【ハニーポット簡易分析】Honeypot簡易分析(406-407日目:9/29-10/1)
Honeypot簡易分析(406-407日目:9/29-10/1)となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<ポート検知数>
<新規マルウェアダウンロード>
| malware_url | VT_link | virus name |
| hxxp://188[.]241[.]73[.]110 | https://www.virustotal.com/file/d01984d5f581bbb2100fe65e5c677563a9150fe22edbdf875601d86c63862f3d/analysis/1568618881/ | |
| hxxp://anunna[.]club/x | https://www.virustotal.com/url/909fc6bee20704cbabf60e87015c40449ad952472d2bff376a1abffc9a699ec3/analysis/1568526488/ | |
| hxxp://142[.]11[.]199[.]235/mips | https://www.virustotal.com/file/06dd850915d9dd8703119dd400c744fd9e8f6a96cde547ef6f8bb365dd339ac9/analysis/1569725933/ | ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Trojan.Linux.MIRAI.SMMR1, Avast:ELF:Mirai-VV [Trj], Kaspersky:HEUR:Backdoor.Linux.Mirai.b, Tencent:Backdoor.Linux.Mirai.wao, Sophos:Linux/DDoS-CIA, DrWeb:Linux.Mirai.1443, TrendMicro:Trojan.Linux.MIRAI.SMMR1, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.b, Avast-Mobile:ELF:Mirai-UM [Trj], GData:Linux.Trojan.Mirai.E, AhnLab-V3:Linux/Mirai15.Exp, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), Ikarus:Trojan.Linux.Mirai, Fortinet:ELF/Mirai.OX!tr, AVG:ELF:Mirai-VV [Trj] |
| hxxp://185[.]86[.]78[.]254 | https://www.virustotal.com/file/883ef85e3d2ce48c3581398a432e6e902d85ee2276dc28a57026ed33c2e97957/analysis/1569572965/ | |
| hxxp://142[.]11[.]199[.]235/arm7 | https://www.virustotal.com/file/89e9d8b64b786255ce2bb6dfd7971f4facf22ac17e6e3256d3edbdd86d54a6d1/analysis/1569915727/ | MicroWorld-eScan:Gen:Variant.Linux.Mirai.1, FireEye:Gen:Variant.Linux.Mirai.1, McAfee:RDN/Generic BackDoor, AegisLab:Trojan.Linux.Mirai.K!c, Symantec:Trojan.Gen.MBT, ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Trojan.Linux.MIRAI.SMMR1, Avast:ELF:Mirai-AHV [Trj], ClamAV:Unix.Dropper.Mirai-7135925-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.au, BitDefender:Gen:Variant.Linux.Mirai.1, NANO-Antivirus:Trojan.ElfArm32.Mirai.gbbqvh, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), Ad-Aware:Gen:Variant.Linux.Mirai.1, Sophos:Linux/DDoS-CIA, F-Secure:Malware.LINUX/Mirai.wnzpj, DrWeb:Linux.Mirai.2618, TrendMicro:Trojan.Linux.MIRAI.SMMR1, Emsisoft:Gen:Variant.Linux.Mirai.1 (B), Cyren:ELF/Trojan.SJNJ-2, Avira:LINUX/Mirai.wnzpj, Fortinet:ELF/Mirai.AE!tr, Arcabit:Trojan.Linux.Mirai.1, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.au, Avast-Mobile:ELF:Mirai-UM [Trj], Microsoft:DDoS:Linux/Gafgyt.YA!MTB, AhnLab-V3:Linux/Mirai13.Exp, ALYac:Gen:Variant.Linux.Mirai.1, MAX:malware (ai score=89), Tencent:Backdoor.Linux.Mirai.wam, Ikarus:Trojan.Linux.Mirai, GData:Gen:Variant.Linux.Mirai.1, AVG:ELF:Mirai-AHV [Trj], Qihoo-360:Win32/Backdoor.3df |
| hxxp://cb[.]fuckingmy[.]life/download[.]exe | https://www.virustotal.com/url/e9f5753e8b9309ed204a1eda6000a92650aeccad615b8fadb622348f1053c7b9/analysis/1569664299/ | |
| hxxp://31[.]13[.]195[.]49/x | https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/ | |
| hxxp://42[.]227[.]78[.]236:35773/Mozi[.]m | https://www.virustotal.com/url/8aa375bd9d07a03c90094b9f55bd078010fd1e1ccfa23a4e17bf86c43a72fb53/analysis/1569853294/ | |
| hxxp://switchnets[.]net/unstable | https://www.virustotal.com/url/aacd30e68a31b91742fbe5a9078ae0823f13255018ab65efe39a0e4a6c48f89b/analysis/1568526555/ | |
