[Apache] Suspicious access logs

2017-08-09

Lately I have been looking at Apache logs quite a bit, so I collected the suspicious access log entries I came across while doing so.

Header image source: here.

1. Environment

Ubuntu Server 16.04.2 LTS

Apache HTTP Server 2.4.18 (Ubuntu)

2. Access logs

Leaving out near-duplicates, the suspicious entries looked like the following.

80.211.231.111 - - [06/Aug/2017:11:31:15 +0900] "GET /muieblackcat HTTP/1.1" 404 374 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:16 +0900] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:17 +0900] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:17 +0900] "GET //PMA/scripts/setup.php HTTP/1.1" 404 383 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:18 +0900] "GET //pma/scripts/setup.php HTTP/1.1" 404 383 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:18 +0900] "GET //admin/scripts/setup.php HTTP/1.1" 404 385 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:19 +0900] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:20 +0900] "GET //mysql/scripts/setup.php HTTP/1.1" 404 385 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:20 +0900] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:21 +0900] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:21 +0900] "GET //phpMyAdmin2/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:22 +0900] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 392 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:22 +0900] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 392 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:23 +0900] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:24 +0900] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 404 392 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:24 +0900] "GET //p/m/a/scripts/setup.php HTTP/1.1" 404 385 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:25 +0900] "GET //PMA2005/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:25 +0900] "GET //pma2005/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:26 +0900] "GET //phpmanager/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:26 +0900] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:27 +0900] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:27 +0900] "GET //webadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:28 +0900] "GET //sqlweb/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:29 +0900] "GET //websql/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:29 +0900] "GET //webdb/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:30 +0900] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:30 +0900] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
Log.1 Apache access.log
5.188.203.23 - - [06/Aug/2017:14:20:04 +0900] "GET /.hg/hgrc HTTP/1.0" 404 370 "-" "FBI"
Log.2 Apache access.log
94.102.49.122 - - [06/Aug/2017:23:16:11 +0900] "GET /xmlrpc.php HTTP/1.1" 404 353 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
Log.3 Apache access.log
121.40.151.219 - - [08/Aug/2017:01:22:44 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 403 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:45 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:46 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:46 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 383 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:47 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 387 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:48 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 387 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:48 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 403 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:48 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:49 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:50 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 383 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:50 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:51 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 503 473 "-" "ZmEu"
Log.4 Apache access.log
164.52.7.132 - - [08/Aug/2017:08:48:49 +0900] "\x16\x03\x01\x01\"\x01" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:48:58 +0900] "GET / HTTP/1.1" 200 3353 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
164.52.7.132 - - [08/Aug/2017:08:49:08 +0900] "\x05d\x05\xc9" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:11 +0900] "fox a 1 -1 fox hello" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:11 +0900] "OPTIONS * RTSP/1.0" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:21 +0900] "stats" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:30 +0900] "\x03" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:30 +0900] "\x03" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:33 +0900] "W" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:33 +0900] "@RSYNCD: 29" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:45 +0900] "INFO ALL" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:50:13 +0900] "\x03printer" 400 0 "-" "-"
Log.5 Apache access.log

3. Brief observations

phpMyAdmin

First, Log.1 and Log.4.

According to Wikipedia, phpMyAdmin is a database client tool for administering MySQL servers from a web browser.

These requests appear to be probing plausible directory paths to find out whether it is installed.

Incidentally, the blog ろば電子が詰まっている has an article in which the author set up a honeypot and observed this kind of traffic.

Mercurial

Next, Log.2.

/.hg/hgrc is apparently a path inside Mercurial's .hg directory.

According to Wikipedia, Mercurial is a cross-platform distributed version control system.

That aside, what is a User-Agent of "FBI" supposed to mean....

And when I look up where the IP is located, it is in Russia....

WordPress

Next, Log.3.

According to Smart, xmlrpc.php is a WordPress file.

WordPress vulnerabilities come up in the news all the time, and sure enough it gets targeted.

???

Finally, Log.5.

This was the one that scared me the most this time.

I do not really understand it, but is it issuing some kind of commands?

It is unsettling, so if anyone knows what this is, please tell me in the comments.
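As an added example (not code from the original post), here is a small Python classifier that parses Apache combined-format lines like the ones quoted above and flags the patterns discussed in this section: the setup.php path sweep under phpMyAdmin-style directory names (Log.1, Log.4), the .hg/hgrc probe (Log.2), xmlrpc.php (Log.3), the scanner user-agents seen here ("ZmEu", "FBI"), and the non-HTTP request lines that Apache answered with 400 (Log.5). On that last group: "OPTIONS * RTSP/1.0" is an RTSP request, "@RSYNCD: 29" is the rsync daemon greeting and "\x16\x03\x01" is the start of a TLS ClientHello, so those entries are other protocols' handshakes sent to port 80, which is what a service-fingerprinting scan leaves in a web server log. The script also summarizes flagged requests per source address, because one address producing dozens of 404s within a few seconds is the real signal, and it records the status-code mix, since all-404 means the probes found nothing. The .git and .svn paths in the VCS rule are my own generalization beyond the post; the sample lines are copied from Log.1 to Log.5.

```python
"""Flag scanner traffic in Apache access logs (example added to this post, not the author's code)."""
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache escapes quotes and non-printable bytes inside quoted fields (the \" and
# \x16 in Log.5), so a quoted field is: any char except quote/backslash, or a
# backslash plus one char.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) (?P<size>\d+|-) '
    rf'"(?P<referer>{QUOTED})" "(?P<ua>{QUOTED})"$'
)
# A well-formed HTTP request line; anything else in %r is a non-HTTP probe.
HTTP_REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')
# User-agents seen in the post's logs that belong to scanners, not browsers.
SCANNER_UAS = {"ZmEu", "FBI"}


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    h = HTTP_REQ_RE.match(e["request"])
    e["path"] = h.group("target") if h else None  # None: not an HTTP request line
    return e


def classify(e):
    """Reasons an entry looks like scanner traffic (empty list = nothing matched)."""
    reasons = []
    if e["path"] is None:
        # Log.5: a TLS ClientHello, RTSP, the rsync greeting, ... sent to port 80.
        reasons.append("non-HTTP request line (probe for another protocol)")
    else:
        p = e["path"].split("?", 1)[0]
        if re.search(r"/scripts/setup\.php$", p, re.I):      # Log.1, Log.4
            reasons.append("phpMyAdmin setup.php probe")
        if re.search(r"/xmlrpc\.php$", p, re.I):             # Log.3
            reasons.append("WordPress xmlrpc.php probe")
        if re.search(r"^/+\.(hg|git|svn)/", p):              # Log.2 (.git/.svn are my addition)
            reasons.append("VCS metadata probe")
        if "muieblackcat" in p or "w00tw00t" in p:           # Log.1, Log.4
            reasons.append("known scanner signature in path")
    if e["ua"] in SCANNER_UAS:
        reasons.append(f"scanner user-agent {e['ua']!r}")
    return reasons


def scan(lines):
    """Group flagged requests by source host: hits, reasons, time span, status mix."""
    hosts = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # in real use, count and inspect unparseable lines as well
        reasons = classify(e)
        if not reasons:
            continue
        s = hosts.setdefault(e["host"], {"hits": 0, "reasons": set(), "first": e["time"],
                                         "last": e["time"], "statuses": defaultdict(int)})
        s["hits"] += 1
        s["reasons"].update(reasons)
        s["last"] = e["time"]
        s["statuses"][e["status"]] += 1   # all-404 means the probes found nothing
    return hosts


def report(hosts):
    """Render the summary as text lines, busiest source first."""
    out = []
    for host, s in sorted(hosts.items(), key=lambda kv: -kv[1]["hits"]):
        codes = ", ".join(f"{c}x{n}" for c, n in sorted(s["statuses"].items()))
        out.append(f"{host}: {s['hits']} flagged [{codes}] {s['first']} .. {s['last']}")
        out.extend(f"    - {r}" for r in sorted(s["reasons"]))
    return out


# Sample input: lines copied from Log.1 to Log.5 in the post (none are constructed).
SAMPLE_LOG = r"""
80.211.231.111 - - [06/Aug/2017:11:31:15 +0900] "GET /muieblackcat HTTP/1.1" 404 374 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:16 +0900] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:26 +0900] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
5.188.203.23 - - [06/Aug/2017:14:20:04 +0900] "GET /.hg/hgrc HTTP/1.0" 404 370 "-" "FBI"
94.102.49.122 - - [06/Aug/2017:23:16:11 +0900] "GET /xmlrpc.php HTTP/1.1" 404 353 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
121.40.151.219 - - [08/Aug/2017:01:22:44 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 403 "-" "ZmEu"
164.52.7.132 - - [08/Aug/2017:08:48:49 +0900] "\x16\x03\x01\x01\"\x01" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:48:58 +0900] "GET / HTTP/1.1" 200 3353 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
164.52.7.132 - - [08/Aug/2017:08:49:11 +0900] "OPTIONS * RTSP/1.0" 400 0 "-" "-"
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_LOG))))
```

Run it as-is to see the summary for the sample lines, or feed it a real file with `scan(open("/var/log/apache2/access.log"))`. Note that the ordinary "GET / HTTP/1.1" from 164.52.7.132 is not flagged on its own; it is the surrounding non-HTTP request lines from the same address that make that host stand out, which is why the per-host grouping matters more than any single rule.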

4. Sources

Wikipedia. phpMyAdmin. Retrieved August 9, 2017, from https://ja.wikipedia.org/wiki/PhpMyAdmin
ろば電子が詰まっている. Observing attacks aimed at phpMyAdmin. Retrieved August 9, 2017, from http://d.hatena.ne.jp/ozuma/20130916/1379332757
Wikipedia. Mercurial. Retrieved August 9, 2017, from https://ja.wikipedia.org/wiki/Mercurial
Smart | サーバ構築・ウェブサイト制作の講座サイト. What to do when xmlrpc.php is hit by a DoS attack. Retrieved August 9, 2017, from http://rfs.jp/sb/wordpress/wp-lab/xmlrpc-php-ddos.html
