Simple honeypot analysis, day 18

The number of accesses on 2019-04-18 was 1514.

■ The number of source IP addresses is 282.

■ The list of methods and their counts is as follows.

method   count
CONNECT      2
GET        767
OPTIONS      4
POST       741
Total     1514

■ The list of access paths and their counts is as follows.

path  method  count
/  GET  51
/  OPTIONS  4
//myadmin/scripts/setup.php  GET  2
//phpmyadmin/scripts/setup.php  GET  1
//pma/scripts/setup.php  GET  1
/admin/scripts/setup.php  GET  1
/administrator/index.php  GET  1
/api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp  GET  1
/blog//?author=1  GET  1
/blog//wp-json/wp/v2/users/  GET  1
/blog/wp-login.php  GET  32
/blog/wp-login.php  POST  31
/blog/xmlrpc.php  POST  31
/cms//?author=1  GET  1
/cms//wp-json/wp/v2/users/  GET  1
/cms/wp-login.php  GET  33
/cms/wp-login.php  POST  30
/cms/xmlrpc.php  POST  31
/dbadmin/scripts/setup.php  GET  1
/HNAP1/  GET  2
/manager/html  GET  281
/muieblackcat  GET  1
/myadmin/scripts/setup.php  GET  2
/mysql/scripts/setup.php  GET  1
/mysqladmin/scripts/setup.php  GET  1
/phpma/scripts/setup.php  GET  1
/phpMyAdmin/scripts/setup.php  GET  2
/pma/scripts/setup.php  GET  2
/sqlweb/scripts/setup.php  GET  1
/tmUnblock.cgi  POST  1
/TP/public/index.php  GET  5
/TP/public/index.php?s=captcha  POST  4
/TP/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1  GET  4
/users?page=&size=5  POST  3
/w00tw00t.at.blackhats.romanian.anti-sec:)  GET  1
/webdb/scripts/setup.php  GET  1
/websql/scripts/setup.php  GET  1
/wordpress//?author=1  GET  1
/wordpress//wp-json/wp/v2/users/  GET  1
/wordpress/wp-login.php  GET  32
/wordpress/wp-login.php  POST  30
/wordpress/xmlrpc.php  POST  31
/wp-login.php  GET  31
/wp-login.php  POST  31
/wp//?author=1  GET  1
/wp//wp-json/wp/v2/users/  GET  1
/wp/wp-login.php  GET  32
/wp/wp-login.php  POST  31
/wp/xmlrpc.php  POST  31
/wp1//?author=1  GET  1
/wp1//wp-json/wp/v2/users/  GET  1
/wp1/wp-login.php  GET  31
/wp1/wp-login.php  POST  29
/wp1/xmlrpc.php  POST  29
/wp2//?author=1  GET  1
/wp2//wp-json/wp/v2/users/  GET  1
/wp2/wp-login.php  GET  30
/wp2/wp-login.php  POST  31
/wp2/xmlrpc.php  POST  31
/wp3//?author=1  GET  1
/wp3//wp-json/wp/v2/users/  GET  1
/wp3/wp-login.php  GET  31
/wp3/wp-login.php  POST  30
/wp3/xmlrpc.php  POST  31
/wp4//?author=1  GET  1
/wp4//wp-json/wp/v2/users/  GET  1
/wp4/wp-login.php  GET  31
/wp4/wp-login.php  POST  31
/wp4/xmlrpc.php  POST  31
/wp5//?author=1  GET  1
/wp5//wp-json/wp/v2/users/  GET  1
/wp5/wp-login.php  GET  32
/wp5/wp-login.php  POST  31
/wp5/xmlrpc.php  POST  31
/wp6//?author=1  GET  1
/wp6//wp-json/wp/v2/users/  GET  1
/wp6/wp-login.php  GET  32
/wp6/wp-login.php  POST  31
/wp6/xmlrpc.php  POST  31
/wp8//?author=1  GET  1
/wp8/wp-login.php  GET  30
/wp8/wp-login.php  POST  29
/wp8/xmlrpc.php  POST  29
/xmlrpc.php  POST  31
http://110.249.212.46/testget?q=23333&port=80  GET  2
http://www.baidu.com/  GET  2
www.baidu.com:443  CONNECT  2

Logs of interest

Because of the large number of WordPress-related requests, this is the largest volume of data so far.

The traffic splits cleanly into three parts: probing of wp-login.php, login attempts against wp-login.php, and XML POSTs to /xmlrpc.php.

Requests to "~/xmlrpc.php" from IPs that are not allowlisted should be blocked.

-=-= Log entry #507 =-=-

[2019-04-18 13:33:27+0900] 79.127.127.253 ほげ:80 "GET /muieblackcat HTTP/1.1" 200 False 
GET /muieblackcat HTTP/1.1
 Accept: */*
 Accept-Language: en-us
 Accept-Encoding: gzip, deflate
 Host: ほげ
 Connection: Close

"muieblackcat" caught my attention, so I looked it up; it is apparently a vulnerability scanner. Narrowing the log down by that IP, it looks like a phpMyAdmin scanner.

time  src_ip  path  count
13:33:27  79.127.127.253  /muieblackcat  1
13:33:35  79.127.127.253  //phpmyadmin/scripts/setup.php  1
13:33:36  79.127.127.253  //myadmin/scripts/setup.php  1
13:33:37  79.127.127.254  //pma/scripts/setup.php  1
13:33:37  79.127.127.253  //myadmin/scripts/setup.php  1
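As an added example (my own code, not from this blog or its honeypot), here is a small Python script that groups honeypot log lines by source IP and tags the two patterns discussed above: the WordPress user-enumeration followed by wp-login.php/xmlrpc.php POSTs, and the muieblackcat plus setup.php phpMyAdmin scan. The log-line shape is taken from the single sample entry shown above; the sample lines, the hostname honeypot.example and the 198.51.100.7/203.0.113.9 addresses are constructed.

```python
import re
from collections import defaultdict

# Line shape copied from the one sample entry on this page (assumption: all lines share it).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) \S+ "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d+'
)

# Constructed sample lines (not from the honeypot) mirroring the sequences the tables above show.
SAMPLE_LOG = """\
[2019-04-18 13:33:27+0900] 79.127.127.253 honeypot.example:80 "GET /muieblackcat HTTP/1.1" 200 False
[2019-04-18 13:33:35+0900] 79.127.127.253 honeypot.example:80 "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 False
[2019-04-18 13:33:36+0900] 79.127.127.253 honeypot.example:80 "GET //myadmin/scripts/setup.php HTTP/1.1" 404 False
[2019-04-18 14:02:01+0900] 198.51.100.7 honeypot.example:80 "GET /wp//?author=1 HTTP/1.1" 200 False
[2019-04-18 14:02:02+0900] 198.51.100.7 honeypot.example:80 "GET /wp//wp-json/wp/v2/users/ HTTP/1.1" 200 False
[2019-04-18 14:02:05+0900] 198.51.100.7 honeypot.example:80 "POST /wp/wp-login.php HTTP/1.1" 200 False
[2019-04-18 14:02:09+0900] 198.51.100.7 honeypot.example:80 "POST /wp/xmlrpc.php HTTP/1.1" 200 False
[2019-04-18 15:10:44+0900] 203.0.113.9 honeypot.example:80 "GET / HTTP/1.1" 200 False
"""

def parse(log_text):
    """Group (timestamp, method, path) tuples per source IP; non-matching lines are skipped."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m["ip"]].append((m["ts"], m["method"], m["path"]))
    return by_ip

def classify(requests):
    """Tag one source IP's requests with the two patterns this post describes."""
    tags = set()
    paths = {p for _, _, p in requests}
    posts = {p for _, meth, p in requests if meth == "POST"}
    # WordPress chain: user enumeration (?author=1 / REST users endpoint), then POSTs
    # to wp-login.php or xmlrpc.php from the same IP.
    enumerates = any("?author=" in p or "/wp-json/wp/v2/users" in p for p in paths)
    if enumerates and any(p.endswith(("wp-login.php", "xmlrpc.php")) for p in posts):
        tags.add("wordpress-bruteforce-chain")
    # phpMyAdmin scanner: the /muieblackcat probe and/or guessed .../scripts/setup.php paths.
    if "/muieblackcat" in paths or any(p.endswith("/scripts/setup.php") for p in paths):
        tags.add("phpmyadmin-scanner")
    return tags

def report(log_text):
    """Map every source IP seen in the log to its set of tags (empty set = nothing flagged)."""
    return {ip: classify(reqs) for ip, reqs in parse(log_text).items()}
```

Call report(SAMPLE_LOG) to get the per-IP tags; pass the honeypot's own log text in place of the constructed sample to run it over a real day.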