Thursday, March 02, 2017

#OCJP-135: On the SMTP (and HTTP) hacking incidents via SSH TCP port forwarding

Yesterday, on the "MalwareMustDie" blog, we reported on a hacking scheme, running since October of last year, that uses TCP forwarding over SSH.


SSH TCP port forwarding is what is usually just called "SSH port forwarding" in Japanese. In short, an already established SSH connection is used as a tunnel, and arbitrary traffic is relayed through that tunnel, so the relaying host can talk transparently to the destination network or server.

Among the reported findings is hacking activity over SMTP carried on top of SSH port forwarding, and the volume is high: between October 24, 2016 and February 27, 2017 we found more than 8,000 instances of unauthorized SMTP access.

The screenshot is below ↓

↑ Among them we found the IPs of 74 mail servers located in Japan.


We confirmed that the goal of the SMTP and HTTP/HTTPS hacking via SSH port forwarding that we reported is to steal e-mail addresses and passwords. The hackers misuse those e-mail addresses for various purposes, and because they were also repurposed for the "IoT" operation, we were able to confirm at that point exactly which accounts had been taken. We are currently compiling the data and plan to contact the police and the CERT as well.

The HTTP(S) attacks over SSH port forwarding also had an impact in Japan; for example ↓

1. Spoofed HTTP requests ↓

↑ Evidence that the URL of a spoofed HTTP request was sent to GET.MOBU.JP

2. A format string attack against SONY's account authentication server ↓


A snapshot of the e-mail addresses taken in the SMTP and POP3 attacks is in the video below ↓



↑ Checking that data, there do not appear to be any Japanese e-mail addresses in it.

Regarding the hacking activity, we have a more detailed history of the SMTP commands, but for security reasons we will not publish the commands themselves here or on "MalwareMustDie".

The purpose of the SMTP hacking is probably the following two ↓
1. Verifying that e-mail addresses already in hand really exist
2. Scanning mail servers

The source IPs of the attacks are all stepping-stone devices, which is to say mostly compromised SSH services; more precisely, nearly all of them are "IoT" devices, and we confirmed that the largest share of the access came from Vietnam.
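As an added defender-side example (not code from this post or from MalwareMustDie): a small Python script that scans sshd log lines for direct-tcpip forward requests aimed at SMTP or HTTP ports and groups them by the SSH login that opened them, which is how the owner of a relay box like the ones described above would spot the abuse. The log line layout is an assumption modeled on OpenSSH's debug-level output, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Ports this campaign relayed to through SSH direct-tcpip channels:
# SMTP/submission/SMTPS and HTTP/HTTPS, as described in the post.
RELAY_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 80: "http", 443: "https"}

# ASSUMPTION: the layout below is modeled on what OpenSSH sshd emits for
# server_request_direct_tcpip at LogLevel DEBUG; check it against your own
# sshd version before relying on the regex in production.
FORWARD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: debug1: server_request_direct_tcpip: "
    r"originator (?P<orig>\S+) port (?P<oport>\d+), "
    r"target (?P<target>\S+) port (?P<tport>\d+)"
)
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_forwards(lines):
    """Return {(client_ip, user): [(target, port, service), ...]} for every
    direct-tcpip request whose target port is in RELAY_PORTS.

    The sshd pid ties a forward request back to the login that opened the
    session, so results are keyed by the SSH client IP (the host driving the
    relay), not by the forward's loopback originator address."""
    session_by_pid = {}
    hits = defaultdict(list)
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            session_by_pid[m["pid"]] = (m["ip"], m["user"])
            continue
        m = FORWARD_RE.search(line)
        if not m:
            continue
        port = int(m["tport"])
        if port not in RELAY_PORTS:
            continue
        client = session_by_pid.get(m["pid"], ("unknown", "unknown"))
        hits[client].append((m["target"], port, RELAY_PORTS[port]))
    return dict(hits)


def suspicious_sessions(lines, threshold=3):
    """Sessions that forwarded to at least `threshold` distinct mail/web hosts:
    one SSH login fanning out to many SMTP servers is the pattern in the post."""
    out = {}
    for client, fwds in parse_forwards(lines).items():
        targets = {t for t, _, _ in fwds}
        if len(targets) >= threshold:
            out[client] = sorted(targets)
    return out


# Constructed sample log (not real data): one login relays SMTP to three hosts,
# a second session does a single ordinary HTTPS forward.
SAMPLE_LOG = """\
Mar  1 03:12:01 relay sshd[4101]: Accepted password for pi from 198.51.100.7 port 52310 ssh2
Mar  1 03:12:02 relay sshd[4101]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 41022, target 203.0.113.10 port 25
Mar  1 03:12:02 relay sshd[4101]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 41023, target 203.0.113.11 port 25
Mar  1 03:12:03 relay sshd[4101]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 41024, target 203.0.113.12 port 587
Mar  1 03:12:03 relay sshd[4101]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 41025, target 203.0.113.12 port 22
Mar  1 03:15:40 relay sshd[4188]: Accepted publickey for ops from 192.0.2.5 port 60011 ssh2
Mar  1 03:15:41 relay sshd[4188]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 41100, target 192.0.2.80 port 443
""".splitlines()

if __name__ == "__main__":
    for (ip, user), targets in suspicious_sessions(SAMPLE_LOG).items():
        print(f"{ip} ({user}) relayed to {len(targets)} mail/web hosts: {', '.join(targets)}")
```

On a device that does not need forwarding at all, `AllowTcpForwarding no` in sshd_config removes the relay capability outright, and this script then only serves to confirm that no such requests get through.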

We were also able to identify the IPs of the real attackers connecting from behind those "IoT" devices, so blocking them is recommended. The list is below ↓

There is evidence that the IPs above are in use; for example "104.155.205.70", which is a Google IP ↓

↑ We have already reported this matter to Google.

Also, because the administrator of a Japanese mail server hit by these unauthorized SMTP access attacks cannot see from the outside whether it was affected, we are publishing the list of the 74 IPs so that administrators can check ↓

The attacks are happening frequently right now. Please watch out for unauthorized SMTP access to mail servers in Japan.

(The image below is evidence that the attackers are connecting right now ↓)


≪References≫

Source of the investigation article ↓
http://blog.malwaremustdie.org/2017/02/mmd-0062-2017-ssh-direct-tcp-forward-attack.html

Repository (github) / IP addresses can be searched here ↓
https://github.com/unixfreaxjp/MMD-0062-2017

Q and A (from InfoSec Institute .com, an interview with MMD) ↓
http://resources.infosecinstitute.com/exclusive-close-look-largest-credential-harvesting-campaign-via-iot-botnet/

Alert information in other languages (German, Italian, English) ↓
https://capsop.com/itsec/german/malwaremustdie/2017/03/05/SMTP-Hacking-via-SSH-Relays.html
https://www.cert-pa.it/web/guest/news?id=7948
http://formiche.net/2017/03/05/cyberattack-italia-malware/
http://securityaffairs.co/wordpress/56864/cyber-crime/ssh-tcp-direct-forward.html

On format string attacks ↓
https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/c906.html

Survey on unauthorized access techniques and technical countermeasures ↓
https://www.ipa.go.jp/files/000003125.pdf

(More will be added later..)


Thu Mar 2 07:28:10 JST 2017 @unixfreaxjp/0day.jp/MalwareMustDie,NPO - Report published.
Thu Mar 2 08:42:14 JST 2017 @sonodam-sensei corrected the Japanese (a great help! Thank you very much)
