>> 목록보이기
#공격로그
#스캔로그
#Apache Axis2
#POST /command.php
#muieblackcat
오늘의 웹서버 공격로그 (2016년 12월 8,9일
122.241.135.164 - - [08/Dec/2016:15:35:58 +0900] "GET /axis2 HTTP/1.1" 404 413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" 222.186.21.211 - - [08/Dec/2016:23:19:55 +0900] "GET /axis2 HTTP/1.1" 404 413 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
접속자 IP주소: 122.241.135.164 (중국 저장성), 222.186.21.211 (중국 장쑤성)
Apache Axis2에 대한 탐색이다.
종종 Axis2에 대한 스캔이 관찰된다. Axis2에도 무언가 취약점이 있다는 뜻이다.
대표적인 것으로는 Axis2의 초기 관리자 비밀번호가 admin:1234인 것이 있다.
91.236.75.4 - - [08/Dec/2016:17:57:56 +0900] "GET http://www.google.com/reader/about/ HTTP/1.1" 404 420 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 61.164.149.211 - - [08/Dec/2016:19:21:42 +0900] "GET http://www.sgtsrj.com/index.aspx HTTP/1.1" 404 417 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" 123.59.69.128 - - [09/Dec/2016:23:13:33 +0900] "GET http://www.baidu.com/favicon.ico HTTP/1.1" 200 1691 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" 50.118.255.147 - - [09/Dec/2016:18:58:46 +0900] "GET http://www.luisaranguren.com/azenv.php HTTP/1.1" 404 442 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; Trident/5.0)" 50.118.255.147 - - [09/Dec/2016:18:58:47 +0900] "CONNECT www.baidu.com:443 HTTP/1.1" 200 26906 "-" "-" 50.118.255.147 - - [09/Dec/2016:18:58:47 +0900] "\x80\x98\x01\x03\x01" 400 0 "-" "-" 198.12.15.59 - - [09/Dec/2016:05:50:42 +0900] "GET http://www.sgtsrj.com/index.aspx HTTP/1.1" 404 417 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" 50.118.255.147 - - [09/Dec/2016:02:22:21 +0900] "CONNECT www.baidu.com:443 HTTP/1.1" 200 27545 "-" "-" 50.118.255.147 - - [09/Dec/2016:02:22:21 +0900] "\x80\x98\x01\x03\x01" 400 0 "-" "-" 180.150.187.160 - - [09/Dec/2016:09:32:37 +0900] "GET http://www.baidu.com/favicon.ico HTTP/1.1" 200 1691 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
접속자 IP주소: 91.236.75.4 (폴란드), 61.164.149.211 (중국 저장성) 등
공개 프록시 기능 탐색 로그들이다.
서버 응답은 404.
50.118.255.147 - - [09/Dec/2016:02:22:20 +0900] "GET http://proxyjudge.us/ HTTP/1.1" 200 26668 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; Trident/5.0)" 123.59.42.149 - - [09/Dec/2016:00:27:59 +0900] "GET http://www.baidu.com/favicon.ico HTTP/1.1" 200 1691 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
접속자 IP주소: 50.118.255.147 (미국 캘리포니아), 123.59.42.149 (중국 북경)
서버 응답은 200인 공개 프록시 기능 탐색 로그들이다. 특이하게도,
웹핵누리집의 Apache 웹서버는 "GET http://another.site/path HTTP/1.1"를
"GET /path HTTP/1.1"로 응답하는 것을 관찰하였다.
(아파치 서버의 특징일까?)
157.52.188.41 - - [08/Dec/2016:22:48:31 +0900] "GET /manager/html HTTP/1.1" 404 420 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)" 101.201.208.90 - - [09/Dec/2016:14:51:30 +0900] "GET /manager/html HTTP/1.1" 404 420 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
접속자 IP주소: 157.52.188.41 (미국 캘리포니아), 101.201.208.90 (중국 저장성)
Apache Tomcat Default Manager 탐색 로그들이다.
191.179.84.159 - - [09/Dec/2016:16:55:27 +0900] "GET /cgi/common.cgi HTTP/1.0" 404 439 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:28 +0900] "GET /stssys.htm HTTP/1.0" 404 435 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:30 +0900] "POST /command.php HTTP/1.0" 404 436 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:30 +0900] "GET /language/Swedish${IFS}&&echo${IFS}610cker>qt&&tar${IFS}/string.js HTTP/1.0" 404 509 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:31 +0900] "GET /../../../../../../../mnt/mtd/qt HTTP/1.0" 400 455 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:32 +0900] "GET /cgi/common.cgi HTTP/1.0" 404 439 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:33 +0900] "GET /stssys.htm HTTP/1.0" 404 435 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:35 +0900] "POST /command.php HTTP/1.0" 404 436 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:35 +0900] "GET /language/Swedish${IFS}&&echo${IFS}610cker>qt&&tar${IFS}/string.js HTTP/1.0" 404 509 "-" "Wget(linux)"
191.179.84.159 - - [09/Dec/2016:16:55:36 +0900] "GET /../../../../../../../mnt/mtd/qt HTTP/1.0" 400 455 "-" "Wget(linux)"
접속자 IP주소: 191.179.84.159 (브라질 리오데자네이로)
D-Link 무선공유기 취약점 탐색 로그들이다.
89.248.169.50 - - [10/Dec/2016:05:19:06 +0900] "GET /muieblackcat HTTP/1.1" 404 437 "-" "-" 89.248.169.50 - - [10/Dec/2016:05:19:07 +0900] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "-" 89.248.169.50 - - [10/Dec/2016:05:19:08 +0900] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 453 "-" "-" 89.248.169.50 - - [10/Dec/2016:05:19:08 +0900] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 453 "-" "-"
접속자 IP주소: 89.248.169.50 (세에셸 공화국)
Muieblackcat 스캔봇 탐색 로그들이다. PhpMyAdmin을 찾으려는 시도이다.
[처음 작성한 날: 2016.12.10] [마지막으로 고친 날: 2016.12.10]
< 이전 글 : HTML 삽입, XSS 공격 탐지방법 (2016.12.11)
> 다음 글 : 오늘의 웹서버 공격 로그, XML-RPC, Open Proxy (2016.12.08)
이 저작물은 크리에이티브
커먼즈 저작자표시 4.0 국제 라이선스에 따라 이용할 수 있습니다.
잘못된 내용, 오탈자 및 기타 문의사항은 j1n5uk{at}daum.net으로 연락주시기 바랍니다.
문서의 시작으로 컴퓨터 깨알지식 웹핵 누리집 대문