When I looked into why no Honeytrap logs were coming in, it turned out the iptables configuration was wrong and the logs were never being captured. So this time the report covers only WoWHoneypot.
WoWHoneypot
<Detections by country and total detection count>

<Traffic that caught my attention>
I detected traffic related to the Pulse Secure vulnerability (CVE-2019-11510), so I looked into it. I did not detect any traffic aimed at the Fortinet vulnerability (CVE-2018-13379).
7/12
Request:
/dana-na/jam/querymanifest.cgi?component=preConfiguration
Summary:
I investigated this request but could not tie it to a specific vulnerability. The /dana-na/ prefix is the Pulse Connect Secure web path, so at minimum it is a probe for that product.
Looking up the source IP showed a host that scans constantly and has plenty of abuse reports.
https://www.abuseipdb.com/check/122.228.19.79
8/26
Request:
/dana-na/nc/nc_gina_ver.txt
Summary:
This request checks whether a host is affected by CVE-2019-11510: nc_gina_ver.txt exposes the Pulse Connect Secure version string, which a scanner compares against the affected releases.
The same request appears in a version scanner published on GitHub, so this is most likely reconnaissance for whether the product is present (and which version it runs) rather than an exploitation attempt.
Pulse Secure Version Scanner · GitHub
Looking up the source IP address, it appears the same kind of traffic has also been seen from other IPs.
abuseipdb.com/check/104.131.218.38
<Detected path list>
| path (wow_path_research) | target | CVE | reference | count |
|---|---|---|---|---|
| / | - | - | - | 450 |
| /TP/public/index.php | ThinkPHP | - | - | 39 |
| hxxp://110.249.212.46/testget | Unauthorized Relay | - | - | 32 |
| /index.action | Apache Struts2 | CVE-2017-5638 | https://github.com/mazen160/struts-pwn | 9 |
| /login.action | Login Page | - | - | 9 |
| /robots.txt | - | - | - | 9 |
| /tmpfs/snap.jpg | IP camera | - | https://www.ispyconnect.com/man.aspx?n=IPCMontor | 9 |
| /jsrpc.php | Zabbix | - | - | 8 |
| /wp-admin/ | WordPress | - | - | 8 |
| /zabbix/jsrpc.php | Zabbix | - | - | 8 |
| /favicon.ico | - | - | - | 5 |
| /manager/html | Tomcat | - | - | 4 |
| /phpmyadmin | phpMyAdmin | - | - | 4 |
| /phpmyadmin/scripts/setup.php | phpMyAdmin | - | - | 4 |
| /admin/assets/js/views/login.js | FreePBX | - | https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743 | 3 |
| /afterlogic/VERSION | AfterLogic | - | - | 3 |
| /cgi-bin/luci | OpenWrt (LuCI) | - | - | 3 |
| /login.asp | Login Page | - | - | 3 |
| /myadmin/scripts/setup.php | phpMyAdmin | - | - | 3 |
| /phpMyAdmin/scripts/setup.php | phpMyAdmin | - | - | 3 |
| /provision/ | - | - | - | 3 |
| /tftp/ | TFTP | - | - | 3 |
| /w00tw00t.at.blackhats.romanian.anti-sec:) | phpMyAdmin (ZmEu scanner) | - | - | 3 |
| www.baidu.com:443 | Unauthorized Relay | - | - | 3 |
| /%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess | Apache Struts2 | CVE-2017-5638 | https://www.morihi-soc.net/?p=654 | 2 |
| /.well-known/security.txt | security.txt (security contact file) | - | https://qiita.com/comefigo/items/e9b1bce93c1b615e5934 | 2 |
| //httpmon.php | Zabbix | - | - | 2 |
| //proxies.php | Zabbix | - | - | 2 |
| /HNAP1/ | D-Link DIR-850L | CVE-2015-2051 | https://www.morihi-soc.net/?p=981 | 2 |
| /MyAdmin/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /aastra/ | Aastra | - | https://en.wikipedia.org/wiki/Aastra_Technologies | 2 |
| /api_jsonrpc.php | Zabbix | - | - | 2 |
| /cfg/ | - | - | - | 2 |
| /cisco/ | cisco | - | - | 2 |
| /config/ | - | - | - | 2 |
| /configs/ | - | - | - | 2 |
| /devicecfg/ | Polycom | - | - | 2 |
| /epgrec/do-record.sh | epgrec | - | http://www.mda.or.jp/epgrec/index.php/epgrec%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%81%A8%E8%A8%AD%E5%AE%9A | 2 |
| /foltia/ | foltia ANIME LOCKER | - | https://sec-owl.hatenablog.com/entry/2018/08/01/004310 | 2 |
| /gateways/ | - | - | - | 2 |
| /grandstream/ | Grandstream Networks | - | https://www.grandstream.jp/ | 2 |
| /gs/ | - | - | - | 2 |
| /linksys/ | - | - | - | 2 |
| /manager/text/list | Tomcat | - | https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html | 2 |
| /mitel/ | - | - | - | 2 |
| /obihai/ | OBiTALK | - | www.obihai.com/ | 2 |
| /panasonic/ | panasonic | - | - | 2 |
| /phone/ | - | - | - | 2 |
| /phones/ | - | - | - | 2 |
| /pma/scripts/setup.php | phpMyAdmin | - | - | 2 |
| /polycom/ | polycom | - | https://www.otsuka-shokai.co.jp/products/tvm/polycom/ | 2 |
| /prov/ | - | - | - | 2 |
| /provisioning/ | - | - | - | 2 |
| /pv/ | - | - | - | 2 |
| /sip/ | sip | - | - | 2 |
| /sipura/ | Sipura | - | - | 2 |
| /sitemap.xml | xml sitemap | - | - | 2 |
| /snom/ | - | - | - | 2 |
| /spa/ | - | - | - | 2 |
| /tftpboot/ | TFTP | - | - | 2 |
| /voip/ | voip | - | - | 2 |
| /xml/ | xml | - | - | 2 |
| /xmlrpc.php | WordPress | - | - | 2 |
| /yealink/ | Yealink | - | https://www.yealink.com/ | 2 |
| /zabbix//httpmon.php | Zabbix | - | - | 2 |
| /zabbix//proxies.php | Zabbix | - | - | 2 |
| /zabbix/api_jsonrpc.php | Zabbix | - | https://www.exploit-db.com/exploits/39937 | 2 |
| cn.bing.com:443 | Unauthorized Relay | - | - | 2 |
| hxxp://112.124.42.80:63435/ | Unauthorized Relay | - | - | 2 |
| hxxp://112.35.66.7:8088/index.php | Unauthorized Relay | - | - | 2 |
| hxxp://123.125.114.144/ | Unauthorized Relay | - | - | 2 |
| hxxp://www.123cha.com/ | Unauthorized Relay | - | - | 2 |
| hxxp://www.ip.cn/ | Unauthorized Relay | - | - | 2 |
| /.o3mJzT | - | - | - | 1 |
| //contents/scripts/IR300/chinese.js | - | - | - | 1 |
| //ldskflks | - | - | - | 1 |
| /Polycoms/ | - | - | - | 1 |
| /Security/users | Hikvision IP Camera | - | https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html | 1 |
| /VP530 | Yealink VP530 | - | https://www.j-ts.com/product/ipvideophone_01/ | 1 |
| /Yealink/T23 | Yealink T23 IP Phone | - | https://telharbor.com/shop/yealink-t23-ip-phone/ | 1 |
| /_async/AsyncResponseService | Oracle WebLogic Server | CVE-2019-2725 | https://www.secure-sketch.com/blog/verify-oracle-weblogic-vulnerability | 1 |
| /admin/index.php | Login Page | - | - | 1 |
| /algo/ | - | - | - | 1 |
| /app/ | - | - | - | 1 |
| /app/provision/ | - | - | - | 1 |
| /asterisk/ | Asterisk | - | https://ja.wikipedia.org/wiki/Asterisk_(PBX) | 1 |
| /ata/ | - | - | - | 1 |
| /atacom/ | - | - | - | 1 |
| /autoprovision/ | - | - | - | 1 |
| /backup/ | - | - | - | 1 |
| /boot/ | - | - | - | 1 |
| /cfgs | - | - | - | 1 |
| /cfgvoice/ | - | - | - | 1 |
| /cgi-bin/webctrl.cgi | InFocus IN3128HD | CVE-2014-8384 | https://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-002725.html | 1 |
| /cisco | cisco | - | - | 1 |
| /cm/ | - | - | - | 1 |
| /conf/ | - | - | - | 1 |
| /configuration/ | - | - | - | 1 |
| /dana-na/nc/nc_gina_ver.txt | Pulse Secure Pulse Connect Secure | CVE-2019-11510 | https://gist.github.com/rxwx/d07495f790d62029b12065c38ac2a86a | 1 |
| /dd9a8afc0676f231e6439ecf489f8336.php | Webshell | - | - | 1 |
| /device | - | - | - | 1 |
| /device/ | - | - | - | 1 |
| /devicecfg | Polycom | - | - | 1 |
| /digium/ | d50 | - | https://www.digium.com/products/ip-phones/d50 | 1 |
| /dms | - | - | - | 1 |
| /dms/ | - | - | - | 1 |
| /download/ | - | - | - | 1 |
| /etc/ | Setting File | - | - | 1 |
| /extension/ | - | - | - | 1 |
| /fanvil/ | Fanvil Technology | - | https://www.softsu.co.jp/newslist/fanvil-technology%E7%A4%BE%E3%81%AE%E9%AB%98%E5%93%81%E8%B3%AA%E3%83%BB%E9%AB%98%E6%A9%9F%E8%83%BDsip%E3%83%BBvoip%E9%9B%BB%E8%A9%B1%E6%A9%9F%E3%81%AE%E6%A4%9C%E8%A8%BC%E8%B2%B8%E5%87%BA%E3%82%92/ | 1 |
| /firmware/ | - | - | - | 1 |
| /ftp/ | ftp | - | - | 1 |
| /gateway/ | - | - | - | 1 |
| /gigaset/ | Gigaset | - | - | 1 |
| /grandstram/ | Grandstream Networks | - | - | 1 |
| /gsm/ | - | - | - | 1 |
| /gswave/ | Grandstream Networks | - | https://www.grandstream.jp/ | 1 |
| /home/ | - | - | - | 1 |
| /htek/ | htek | - | http://www.htek.com/ | 1 |
| /huawei/ | HUAWEI | - | - | 1 |
| /ims | - | - | - | 1 |
| /index.php | - | - | - | 1 |
| /lang/en/images/banner_bg.jpg | - | - | - | 1 |
| /line/ | - | - | - | 1 |
| /login.cgi | login Page | - | - | 1 |
| /login.html | login Page | - | - | 1 |
| /matrix/ | - | - | - | 1 |
| /mysql/admin/index.php | phpMyAdmin | - | - | 1 |
| /mysql/scripts/setup.php | phpMyAdmin | - | - | 1 |
| /nice ports,/Trinity.txt.bak | Nmap | - | https://dragos.com/blog/industry-news/threat-hunting-with-python-part-2-detecting-nmap-behavior-with-bro-http-logs/ | 1 |
| /pbx/ | - | - | - | 1 |
| /phoneprov/ | asterisk | - | https://github.com/asterisk/asterisk/tree/master/phoneprov | 1 |
| /phpMyAdmin/index.php | phpMyAdmin | - | - | 1 |
| /phpmyadmin/ | phpMyAdmin | - | - | 1 |
| /phpmyadmin/index.php | phpMyAdmin | - | - | 1 |
| /phprov/ | - | - | - | 1 |
| /poly/ | Poly | - | - | 1 |
| /provisiom/ | - | - | - | 1 |
| /pub/ | - | - | - | 1 |
| /root/ | - | - | - | 1 |
| /sangoma/ | sangoma | - | https://www.sangoma.com/ | 1 |
| /secure/ContactAdministrators!default.jspa | JIRA | CVE-2019-11581 | https://ja.wikipedia.org/wiki/JIRA_(%E3%82%BD%E3%83%95%E3%83%88%E3%82%A6%E3%82%A7%E3%82%A2) | 1 |
| /shell | Webshell | - | - | 1 |
| /smart/ | - | - | - | 1 |
| /smarty/ | - | - | - | 1 |
| /spa122/ | Cisco SPA122 | - | https://www.cisco.com/c/ja_jp/support/unified-communications/spa122-ata-router/model.html | 1 |
| /spectralink/ | spectralink | - | https://www.spectralink.com/ | 1 |
| /spura/ | - | - | - | 1 |
| /system/ | - | - | - | 1 |
| /temp/ | - | - | - | 1 |
| /templates/ | - | - | - | 1 |
| /test/ | - | - | - | 1 |
| /text/ | - | - | - | 1 |
| /tftpphone/ | Polycom VVX | - | https://support.itctechnology.com/hc/en-us/articles/202302163-Polycom-VVX-Custom-Phone-Logo | 1 |
| /tftproot/ | TFTP | - | - | 1 |
| /tmpfs/auto.jpg | IP camera | - | - | 1 |
| /vodafone/ | Vodafone | - | - | 1 |
| /voice | - | - | - | 1 |
| /voipprov/ | - | - | - | 1 |
| /vtech/ | - | - | - | 1 |
| /xsp1/ | - | - | - | 1 |
| /yealink | Yealink | - | - | 1 |
| hxxp://191.162.195.26:8605/affcsyyo1zjjdjcerk9 | Unauthorized Relay | - | - | 1 |
| hxxp://www.baidu.com/ | Unauthorized Relay | - | - | 1 |
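The tables on this page are the output of exactly this kind of classification: take each request-target the honeypot saw, decide whether it is an open-proxy probe, match it against known paths, and count. The following Python is an added example written for this post, not WoWHoneypot's own code. The signature regexes, the "VoIP provisioning" bucket and the sample request lines are this example's assumptions; the labels are borrowed from the target/CVE columns above. It also handles two cases a plain string match would miss: absolute-URI and host:port request-targets (the "Unauthorized Relay" rows) and percent-encoded paths such as Nmap's Trinity.txt.bak probe.

```python
"""Classify honeypot HTTP request lines against a signature table and count hits per path.

Added example for this post; it is not WoWHoneypot's own code. The sample lines below
are constructed, and the SIGNATURES regexes are this example's assumptions about what
each row of the tables above was matching.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# (label, CVE, pattern). Labels follow the "target"/"CVE" columns of the tables above.
# Patterns are matched against the percent-decoded request-target.
SIGNATURES = [
    ("Apache Struts2", "CVE-2017-5638", re.compile(r"^/(index|login)\.action$|^/%\{\(#")),
    ("Pulse Connect Secure", "CVE-2019-11510", re.compile(r"^/dana-na/")),
    ("Oracle WebLogic Server", "CVE-2019-2725", re.compile(r"^/_async/AsyncResponseService")),
    ("D-Link DIR-850L", "CVE-2015-2051", re.compile(r"^/HNAP1/")),
    ("phpMyAdmin", None, re.compile(r"^/[^/]*/scripts/setup\.php$|^/phpmyadmin(/|$)", re.I)),
    ("phpMyAdmin (ZmEu scanner)", None, re.compile(r"^/w00tw00t\.")),
    ("Zabbix", None, re.compile(r"/(jsrpc|api_jsonrpc|httpmon|proxies)\.php$")),
    ("Nmap", None, re.compile(r"^/nice ports,/Trinity\.txt\.bak$")),
    ("VoIP provisioning", None,  # assumed bucket for the phone/provisioning directory scans
     re.compile(r"^/(yealink|polycom|grandstream|snom|sipura|cisco|tftp\w*|prov\w*)(/|$)", re.I)),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
# host:port request-target, the form CONNECT uses when a client treats us as a proxy
AUTHORITY_FORM = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_request_line(line):
    """Return (method, request-target), or None for anything that is not a request line."""
    m = REQUEST_LINE.match(line.strip())
    return (m.group("method"), m.group("target")) if m else None


def is_relay_attempt(target):
    """True when the request-target is an absolute URI or host:port rather than a path.

    'GET http://example.net/ HTTP/1.1' or 'CONNECT host:443 HTTP/1.1' sent to a web
    server is an open-proxy probe; the tables above label these "Unauthorized Relay".
    """
    if AUTHORITY_FORM.match(target):
        return True
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify(target):
    """Map a raw request-target to (label, cve); unknown paths become ('-', None)."""
    if is_relay_attempt(target):
        return ("Unauthorized Relay", None)
    # Decode before matching: Nmap sends /nice%20ports%2C/Tri%6Eity.txt%2ebak and Struts
    # scanners often encode the leading %{, so a raw-string match would miss both.
    decoded = unquote(target)
    for label, cve, pattern in SIGNATURES:
        if pattern.search(decoded):
            return (label, cve)
    return ("-", None)


def summarize(lines):
    """Count (target, label, cve) over request lines; non-request lines are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        label, cve = classify(parsed[1])
        counts[(parsed[1], label, cve)] += 1
    return counts


# Constructed sample: request lines shaped like the ones behind the tables above
# (real WoWHoneypot logs carry more fields; feed only the request line in here).
SAMPLE_LINES = [
    "GET / HTTP/1.1",
    "GET /dana-na/nc/nc_gina_ver.txt HTTP/1.1",
    "GET /dana-na/jam/querymanifest.cgi?component=preConfiguration HTTP/1.1",
    "GET /index.action HTTP/1.1",
    "GET /%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS) HTTP/1.1",
    "GET http://example.net/testget HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "GET /phpMyAdmin/scripts/setup.php HTTP/1.1",
    "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.1",
    "GET /zabbix/jsrpc.php HTTP/1.1",
    "GET /yealink/ HTTP/1.1",
    "this is not a request line",
    "GET /dana-na/nc/nc_gina_ver.txt HTTP/1.1",
]

if __name__ == "__main__":
    for (target, label, cve), n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {label:<28} {cve or '-':<15} {target}")
```

The hxxp:// in the tables is defanging for publication; the honeypot itself receives http:// and https://, which is what the relay check looks for. The counts are keyed on the raw request-target, which is why the tables list //proxies.php and /zabbix//proxies.php as separate rows; collapse repeated slashes before counting if you would rather merge them.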
<Newly observed paths>
| path (wow_path_research) | target | CVE | reference |
|---|---|---|---|
| /%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess | Apache Struts2 | CVE-2017-5638 | https://www.morihi-soc.net/?p=654 |
| /.o3mJzT | - | - | - |
| //ldskflks | - | - | - |
| /Polycoms/ | - | - | - |
| /Security/users | Hikvision IP Camera | - | https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html |
| /VP530 | Yealink VP530 | - | https://www.j-ts.com/product/ipvideophone_01/ |
| /Yealink/T23 | Yealink T23 IP Phone | - | https://telharbor.com/shop/yealink-t23-ip-phone/ |
| /admin/index.php | Login Page | - | - |
| /afterlogic/VERSION | AfterLogic | - | - |
| /app/ | - | - | - |
| /app/provision/ | - | - | - |
| /ata/ | - | - | - |
| /autoprovision/ | - | - | - |
| /cfgs | - | - | - |
| /cfgvoice/ | - | - | - |
| /cgi-bin/webctrl.cgi | InFocus IN3128HD | CVE-2014-8384 | https://jvndb.jvn.jp/ja/contents/2015/JVNDB-2015-002725.html |
| /cm/ | - | - | - |
| /dana-na/nc/nc_gina_ver.txt | Pulse Secure Pulse Connect Secure | CVE-2019-11510 | https://gist.github.com/rxwx/d07495f790d62029b12065c38ac2a86a |
| /dd9a8afc0676f231e6439ecf489f8336.php | Webshell | - | - |
| /device | - | - | - |
| /device/ | - | - | - |
| /devicecfg | Polycom | - | - |
| /dms | - | - | - |
| /extension/ | - | - | - |
| /gateway/ | - | - | - |
| /gigaset/ | Gigaset | - | - |
| /grandstram/ | Grandstream Networks | - | - |
| /gsm/ | - | - | - |
| /huawei/ | HUAWEI | - | - |
| /ims | - | - | - |
| /lang/en/images/banner_bg.jpg | - | - | - |
| /login.action | Login Page | - | - |
| /matrix/ | - | - | - |
| /nice ports,/Trinity.txt.bak | Nmap | - | https://dragos.com/blog/industry-news/threat-hunting-with-python-part-2-detecting-nmap-behavior-with-bro-http-logs/ |
| /phoneprov/ | asterisk | - | https://github.com/asterisk/asterisk/tree/master/phoneprov |
| /phprov/ | - | - | - |
| /poly/ | Poly | - | - |
| /provisiom/ | - | - | - |
| /pv/ | - | - | - |
| /root/ | - | - | - |
| /sipura/ | Sipura | - | - |
| /spa122/ | Cisco SPA122 | - | https://www.cisco.com/c/ja_jp/support/unified-communications/spa122-ata-router/model.html |
| /spura/ | - | - | - |
| /system/ | - | - | - |
| /templates/ | - | - | - |
| /test/ | - | - | - |
| /tftp/ | TFTP | - | - |
| /tftpboot/ | TFTP | - | - |
| /tftpphone/ | Polycom VVX | - | https://support.itctechnology.com/hc/en-us/articles/202302163-Polycom-VVX-Custom-Phone-Logo |
| /tftproot/ | TFTP | - | - |
| /voice | - | - | - |
| /voipprov/ | - | - | - |
| /xsp1/ | - | - | - |
| /yealink | Yealink | - | - |
| hxxp://191[.]162[.]195[.]26:8605/affcsyyo1zjjdjcerk9 | Unauthorized Relay | - | - |
That is all for this report.