Attack Detection Trends Seen Through a Honeypot: Secret Files


February 16, 2019: 4th Cybersecurity Study Meetup 2019 in Shiojiri
@morihi_soc #shiojiri_oss
https://connpass.com/event/109559/


Kazuaki Morihisa

February 16, 2019

Transcript

  1. February 16, 2019. Presentation slides for the 4th Cybersecurity Study Meetup 2019 in Shiojiri: "Attack Detection Trends Seen Through a Honeypot: Secret Files". @morihi_soc

  2. Honeypots and Secret Files. whoami
     • Kazuaki Morihisa (@morihi_soc)
     • Day job: network security engineer and analyst
     • Runs honeypots as a hobby, i.e. a "honeypotter"
     • Blog: https://www.morihi-soc.net
     • Organizer of the Honeypotter Technical Exchange Meetup (group on connpass)
     Events I have been involved with (partial list): ITKeys (now SecCap), the "Reading Network Packets" meetup (tentative name), NISC Cyber Halloween, Internet Week, Hardening, ssmjp, AISec, StudyCode, the tktk security meetup, the All-Kansai Cybersecurity LT meetup, OWASP Nagoya, IoTSecJP, the Sumida security meetup.
     Published books and technical doujinshi (NEW, October 2018, pictured below).
  3. Agenda
     • Introduction to honeypots
     • SSH honeypots
     • Web honeypots
     • The server files attackers want to see
     • Attack techniques
     • Attack logs
     • Summary
  4. Introduction to honeypots
     • A honeypot is a system built on the premise that it will deliberately receive attacks.
     • A person who operates a honeypot is called a "honeypotter".
     • A honeypot can collect a wide variety of logs.
     • Precisely because the honeypots have been run over a long period, attack trends can be identified.
  5. Low-interaction honeypots
     • Low-interaction: an approach that mimics real software and similar targets.
     • SSH honeypot: records the OS commands entered by an attacker who has connected remotely over SSH, so that they can be observed.
     • Web honeypot: accepts HTTP requests, so that behaviour such as probing for web application vulnerabilities or for files can be observed.
     Note: there are many classification schemes and many kinds of honeypots.
  6. Example of SSH honeypot observation: "Traces after an unauthorized login, captured with the SSH honeypot Kippo (2)", https://youtu.be/iFvLr55A5nU

  7. Introducing WOWHoneypot, the honeypot that welcomes attackers (Welcome to Omotenashi Web Honeypot). The diagram shows the exchange between the attacker and WOWHoneypot:
     1. Attacker: "Let's mess with this one." GET /wordpress/wp-login.php HTTP/1.1
     2. WOWHoneypot: "This is a WordPress page. Go ahead!" 200 OK. Attacker: "Oh, WordPress is running. It's wp-login.php, so let's go after WordPress."
     3. Attacker: login brute-force attacks and the like. POST /wordpress/wp-login.php HTTP/1.1
     Both requests are captured for analysis. GitHub: https://github.com/morihisa/WOWHoneypot
  8. The server files attackers want to see
     • Attackers' goals vary.
     • They include information theft and financial gain, but the first step is always collecting information about the target server.
     • The attacker then uses what was learned to compromise the server.
     • Files that hold passwords, and configuration files in general, are attractive to attackers.
     • On a web honeypot, I focused on attacks that try to read files and examined the logs.
  9. Sample attack log
     • WOWHoneypot can store the full text of each request.
     • This is convenient when analyzing logs after the fact.
     • The first line of a log entry contains the path or name of the file the request is trying to access.
  10. Number of morihi-soc log entries for the year (the total number of log entries from the WOWHoneypot I run personally). No photos, no social media: shown only at the venue.
  11. Attacks that read files inside the server
     • On the web, roughly two attack techniques are used.
     • Methods that target a vulnerability: abusing vulnerabilities such as local file inclusion (LFI) or directory traversal (also called path traversal) to read files.
     • Methods that target misconfiguration: mainly targeting servers whose access restrictions are insufficient, and reading files there.
  12. The basic idea behind the attacks (diagram of the file system layout)
     • Whole file system (non-public area): an area to which outside access is not allowed, where OS system files and the like are placed.
     • Web service directory (non-public area): an area to which outside access is not allowed. Example configuration file: .htpasswd.
     • Web service directory (public area): an area anyone can access, where the web site's main content is placed.
     • Directory for specific users (partially public area): for example an information-sharing bulletin board where only users who know the password are allowed access. Example configuration file: .htaccess.
     Being able to reach a higher level from the public area without authorization is directory traversal (a vulnerability). Being able to reach a place whose access restrictions are insufficient is a misconfiguration.
  13. Vulnerability edition

  14. Sample attack log (vulnerability edition)
     • An attack targeting a vulnerability in Cisco Video Surveillance Operations Manager.
     • The file it tries to read is /etc/passwd, an attacker favourite, which holds information about the OS accounts.
     • Note that nowadays account password data is not stored there (it is kept in /etc/shadow).
     • The part where ../ is repeated is the directory traversal.
     Attack log (request target only): /BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
  15. Sample /etc/passwd file (source: Ubuntu 18.04.1), with the administrator's account and the web service's account highlighted.

  16. Sample attack log (vulnerability edition)
     • An attack targeting a vulnerability in the HD FLV Player plugin for Joomla, one of the CMSs.
     • The file it tries to read is configuration.php.
     • This is Joomla's configuration file; it holds everything from basic information such as the site name to the database connection details.
     Attack log (request target only): /components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php
  17. Sample Joomla configuration file (configuration.php). Source: https://github.com/joomla/joomla-cms/blob/staging/installation/configuration.php-dist, with the database settings and the web site settings highlighted.

