
[Apache] Suspicious access log entries

Date of the events: 2017-08-09

Article published: -

I have been looking at Apache logs a lot lately, so I collected the suspicious access log entries I found while doing so.

Source of the header image: here

1. Environment

Ubuntu Server 16.04.2 LTS

Apache HTTP Server 2.4.18 (Ubuntu)

2. Access logs

Leaving out near-duplicates, the suspicious entries were the following.

80.211.231.111 - - [06/Aug/2017:11:31:15 +0900] "GET /muieblackcat HTTP/1.1" 404 374 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:16 +0900] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:17 +0900] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:17 +0900] "GET //PMA/scripts/setup.php HTTP/1.1" 404 383 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:18 +0900] "GET //pma/scripts/setup.php HTTP/1.1" 404 383 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:18 +0900] "GET //admin/scripts/setup.php HTTP/1.1" 404 385 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:19 +0900] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:20 +0900] "GET //mysql/scripts/setup.php HTTP/1.1" 404 385 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:20 +0900] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:21 +0900] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:21 +0900] "GET //phpMyAdmin2/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:22 +0900] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 392 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:22 +0900] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 392 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:23 +0900] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:24 +0900] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 404 392 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:24 +0900] "GET //p/m/a/scripts/setup.php HTTP/1.1" 404 385 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:25 +0900] "GET //PMA2005/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:25 +0900] "GET //pma2005/scripts/setup.php HTTP/1.1" 404 387 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:26 +0900] "GET //phpmanager/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:26 +0900] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:27 +0900] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:27 +0900] "GET //webadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:28 +0900] "GET //sqlweb/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:29 +0900] "GET //websql/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:29 +0900] "GET //webdb/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:30 +0900] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:30 +0900] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 503 473 "-" "-"
Log.1 Apache access.log
5.188.203.23 - - [06/Aug/2017:14:20:04 +0900] "GET /.hg/hgrc HTTP/1.0" 404 370 "-" "FBI"
Log.2 Apache access.log
94.102.49.122 - - [06/Aug/2017:23:16:11 +0900] "GET /xmlrpc.php HTTP/1.1" 404 353 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
Log.3 Apache access.log
121.40.151.219 - - [08/Aug/2017:01:22:44 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 403 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:45 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:46 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:46 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 383 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:47 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 387 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:48 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 387 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:48 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 403 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:48 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:49 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:50 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 383 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:50 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 503 473 "-" "ZmEu"
121.40.151.219 - - [08/Aug/2017:01:22:51 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 503 473 "-" "ZmEu"
Log.4 Apache access.log
164.52.7.132 - - [08/Aug/2017:08:48:49 +0900] "\x16\x03\x01\x01\"\x01" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:48:58 +0900] "GET / HTTP/1.1" 200 3353 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
164.52.7.132 - - [08/Aug/2017:08:49:08 +0900] "\x05d\x05\xc9" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:11 +0900] "fox a 1 -1 fox hello" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:11 +0900] "OPTIONS * RTSP/1.0" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:21 +0900] "stats" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:30 +0900] "\x03" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:30 +0900] "\x03" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:33 +0900] "W" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:33 +0900] "@RSYNCD: 29" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:45 +0900] "INFO ALL" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:50:13 +0900] "\x03printer" 400 0 "-" "-"
Log.5 Apache access.log

3. Brief observations

phpMyAdmin

First, Log.1 and Log.4.

According to Wikipedia, phpMyAdmin is a database client tool for administering MySQL servers from a web browser.

The requests appear to be probing likely directory paths to find out whether it is installed.

Incidentally, one of the sites listed in the sources below has an article in which the author actually set up a honeypot and observed these probes.

Mercurial

Next, Log.2.

/.hg/hgrc is apparently part of a Mercurial repository directory (.hg).

According to Wikipedia, Mercurial is a cross-platform distributed version control system.

That aside, what on earth is going on with the UA being "FBI"....

When I checked where the IP is located, it was in Russia....

WordPress

Next, Log.3.

According to the source below, xmlrpc.php is a WordPress file.

WordPress, whose vulnerabilities are a frequent topic, really does get targeted.

???

Finally, Log.5.

This is the one that scared me the most this time.

I don't really understand it, but is it issuing some kind of commands?

It gives me the creeps, so if anyone knows, please tell me in the comments.
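As an added example (not code from the original post), the following Python script parses lines in Apache's combined log format, flags the probe paths and scanner user agents seen in Log.1 to Log.4, and, for the non-HTTP request lines in Log.5, names the protocol each one resembles. The signature lists and the prefix-to-protocol mapping are my own reading of the excerpts above, not an official signature set, and the embedded sample lines are copied from Log.1 to Log.5.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat. Apache escapes quotes and control bytes inside
# the request line (\" and \xNN), so the greedy (?P<req>.*) is anchored by the
# fixed fields that follow it rather than by the first closing quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths and agents that identify the scanners in the post's excerpts.
# Hypothetical list assembled from those excerpts, not an official signature set.
SCANNER_PATHS = ('/scripts/setup.php', '/muieblackcat', '/w00tw00t.',
                 '/xmlrpc.php', '/.hg/hgrc')
SCANNER_AGENTS = ('ZmEu', 'FBI')

# How the non-HTTP request lines of Log.5 appear after Apache's escaping, and
# which protocol banner each one looks like. Assumption: this mapping is mine.
PROTOCOL_HINTS = (
    (r'\x16\x03\x01', 'TLS ClientHello on a plaintext port'),
    ('OPTIONS * RTSP/', 'RTSP OPTIONS'),
    ('@RSYNCD:', 'rsync daemon greeting'),
    ('stats', 'memcached stats'),
    ('INFO ALL', 'Redis INFO'),
    (r'\x03printer', 'LPD queue-state request'),
    ('fox a ', 'Niagara Fox'),
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry['req'].split(' ')
    # A well-formed request line is exactly "METHOD PATH HTTP/x.y".
    if len(parts) == 3 and parts[2].startswith('HTTP/'):
        entry['method'], entry['path'], entry['proto'] = parts
    else:
        entry['method'] = entry['path'] = entry['proto'] = None
    return entry


def classify(entry):
    """Return the reasons this entry looks like scanner traffic (empty list = benign)."""
    reasons = []
    if entry['path'] is None:
        # Apache answered 400 to something that was never HTTP; name it if we can.
        proto = next((name for prefix, name in PROTOCOL_HINTS
                      if entry['req'].startswith(prefix)), 'unknown non-HTTP probe')
        reasons.append('non-http:' + proto)
        return reasons
    # Collapse the "//phpmyadmin/..." doubled slashes before matching paths.
    path = re.sub(r'/+', '/', entry['path'])
    if any(marker in path for marker in SCANNER_PATHS):
        reasons.append('probe-path:' + path)
    if any(agent in entry['ua'] for agent in SCANNER_AGENTS):
        reasons.append('scanner-ua:' + entry['ua'])
    return reasons


def summarize(lines):
    """Group flagged requests by client IP: {ip: {'hits': n, 'reasons': set}}."""
    report = defaultdict(lambda: {'hits': 0, 'reasons': set()})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            report[entry['ip']]['hits'] += 1
            report[entry['ip']]['reasons'].update(reasons)
    return dict(report)


# Lines copied from Log.1 to Log.5 above, including one ordinary "GET /" request.
SAMPLE_LOG = r'''
80.211.231.111 - - [06/Aug/2017:11:31:15 +0900] "GET /muieblackcat HTTP/1.1" 404 374 "-" "-"
80.211.231.111 - - [06/Aug/2017:11:31:16 +0900] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 390 "-" "-"
5.188.203.23 - - [06/Aug/2017:14:20:04 +0900] "GET /.hg/hgrc HTTP/1.0" 404 370 "-" "FBI"
94.102.49.122 - - [06/Aug/2017:23:16:11 +0900] "GET /xmlrpc.php HTTP/1.1" 404 353 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
121.40.151.219 - - [08/Aug/2017:01:22:44 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 403 "-" "ZmEu"
164.52.7.132 - - [08/Aug/2017:08:48:49 +0900] "\x16\x03\x01\x01\"\x01" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:48:58 +0900] "GET / HTTP/1.1" 200 3353 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
164.52.7.132 - - [08/Aug/2017:08:49:11 +0900] "OPTIONS * RTSP/1.0" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:49:33 +0900] "@RSYNCD: 29" 400 0 "-" "-"
164.52.7.132 - - [08/Aug/2017:08:50:13 +0900] "\x03printer" 400 0 "-" "-"
'''.strip().splitlines()

if __name__ == '__main__':
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info['hits'], sorted(info['reasons']))
```

Two points the script makes visible. First, the Log.5 lines are not commands being run on the server: they are greeting or handshake messages for other protocols (a TLS ClientHello, an RTSP OPTIONS, an rsync daemon greeting, an LPD queue request, and so on) thrown at port 80 by a service-fingerprinting scanner, and Apache refused each with a 400 and logged the raw bytes escaped. Second, grouping by source IP rather than by line is what turns twenty-odd 404s into one scanner, which is the shape a fail2ban filter or a firewall block list wants; the regex deliberately does not take the first closing quote as the end of the request line, because Apache's escaped `\"` in the TLS probe would otherwise break the parse.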

4. Sources

Wikipedia. phpMyAdmin. Retrieved August 9, 2017, from https://ja.wikipedia.org/wiki/PhpMyAdmin
ろば電子が詰まっている. Observing attacks aimed at phpMyAdmin (phpMyAdminを狙った攻撃観察). Retrieved August 9, 2017, from http://d.hatena.ne.jp/ozuma/20130916/1379332757
Wikipedia. Mercurial. Retrieved August 9, 2017, from https://ja.wikipedia.org/wiki/Mercurial
Smart | サーバ構築・ウェブサイト制作の講座サイト. What to do when xmlrpc.php is hit by a DoS attack (xmlrpc.phpにDoS攻撃を受けた時の対処法). Retrieved August 9, 2017, from http://rfs.jp/sb/wordpress/wp-lab/xmlrpc-php-ddos.html
