The data online on ZoomEye is in overwrite and update mode, which means that if the data is not scanned in the second scan, the updated data will not be overwritten. The data on ZoomEye will retain the banner data obtained in the first scan. This The mechanism actually has a good scene fit in this kind of malicious attack source tracing: after the download servers used by malicious attacks such as Botnet, APT and other attacks are discovered, they are usually directly deactivated and abandoned. Of course, some are also targets of hacking. Very violent and went offline immediately! Therefore, many attack sites are likely to be cached online by ZoomEye.
Of course, the data provided in the ZoomEye history API can be queried for each scan regardless of whether you cover it or not. However, the currently provided ZoomEye history API can only be queried through IP, not through Keyword matching search, so we need to use it in conjunction with the ZoomEye online cache data search and positioning mentioned above.
Case 1: Darkhotel APT
A few days ago, I actually mentioned it in the "Black Technology" Knowledge Planet, but there is just a "bug" that needs to be fixed: the IE 0day used by Darkhotel this time should It is CVE-2019-1367 instead of CVE-2020-0674 (thanks to 勋肉丁@奇安信). Of course, this "bug" does not affect the theme of this article.
As can be seen from the above picture, we used ZoomEye online data to locate the IP address of a Darkhotel puddle attack site at that time. We used ZoomEye SDK to query the history of this IP:
╭─heige@404Team ~╰─$python Python 2.7.16 (default, Mar 15 2019, 21:13:51)[GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)] on darwinType "help", "copyright", "credits" or "license" for more information. import zoomeye zm = zoomeye.ZoomEye(username="xxxxx", password="xxxx") zm.login() u'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX...' data = zm.history_ip("202.x.x.x") 22
List the time nodes and corresponding port services that include this IP data in ZoomEye historical data
... >>>for i in data['data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2020-01-28T10:58:02', 80) (u'2020-01-05T18:33:17', 80) (u'2019-11-25T05:27:58', 80) (u'2019-11-02T16:10:40', 80) (u'2019-10-31T11:39:02', 80) (u'2019-10-06T05:24:44', 80) (u'2019-08-02T09:52:27', 80) (u'2019-07-27T19:22:11', 80) (u'2019-05-18T10:38:59', 8181) (u'2019-05-02T19:37:20', 8181) (u'2019-05-01T00:48:05', 8009) (u'2019-04-09T16:29:58', 8181) (u'2019-03-24T20:46:31', 8181) (u'2018-05-18T18:22:21', 137) (u'2018-02-22T20:50:01', 8181) (u'2017-03-13T03:11:39', 8181) (u'2017-03-12T16:43:54', 8181) (u'2017-02-25T09:56:28', 137) (u'2016-11-01T00:22:30', 137) (u'2015-12-30T22:53:17', 8181) (u'2015-03-13T20:17:45', 8080) (u'2015-03-13T19:33:15', 21)
Let’s take a look at the time nodes and ports that were implanted in IE 0day for water hole attacks:
>>> for i in data['data']: ... if "164.js" in i['raw_data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2020-01-28T10:58:02', 80) (u'2020-01-05T18:33:17', 80) (u'2019-11-25T05:27:58', 80) (u'2019-11-02T16:10:40', 80) (u'2019-10-31T11:39:02', 80) (u'2019-10-06T05:24:44', 80)
Obviously the approximate time range of this watering hole attack is from 2019-10-06 05:24:44 to 2020-01-28 10:58:02. In addition, this IP is obviously not purchased by the attacker. VPS and the like, but directly attacked a specific website as a "watering hole" for attack. It is certain that this IP website had been invaded as early as 2019-10-06! From the nature of the website of this puddle, we can basically infer that the main target of Darkhotel’s attack is the users who visit this website!
Let’s continue to list which port services this IP opened in 2019 to help us analyze possible intrusion points:
>>> for i in data['data']: ... if "2019" in i['timestamp']: ... print(i['timestamp'],i['portinfo']['port'],i['portinfo']['service'],i['portinfo']['product']) ... (u'2019-11-25T05:27:58', 80, u'http', u'nginx') (u'2019-11-02T16:10:40', 80, u'http', u'nginx') (u'2019-10-31T11:39:02', 80, u'http', u'nginx') (u'2019-10-06T05:24:44', 80, u'http', u'nginx') (u'2019-08-02T09:52:27', 80, u'http', u'nginx') (u'2019-07-27T19:22:11', 80, u'http', u'nginx') (u'2019-05-18T10:38:59', 8181, u'http', u'Apache Tomcat/Coyote JSP engine') (u'2019-05-02T19:37:20', 8181, u'http', u'Apache Tomcat/Coyote JSP engine') (u'2019-05-01T00:48:05', 8009, u'ajp13', u'Apache Jserv') (u'2019-04-09T16:29:58', 8181, u'http', u'Apache httpd') (u'2019-03-24T20:46:31', 8181, u'http', u'Apache Tomcat/Coyote JSP engine')
A very typical JSP operating environment, in May 2019 At that time, port 8009 was opened. Problems such as weak passwords for Tomcat backend management have always been common means of penetration~~
By the way, in fact, this attack also involves another IP, because this IP-related port banner is because The update has been covered, so it cannot be searched directly through ZoomEye online search. However, if you know the IP, you can also use the ZoomEye historical data API to query the historical data of this IP. I will not go into details here.
Case 2: Poison Ivy (APT-C-01)
For detailed reports on Poison Ivy (APT-C-01), please refer to https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf We directly focus on
"A tool used by the Poison Ivy organization to control and distribute attack payloads Control domain name http://updateinfo.servegame.org"
"Then download the payload from
hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp
"
URL, we first try to find the corresponding domain name IP, obviously not much has been gained at this time:
╭─heige@404Team ~╰─$ping updateinfo.servegame.orgping: cannot resolve updateinfo.servegame.org: Unknown host
In Qi Anxin’s report we can see that the download server WEB service directory used can be traversed
So we should be able to directly try to search for the file name "tiny1detvghrt.tmp", and sure enough we found it
>>> data = zm.history_ip("165.227.220.223") >>> 9 >>> for i in data['data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2019-06-18T19:02:22', 22) (u'2018-09-02T08:13:58', 22) (u'2018-07-31T05:58:44', 22) (u'2018-05-20T00:55:48', 80) (u'2018-05-16T20:42:35', 22) (u'2018-04-08T07:53:00', 80) (u'2018-02-22T19:04:29', 22) (u'2017-11-21T19:09:14', 80) (u'2017-10-04T05:17:38', 80)Continue to look at the time interval of this tiny1detvghrt.tmp deployment:
>>> for i in data['data']: ... if "tiny1detvghrt.tmp" in i['raw_data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2018-05-20T00:55:48', 80) (u'2018-04-08T07:53:00', 80) (u'2017-11-21T19:09:14', 80)At least we can determine from The attack has already been deployed at the end of November 2017. There is another time node before this time node: 2017-10-04 05:17:38. Let’s take a look at his banner data:
>>> for i in data['data']: ... if "2017-10-04" in i['timestamp']: ... print(i['raw_data']) ... HTTP/1.1 200 OK Date: Tue, 03 Oct 2017 21:17:37 GMT Server: Apache Vary: Accept-Encoding Content-Length: 1757 Connection: close Content-Type: text/html;charset=UTF-8nbsp;HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Index of /</title> <h2 id="Index-of">Index of /</h2>
Name a> | Last modified a> | Size a> | Description a> | |
---|---|---|---|---|
doajksdlfsadk.tmp a> | 2017-09-15 08:21 | 4.9K | ||
doajksdlfsadk.tmp.1 a> | 2017-09-15 08:21 | 4.9K | ||
doajksdlrfadk.tmp a> | 2017-09-27 06:36 | 4.9K | ||
dvhrksdlfsadk.tmp a> | 2017-09-27 06:38 | 4.9K | ||
vfajksdlfsadk.tmp a> | 2017-09-27 06:37 | 4.9K | ||
wget-log a> | 2017-09-20 07:24 | 572 | ||
The above is the detailed content of Example analysis of using ZoomEye to find APT attacks. For more information, please follow other related articles on the PHP Chinese website!

