• WOWHoneypot
  • 概況
  • 国別のアクセス件数
  • アクセス先
    • Drupalの探査
    • アクセス先一覧

WOWHoneypot

ハニーポット「WOWHoneypot」で2019/02/21 (木) 00:00~23:59 UTC(運用49日目)に取得したログの簡易分析です。

DrupalやまとまったWebShellやphpMyAdminなどの探査がありました。

概況

• 集計期間 : 2019/02/21 (木) 00:00~23:59 UTC
• 総アクセス件数 : 145 件(前日比 +144 件)
  • WebShellの探査 : 125 件
  • トップページへのアクセス : 7 件
  • phpMyAdminの探査 : 7 件
  • Network Weathermapの探査 : 2 件
  • Microsoft IIS 6.0の脆弱性(CVE-2017-7269)を利用した攻撃 : 1 件
  • WebDAVの探査 : 1 件
  • WordPressのコンフィグファイルの探査 : 1 件
  • Drupalの探査 : 1 件
• ユニークIPアドレス件数 : 10 件 (前日比 +9 件)
• アクセス元の国数 : 9 カ国 (前日比 +8 カ国)

国別のアクセス件数

国別のアクセス件数は以下の通りです。

順位	国名	件数	前日の順位	前日の件数	件数差	備考
1.	Indonesia	136	-	0	+136	-
2.	United States	2	-	0	+2	-
3.	Germany	1	-	0	+1	-
4.	Spain	1	-	0	+1	-
5.	Taiwan	1	-	0	+1	-
6.	Japan	1	-	0	+1	-
7.	Turkey	1	-	0	+1	-
8.	Brazil	1	-	0	+1	-
9.	Ukraine	1	-	0	+1	-

アクセス先

• Drupalの探査は/CHANGELOG.txtというパスに対して行われました。
  • 送信元IPアドレスはAmazon Technologies Inc.に登録されたものでした。
• 2019/02/14以来、7日ぶりにまとまったWebShellやphpMyAdminなどの探査を観測しました。
  • 件数は136件で、送信元IPアドレスはインドネシアのPT.Infokom Elektrindo(AS17670)に登録されたものでした。
• 2019/02/19以来、2日ぶりにZGrabによるスキャンを観測しました。
  • 件数は1件で、User-AgentはMozilla/5.0 zgrab/0.xでした。

Drupalの探査

Drupalの探査のHTTPリクエストは以下の通りです。
2019/02/21(JST)に公開されたDrupalのRCE(Remote Code Execution)の脆弱性(CVE-2019-6340)と関係がありそうです。

GET /CHANGELOG.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Currently seeing Drupal-related scans attempting to use the "CHANGELOG.txt" method to locate vulnerable sites due to CVE-2019-6340.

The correct path for Drupal 8 is /core/CHANGELOG.txt – however you won't find the version the site using. It's just a generic message. pic.twitter.com/AWzhJH8t2l

