cute_otter’s blog

I keep an observation diary of my honeypots.

Honeypot Observation Diary (2019/02/21)

WOWHoneypot

A brief analysis of the logs captured by the honeypot "WOWHoneypot" on 2019/02/21 (Thu) 00:00–23:59 UTC (day 49 of operation).

There was a probe for Drupal, as well as a batch of WebShell, phpMyAdmin and similar probes.

Overview

  • Period : 2019/02/21 (Thu) 00:00–23:59 UTC
  • Total accesses : 145 (+144 vs. previous day)
  • Unique IP addresses : 10 (+9 vs. previous day)
  • Source countries : 9 (+8 vs. previous day)

Accesses by country

Accesses by country were as follows.

Rank Country Count Prev. rank Prev. count Delta Notes
1. Indonesia 136 - 0 +136 -
2. United States 2 - 0 +2 -
3. Germany 1 - 0 +1 -
4. Spain 1 - 0 +1 -
5. Taiwan 1 - 0 +1 -
6. Japan 1 - 0 +1 -
7. Turkey 1 - 0 +1 -
8. Brazil 1 - 0 +1 -
9. Ukraine 1 - 0 +1 -

Access targets

  • The Drupal probe was made against the path /CHANGELOG.txt.
  • For the first time since 2019/02/14 (7 days), a batch of WebShell, phpMyAdmin and similar probes was observed.
  • For the first time since 2019/02/19 (2 days), a scan by ZGrab was observed.
    • There was 1 such request; its User-Agent was Mozilla/5.0 zgrab/0.x.

Drupal probe

The HTTP request of the Drupal probe is shown below.
It is probably related to the Drupal RCE (Remote Code Execution) vulnerability CVE-2019-6340, which was published on 2019/02/21 (JST). Note that this request is reconnaissance, not the exploit itself: on Drupal 7, CHANGELOG.txt sits at the web root and its first line states the installed release, so fetching it tells the scanner exactly which version it is talking to before it decides what to try next. The header set (a generic Chrome 50 on macOS User-Agent, Connection: close, and no Accept header) looks scripted rather than like a real browser.

GET /CHANGELOG.txt HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
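
To show what the scanner gets out of this file if it is exposed, here is an added example (not from the original post and not Drupal project code). It extracts the release line from a constructed changelog excerpt in the same shape as a Drupal 7 CHANGELOG.txt, returns nothing for bodies that are not a changelog (an HTML error page, for instance), and checks the version against the fix releases of SA-CORE-2019-003 (8.5.11 and 8.6.10; Drupal 7 core was not affected on its own, as the issue there needed contributed REST modules). The changelog text is constructed, not a real capture.

```python
"""Fingerprint a Drupal release from CHANGELOG.txt, the file the scanner
asked for, and check it against the CVE-2019-6340 fix releases.
Added example; the changelog excerpt below is constructed."""
import re
from typing import Optional, Tuple

# Drupal 7 ships CHANGELOG.txt at the web root and every release block starts
# with "Drupal <version>, <date>".  Drupal 8 keeps the file under core/, so a
# 200 on /CHANGELOG.txt usually means a Drupal 7 site.
RELEASE_LINE = re.compile(r"^Drupal (\d+(?:\.\d+)+), (\d{4}-\d{2}-\d{2})\s*$")

# Constructed excerpt in the shape of a Drupal 7 CHANGELOG.txt (not a real capture).
SAMPLE_CHANGELOG = """\
Drupal 7.63, 2019-01-16
-----------------------
- Bug fixes.

Drupal 7.62, 2019-01-15
-----------------------
- Bug fixes.
"""


def drupal_version_from_changelog(body: str) -> Optional[Tuple[str, str]]:
    """(version, release_date) taken from the first non-blank line, or None
    when the body is not a Drupal changelog (e.g. an HTML error page)."""
    for line in body.splitlines():
        line = line.strip()
        if line:
            m = RELEASE_LINE.match(line)
            return (m.group(1), m.group(2)) if m else None
    return None


def core_affected_by_cve_2019_6340(version: str) -> Optional[bool]:
    """True when this Drupal core release predates the SA-CORE-2019-003 fix
    (8.5.11 / 8.6.10).  Drupal 7 core is not affected by itself, so 7.x gives
    False; anything that is not a parseable 7.x or 8.x.y version gives None."""
    try:
        parts = tuple(int(x) for x in version.split("."))
    except ValueError:
        return None
    if parts[0] == 7:
        return False
    if parts[0] != 8 or len(parts) < 3:
        return None
    minor, patch = parts[1], parts[2]
    if minor < 5:
        return True            # 8.4 and older: REST module present, never fixed
    if minor == 5:
        return patch < 11
    if minor == 6:
        return patch < 10
    return False               # 8.7 and later shipped after the fix


if __name__ == "__main__":
    found = drupal_version_from_changelog(SAMPLE_CHANGELOG)
    print("release line:", found)
    if found:
        print("core affected by CVE-2019-6340:", core_affected_by_cve_2019_6340(found[0]))
    print("error page:", drupal_version_from_changelog("<html><title>404</title></html>"))
```

The defensive takeaway is the obvious one: do not serve CHANGELOG.txt and similar metadata files from a production site, so a scanner that already has a target list cannot pick its payload by version.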

List of access targets

The list of access targets is as follows.

Rank Notes Request Count Prev. rank Prev. count Delta
1. Top page access GET / HTTP/1.1 6 - 0 +6
2. WebShell probe POST /qq.php HTTP/1.1 3 - 0 +3
3. WebShell probe GET /shell.php HTTP/1.1 2 - 0 +2
4. WebShell probe GET /cmd.php HTTP/1.1 2 - 0 +2
5. WebShell probe POST /xx.php HTTP/1.1 2 - 0 +2
6. WebShell probe POST /conflg.php HTTP/1.1 2 - 0 +2
7. WebShell probe POST /q.php HTTP/1.1 2 - 0 +2
8. Attack exploiting Microsoft IIS 6.0 vulnerability (CVE-2017-7269) PROPFIND / HTTP/1.1 1 - 0 +1
9. WebDAV probe GET /webdav/ HTTP/1.1 1 - 0 +1
10. WebShell probe GET /0C87E923.php HTTP/1.1 1 - 0 +1
11. WebShell probe GET /help.php HTTP/1.1 1 - 0 +1
12. WebShell probe GET /java.php HTTP/1.1 1 - 0 +1
13. WebShell probe GET /_query.php HTTP/1.1 1 - 0 +1
14. WebShell probe GET /test.php HTTP/1.1 1 - 0 +1
15. WebShell probe GET /db_cts.php HTTP/1.1 1 - 0 +1
16. phpMyAdmin probe GET /db_pma.php HTTP/1.1 1 - 0 +1
17. WebShell probe GET /logon.php HTTP/1.1 1 - 0 +1
18. WebShell probe GET /help-e.php HTTP/1.1 1 - 0 +1
19. WebShell probe GET /license.php HTTP/1.1 1 - 0 +1
20. WebShell probe GET /log.php HTTP/1.1 1 - 0 +1
21. WebShell probe GET /hell.php HTTP/1.1 1 - 0 +1
22. WebShell probe GET /pmd_online.php HTTP/1.1 1 - 0 +1
23. WebShell probe GET /x.php HTTP/1.1 1 - 0 +1
24. WebShell probe GET /htdocs.php HTTP/1.1 1 - 0 +1
25. WebShell probe GET /desktop.ini.php HTTP/1.1 1 - 0 +1
26. WebShell probe GET /z.php HTTP/1.1 1 - 0 +1
27. WebShell probe GET /lala.php HTTP/1.1 1 - 0 +1
28. WebShell probe GET /lala-dpr.php HTTP/1.1 1 - 0 +1
29. WebShell probe GET /wpc.php HTTP/1.1 1 - 0 +1
30. WebShell probe GET /wpo.php HTTP/1.1 1 - 0 +1
31. WebShell probe GET /text.php HTTP/1.1 1 - 0 +1
32. WordPress config file probe GET /wp-config.php HTTP/1.1 1 - 0 +1
33. WebShell probe GET /muhstik.php HTTP/1.1 1 - 0 +1
34. WebShell probe GET /muhstik2.php HTTP/1.1 1 - 0 +1
35. WebShell probe GET /muhstiks.php HTTP/1.1 1 - 0 +1
36. WebShell probe GET /muhstik-dpr.php HTTP/1.1 1 - 0 +1
37. WebShell probe GET /lol.php HTTP/1.1 1 - 0 +1
38. WebShell probe GET /uploader.php HTTP/1.1 1 - 0 +1
39. WebShell probe GET /cmv.php HTTP/1.1 1 - 0 +1
40. WebShell probe GET /cmdd.php HTTP/1.1 1 - 0 +1
41. WebShell probe GET /knal.php HTTP/1.1 1 - 0 +1
42. WebShell probe GET /appserv.php HTTP/1.1 1 - 0 +1
43. phpMyAdmin probe GET /scripts/setup.php HTTP/1.1 1 - 0 +1
44. phpMyAdmin probe GET /phpmyadmin/scripts/setup.php HTTP/1.1 1 - 0 +1
45. phpMyAdmin probe GET /phpMyAdmin/scripts/setup.php HTTP/1.1 1 - 0 +1
46. phpMyAdmin probe GET /phpmyadmin/scripts/db___.init.php HTTP/1.1 1 - 0 +1
47. phpMyAdmin probe GET /phpMyAdmin/scripts/db___.init.php HTTP/1.1 1 - 0 +1
48. Network Weathermap probe GET /plugins/weathermap/editor.php HTTP/1.1 1 - 0 +1
49. Network Weathermap probe GET /cacti/plugins/weathermap/editor.php HTTP/1.1 1 - 0 +1
50. WebShell probe POST /wuwu11.php HTTP/1.1 1 - 0 +1
51. WebShell probe POST /xw.php HTTP/1.1 1 - 0 +1
52. WebShell probe POST /xw1.php HTTP/1.1 1 - 0 +1
53. WebShell probe POST /9678.php HTTP/1.1 1 - 0 +1
54. WebShell probe POST /wc.php HTTP/1.1 1 - 0 +1
55. WebShell probe POST /s.php HTTP/1.1 1 - 0 +1
56. WebShell probe POST /w.php HTTP/1.1 1 - 0 +1
57. WebShell probe POST /sheep.php HTTP/1.1 1 - 0 +1
58. WebShell probe POST /qaq.php HTTP/1.1 1 - 0 +1
59. WebShell probe POST /db.init.php HTTP/1.1 1 - 0 +1
60. WebShell probe POST /db_session.init.php HTTP/1.1 1 - 0 +1
61. WebShell probe POST /db__.init.php HTTP/1.1 1 - 0 +1
62. WebShell probe POST /wp-admins.php HTTP/1.1 1 - 0 +1
63. WebShell probe POST /m.php?pbid=open HTTP/1.1 1 - 0 +1
64. WebShell probe POST /db_dataml.php HTTP/1.1 1 - 0 +1
65. WebShell probe POST /db_desql.php HTTP/1.1 1 - 0 +1
66. WebShell probe POST /mx.php HTTP/1.1 1 - 0 +1
67. WebShell probe POST /wshell.php HTTP/1.1 1 - 0 +1
68. WebShell probe POST /xshell.php HTTP/1.1 1 - 0 +1
69. WebShell probe POST /lindex.php HTTP/1.1 1 - 0 +1
70. WebShell probe POST /phpstudy.php HTTP/1.1 1 - 0 +1
71. WebShell probe POST /phpStudy.php HTTP/1.1 1 - 0 +1
72. WebShell probe POST /weixiao.php HTTP/1.1 1 - 0 +1
73. WebShell probe POST /feixiang.php HTTP/1.1 1 - 0 +1
74. WebShell probe POST /ak47.php HTTP/1.1 1 - 0 +1
75. WebShell probe POST /ak48.php HTTP/1.1 1 - 0 +1
76. WebShell probe POST /xiao.php HTTP/1.1 1 - 0 +1
77. WebShell probe POST /yao.php HTTP/1.1 1 - 0 +1
78. WebShell probe POST /defect.php HTTP/1.1 1 - 0 +1
79. WebShell probe POST /webslee.php HTTP/1.1 1 - 0 +1
80. WebShell probe POST /pe.php HTTP/1.1 1 - 0 +1
81. WebShell probe POST /hm.php HTTP/1.1 1 - 0 +1
82. WebShell probe POST /cainiao.php HTTP/1.1 1 - 0 +1
83. WebShell probe POST /zuoshou.php HTTP/1.1 1 - 0 +1
84. WebShell probe POST /zuo.php HTTP/1.1 1 - 0 +1
85. WebShell probe POST /aotu.php HTTP/1.1 1 - 0 +1
86. WebShell probe POST /aotu7.php HTTP/1.1 1 - 0 +1
87. WebShell probe POST /cmd.php HTTP/1.1 1 - 0 +1
88. WebShell probe POST /bak.php HTTP/1.1 1 - 0 +1
89. WebShell probe POST /system.php HTTP/1.1 1 - 0 +1
90. WebShell probe POST /l6.php HTTP/1.1 1 - 0 +1
91. WebShell probe POST /l7.php HTTP/1.1 1 - 0 +1
92. WebShell probe POST /l8.php HTTP/1.1 1 - 0 +1
93. WebShell probe POST /56.php HTTP/1.1 1 - 0 +1
94. WebShell probe POST /mz.php HTTP/1.1 1 - 0 +1
95. WebShell probe POST /yumo.php HTTP/1.1 1 - 0 +1
96. WebShell probe POST /min.php HTTP/1.1 1 - 0 +1
97. WebShell probe POST /wan.php HTTP/1.1 1 - 0 +1
98. WebShell probe POST /wanan.php HTTP/1.1 1 - 0 +1
99. WebShell probe POST /ssaa.php HTTP/1.1 1 - 0 +1
100. WebShell probe POST /aw.php HTTP/1.1 1 - 0 +1
101. WebShell probe POST /12.php HTTP/1.1 1 - 0 +1
102. WebShell probe POST /hh.php HTTP/1.1 1 - 0 +1
103. WebShell probe POST /ak.php HTTP/1.1 1 - 0 +1
104. WebShell probe POST /ip.php HTTP/1.1 1 - 0 +1
105. WebShell probe POST /infoo.php HTTP/1.1 1 - 0 +1
106. WebShell probe POST /qwe.php HTTP/1.1 1 - 0 +1
107. WebShell probe POST /post.php HTTP/1.1 1 - 0 +1
108. WebShell probe POST /h1.php HTTP/1.1 1 - 0 +1
109. WebShell probe POST /test.php HTTP/1.1 1 - 0 +1
110. WebShell probe POST /3.php HTTP/1.1 1 - 0 +1
111. WebShell probe POST /phpinfi.php HTTP/1.1 1 - 0 +1
112. WebShell probe POST /9510.php HTTP/1.1 1 - 0 +1
113. WebShell probe POST /python.php HTTP/1.1 1 - 0 +1
114. WebShell probe POST /default.php HTTP/1.1 1 - 0 +1
115. WebShell probe POST /sean.php HTTP/1.1 1 - 0 +1
116. WebShell probe POST /app.php HTTP/1.1 1 - 0 +1
117. WebShell probe POST /help.php HTTP/1.1 1 - 0 +1
118. WebShell probe POST /tiandi.php HTTP/1.1 1 - 0 +1
119. WebShell probe POST /miao.php HTTP/1.1 1 - 0 +1
120. WebShell probe POST /xz.php HTTP/1.1 1 - 0 +1
121. WebShell probe POST /linuxse.php HTTP/1.1 1 - 0 +1
122. WebShell probe POST /zuoindex.php HTTP/1.1 1 - 0 +1
123. WebShell probe POST /zshmindex.php HTTP/1.1 1 - 0 +1
124. WebShell probe POST /tomcat.php HTTP/1.1 1 - 0 +1
125. WebShell probe POST /ceshi.php HTTP/1.1 1 - 0 +1
126. WebShell probe POST /1hou.php HTTP/1.1 1 - 0 +1
127. WebShell probe POST /ou2.php HTTP/1.1 1 - 0 +1
128. WebShell probe POST /zuos.php HTTP/1.1 1 - 0 +1
129. WebShell probe POST /zuoshss.php HTTP/1.1 1 - 0 +1
130. WebShell probe POST /boots.php HTTP/1.1 1 - 0 +1
131. phpMyAdmin probe GET /mysql/admin/index.php?lang=en HTTP/1.1 1 - 0 +1
132. Top page access GET / HTTP/1.0 1 - 0 +1
133. Drupal probe GET /CHANGELOG.txt HTTP/1.1 1 - 0 +1
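
For anyone who wants to reproduce tallies like the table above from their own honeypot, here is how I would automate the classification. This is an added example, not WOWHoneypot's own code: it decodes each log line, maps the request line onto the categories used in this diary (specific fingerprints first; any other .php path is counted as a WebShell probe, which is how the table labels them), and counts per category, per request and per source IP, with a rank / previous count / delta view like the table. The log layout is an assumption modelled on the general shape of a WOWHoneypot access log (bracketed timestamp, source ip:port, destination ip:port, HTTP status, matched rule id, and the raw request base64-encoded so CRLFs never break the one-line format); the sample lines are constructed, not real captures.

```python
"""Classify and tally honeypot HTTP requests into the categories used in this
diary.  Added example, not WOWHoneypot's own code; the log layout below is an
assumption and the sample lines are constructed."""
import base64
import re
from collections import Counter
from typing import Optional

# Assumed layout: [timestamp] src:port dst:port status rule_id base64(request)
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) (?P<status>\d{3}) (?P<rule>\S+) (?P<b64>\S+)$"
)
REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")


def classify(method: str, target: str) -> str:
    """Map a request line to a category.  Order matters: specific fingerprints
    first, then any remaining *.php path is treated as a WebShell probe."""
    p = target.split("?", 1)[0].lower()          # ignore the query string
    if method == "PROPFIND" and p == "/":
        return "Attack exploiting Microsoft IIS 6.0 vulnerability (CVE-2017-7269)"
    if p == "/":
        return "Top page access"
    if p == "/changelog.txt":
        return "Drupal probe"
    if p.startswith("/webdav"):
        return "WebDAV probe"
    if p == "/wp-config.php":
        return "WordPress config file probe"
    if p.endswith("/plugins/weathermap/editor.php"):
        return "Network Weathermap probe"
    if ("phpmyadmin" in p or p.startswith("/scripts/")
            or p.startswith("/mysql/admin") or p == "/db_pma.php"):
        return "phpMyAdmin probe"
    if p.endswith(".php"):
        return "WebShell probe"
    return "Other"


def parse_line(line: str) -> Optional[dict]:
    """Decode one log line; None when the line does not fit the layout or the
    payload is not a parseable request line (counted, not silently dropped)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        raw = base64.b64decode(m["b64"], validate=True).decode("latin-1")
    except ValueError:                           # binascii.Error is a ValueError
        return None
    r = REQ_RE.match(raw.splitlines()[0] if raw else "")
    if not r:
        return None
    return {"ts": m["ts"], "src": m["src"], "status": int(m["status"]),
            "method": r["method"], "target": r["target"], "version": r["version"],
            "category": classify(r["method"], r["target"])}


def summarize(lines) -> dict:
    """Counts by category, by full request line and by source IP, plus the
    number of lines that could not be parsed."""
    by_cat, by_req, by_src, unparsed = Counter(), Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_cat[rec["category"]] += 1
        by_req[f"{rec['method']} {rec['target']} {rec['version']}"] += 1
        by_src[rec["src"]] += 1
    return {"total": sum(by_cat.values()), "unique_src": len(by_src),
            "by_category": by_cat, "by_request": by_req, "by_src": by_src,
            "unparsed": unparsed}


def delta_rows(today, yesterday):
    """Rows like the table above: (rank, request, count, previous count, delta)."""
    return [(rank, req, n, yesterday.get(req, 0), n - yesterday.get(req, 0))
            for rank, (req, n) in enumerate(Counter(today).most_common(), 1)]


def _enc(req: str) -> str:
    return base64.b64encode(req.encode("latin-1")).decode("ascii")


def _line(ts, src, req, status=200, rule="1"):
    return f"[{ts}] {src} 198.51.100.5:80 {status} {rule} {_enc(req)}"


H = "Host: 198.51.100.5\r\n"
# Constructed sample log (not real captures); addresses are documentation ranges.
SAMPLE_LOG = [
    _line("2019-02-21 00:12:31+0000", "203.0.113.10:41234", "GET / HTTP/1.1\r\n" + H + "\r\n"),
    _line("2019-02-21 00:12:33+0000", "203.0.113.10:41236", "POST /qq.php HTTP/1.1\r\n" + H + "Content-Length: 0\r\n\r\n"),
    _line("2019-02-21 00:12:35+0000", "203.0.113.10:41238", "POST /qq.php HTTP/1.1\r\n" + H + "Content-Length: 0\r\n\r\n"),
    _line("2019-02-21 03:40:02+0000", "192.0.2.200:50001", "GET /CHANGELOG.txt HTTP/1.1\r\n" + H + "Connection: close\r\n\r\n"),
    _line("2019-02-21 05:01:44+0000", "192.0.2.9:60123", "PROPFIND / HTTP/1.1\r\n" + H + "Content-Length: 0\r\n\r\n", 404, "2"),
    _line("2019-02-21 05:01:45+0000", "192.0.2.9:60124", "GET /webdav/ HTTP/1.1\r\n" + H + "\r\n", 404),
    _line("2019-02-21 07:15:00+0000", "203.0.113.10:41300", "GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n" + H + "\r\n"),
    _line("2019-02-21 07:15:01+0000", "203.0.113.10:41301", "GET /cacti/plugins/weathermap/editor.php HTTP/1.1\r\n" + H + "\r\n"),
    _line("2019-02-21 07:15:02+0000", "203.0.113.10:41302", "GET /wp-config.php HTTP/1.1\r\n" + H + "\r\n"),
    _line("2019-02-21 09:00:00+0000", "203.0.113.10:41400", "GET /mysql/admin/index.php?lang=en HTTP/1.1\r\n" + H + "\r\n"),
    "this line is not in the expected format",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["total"], "requests,", s["unique_src"], "unique IPs,", s["unparsed"], "unparsed")
    for rank, req, n, prev, d in delta_rows(s["by_request"], {}):
        print(f"{rank}. {classify(*req.split(' ')[:2])} {req} {n} - {prev} {d:+d}")
```

The classifier is deliberately ordered the way the table is labelled: the few paths with a known product behind them (CHANGELOG.txt, the phpMyAdmin setup scripts, the Weathermap editor, wp-config.php) get their own bucket, and the long tail of one-off .php names falls into the WebShell bucket. Malformed lines are counted rather than dropped, which is the check I would want before trusting a daily total.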

That concludes the brief analysis of the logs captured by WOWHoneypot.