ZoomEye线上的数据是覆盖更新的模式,也就是说第2次扫描如果没有扫描到数据就不会覆盖更新数据,ZoomEye上的数据会保留第1次扫描获取到的banner数据,这个机制在这种恶意攻击溯源里其实有着很好的场景契合点:恶意攻击比如Botnet、APT等攻击使用的下载服务器被发现后一般都是直接停用抛弃,当然也有一些是被黑的目标,也是很暴力的直接下线!所以很多的攻击现场很可能就被ZoomEye线上缓存。当然在ZoomEye历史api里提供的数据,不管你覆盖不覆盖都可以查询出每次扫描得到的banner数

一般来说著名的Linux系统基本上分两大类:RedHat系列:Redhat、Centos、Fedora等;Debian系列:Debian、Ubuntu等。yum(YellowdogUpdater,Modified)是一个在Fedora和RedHat以及SUSE中的Shell前端软件包管理器。apt(AdvancedPackagingTool)是一个在Debian和Ubuntu中的Shell前端软件包管理器。概述一般来说著名的Linux系统基本上分两大类:RedHat系列:Redhat、Cento

关于威胁情报处理周期模型“威胁情报处理周期”(F3EAD)一词源于军事,是美陆军为主战兵种各级指挥员设计的组织资源、部署兵力的方法。网络应急响应中心借鉴这套方法,分以下六个阶段处理威胁情报信息:威胁情报处理周期F3EAD威胁情报处理周期模型的应用第一步:查找某月某日,部署在合作方公有云服务器上的“洋葱”系统告警发现疑似木马程序,于是应急响应团队快速启动应急相应流程:干系人等一键拉群,电话接入。受害系统隔离待查。安全系统、审计日志导出待溯源分析。业务系统架构、代码相关资料准备,待分析入侵突破口及受

在Deepin系统上安装PHP8,您可以按照以下步骤进行操作:更新系统:打开终端,并执行以下命令来更新系统软件包:sudoaptupdatesudoaptupgrade添加OndřejSurýPPA源:PHP8可以通过OndřejSurýPPA源进行安装。执行以下命令来添加该源:sudoaptinstallsoftware-properties-commonsudoadd-apt-repositoryppa:ondrej/php更新软件包列表:执行以下命令来更新软件包列表以获取PPA源中的PHP

手动修改Ubuntu的apt-get源1、用ssh工具连接到Ubuntu(我用的xshell)2、命令行敲入cd/etc/apt/3、备份此目录下的source.list文件(要有sudo权限),此时就有了一个source.list.bak文件4、清空source.list文件内容(注:清空后不可恢复,所以需要执行上一步提前备份一下这个文件),此时用sudo提示权限不够,直接切换到root用户下执行这条命令5、用vim打开source.list,按i键进入编辑模式把要修改的源地址粘贴进来,然后按

以下是Ubuntu18.04系统编译安装Docker的教程:卸载旧版Docker(如果已安装):sudoaptremovedockerdocker-enginedocker.iocontainerdrunc更新系统软件包:sudoaptupdatesudoaptupgrade安装Docker依赖项:sudoaptinstallapt-transport-httpsca-certificatescurlsoftware-properties-common添加Docker官方的GPG密钥:curl-

可以通过使用MySQL官方的APT存储库来安装MySQL5.7。以下是在Ubuntu20.04系统上通过官方APT存储库安装MySQL5.7的步骤:添加MySQLAPT存储库:wgethttps://dev.mysql.com/get/mysql-apt-config_0.8.17-1_all.debsudodpkg-imysql-apt-config_0.8.17-1_all.deb在安装过程中,您将看到一个配置界面。选择MySQLServer版本为5.7,然后完成配置。更新软件包列表:sud

yum是RedHat系列发行版(如RHEL和CentOS)中的包管理器,而Ubuntu使用的是另一种包管理器,名为apt(AdvancedPackageTool)。在Ubuntu系统中,您可以使用apt命令来管理软件包。以下是在Ubuntu系统中安装软件包的基本步骤:更新软件包索引在执行任何安装操作之前,首先执行以下命令以更新软件包索引:sudoaptupdate安装软件包使用以下命令来安装特定的软件包:sudoaptinstallpackage_name将”package_name̶


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool

MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

SublimeText3 Linux new version
SublimeText3 Linux latest version

SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
