





#attack log #scan log #phpMyAdmin #automated attack tool #Zmeu scanner #ZmEu Scanner #CVE-2009-1151 #/scripts/setup.php #A9-Using Components with Known Vulnerabilities

Today's web server vulnerability scan log: ZmEu Scanner, a vulnerability probing tool dedicated to phpMyAdmin


Zmeu, a monster of Romanian myth. Image source: Wikimedia

phpMyAdmin is a web interface for administering MySQL, written in PHP. Because it makes managing a MySQL DBMS convenient, it is deployed almost everywhere. Looking at the Apache log of the Webhack site today, I could see a client walking through phpMyAdmin paths. The client IP address is 52.205.94.248 (United States; Virginia or Illinois). The access log from this IP has two distinctive features: 1) every request probes a /scripts/setup.php path, and 2) the browser (User-Agent) string is ZmEu.

52.205.94.248 - - [21/Jan/2017:04:44:03 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:03 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:04 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:04 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:04 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:05 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:05 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:06 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:06 +0900] "GET /myAdmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:07 +0900] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:07 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:08 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:08 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:09 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:09 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:09 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:10 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 446 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:10 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:11 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:11 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:12 +0900] "GET /scripts/setup.php HTTP/1.1" 404 442 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:12 +0900] "GET /admin/scripts/setup.php HTTP/1.1" 404 448 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:12 +0900] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 452 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:13 +0900] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:13 +0900] "GET /db/scripts/setup.php HTTP/1.1" 404 445 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:14 +0900] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:14 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:15 +0900] "GET /mysql/scripts/setup.php HTTP/1.1" 404 448 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:15 +0900] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:16 +0900] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:16 +0900] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 451 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:16 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 446 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:17 +0900] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 457 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:17 +0900] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:18 +0900] "GET /web/scripts/setup.php HTTP/1.1" 404 446 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:18 +0900] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 455 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:19 +0900] "GET /websql/scripts/setup.php HTTP/1.1" 404 449 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:19 +0900] "GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 455 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:20 +0900] "GET /_phpmyadmin/scripts/setup.php HTTP/1.1" 404 454 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:20 +0900] "GET /administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 494 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:20 +0900] "GET /apache-default/phpmyadmin/scripts/setup.php HTTP/1.1" 404 468 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:21 +0900] "GET /blog/phpmyadmin/scripts/setup.php HTTP/1.1" 404 458 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:21 +0900] "GET /cpanelphpmyadmin/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:22 +0900] "GET /cpphpmyadmin/scripts/setup.php HTTP/1.1" 404 455 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:22 +0900] "GET /forum/phpmyadmin/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:23 +0900] "GET /php/phpmyadmin/scripts/setup.php HTTP/1.1" 404 457 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:23 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:23 +0900] "GET /phpMyAdmin-2.10.0.0/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:24 +0900] "GET /phpMyAdmin-2.10.0.1/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:24 +0900] "GET /phpMyAdmin-2.10.0.2/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:25 +0900] "GET /phpMyAdmin-2.10.0/scripts/setup.php HTTP/1.1" 404 460 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:25 +0900] "GET /phpMyAdmin-2.10.1.0/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:26 +0900] "GET /phpMyAdmin-2.10.2.0/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:26 +0900] "GET /phpMyAdmin-2.11.0.0/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:27 +0900] "GET /phpMyAdmin-2.11.1-all-languages/scripts/setup.php HTTP/1.1" 404 474 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:27 +0900] "GET /phpMyAdmin-2.11.1.0/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:28 +0900] "GET /phpMyAdmin-2.11.1.1/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:28 +0900] "GET /phpMyAdmin-2.11.1.2/scripts/setup.php HTTP/1.1" 404 462 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:28 +0900] "GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:29 +0900] "GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:29 +0900] "GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:30 +0900] "GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:30 +0900] "GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:31 +0900] "GET /phpMyAdmin-2.6.5/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:31 +0900] "GET /phpMyAdmin-2.6.6/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:31 +0900] "GET /phpMyAdmin-2.6.9/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:32 +0900] "GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" 404 465 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:32 +0900] "GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:33 +0900] "GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:33 +0900] "GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:34 +0900] "GET /phpMyAdmin-2.7.5/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:34 +0900] "GET /phpMyAdmin-2.7.6/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:35 +0900] "GET /phpMyAdmin-2.7.7/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:35 +0900] "GET /phpMyAdmin-2.8.2.3/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:35 +0900] "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:36 +0900] "GET /phpMyAdmin-2.8.3/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:36 +0900] "GET /phpMyAdmin-2.8.4/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:37 +0900] "GET /phpMyAdmin-2.8.5/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:37 +0900] "GET /phpMyAdmin-2.8.6/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:38 +0900] "GET /phpMyAdmin-2.8.7/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:38 +0900] "GET /phpMyAdmin-2.8.8/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:39 +0900] "GET /phpMyAdmin-2.8.9/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:39 +0900] "GET /phpMyAdmin-2.9.0-rc1/scripts/setup.php HTTP/1.1" 404 463 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:40 +0900] "GET /phpMyAdmin-2.9.0.1/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:40 +0900] "GET /phpMyAdmin-2.9.0.2/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:40 +0900] "GET /phpMyAdmin-2.9.0/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:41 +0900] "GET /phpMyAdmin-2.9.1/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:41 +0900] "GET /phpMyAdmin-2.9.2/scripts/setup.php HTTP/1.1" 404 459 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:42 +0900] "GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 455 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:42 +0900] "GET /phpMyAdmin-3.0.0-rc1-english/scripts/setup.php HTTP/1.1" 404 471 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:43 +0900] "GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:43 +0900] "GET /phpMyAdmin-3.0.1.0-english/scripts/setup.php HTTP/1.1" 404 469 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:44 +0900] "GET /phpMyAdmin-3.0.1.0/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:44 +0900] "GET /phpMyAdmin-3.0.1.1/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:45 +0900] "GET /phpMyAdmin-3.1.0.0-english/scripts/setup.php HTTP/1.1" 404 469 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:45 +0900] "GET /phpMyAdmin-3.1.0.0/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:46 +0900] "GET /phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:46 +0900] "GET /phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php HTTP/1.1" 404 475 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:46 +0900] "GET /phpMyAdmin-3.1.2.0-english/scripts/setup.php HTTP/1.1" 404 469 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:47 +0900] "GET /phpMyAdmin-3.1.2.0/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:47 +0900] "GET /phpMyAdmin-3.4.3.1/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:48 +0900] "GET /phpMyAdmin2/scripts/setup.php HTTP/1.1" 404 454 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:48 +0900] "GET /phpMyAdmin3/scripts/setup.php HTTP/1.1" 404 454 "-" "ZmEu"
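As an added example (not code from this post, from the scanner, or from phpMyAdmin), the Python below parses Apache combined-format lines like the ones above and turns the two features noted at the top, the /scripts/setup.php path and the ZmEu User-Agent, into detection logic: it groups probes per source IP, measures the burst, separates 404 noise from responses that show the path actually exists on the host, and recovers the directory wordlist the scanner is working from. The 52.205.94.248 sample lines are copied from the log above; the 198.51.100.7 lines (a TEST-NET-2 address) are constructed to show a probe that hits an existing path while carrying a browser-like User-Agent.

```python
"""Flag ZmEu-style phpMyAdmin setup.php probing in an Apache combined log.

Added example for this post; not part of the scanner or of phpMyAdmin.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two signals from the post. The path is the strong one; the User-Agent is
# client-controlled and trivially changed, so it is corroboration, not the trigger.
SETUP_SUFFIX = "/scripts/setup.php"
SCANNER_UAS = {"ZmEu"}

# Sample input: the four 52.205.94.248 lines are taken from the log in the post;
# the two 198.51.100.7 lines are constructed to show a probe that finds an
# existing path while using a browser-like User-Agent.
SAMPLE_LOG = """\
52.205.94.248 - - [21/Jan/2017:04:44:03 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 450 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:04 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 453 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:12 +0900] "GET /scripts/setup.php HTTP/1.1" 404 442 "-" "ZmEu"
52.205.94.248 - - [21/Jan/2017:04:44:47 +0900] "GET /phpMyAdmin-3.4.3.1/scripts/setup.php HTTP/1.1" 404 461 "-" "ZmEu"
198.51.100.7 - - [21/Jan/2017:04:45:10 +0900] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jan/2017:04:45:11 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(rec):
    """Return the tuple of signal names that fire for one parsed request."""
    signals = []
    if rec["path"].lower().endswith(SETUP_SUFFIX):
        signals.append("setup_php_probe")
    if rec["ua"] in SCANNER_UAS:
        signals.append("scanner_ua")
    return tuple(signals)


def analyze(log_text):
    """Summarise setup.php probes per source IP.

    Per IP: probe count, distinct paths tried, length of the burst in seconds, and
    the probes that did NOT get a 404. A 404 burst is background noise; a 200, 301,
    401 or 403 means the path exists on this host and the scanner has found a
    phpMyAdmin install, which is the line that needs a human.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "paths": set(), "ts": [], "found": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "setup_php_probe" not in classify(rec):
            continue
        s = per_ip[rec["ip"]]
        s["probes"] += 1
        s["paths"].add(rec["path"])
        s["ts"].append(rec["ts"])
        if rec["status"] != 404:
            s["found"].append((rec["path"], rec["status"], rec["ua"]))
    return {
        ip: {
            "probes": s["probes"],
            "distinct_paths": len(s["paths"]),
            "duration_s": (max(s["ts"]) - min(s["ts"])).total_seconds(),
            "found": s["found"],
        }
        for ip, s in per_ip.items()
    }


def probed_dirs(log_text):
    """Recover the scanner's wordlist: every directory tried in front of /scripts/setup.php.

    Doubles as a deny list for a WAF or mod_rewrite rule, and as a checklist of
    names to make sure are not reachable on your own hosts.
    """
    dirs = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "setup_php_probe" in classify(rec):
            dirs.add(rec["path"][: -len(SETUP_SUFFIX)] or "/")
    return sorted(dirs)


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
    print("wordlist:", probed_dirs(SAMPLE_LOG))
```

Key the alert on the path, not on the User-Agent: "ZmEu" is an honest label in this log, but any scanner can send whatever User-Agent it likes, whereas it cannot test setup.php without requesting that path. In the sample, the ZmEu burst produces only 404s and is noise; the single constructed 200 for /pma/scripts/setup.php is the line worth paging someone about.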

Zmeu is a monster from Romanian legend, shaped like a western dragon but with human arms and legs. It is said to be able to turn those limbs into all sorts of weapons and to breathe fire. It appears often in recent games, usually drawn as a muscular man with a western dragon's wings and tail. Named after the versatile(?) Zmeu, ZmEu Scanner is a vulnerability scanner dedicated to phpMyAdmin, presumed to have been written by Romanian hackers. It is reported to include both phpMyAdmin vulnerability scanning and SSH brute-force attack functionality.

[Reference]

The /scripts/setup.php vulnerability that ZmEu Scanner is looking for is CVE-2009-1151, disclosed in March 2009. Its description reads:

"Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action."

In other words, a flaw in the PHP code used during phpMyAdmin installation lets an attacker write a web shell into the configuration file. The advised fix was therefore to delete /scripts/setup.php. The setup script can only write that file while its config/ directory is writable by the web server user, which is why the phpMyAdmin documentation tells you to remove the config directory once configuration is done; an install left half-finished is the one the scanner is hoping for. (phpMyAdmin has had many other vulnerabilities besides this one, so the safest measure is to make the whole interface unreachable to anyone but administrators.)

According to CVEdetails.com, this vulnerability is present in phpMyAdmin versions up to 3.1.3. Yet the access log also shows a request for phpMyAdmin 3.4.3.1 ("GET /phpMyAdmin-3.4.3.1/scripts/setup.php HTTP/1.1"). That should not be read as evidence that 3.4.3.1 carries the same flaw; it is well past the 3.1.3.1 fix. The path list is better understood as a wordlist of directory names under which phpMyAdmin is commonly found (default aliases, hosting-panel paths, and tarball names such as phpMyAdmin-2.11.1-all-languages), and the scanner tries every entry against every host. Only a non-404 response tells the scanner that an install exists at that name; whether it is vulnerable depends on the version actually running there.

[First written: 2017.01.21]    [Last revised: 2017.01.21]




This work is licensed under the Creative Commons Attribution 4.0 International License.
For errors, typos and other inquiries, contact j1n5uk{at}daum.net.