| hxxp://174[.]128[.]226[.]101/mps | https://www.virustotal.com/file/bcc137723a2a366ab7dce082d9b19cfaa6cfdb13094cf69ef6535142d0982e58/analysis/1570022926/ | MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, FireEye:Gen:Variant.Backdoor.Linux.Tsunami.1, McAfee:GenericRXIB-LW!3CC83DCB49AA, Symantec:Linux.Backdoor.Kaiten, ESET-NOD32:a variant of Linux/Tsunami.NDJ, TrendMicro-HouseCall:Backdoor.Linux.BASHLITE.SMJC10, Avast:ELF:DDoS-Y [Trj], Kaspersky:HEUR:Backdoor.Linux.IrcShell.p, BitDefender:Gen:Variant.Backdoor.Linux.Tsunami.1, Tencent:Backdoor.Linux.Tsunami.x, Ad-Aware:Gen:Variant.Backdoor.Linux.Tsunami.1, Emsisoft:Gen:Variant.Backdoor.Linux.Tsunami.1 (B), DrWeb:Linux.BackDoor.Tsunami.239, TrendMicro:Backdoor.Linux.BASHLITE.SMJC10, McAfee-GW-Edition:GenericRXIB-LW!3CC83DCB49AA, Sophos:Linux/Tsunami-A, Jiangmin:Backdoor.Linux.asoo, Fortinet:ELF/Tsunami.NDJ!tr, Arcabit:Trojan.Backdoor.Linux.Tsunami.1, ZoneAlarm:HEUR:Backdoor.Linux.IrcShell.p, Avast-Mobile:ELF:Tsunami-EQ [Trj], ALYac:Gen:Variant.Backdoor.Linux.Tsunami.1, MAX:malware (ai score=85), Rising:Backdoor.Tsunami!1.A1B2 (CLASSIC), Ikarus:Trojan.Linux.Gafgyt, GData:Gen:Variant.Backdoor.Linux.Tsunami.1, AVG:ELF:DDoS-Y [Trj], Qihoo-360:virus.elf.tsunami.gen |
◾️WoWHoneypot
<国別検知数および検知数>
<検知パス一覧>
| wow_path_research | target | CVE | reference | count |
| / | - | - | - | 102 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 28 |
| /html/repository | 6 | |||
| /TP/public/index.php | ThinkPHP | - | - | 3 |
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /myadmin/scripts/setup.php | phpMyAdmin phpMyAdmin |
- - |
- - |
2 |
| /mysql/scripts/setup.php | MySQL | - | - | 2 |
| /mysqladmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /phpMyAdmin/scripts/db___.init.php | phpMyAdmin | - | - | 2 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /phpmyadmin/scripts/db___.init.php | 2 | |||
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /pma/scripts/setup.php | phpMyAdmin phpMyAdmin |
- - |
- - |
2 |
| /services/user/values.xml | 2 | |||
| /sqladmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| ../../etc/passwd | passwd | - | - | 1 |
| / CSCOE /files/file_list.json | 1 | |||
| //MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| //myadmin/scripts/setup.php | 1 | |||
| //phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| //phpmyadmin/scripts/setup.php | 1 | |||
| //pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /index.php | - | - | - | 1 |
| /login.php | - | - | - | 1 |
| /manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html | 1 |
| /muieblackcat | Scanner | - | https://eromang.zataz.com/2011/08/14/suc027-muieblackcat-setup-php-web-scanner-robot/ | 1 |
| /robots.txt | - | - | - | 1 |
| /scripts/setup.php | phpMyAdmin | - | - | 1 |
| /secure/ContactAdministrators!default.jspa | JIRA | - | https://ja.wikipedia.org/wiki/JIRA_(%E3%82%BD%E3%83%95%E3%83%88%E3%82%A6%E3%82%A7%E3%82%A2) | 1 |
| /v1/agent/self | consul | - | https://github.com/hashicorp/consul/blob/master/api/agent.go | 1 |
| hxxp://112.35.88.28:8088/index.php | Unauthorized Relay | - | - | 1 |
<新規検知パス一覧>
| wow_path_research | target | CVE | reference |
| / CSCOE /files/file_list.json | Cisco | CVE-2018-0296 | https://github.com/yassineaboukir/CVE-2018-0296/blob/master/cisco_asa.py |
| //myadmin/scripts/setup.php | phpMyAdmin | - | - |
| //phpmyadmin/scripts/setup.php | phpMyAdmin | - | - |
| /html/repository | CIRCONTROL CirCarLife | CVE-2018-16668 | https://github.com/SadFud/Exploits/blob/master/Real%20World/Suites/cir-pwn-life/exploit.py |
| /phpmyadmin/scripts/db___.init.php | phpMyAdmin | - | - |
| /services/user/values.xml | CIRCONTROL CirCarLife | CVE-2018-16670 | https://github.com/SadFud/Exploits/blob/master/Real%20World/Suites/cir-pwn-life/exploit.py |
