The data online on ZoomEye is in overwrite and update mode, which means that if the data is not scanned in the second scan, the updated data will not be overwritten. The data on ZoomEye will retain the banner data obtained in the first scan. This The mechanism actually has a good scene fit in this kind of malicious attack source tracing: after the download servers used by malicious attacks such as Botnet, APT and other attacks are discovered, they are usually directly deactivated and abandoned. Of course, some are also targets of hacking. Very violent and went offline immediately! Therefore, many attack sites are likely to be cached online by ZoomEye.
Of course, the data provided in the ZoomEye history API can be queried for each scan regardless of whether you cover it or not. However, the currently provided ZoomEye history API can only be queried through IP, not through Keyword matching search, so we need to use it in conjunction with the ZoomEye online cache data search and positioning mentioned above.
A few days ago, I actually mentioned it in the "Black Technology" Knowledge Planet, but there is just a "bug" that needs to be fixed: the IE 0day used by Darkhotel this time should It is CVE-2019-1367 instead of CVE-2020-0674 (thanks to 勋肉丁@奇安信). Of course, this "bug" does not affect the theme of this article.
As can be seen from the above picture, we used ZoomEye online data to locate the IP address of a Darkhotel puddle attack site at that time. We used ZoomEye SDK to query the history of this IP:
╭─heige@404Team ~╰─$python Python 2.7.16 (default, Mar 15 2019, 21:13:51)[GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)] on darwinType "help", "copyright", "credits" or "license" for more information.
import zoomeye
zm = zoomeye.ZoomEye(username="xxxxx", password="xxxx")
zm.login()
u'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX...'
data = zm.history_ip("202.x.x.x")
22List the time nodes and corresponding port services that include this IP data in ZoomEye historical data
... >>>for i in data['data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2020-01-28T10:58:02', 80) (u'2020-01-05T18:33:17', 80) (u'2019-11-25T05:27:58', 80) (u'2019-11-02T16:10:40', 80) (u'2019-10-31T11:39:02', 80) (u'2019-10-06T05:24:44', 80) (u'2019-08-02T09:52:27', 80) (u'2019-07-27T19:22:11', 80) (u'2019-05-18T10:38:59', 8181) (u'2019-05-02T19:37:20', 8181) (u'2019-05-01T00:48:05', 8009) (u'2019-04-09T16:29:58', 8181) (u'2019-03-24T20:46:31', 8181) (u'2018-05-18T18:22:21', 137) (u'2018-02-22T20:50:01', 8181) (u'2017-03-13T03:11:39', 8181) (u'2017-03-12T16:43:54', 8181) (u'2017-02-25T09:56:28', 137) (u'2016-11-01T00:22:30', 137) (u'2015-12-30T22:53:17', 8181) (u'2015-03-13T20:17:45', 8080) (u'2015-03-13T19:33:15', 21)
Let’s take a look at the time nodes and ports that were implanted in IE 0day for water hole attacks:
>>> for i in data['data']: ... if "164.js" in i['raw_data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2020-01-28T10:58:02', 80) (u'2020-01-05T18:33:17', 80) (u'2019-11-25T05:27:58', 80) (u'2019-11-02T16:10:40', 80) (u'2019-10-31T11:39:02', 80) (u'2019-10-06T05:24:44', 80)
Obviously the approximate time range of this watering hole attack is from 2019-10-06 05:24:44 to 2020-01-28 10:58:02. In addition, this IP is obviously not purchased by the attacker. VPS and the like, but directly attacked a specific website as a "watering hole" for attack. It is certain that this IP website had been invaded as early as 2019-10-06! From the nature of the website of this puddle, we can basically infer that the main target of Darkhotel’s attack is the users who visit this website!
