
Attack Detection Trends Seen Through Honeypots: Secret Files (ハニーポットで見る攻撃の検知傾向 〜秘密のファイル〜)


February 16, 2019: Cyber Security Study Group 2019 in Shiojiri (4th session)
@morihi_soc #shiojiri_oss
https://connpass.com/event/109559/

Kazuaki Morihisa

February 16, 2019


Transcript

  1. Honeypots and Secret Files: whoami
    • Kazuaki Morihisa, @morihi_soc
    • Day job: network security engineer and analyst
    • Runs honeypots as a hobby, i.e. a "honeypotter"
    • Blog → https://www.morihi-soc.net/
    • Organizer of the Honeypotter Technical Exchange Meetup
    • https://hanipotech.connpass.com/
    Events I have been involved with (partial list):
    ・IT Keys (now SecCap)
    ・Network Packet Reading Group (tentative name)
    ・NISC Cyber Halloween
    ・Internet Week, Hardening
    ・ssmjp, AISec, StudyCode
    ・tktk Security Study Group
    ・All-Kansai Cyber Security LT Contest
    ・OWASP Nagoya, IoTSecJP
    ・Sumida Security Study Group
    Published books and technical doujinshi: NEW, October 2018 ↓
  2. Introduction to honeypots
    • A honeypot is a system built on the premise that it will deliberately be attacked.
    • A person who operates a honeypot → a "honeypotter"
    • A honeypot can collect many kinds of logs.
    • Precisely because the honeypot has been operated over a long period, attack trends can be grasped.
  3. Low-interaction honeypots
    • Low-interaction → a method that imitates real software and the like
    • SSH honeypot
      • Records the OS commands typed by attackers who log in remotely over SSH, so that they can be observed.
    • Web honeypot
      • Accepts HTTP requests, so that behaviour such as probing for web application vulnerabilities and for files can be observed.
    ※ There are many classification schemes and kinds of honeypots.
  4. Introducing WOWHoneypot, which plays host to attackers
    Diagram: attacker ↔ WOWHoneypot
    ① Attacker: "Let me mess with you" → GET /wordpress/wp-login.php HTTP/1.1
    ② WOWHoneypot: "This is a WordPress page, here you go!" → 200 OK
    Attacker: "Oh, WordPress is running. It's wp-login.php, so let's attack WordPress"
    ③ Login brute-force attacks and the like → POST /wordpress/wp-login.php HTTP/1.1
    Both requests are logged for analysis.
    GitHub → https://github.com/morihisa/WOWHoneypot
    "Welcome to Omotenashi Web Honeypot"
  5. Server files attackers want to see
    • Attackers' aims vary.
    • Whether the goal is information theft or money, the first step is to collect information about the target server.
    • Using the information obtained, they go on to compromise the server.
    • Files that record passwords, and configuration files, are attractive to attackers.
    • On a web honeypot, I looked at the logs with a focus on attacks that try to read files.
  6. Attacks that read files inside the server
    • On the web, broadly two attack methods are used.
    • Methods that target a vulnerability
      • Abuse a vulnerability such as Local File Inclusion (LFI) or directory traversal (*) to read files.
    • Methods that target misconfiguration
      • Mainly target servers whose access restrictions are insufficient, and read files.
    * Also called path traversal
  7. The basic idea behind the attacks
    Diagram of the server's file system, from the outermost layer inward:
    • Entire file system (non-public area): an area where access from outside is not permitted; where OS system files and the like are placed.
    • Web service directory (non-public area): an area where access from outside is not permitted. Example configuration file: .htpasswd
    • Web service directory (public area): an area anyone can access; where the main content of the website is placed.
    • Directory for specific users (partially public area): for example an information-sharing bulletin board, where only users who know the password are allowed access. Example configuration file: .htaccess
    Being able to illegitimately reference a higher level of the hierarchy from the public area → directory traversal (vulnerability)
    Being able to reference a place whose access restrictions are insufficient → misconfiguration
  8. Attack log sample: vulnerability edition
    • An attack targeting a vulnerability in Cisco Video Surveillance Operations Manager
    • The file it tries to read is the attacker favourite, /etc/passwd, which records information about the OS accounts.
    • Note that nowadays the account password information is not stored there (it is kept in /etc/shadow).
    • The part where ../ is repeated is the directory traversal.
    Attack log (request target only):
    /BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
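The containment check that closes the gap slide 7 describes, shown as an added example that is not from the deck or from WOWHoneypot: the requested value is resolved against the public area, and anything that normalises to a location outside it is refused. The public root /var/www/html and the function names are assumptions; the traversal value is the one from the log line above, and the percent-encoded variant in the test goes slightly beyond the slide.

```python
import posixpath
from urllib.parse import unquote

# Assumed public area (document root); the deck does not name a real path.
PUBLIC_ROOT = "/var/www/html"


def unsafe_resolve(public_root: str, requested: str) -> str:
    """The pattern behind the log line on slide 8: the user-supplied value is
    joined onto a directory and normalised, with no check that the result is
    still inside public_root, so a run of '../' climbs into the system area."""
    return posixpath.normpath(posixpath.join(public_root, unquote(requested)))


def safe_resolve(public_root: str, requested: str):
    """Resolve the request against the public area and refuse anything that
    lands outside it. Returns the resolved path, or None when the request
    escapes. Pure string handling (posixpath) so it runs anywhere; a real
    server should apply the same containment test after os.path.realpath()
    so that symlinks cannot point back out of the public area."""
    root = posixpath.normpath(public_root)
    # Decode once so that %2e%2e%2f is seen as ../ before normalisation.
    candidate = posixpath.normpath(posixpath.join(root, unquote(requested)))
    # Containment test: the candidate must be the root itself or sit below it.
    # The trailing '/' stops /var/www/html2 from passing as a prefix match.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Value taken from the slide-8 log line.
    TRAVERSAL = "../../../../../../../../../etc/passwd"
    print("unsafe:", unsafe_resolve(PUBLIC_ROOT, TRAVERSAL))  # -> /etc/passwd
    print("safe:  ", safe_resolve(PUBLIC_ROOT, TRAVERSAL))    # -> None
    print("safe:  ", safe_resolve(PUBLIC_ROOT, "images/logo.png"))
```

Because posixpath.join discards the left side when the right side is absolute, a raw `/etc/passwd` value is rejected by the same test as the `../` chain; both end up outside `root`.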
  9. Attack log sample: misconfiguration edition
    • The file it tries to read is .env
    • This file holds environment variables.
    • For example, it records environment information for the OS or the web application (runtime paths, API keys, and so on).
    • If an application's API key becomes known to an attacker, that leads to the application being manipulated illegitimately.
    Attack log (request target only):
    /.env
  10. Attack log sample: misconfiguration edition
    Attack log (request target only):
    /.vscode/ftp-sync.json
    • The file it tries to read is ftp-sync.json
    • This file records the account name, password and other details used for FTP connections.
    • It is one of a text editor's configuration files.
    • FTP connection details are targeted regardless of editor:
      • the Atom editor's Remote-FTP plugin
      • the Sublime Text editor's SFTP package
      • the Visual Studio Code editor
    Reference: Honeypot Observation Log (43), "File probing that targets FTP configuration information" https://www.morihi-soc.net/?p=995
  11. Attack log sample: misconfiguration edition
    Attack log (request target only):
    /backup/bitcoin/wallet.dat
    • The file it tries to read is wallet.dat
    • This file holds the data of a wallet (electronic purse) that stores bitcoin.
    • If an attacker gets to see it, the bitcoin could be withdrawn without permission.
    • If you mine on a rental server or similar, take particular care, for example by restricting access.
    • Also note that the attacker is targeting a backup directory.
    Reference: https://ja.bitcoinwiki.org/wiki/%E3%83%93%E3%83%83%E3%83%88%E3%82%B3%E3%82%A4%E3%83%B3%E3%83%BB%E3%82%A6%E3%82%A9%E3%83%AC%E3%83%83%E3%83%88
  12. Attack log sample: misconfiguration edition
    Attack log (request target only):
    //../../../../../../../../boot.ini
    • The file it tries to read is boot.ini
    • This file records the information Windows needs when it boots.
    • On Windows it can be displayed by opening a command prompt with administrator rights and running the bcdedit command.
    • Attack targets are not only Linux-type servers; Windows servers are included too. When you expose one to the Internet, countermeasures against attacks are needed.
  13. Path summary
    • Vulnerability edition
      • /BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
      • /components/com_hdflvplayer/hdflvplayer/download.php?f=[...]configuration.php
      • /wp-content/plugins/ibs-mappro/lib/download.php?file=[...]wp-config.php
      ([...] marks characters between the parameter and the file name that did not survive the transcript.)
    • Misconfiguration edition
      • /.bash_history
      • /.env
      • /.vscode/ftp-sync.json
      • /backup/bitcoin/wallet.dat
      • /boot.ini
    • Not covered this time (partial list)
      •/.bash_logout
      •/.bash_profile
      •/.bashrc
      •/.cpanel_config.php
      •/./doc/html/config.html
      •/./doc/html/credits.html
      •/.DS_Store
      •/.git
      •/.gitconfig
      •/.gitignore
      •/.hg/hgrc
      •/.hg/requires
      •/.htaccess
      •/.htpasswd
      •/.idea/WebServers.xml
      •/.idea/workspace.xml
      •//../../../../../../../../windows/win.ini
      •/../../../../../mnt/mtd/Config/Account1
      •/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../.my.cnf
      •/.profile
      •/components/com_foxcontact/lib/uploader.php?cid=0&mid=0&qqfile=/../../../../s.html
      •/components/com_foxcontact/lib/uploader.php?cid=0&mid=0&qqfile=/../../s.php
      •/.ssh/authorized_keys
      •/.ssh/id_dsa
      •/.ssh/id_dsa.pub
      •/.ssh/id_dss
      •/.ssh/id_ecdsa
      •/.ssh/id_ecdsa.pub
      •/.ssh/id_ed25519
      •/.ssh/id_ed25519.pub
      •/.ssh/id_rsa
      •/.ssh/id_rsa.pub
      •/.ssh/identity
      •/.ssh/known_hosts
      •/.stats/awstats.pl
      •/.vimrc
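Detection logic for the two categories the deck uses (traversal through a vulnerability, and direct requests for sensitive files that rely on missing access restrictions), added here as an example and not part of the deck: it parses Apache combined-format log lines, flags `../` sequences after percent-decoding, and matches the requested file name against a watch list built from the paths above. The log lines are constructed samples; their client addresses, timestamps and status codes are made up, and only the request targets come from the slides. The heuristic works on request shape, so the boot.ini line is tagged both as traversal and as a sensitive file, whereas the deck files it under misconfiguration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines in Apache combined-log shape. Only the request
# targets are taken from the deck; the client addresses (RFC 5737 ranges),
# timestamps and status codes are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2019:10:01:02 +0900] "GET /BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.11 - - [16/Feb/2019:10:01:05 +0900] "GET /.env HTTP/1.1" 404 153
203.0.113.12 - - [16/Feb/2019:10:01:09 +0900] "GET /.vscode/ftp-sync.json HTTP/1.1" 404 153
203.0.113.13 - - [16/Feb/2019:10:02:11 +0900] "GET /backup/bitcoin/wallet.dat HTTP/1.1" 404 153
203.0.113.14 - - [16/Feb/2019:10:02:40 +0900] "GET //../../../../../../../../boot.ini HTTP/1.1" 400 226
203.0.113.15 - - [16/Feb/2019:10:03:00 +0900] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../../.my.cnf HTTP/1.1" 404 153
203.0.113.16 - - [16/Feb/2019:10:03:21 +0900] "GET /.ssh/id_rsa HTTP/1.1" 404 153
198.51.100.7 - - [16/Feb/2019:10:04:00 +0900] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# File names from the deck's path summary that should never be served.
SENSITIVE_FILES = {
    "passwd", "shadow", ".env", ".bash_history", "ftp-sync.json", "wallet.dat",
    "boot.ini", "win.ini", "wp-config.php", "configuration.php", ".my.cnf",
    ".htpasswd", ".htaccess", ".git", ".gitconfig", ".DS_Store", "id_rsa",
    "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys", "known_hosts",
}

# '..' followed by a slash (either kind), anywhere in the decoded target.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def decode_target(target: str) -> str:
    """Percent-decode twice so that %2e%2e%2f and %252e%252e%252f both
    surface as '../' before any pattern is applied."""
    return unquote(unquote(target))


def classify_target(target: str) -> set:
    """Tag one request target. 'traversal' means the request shape tries to
    climb the directory tree (the deck's vulnerability category);
    'sensitive-file' means a watch-listed file name is requested, either as
    the path or as a query value (the deck's misconfiguration category when
    no traversal is involved)."""
    decoded = decode_target(target)
    tags = set()
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    path, _, query = decoded.partition("?")
    names = [path.rstrip("/").rsplit("/", 1)[-1]]
    for pair in query.split("&"):
        if "=" in pair:
            names.append(pair.split("=", 1)[1].rsplit("/", 1)[-1])
    if any(name in SENSITIVE_FILES for name in names):
        tags.add("sensitive-file")
    return tags


def scan_log(text: str) -> list:
    """Parse every log line and return one record per parsable line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log shape
        records.append({
            "ip": m["ip"], "target": m["target"],
            "status": int(m["status"]), "tags": classify_target(m["target"]),
        })
    return records


def summarize(records: list) -> Counter:
    """Count how many requests carry each tag."""
    return Counter(tag for r in records for tag in r["tags"])


if __name__ == "__main__":
    recs = scan_log(SAMPLE_LOG)
    for r in recs:
        print(r["ip"], sorted(r["tags"]) or ["-"], r["target"])
    print(summarize(recs))
```

Matching on the decoded target rather than the raw line is what makes the check survive percent-encoding, and inspecting query values as well as the path is what catches the read_log.jsp and admin-ajax.php cases, where the sensitive name never appears in the path itself.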