— Bad Packets Report (@bad_packets) February 22, 2019

アクセス先一覧

アクセス先の一覧は以下の通りです。

順位	備考	アクセス先	件数	前日の順位	前日の件数	件数差
1.	トップページへのアクセス	GET / HTTP/1.1	6	-	0	+6
2.	WebShellの探査	POST /qq.php HTTP/1.1	3	-	0	+3
3.	WebShellの探査	GET /shell.php HTTP/1.1	2	-	0	+2
4.	WebShellの探査	GET /cmd.php HTTP/1.1	2	-	0	+2
5.	WebShellの探査	POST /xx.php HTTP/1.1	2	-	0	+2
6.	WebShellの探査	POST /conflg.php HTTP/1.1	2	-	0	+2
7.	WebShellの探査	POST /q.php HTTP/1.1	2	-	0	+2
8.	Microsoft IIS 6.0の脆弱性(CVE-2017-7269)を利用した攻撃	PROPFIND / HTTP/1.1	1	-	0	+1
9.	WebDAVの探査	GET /webdav/ HTTP/1.1	1	-	0	+1
10.	WebShellの探査	GET /0C87E923.php HTTP/1.1	1	-	0	+1
11.	WebShellの探査	GET /help.php HTTP/1.1	1	-	0	+1
12.	WebShellの探査	GET /java.php HTTP/1.1	1	-	0	+1
13.	WebShellの探査	GET /_query.php HTTP/1.1	1	-	0	+1
14.	WebShellの探査	GET /test.php HTTP/1.1	1	-	0	+1
15.	WebShellの探査	GET /db_cts.php HTTP/1.1	1	-	0	+1
16.	phpMyAdminの探査	GET /db_pma.php HTTP/1.1	1	-	0	+1
17.	WebShellの探査	GET /logon.php HTTP/1.1	1	-	0	+1
18.	WebShellの探査	GET /help-e.php HTTP/1.1	1	-	0	+1
19.	WebShellの探査	GET /license.php HTTP/1.1	1	-	0	+1
20.	WebShellの探査	GET /log.php HTTP/1.1	1	-	0	+1
21.	WebShellの探査	GET /hell.php HTTP/1.1	1	-	0	+1
22.	WebShellの探査	GET /pmd_online.php HTTP/1.1	1	-	0	+1
23.	WebShellの探査	GET /x.php HTTP/1.1	1	-	0	+1
24.	WebShellの探査	GET /htdocs.php HTTP/1.1	1	-	0	+1
25.	WebShellの探査	GET /desktop.ini.php HTTP/1.1	1	-	0	+1
26.	WebShellの探査	GET /z.php HTTP/1.1	1	-	0	+1
27.	WebShellの探査	GET /lala.php HTTP/1.1	1	-	0	+1
28.	WebShellの探査	GET /lala-dpr.php HTTP/1.1	1	-	0	+1
29.	WebShellの探査	GET /wpc.php HTTP/1.1	1	-	0	+1
30.	WebShellの探査	GET /wpo.php HTTP/1.1	1	-	0	+1
31.	WebShellの探査	GET /text.php HTTP/1.1	1	-	0	+1
32.	WordPressのコンフィグファイルの探査	GET /wp-config.php HTTP/1.1	1	-	0	+1
33.	WebShellの探査	GET /muhstik.php HTTP/1.1	1	-	0	+1
34.	WebShellの探査	GET /muhstik2.php HTTP/1.1	1	-	0	+1
35.	WebShellの探査	GET /muhstiks.php HTTP/1.1	1	-	0	+1
36.	WebShellの探査	GET /muhstik-dpr.php HTTP/1.1	1	-	0	+1
37.	WebShellの探査	GET /lol.php HTTP/1.1	1	-	0	+1
38.	WebShellの探査	GET /uploader.php HTTP/1.1	1	-	0	+1
39.	WebShellの探査	GET /cmv.php HTTP/1.1	1	-	0	+1
40.	WebShellの探査	GET /cmdd.php HTTP/1.1	1	-	0	+1
41.	WebShellの探査	GET /knal.php HTTP/1.1	1	-	0	+1
42.	WebShellの探査	GET /appserv.php HTTP/1.1	1	-	0	+1
43.	phpMyAdminの探査	GET /scripts/setup.php HTTP/1.1	1	-	0	+1
44.	phpMyAdminの探査	GET /phpmyadmin/scripts/setup.php HTTP/1.1	1	-	0	+1