Let’s continue to list which port services this IP opened in 2019 to help us analyze possible intrusion points:
>>> for i in data['data']: ... if "2019" in i['timestamp']: ... print(i['timestamp'],i['portinfo']['port'],i['portinfo']['service'],i['portinfo']['product']) ... (u'2019-11-25T05:27:58', 80, u'http', u'nginx') (u'2019-11-02T16:10:40', 80, u'http', u'nginx') (u'2019-10-31T11:39:02', 80, u'http', u'nginx') (u'2019-10-06T05:24:44', 80, u'http', u'nginx') (u'2019-08-02T09:52:27', 80, u'http', u'nginx') (u'2019-07-27T19:22:11', 80, u'http', u'nginx') (u'2019-05-18T10:38:59', 8181, u'http', u'Apache Tomcat/Coyote JSP engine') (u'2019-05-02T19:37:20', 8181, u'http', u'Apache Tomcat/Coyote JSP engine') (u'2019-05-01T00:48:05', 8009, u'ajp13', u'Apache Jserv') (u'2019-04-09T16:29:58', 8181, u'http', u'Apache httpd') (u'2019-03-24T20:46:31', 8181, u'http', u'Apache Tomcat/Coyote JSP engine')
A very typical JSP operating environment, in May 2019 At that time, port 8009 was opened. Problems such as weak passwords for Tomcat backend management have always been common means of penetration~~
By the way, in fact, this attack also involves another IP, because this IP-related port banner is because The update has been covered, so it cannot be searched directly through ZoomEye online search. However, if you know the IP, you can also use the ZoomEye historical data API to query the historical data of this IP. I will not go into details here.
For detailed reports on Poison Ivy (APT-C-01), please refer to https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf We directly focus on
"A tool used by the Poison Ivy organization to control and distribute attack payloads Control domain name http://updateinfo.servegame.org"
"Then download the payload from
hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp
"
URL, we first try to find the corresponding domain name IP, obviously not much has been gained at this time:
╭─heige@404Team ~╰─$ping updateinfo.servegame.orgping: cannot resolve updateinfo.servegame.org: Unknown host
In Qi Anxin’s report we can see that the download server WEB service directory used can be traversed
So we should be able to directly try to search for the file name "tiny1detvghrt.tmp", and sure enough we found it
>>> data = zm.history_ip("165.227.220.223")
>>> 9
>>> for i in data['data']:
... print(i['timestamp'],i['portinfo']['port'])
...
(u'2019-06-18T19:02:22', 22)
(u'2018-09-02T08:13:58', 22)
(u'2018-07-31T05:58:44', 22)
(u'2018-05-20T00:55:48', 80)
(u'2018-05-16T20:42:35', 22)
(u'2018-04-08T07:53:00', 80)
(u'2018-02-22T19:04:29', 22)
(u'2017-11-21T19:09:14', 80)
(u'2017-10-04T05:17:38', 80)>>> for i in data['data']: ... if "tiny1detvghrt.tmp" in i['raw_data']: ... print(i['timestamp'],i['portinfo']['port']) ... (u'2018-05-20T00:55:48', 80) (u'2018-04-08T07:53:00', 80) (u'2017-11-21T19:09:14', 80)
>>> for i in data['data']: ... if "2017-10-04" in i['timestamp']: ... print(i['raw_data']) ... HTTP/1.1 200 OK Date: Tue, 03 Oct 2017 21:17:37 GMT Server: Apache Vary: Accept-Encoding Content-Length: 1757 Connection: close Content-Type: text/html;charset=UTF-8nbsp;HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Index of /</title> <h2>Index of /</h2>
| Name a> | Last modified a> | Size a> | Description a> | |
|---|---|---|---|---|
| doajksdlfsadk.tmp a> | 2017-09-15 08:21 | 4.9K | ||
| doajksdlfsadk.tmp.1 a> | 2017-09-15 08:21 | 4.9K | ||
| doajksdlrfadk.tmp a> | 2017-09-27 06:36 | 4.9K | ||
| dvhrksdlfsadk.tmp a> | 2017-09-27 06:38 | 4.9K | ||
| vfajksdlfsadk.tmp a> | 2017-09-27 06:37 | 4.9K | ||
| wget-log a> | 2017-09-20 07:24 | 572 | ||
The above is the detailed content of Example analysis of using ZoomEye to find APT attacks. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