  18. Sample attack log (vulnerability edition)
     • An attack targeting a vulnerability in the IBS Mappro plugin for WordPress.
     • The file it tries to read is wp-config.php.
     • This is WordPress's configuration file; it holds everything from basic information such as the site name to the database connection details.
     Attack log (request target only): /wp-content/plugins/ibs-mappro/lib/download.php?file=../../../../wp-config.php
  19. Sample WordPress configuration file (wp-config.php). Source: https://github.com/WordPress/WordPress/blob/master/wp-config-sample.php, with the database password and the database account highlighted.

  20. Attempts to read wp-config.php are frequent
     • If you run WordPress, attacks that try to read wp-config.php are extremely common.
     • Attacks against the Slider Revolution plugin vulnerability (CVE) are especially common.
     • Although the vulnerability dates back several years, the attacks still continue today.
     (Traces of the attack, extracted from my blog's access log.)
  21. Misconfiguration edition

  22. Sample attack log (misconfiguration edition)
     • The file it tries to read is .bash_history.
     • This file holds the record of executed commands.
     • If it can be read, the directory layout and server settings can sometimes be inferred.
     • And if a password was passed as a command-line option...
     • Example: mysql -uroot -ppassword
     Attack log (request target only): /.bash_history
  23. Sample attack log (misconfiguration edition)
     • The file it tries to read is .env.
     • This file holds environment variables.
     • For example, environment information for the OS or the web application (runtime paths, API keys and so on) is recorded in it.
     • If an application's API key becomes known to an attacker, it can lead to unauthorized operations.
     Attack log (request target only): /.env
  24. Sample attack log (misconfiguration edition)
     Attack log (request target only): /.vscode/ftp-sync.json
     • The file it tries to read is ftp-sync.json.
     • This file holds the account name, password and other details used for the FTP connection.
     • It is one of the configuration files of a text editor.
     • FTP connection details are targeted regardless of editor:
     • the Remote FTP plugin for the Atom editor
     • the SFTP package for the Sublime Text editor
     • the Visual Studio Code editor
     Reference: Honeypot Observation Record (43), "Probing for files that hold ftp configuration", https://www.morihi-soc.net/?p=995
  25. Sample attack log (misconfiguration edition)
     Attack log (request target only): /backup/bitcoin/wallet.dat
     • The file it tries to read is wallet.dat.
     • This file holds the data of a wallet (electronic purse) that stores bitcoin.
     • If an attacker gets hold of it, the bitcoin may be withdrawn without your consent.
     • If you mine on a rental server or similar, take particular care, for example by restricting access.
     • Also note that the request targets a backup directory.
     Reference: https://ja.bitcoinwiki.org/wiki/%E3%83%93%E3%83%83%E3%83%88%E3%82%B3%E3%82%A4%E3%83%B3%E3%83%BB%E3%82%A6%E3%82%A9%E3%83%AC%E3%83%83%E3%83%88
  26. Sample attack log (misconfiguration edition)
     Attack log (request target only): //../../../../../../../../boot.ini
     • The file it tries to read is boot.ini.
     • This file holds the information Windows needs when it boots.
     • On Windows, the same information can be displayed by opening a command prompt with administrator privileges and running the bcdedit command.
     • Attack targets are not limited to Linux servers; Windows servers are included too. Countermeasures are needed when exposing them to the Internet.
  27. Summary of paths
     • Vulnerability edition:
     • /BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
     • /components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php
     • /wp-content/plugins/ibs-mappro/lib/download.php?file=../../../../wp-config.php
     • Misconfiguration edition:
     • /.bash_history
     • /.env
     • /.vscode/ftp-sync.json
     • /backup/bitcoin/wallet.dat
     • //../../../../../../../../boot.ini
     • Paths I could not cover this time (partial list):
     • /.bash_logout
     • /.bash_profile
     • /.bashrc
     • /.cpanel_config.php
     • /./doc/html/config.html
     • /./doc/html/credits.html
     • /.DS_Store
     • /.git
     • /.gitconfig
     • /.gitignore
     • /.hg/hgrc
     • /.hg/requires
     • /.htaccess
     • /.htpasswd
     • /.idea/WebServers.xml
     • /.idea/workspace.xml
     • //../../../../../../../../windows/win.ini
     • /../../../../../mnt/mtd/Config/Account1
     • /wp-admin/admin-ajax.php?action=revslider_show_image&img=../../.my.cnf
     • /.profile
     • /components/com_foxcontact/lib/uploader.php?cid=0&mid=0&qqfile=/../../../../s.html
     • /components/com_foxcontact/lib/uploader.php?cid=0&mid=0&qqfile=/../../s.php
     • /.ssh/authorized_keys
     • /.ssh/id_dsa
     • /.ssh/id_dsa.pub
     • /.ssh/id_dss
     • /.ssh/id_ecdsa
     • /.ssh/id_ecdsa.pub
     • /.ssh/id_ed25519
     • /.ssh/id_ed25519.pub
     • /.ssh/id_rsa
     • /.ssh/id_rsa.pub
     • /.ssh/identity
     • /.ssh/known_hosts
     • /.stats/awstats.pl
     • /.vimrc
  28. Summary
     • A honeypot can record how attackers were trying to attack.
     • This talk covered the attempts to read files inside the server, taken from web honeypot logs.
     • To read files, attackers commonly use either a method that exploits a vulnerability or a method that targets a misconfiguration.
     When exposing a web server, always run up-to-date software and check that nothing has been missed in the access permission settings.
  29. Happy Honeypot. (Photo taken October 20, 2018 at Shimizu Park (Hana Fantasia), Chiba Prefecture.) The end.