45.	phpMyAdminの探査	GET /phpMyAdmin/scripts/setup.php HTTP/1.1	1	-	0	+1
46.	phpMyAdminの探査	GET /phpmyadmin/scripts/db___.init.php HTTP/1.1	1	-	0	+1
47.	phpMyAdminの探査	GET /phpMyAdmin/scripts/db___.init.php HTTP/1.1	1	-	0	+1
48.	Network Weathermapの探査	GET /plugins/weathermap/editor.php HTTP/1.1	1	-	0	+1
49.	Network Weathermapの探査	GET /cacti/plugins/weathermap/editor.php HTTP/1.1	1	-	0	+1
50.	WebShellの探査	POST /wuwu11.php HTTP/1.1	1	-	0	+1
51.	WebShellの探査	POST /xw.php HTTP/1.1	1	-	0	+1
52.	WebShellの探査	POST /xw1.php HTTP/1.1	1	-	0	+1
53.	WebShellの探査	POST /9678.php HTTP/1.1	1	-	0	+1
54.	WebShellの探査	POST /wc.php HTTP/1.1	1	-	0	+1
55.	WebShellの探査	POST /s.php HTTP/1.1	1	-	0	+1
56.	WebShellの探査	POST /w.php HTTP/1.1	1	-	0	+1
57.	WebShellの探査	POST /sheep.php HTTP/1.1	1	-	0	+1
58.	WebShellの探査	POST /qaq.php HTTP/1.1	1	-	0	+1
59.	WebShellの探査	POST /db.init.php HTTP/1.1	1	-	0	+1
60.	WebShellの探査	POST /db_session.init.php HTTP/1.1	1	-	0	+1
61.	WebShellの探査	POST /db__.init.php HTTP/1.1	1	-	0	+1
62.	WebShellの探査	POST /wp-admins.php HTTP/1.1	1	-	0	+1
63.	WebShellの探査	POST /m.php?pbid=open HTTP/1.1	1	-	0	+1
64.	WebShellの探査	POST /db_dataml.php HTTP/1.1	1	-	0	+1
65.	WebShellの探査	POST /db_desql.php HTTP/1.1	1	-	0	+1
66.	WebShellの探査	POST /mx.php HTTP/1.1	1	-	0	+1
67.	WebShellの探査	POST /wshell.php HTTP/1.1	1	-	0	+1
68.	WebShellの探査	POST /xshell.php HTTP/1.1	1	-	0	+1
69.	WebShellの探査	POST /lindex.php HTTP/1.1	1	-	0	+1
70.	WebShellの探査	POST /phpstudy.php HTTP/1.1	1	-	0	+1
71.	WebShellの探査	POST /phpStudy.php HTTP/1.1	1	-	0	+1
72.	WebShellの探査	POST /weixiao.php HTTP/1.1	1	-	0	+1
73.	WebShellの探査	POST /feixiang.php HTTP/1.1	1	-	0	+1
74.	WebShellの探査	POST /ak47.php HTTP/1.1	1	-	0	+1
75.	WebShellの探査	POST /ak48.php HTTP/1.1	1	-	0	+1
76.	WebShellの探査	POST /xiao.php HTTP/1.1	1	-	0	+1
77.	WebShellの探査	POST /yao.php HTTP/1.1	1	-	0	+1
78.	WebShellの探査	POST /defect.php HTTP/1.1	1	-	0	+1
79.	WebShellの探査	POST /webslee.php HTTP/1.1	1	-	0	+1
80.	WebShellの探査	POST /pe.php HTTP/1.1	1	-	0	+1
81.	WebShellの探査	POST /hm.php HTTP/1.1	1	-	0	+1
82.	WebShellの探査	POST /cainiao.php HTTP/1.1	1	-	0	+1
83.	WebShellの探査	POST /zuoshou.php HTTP/1.1	1	-	0	+1
84.	WebShellの探査	POST /zuo.php HTTP/1.1	1	-	0	+1
85.	WebShellの探査	POST /aotu.php HTTP/1.1	1	-	0	+1
86.	WebShellの探査	POST /aotu7.php HTTP/1.1	1	-	0	+1
87.	WebShellの探査	POST /cmd.php HTTP/1.1	1	-	0	+1
