Honeypot Observation Diary (2019/02/21)
WOWHoneypot
This is a simple analysis of the logs collected by the honeypot "WOWHoneypot" between 00:00 and 23:59 UTC on 2019/02/21 (Thu), day 49 of operation.
There were probes for Drupal, as well as a batch of probes for WebShells, phpMyAdmin, and the like.
Overview
- Aggregation period: 2019/02/21 (Thu) 00:00~23:59 UTC
- Total accesses: 145 (+144 from the previous day)
- WebShell probes: 125
- Accesses to the top page: 7
- phpMyAdmin probes: 7
- Network Weathermap probes: 2
- Attacks exploiting the Microsoft IIS 6.0 vulnerability (CVE-2017-7269): 1
- WebDAV probes: 1
- WordPress configuration file probes: 1
- Drupal probes: 1
- Unique IP addresses: 10 (+9 from the previous day)
- Source countries: 9 (+8 from the previous day)
Accesses by country
The access counts by country are as follows.
Rank | Country | Count | Previous day's rank | Previous day's count | Difference | Notes |
---|---|---|---|---|---|---|
1. | Indonesia | 136 | - | 0 | +136 | - |
2. | United States | 2 | - | 0 | +2 | - |
3. | Germany | 1 | - | 0 | +1 | - |
4. | Spain | 1 | - | 0 | +1 | - |
5. | Taiwan | 1 | - | 0 | +1 | - |
6. | Japan | 1 | - | 0 | +1 | - |
7. | Turkey | 1 | - | 0 | +1 | - |
8. | Brazil | 1 | - | 0 | +1 | - |
9. | Ukraine | 1 | - | 0 | +1 | - |
Destinations
- The Drupal probe was made against the path /CHANGELOG.txt.
- For the first time in 7 days, since 2019/02/14, we observed a batch of probes for WebShells, phpMyAdmin, and the like.
- For the first time in 2 days, since 2019/02/19, we observed scanning by ZGrab.
- There was 1 such request, and its User-Agent was Mozilla/5.0 zgrab/0.x.
Drupal probe
The HTTP request of the Drupal probe is as follows.
It appears to be related to the Drupal RCE (Remote Code Execution) vulnerability (CVE-2019-6340) disclosed on 2019/02/21 (JST).
GET /CHANGELOG.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Currently seeing Drupal-related scans attempting to use the "CHANGELOG.txt" method to locate vulnerable sites due to CVE-2019-6340.
— Bad Packets Report (@bad_packets) February 22, 2019
The correct path for Drupal 8 is /core/CHANGELOG.txt – however you won't find the version the site using. It's just a generic message. pic.twitter.com/AWzhJH8t2l
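As an added example (not code from this diary or from the WOWHoneypot project), the following Python script reproduces the kind of categorisation that the overview and the destination list in this diary perform: it parses log lines, maps each request line onto the diary's categories (Drupal probe, phpMyAdmin probe, WebShell probe, and so on), aggregates totals and unique source IPs, and pulls the User-Agent out of a raw request such as the one above so that a ZGrab scan can be recognised. The log layout (timestamp, client IP, quoted request line), the sample IPs and the rule set derived from the table labels are all assumptions of this example, not WOWHoneypot's own format or rules.

```python
import re
from collections import Counter

# Constructed sample log in a simplified layout assumed for this example:
#   <ISO-8601 timestamp> <client IP> "<request line>"
# This is NOT WOWHoneypot's own log format; only the request lines echo the
# kinds of paths listed in the diary's destination table.
SAMPLE_LOG = """\
2019-02-21T00:12:03Z 198.51.100.7 "GET / HTTP/1.1"
2019-02-21T01:40:22Z 203.0.113.5 "POST /qq.php HTTP/1.1"
2019-02-21T01:40:23Z 203.0.113.5 "GET /shell.php HTTP/1.1"
2019-02-21T01:40:24Z 203.0.113.5 "GET /db_pma.php HTTP/1.1"
2019-02-21T02:05:10Z 203.0.113.5 "GET /phpmyadmin/scripts/setup.php HTTP/1.1"
2019-02-21T03:18:41Z 192.0.2.44 "PROPFIND / HTTP/1.1"
2019-02-21T04:22:09Z 192.0.2.45 "GET /webdav/ HTTP/1.1"
2019-02-21T05:01:55Z 192.0.2.46 "GET /wp-config.php HTTP/1.1"
2019-02-21T06:30:00Z 192.0.2.47 "GET /cacti/plugins/weathermap/editor.php HTTP/1.1"
2019-02-21T07:45:12Z 192.0.2.48 "GET /CHANGELOG.txt HTTP/1.1"
2019-02-21T08:00:00Z 192.0.2.49 "GET / HTTP/1.0"
2019-02-21T09:00:00Z 192.0.2.50 "GET /robots.txt HTTP/1.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) HTTP/\d\.\d"$')

# Ordered rules using the diary's own category labels. Order matters: the more
# specific rules (phpMyAdmin, Weathermap, WordPress config) must run before the
# generic "any .php file at the web root" WebShell rule.
RULES = [
    ("Drupal probe", re.compile(r"^GET /(?:core/)?CHANGELOG\.txt$")),
    ("WordPress config file probe", re.compile(r"^GET /wp-config\.php$")),
    ("Network Weathermap probe", re.compile(r"/plugins/weathermap/editor\.php$")),
    ("phpMyAdmin probe",
     re.compile(r"(?i)/(?:phpmyadmin|mysql/admin)/|/scripts/setup\.php$|^GET /db_pma\.php$")),
    ("Attack exploiting Microsoft IIS 6.0 vulnerability (CVE-2017-7269)",
     re.compile(r"^PROPFIND /$")),
    ("WebDAV probe", re.compile(r"^GET /webdav/?$")),
    ("Access to top page", re.compile(r"^GET /$")),
    ("WebShell probe", re.compile(r"^(?:GET|POST) /[^/?]+\.php(?:\?\S*)?$")),
]


def parse_line(line):
    """Split one log line into (timestamp, client_ip, 'METHOD /path'); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path = m.groups()
    return ts, ip, f"{method} {path}"


def classify(request):
    """Map 'METHOD /path' onto one of the diary's categories, or 'other'."""
    for label, pattern in RULES:
        if pattern.search(request):
            return label
    return "other"


def summarize(log_text):
    """Aggregate the figures the overview reports: total, per category, unique IPs."""
    categories = Counter()
    ips = set()
    total = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than miscount
        _, ip, request = parsed
        total += 1
        ips.add(ip)
        categories[classify(request)] += 1
    return {"total": total, "categories": dict(categories), "unique_ips": len(ips)}


def user_agent_of(raw_request):
    """Pull the User-Agent header out of a raw HTTP request (CRLF or LF separated)."""
    for header in raw_request.replace("\r\n", "\n").split("\n")[1:]:
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def is_zgrab(user_agent):
    """ZGrab identifies itself with 'zgrab/<version>' in its User-Agent, as seen in the diary."""
    return bool(user_agent) and "zgrab/" in user_agent.lower()


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"Total accesses: {result['total']}, unique IPs: {result['unique_ips']}")
    for label, count in sorted(result["categories"].items(), key=lambda kv: -kv[1]):
        print(f"  {label}: {count}")
```

The rules are deliberately conservative: a single PROPFIND against / is labelled the way the diary labels it, but on a real deployment it is worth confirming that the request body actually carries the CVE-2017-7269 pattern before counting it as an exploit attempt rather than plain WebDAV discovery.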
Destination list
The list of destinations is as follows.
Rank | Notes | Destination | Count | Previous day's rank | Previous day's count | Difference |
---|---|---|---|---|---|---|
1. | Access to top page | GET / HTTP/1.1 | 6 | - | 0 | +6 |
2. | WebShell probe | POST /qq.php HTTP/1.1 | 3 | - | 0 | +3 |
3. | WebShell probe | GET /shell.php HTTP/1.1 | 2 | - | 0 | +2 |
4. | WebShell probe | GET /cmd.php HTTP/1.1 | 2 | - | 0 | +2 |
5. | WebShell probe | POST /xx.php HTTP/1.1 | 2 | - | 0 | +2 |
6. | WebShell probe | POST /conflg.php HTTP/1.1 | 2 | - | 0 | +2 |
7. | WebShell probe | POST /q.php HTTP/1.1 | 2 | - | 0 | +2 |
8. | Attack exploiting Microsoft IIS 6.0 vulnerability (CVE-2017-7269) | PROPFIND / HTTP/1.1 | 1 | - | 0 | +1 |
9. | WebDAV probe | GET /webdav/ HTTP/1.1 | 1 | - | 0 | +1 |
10. | WebShell probe | GET /0C87E923.php HTTP/1.1 | 1 | - | 0 | +1 |
11. | WebShell probe | GET /help.php HTTP/1.1 | 1 | - | 0 | +1 |
12. | WebShell probe | GET /java.php HTTP/1.1 | 1 | - | 0 | +1 |
13. | WebShell probe | GET /_query.php HTTP/1.1 | 1 | - | 0 | +1 |
14. | WebShell probe | GET /test.php HTTP/1.1 | 1 | - | 0 | +1 |
15. | WebShell probe | GET /db_cts.php HTTP/1.1 | 1 | - | 0 | +1 |
16. | phpMyAdmin probe | GET /db_pma.php HTTP/1.1 | 1 | - | 0 | +1 |
17. | WebShell probe | GET /logon.php HTTP/1.1 | 1 | - | 0 | +1 |
18. | WebShell probe | GET /help-e.php HTTP/1.1 | 1 | - | 0 | +1 |
19. | WebShell probe | GET /license.php HTTP/1.1 | 1 | - | 0 | +1 |
20. | WebShell probe | GET /log.php HTTP/1.1 | 1 | - | 0 | +1 |
21. | WebShell probe | GET /hell.php HTTP/1.1 | 1 | - | 0 | +1 |
22. | WebShell probe | GET /pmd_online.php HTTP/1.1 | 1 | - | 0 | +1 |
23. | WebShell probe | GET /x.php HTTP/1.1 | 1 | - | 0 | +1 |
24. | WebShell probe | GET /htdocs.php HTTP/1.1 | 1 | - | 0 | +1 |
25. | WebShell probe | GET /desktop.ini.php HTTP/1.1 | 1 | - | 0 | +1 |
26. | WebShell probe | GET /z.php HTTP/1.1 | 1 | - | 0 | +1 |
27. | WebShell probe | GET /lala.php HTTP/1.1 | 1 | - | 0 | +1 |
28. | WebShell probe | GET /lala-dpr.php HTTP/1.1 | 1 | - | 0 | +1 |
29. | WebShell probe | GET /wpc.php HTTP/1.1 | 1 | - | 0 | +1 |
30. | WebShell probe | GET /wpo.php HTTP/1.1 | 1 | - | 0 | +1 |
31. | WebShell probe | GET /text.php HTTP/1.1 | 1 | - | 0 | +1 |
32. | WordPress configuration file probe | GET /wp-config.php HTTP/1.1 | 1 | - | 0 | +1 |
33. | WebShell probe | GET /muhstik.php HTTP/1.1 | 1 | - | 0 | +1 |
34. | WebShell probe | GET /muhstik2.php HTTP/1.1 | 1 | - | 0 | +1 |
35. | WebShell probe | GET /muhstiks.php HTTP/1.1 | 1 | - | 0 | +1 |
36. | WebShell probe | GET /muhstik-dpr.php HTTP/1.1 | 1 | - | 0 | +1 |
37. | WebShell probe | GET /lol.php HTTP/1.1 | 1 | - | 0 | +1 |
38. | WebShell probe | GET /uploader.php HTTP/1.1 | 1 | - | 0 | +1 |
39. | WebShell probe | GET /cmv.php HTTP/1.1 | 1 | - | 0 | +1 |
40. | WebShell probe | GET /cmdd.php HTTP/1.1 | 1 | - | 0 | +1 |
41. | WebShell probe | GET /knal.php HTTP/1.1 | 1 | - | 0 | +1 |
42. | WebShell probe | GET /appserv.php HTTP/1.1 | 1 | - | 0 | +1 |
43. | phpMyAdmin probe | GET /scripts/setup.php HTTP/1.1 | 1 | - | 0 | +1 |
44. | phpMyAdmin probe | GET /phpmyadmin/scripts/setup.php HTTP/1.1 | 1 | - | 0 | +1 |
45. | phpMyAdmin probe | GET /phpMyAdmin/scripts/setup.php HTTP/1.1 | 1 | - | 0 | +1 |
46. | phpMyAdmin probe | GET /phpmyadmin/scripts/db___.init.php HTTP/1.1 | 1 | - | 0 | +1 |
47. | phpMyAdmin probe | GET /phpMyAdmin/scripts/db___.init.php HTTP/1.1 | 1 | - | 0 | +1 |
48. | Network Weathermap probe | GET /plugins/weathermap/editor.php HTTP/1.1 | 1 | - | 0 | +1 |
49. | Network Weathermap probe | GET /cacti/plugins/weathermap/editor.php HTTP/1.1 | 1 | - | 0 | +1 |
50. | WebShell probe | POST /wuwu11.php HTTP/1.1 | 1 | - | 0 | +1 |
51. | WebShell probe | POST /xw.php HTTP/1.1 | 1 | - | 0 | +1 |
52. | WebShell probe | POST /xw1.php HTTP/1.1 | 1 | - | 0 | +1 |
53. | WebShell probe | POST /9678.php HTTP/1.1 | 1 | - | 0 | +1 |
54. | WebShell probe | POST /wc.php HTTP/1.1 | 1 | - | 0 | +1 |
55. | WebShell probe | POST /s.php HTTP/1.1 | 1 | - | 0 | +1 |
56. | WebShell probe | POST /w.php HTTP/1.1 | 1 | - | 0 | +1 |
57. | WebShell probe | POST /sheep.php HTTP/1.1 | 1 | - | 0 | +1 |
58. | WebShell probe | POST /qaq.php HTTP/1.1 | 1 | - | 0 | +1 |
59. | WebShell probe | POST /db.init.php HTTP/1.1 | 1 | - | 0 | +1 |
60. | WebShell probe | POST /db_session.init.php HTTP/1.1 | 1 | - | 0 | +1 |
61. | WebShell probe | POST /db__.init.php HTTP/1.1 | 1 | - | 0 | +1 |
62. | WebShell probe | POST /wp-admins.php HTTP/1.1 | 1 | - | 0 | +1 |
63. | WebShell probe | POST /m.php?pbid=open HTTP/1.1 | 1 | - | 0 | +1 |
64. | WebShell probe | POST /db_dataml.php HTTP/1.1 | 1 | - | 0 | +1 |
65. | WebShell probe | POST /db_desql.php HTTP/1.1 | 1 | - | 0 | +1 |
66. | WebShell probe | POST /mx.php HTTP/1.1 | 1 | - | 0 | +1 |
67. | WebShell probe | POST /wshell.php HTTP/1.1 | 1 | - | 0 | +1 |
68. | WebShell probe | POST /xshell.php HTTP/1.1 | 1 | - | 0 | +1 |
69. | WebShell probe | POST /lindex.php HTTP/1.1 | 1 | - | 0 | +1 |
70. | WebShell probe | POST /phpstudy.php HTTP/1.1 | 1 | - | 0 | +1 |
71. | WebShell probe | POST /phpStudy.php HTTP/1.1 | 1 | - | 0 | +1 |
72. | WebShell probe | POST /weixiao.php HTTP/1.1 | 1 | - | 0 | +1 |
73. | WebShell probe | POST /feixiang.php HTTP/1.1 | 1 | - | 0 | +1 |
74. | WebShell probe | POST /ak47.php HTTP/1.1 | 1 | - | 0 | +1 |
75. | WebShell probe | POST /ak48.php HTTP/1.1 | 1 | - | 0 | +1 |
76. | WebShell probe | POST /xiao.php HTTP/1.1 | 1 | - | 0 | +1 |
77. | WebShell probe | POST /yao.php HTTP/1.1 | 1 | - | 0 | +1 |
78. | WebShell probe | POST /defect.php HTTP/1.1 | 1 | - | 0 | +1 |
79. | WebShell probe | POST /webslee.php HTTP/1.1 | 1 | - | 0 | +1 |
80. | WebShell probe | POST /pe.php HTTP/1.1 | 1 | - | 0 | +1 |
81. | WebShell probe | POST /hm.php HTTP/1.1 | 1 | - | 0 | +1 |
82. | WebShell probe | POST /cainiao.php HTTP/1.1 | 1 | - | 0 | +1 |
83. | WebShell probe | POST /zuoshou.php HTTP/1.1 | 1 | - | 0 | +1 |
84. | WebShell probe | POST /zuo.php HTTP/1.1 | 1 | - | 0 | +1 |
85. | WebShell probe | POST /aotu.php HTTP/1.1 | 1 | - | 0 | +1 |
86. | WebShell probe | POST /aotu7.php HTTP/1.1 | 1 | - | 0 | +1 |
87. | WebShell probe | POST /cmd.php HTTP/1.1 | 1 | - | 0 | +1 |
88. | WebShell probe | POST /bak.php HTTP/1.1 | 1 | - | 0 | +1 |
89. | WebShell probe | POST /system.php HTTP/1.1 | 1 | - | 0 | +1 |
90. | WebShell probe | POST /l6.php HTTP/1.1 | 1 | - | 0 | +1 |
91. | WebShell probe | POST /l7.php HTTP/1.1 | 1 | - | 0 | +1 |
92. | WebShell probe | POST /l8.php HTTP/1.1 | 1 | - | 0 | +1 |
93. | WebShell probe | POST /56.php HTTP/1.1 | 1 | - | 0 | +1 |
94. | WebShell probe | POST /mz.php HTTP/1.1 | 1 | - | 0 | +1 |
95. | WebShell probe | POST /yumo.php HTTP/1.1 | 1 | - | 0 | +1 |
96. | WebShell probe | POST /min.php HTTP/1.1 | 1 | - | 0 | +1 |
97. | WebShell probe | POST /wan.php HTTP/1.1 | 1 | - | 0 | +1 |
98. | WebShell probe | POST /wanan.php HTTP/1.1 | 1 | - | 0 | +1 |
99. | WebShell probe | POST /ssaa.php HTTP/1.1 | 1 | - | 0 | +1 |
100. | WebShell probe | POST /aw.php HTTP/1.1 | 1 | - | 0 | +1 |
101. | WebShell probe | POST /12.php HTTP/1.1 | 1 | - | 0 | +1 |
102. | WebShell probe | POST /hh.php HTTP/1.1 | 1 | - | 0 | +1 |
103. | WebShell probe | POST /ak.php HTTP/1.1 | 1 | - | 0 | +1 |
104. | WebShell probe | POST /ip.php HTTP/1.1 | 1 | - | 0 | +1 |
105. | WebShell probe | POST /infoo.php HTTP/1.1 | 1 | - | 0 | +1 |
106. | WebShell probe | POST /qwe.php HTTP/1.1 | 1 | - | 0 | +1 |
107. | WebShell probe | POST /post.php HTTP/1.1 | 1 | - | 0 | +1 |
108. | WebShell probe | POST /h1.php HTTP/1.1 | 1 | - | 0 | +1 |
109. | WebShell probe | POST /test.php HTTP/1.1 | 1 | - | 0 | +1 |
110. | WebShell probe | POST /3.php HTTP/1.1 | 1 | - | 0 | +1 |
111. | WebShell probe | POST /phpinfi.php HTTP/1.1 | 1 | - | 0 | +1 |
112. | WebShell probe | POST /9510.php HTTP/1.1 | 1 | - | 0 | +1 |
113. | WebShell probe | POST /python.php HTTP/1.1 | 1 | - | 0 | +1 |
114. | WebShell probe | POST /default.php HTTP/1.1 | 1 | - | 0 | +1 |
115. | WebShell probe | POST /sean.php HTTP/1.1 | 1 | - | 0 | +1 |
116. | WebShell probe | POST /app.php HTTP/1.1 | 1 | - | 0 | +1 |
117. | WebShell probe | POST /help.php HTTP/1.1 | 1 | - | 0 | +1 |
118. | WebShell probe | POST /tiandi.php HTTP/1.1 | 1 | - | 0 | +1 |
119. | WebShell probe | POST /miao.php HTTP/1.1 | 1 | - | 0 | +1 |
120. | WebShell probe | POST /xz.php HTTP/1.1 | 1 | - | 0 | +1 |
121. | WebShell probe | POST /linuxse.php HTTP/1.1 | 1 | - | 0 | +1 |
122. | WebShell probe | POST /zuoindex.php HTTP/1.1 | 1 | - | 0 | +1 |
123. | WebShell probe | POST /zshmindex.php HTTP/1.1 | 1 | - | 0 | +1 |
124. | WebShell probe | POST /tomcat.php HTTP/1.1 | 1 | - | 0 | +1 |
125. | WebShell probe | POST /ceshi.php HTTP/1.1 | 1 | - | 0 | +1 |
126. | WebShell probe | POST /1hou.php HTTP/1.1 | 1 | - | 0 | +1 |
127. | WebShell probe | POST /ou2.php HTTP/1.1 | 1 | - | 0 | +1 |
128. | WebShell probe | POST /zuos.php HTTP/1.1 | 1 | - | 0 | +1 |
129. | WebShell probe | POST /zuoshss.php HTTP/1.1 | 1 | - | 0 | +1 |
130. | WebShell probe | POST /boots.php HTTP/1.1 | 1 | - | 0 | +1 |
131. | phpMyAdmin probe | GET /mysql/admin/index.php?lang=en HTTP/1.1 | 1 | - | 0 | +1 |
132. | Access to top page | GET / HTTP/1.0 | 1 | - | 0 | +1 |
133. | Drupal probe | GET /CHANGELOG.txt HTTP/1.1 | 1 | - | 0 | +1 |
That concludes the simple analysis of the logs collected by WOWHoneypot.