mips | https://www.virustotal.com/file/06dd850915d9dd8703119dd400c744fd9e8f6a96cde547ef6f8bb365dd339ac9/analysis/1569725933/ | 200 | 174ceacd2aa596aaf78fc8a365ba04a93c27c11b | ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Trojan.Linux.MIRAI.SMMR1, Avast:ELF:Mirai-VV [Trj], Kaspersky:HEUR:Backdoor.Linux.Mirai.b, Tencent:Backdoor.Linux.Mirai.wao, Sophos:Linux/DDoS-CIA, DrWeb:Linux.Mirai.1443, TrendMicro:Trojan.Linux.MIRAI.SMMR1, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.b, Avast-Mobile:ELF:Mirai-UM [Trj], GData:Linux.Trojan.Mirai.E, AhnLab-V3:Linux/Mirai15.Exp, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), Ikarus:Trojan.Linux.Mirai, Fortinet:ELF/Mirai.OX!tr, AVG:ELF:Mirai-VV [Trj] |
| hxxp://45[.]95[.]168[.]161 | https://www.virustotal.com/url/614371a211695d8761942a4076032c405fe19f28bc8e59ec94fb43652a662b69/analysis/1569711800/ | 403 |
◾️WoWHoneypot
<国別検知数および検知数>
| target | count |
|---|---|
| - | 78 |
| FreePBX | 20 |
| phpMyAdmin | 19 |
| ThinkPHP | 9 |
| DGN1000 Netgea Router | 1 |
| SSL certificate | 1 |
| Webshell | 1 |
| Zabbix | 1 |
| xml sitemap | 1 |
<マルウェアダウンロード>
なし
なし
<検知パス一覧>
| wow_path_research | target | CVE | reference | count |
| / | - | - | - | 74 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 20 |
| /TP/public/index.php | ThinkPHP | - | - | 9 |
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /password_change.cgi | phpMyAdmin | - | - | 2 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /pma/scripts/setup.php | phpMyAdmin phpMyAdmin |
- - |
- - |
2 |
| /robots.txt | - | - | - | 2 |
| /w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 2 |
| /.well-known/security.txt | SSL certificate | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 1 |
| /dd9a8afc0676f231e6439ecf489f8336.php | Webshell | - | - | 1 |
| /favicon.ico | - | - | - | 1 |
| /myadmin/scripts/setup.php | phpMyAdmin phpMyAdmin |
- - |
- - |
1 |
| /mysql/admin/index.php | phpMyAdmin | - | - | 1 |
| /phpMyAdmin/index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
| /setup.cgi | DGN1000 Netgea Router | - | - | 1 |
| /sitemap.xml | xml sitemap | - | - | 1 |
| /zabbix/jsrpc.php | Zabbix | - | - | 1 |
以上となります。