88.	WebShellの探査	POST /bak.php HTTP/1.1	1	-	0	+1
89.	WebShellの探査	POST /system.php HTTP/1.1	1	-	0	+1
90.	WebShellの探査	POST /l6.php HTTP/1.1	1	-	0	+1
91.	WebShellの探査	POST /l7.php HTTP/1.1	1	-	0	+1
92.	WebShellの探査	POST /l8.php HTTP/1.1	1	-	0	+1
93.	WebShellの探査	POST /56.php HTTP/1.1	1	-	0	+1
94.	WebShellの探査	POST /mz.php HTTP/1.1	1	-	0	+1
95.	WebShellの探査	POST /yumo.php HTTP/1.1	1	-	0	+1
96.	WebShellの探査	POST /min.php HTTP/1.1	1	-	0	+1
97.	WebShellの探査	POST /wan.php HTTP/1.1	1	-	0	+1
98.	WebShellの探査	POST /wanan.php HTTP/1.1	1	-	0	+1
99.	WebShellの探査	POST /ssaa.php HTTP/1.1	1	-	0	+1
100.	WebShellの探査	POST /aw.php HTTP/1.1	1	-	0	+1
101.	WebShellの探査	POST /12.php HTTP/1.1	1	-	0	+1
102.	WebShellの探査	POST /hh.php HTTP/1.1	1	-	0	+1
103.	WebShellの探査	POST /ak.php HTTP/1.1	1	-	0	+1
104.	WebShellの探査	POST /ip.php HTTP/1.1	1	-	0	+1
105.	WebShellの探査	POST /infoo.php HTTP/1.1	1	-	0	+1
106.	WebShellの探査	POST /qwe.php HTTP/1.1	1	-	0	+1
107.	WebShellの探査	POST /post.php HTTP/1.1	1	-	0	+1
108.	WebShellの探査	POST /h1.php HTTP/1.1	1	-	0	+1
109.	WebShellの探査	POST /test.php HTTP/1.1	1	-	0	+1
110.	WebShellの探査	POST /3.php HTTP/1.1	1	-	0	+1
111.	WebShellの探査	POST /phpinfi.php HTTP/1.1	1	-	0	+1
112.	WebShellの探査	POST /9510.php HTTP/1.1	1	-	0	+1
113.	WebShellの探査	POST /python.php HTTP/1.1	1	-	0	+1
114.	WebShellの探査	POST /default.php HTTP/1.1	1	-	0	+1
115.	WebShellの探査	POST /sean.php HTTP/1.1	1	-	0	+1
116.	WebShellの探査	POST /app.php HTTP/1.1	1	-	0	+1
117.	WebShellの探査	POST /help.php HTTP/1.1	1	-	0	+1
118.	WebShellの探査	POST /tiandi.php HTTP/1.1	1	-	0	+1
119.	WebShellの探査	POST /miao.php HTTP/1.1	1	-	0	+1
120.	WebShellの探査	POST /xz.php HTTP/1.1	1	-	0	+1
121.	WebShellの探査	POST /linuxse.php HTTP/1.1	1	-	0	+1
122.	WebShellの探査	POST /zuoindex.php HTTP/1.1	1	-	0	+1
123.	WebShellの探査	POST /zshmindex.php HTTP/1.1	1	-	0	+1
124.	WebShellの探査	POST /tomcat.php HTTP/1.1	1	-	0	+1
125.	WebShellの探査	POST /ceshi.php HTTP/1.1	1	-	0	+1
126.	WebShellの探査	POST /1hou.php HTTP/1.1	1	-	0	+1
127.	WebShellの探査	POST /ou2.php HTTP/1.1	1	-	0	+1
128.	WebShellの探査	POST /zuos.php HTTP/1.1	1	-	0	+1
129.	WebShellの探査	POST /zuoshss.php HTTP/1.1	1	-	0	+1
130.	WebShellの探査	POST /boots.php HTTP/1.1	1	-	0	+1
131.	phpMyAdminの探査	GET /mysql/admin/index.php?lang=en HTTP/1.1	1	-	0	+1
132.	トップページへのアクセス	GET / HTTP/1.0	1	-	0	+1
133.	Drupalの探査	GET /CHANGELOG.txt HTTP/1.1	1	-	0	+1

WOWHoneypotで取得したログの簡易分析は以上です。