오늘의 웹서버 공격 로그: MySQL 관리 인터페이스 자동탐색 도구

홈페이지 취약점 분석 이야기	파일 지도 사진 깨알

>> 목록보이기
#공격로그 #스캔로그 #phpMyAdmin #자동화 공격도구 #조르기 스캐너 #Jorgee Vulnerability Scanner #A9-Using Components with Known Vulnerabilities

오늘의 웹서버 취약점 스캔 로그: MySQL 관리자 인터페이스 전용 취약점 탐지 도구, 조르기 스캐너

해커들이 사용하는 취약점 스캐너 중 Jorgee Security Scanner는 phpMyAdmin과 같이 MySQL 관리자 애플리케이션을 탐지하는 도구이다. 2012년 이전부터 지속적으로 MySQL SQL 관리기능을 표적으로 하는 웹취약점스캐너라고 한다. User-Agent 문자열은 Mozilla/5.0 Jorgee를 사용한다. 그리고 HTTP 요청은 HEAD http://122.32.19.138:80/mysql/dbadmin/와 같이 GET이 아니라 HEAD를 사용하면 IP주소를 이용한다는 것이 특이하다.

2009년, 2010년에 보고된 바 있는 Revolt Scanner도 비슷한 로그를 남긴다. Jorgee와 Revolt Scanner는 뭔가 서로 관련이 있을 것 같다.

공격자의 IP주소는 188.34.2.17(이란 테헤란)이다.

188.34.2.17 - - [24/Jan/2017:17:29:23 +0900] "HEAD http://122.32.19.138:80/mysql/admin/ HTTP/1.1" 404 180 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:23 +0900] "HEAD http://122.32.19.138:80/mysql/dbadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:23 +0900] "HEAD http://122.32.19.138:80/mysql/sqlmanager/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:24 +0900] "HEAD http://122.32.19.138:80/mysql/mysqlmanager/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:24 +0900] "HEAD http://122.32.19.138:80/phpmyadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:24 +0900] "HEAD http://122.32.19.138:80/phpMyadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:25 +0900] "HEAD http://122.32.19.138:80/phpMyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:25 +0900] "HEAD http://122.32.19.138:80/phpmyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:26 +0900] "HEAD http://122.32.19.138:80/phpmyadmin2/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:26 +0900] "HEAD http://122.32.19.138:80/phpmyadmin3/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:27 +0900] "HEAD http://122.32.19.138:80/phpmyadmin4/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:27 +0900] "HEAD http://122.32.19.138:80/2phpmyadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:27 +0900] "HEAD http://122.32.19.138:80/phpmy/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:28 +0900] "HEAD http://122.32.19.138:80/phppma/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:28 +0900] "HEAD http://122.32.19.138:80/myadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:29 +0900] "HEAD http://122.32.19.138:80/shopdb/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:29 +0900] "HEAD http://122.32.19.138:80/MyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:29 +0900] "HEAD http://122.32.19.138:80/program/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:30 +0900] "HEAD http://122.32.19.138:80/PMA/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:30 +0900] "HEAD http://122.32.19.138:80/dbadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:30 +0900] "HEAD http://122.32.19.138:80/pma/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:31 +0900] "HEAD http://122.32.19.138:80/db/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:31 +0900] "HEAD http://122.32.19.138:80/admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:31 +0900] "HEAD http://122.32.19.138:80/mysql/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:32 +0900] "HEAD http://122.32.19.138:80/database/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:32 +0900] "HEAD http://122.32.19.138:80/db/phpmyadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:32 +0900] "HEAD http://122.32.19.138:80/db/phpMyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:33 +0900] "HEAD http://122.32.19.138:80/sqlmanager/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:33 +0900] "HEAD http://122.32.19.138:80/mysqlmanager/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:33 +0900] "HEAD http://122.32.19.138:80/php-myadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:34 +0900] "HEAD http://122.32.19.138:80/phpmy-admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:35 +0900] "HEAD http://122.32.19.138:80/mysqladmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:35 +0900] "HEAD http://122.32.19.138:80/mysql-admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:35 +0900] "HEAD http://122.32.19.138:80/admin/phpmyadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:36 +0900] "HEAD http://122.32.19.138:80/admin/phpMyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:36 +0900] "HEAD http://122.32.19.138:80/admin/sysadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:37 +0900] "HEAD http://122.32.19.138:80/admin/sqladmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:37 +0900] "HEAD http://122.32.19.138:80/admin/db/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:37 +0900] "HEAD http://122.32.19.138:80/admin/web/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:38 +0900] "HEAD http://122.32.19.138:80/admin/pMA/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:38 +0900] "HEAD http://122.32.19.138:80/mysql/pma/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:38 +0900] "HEAD http://122.32.19.138:80/mysql/db/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:39 +0900] "HEAD http://122.32.19.138:80/mysql/web/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:39 +0900] "HEAD http://122.32.19.138:80/mysql/pMA/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:40 +0900] "HEAD http://122.32.19.138:80/sql/phpmanager/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:40 +0900] "HEAD http://122.32.19.138:80/sql/php-myadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:41 +0900] "HEAD http://122.32.19.138:80/sql/phpmy-admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:41 +0900] "HEAD http://122.32.19.138:80/sql/sql/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:41 +0900] "HEAD http://122.32.19.138:80/sql/myadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:42 +0900] "HEAD http://122.32.19.138:80/sql/webadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:42 +0900] "HEAD http://122.32.19.138:80/sql/sqlweb/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:42 +0900] "HEAD http://122.32.19.138:80/sql/websql/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:43 +0900] "HEAD http://122.32.19.138:80/sql/webdb/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:43 +0900] "HEAD http://122.32.19.138:80/sql/sqladmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:43 +0900] "HEAD http://122.32.19.138:80/sql/sql-admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:44 +0900] "HEAD http://122.32.19.138:80/sql/phpmyadmin2/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:44 +0900] "HEAD http://122.32.19.138:80/sql/phpMyAdmin2/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:44 +0900] "HEAD http://122.32.19.138:80/sql/phpMyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:45 +0900] "HEAD http://122.32.19.138:80/db/myadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:45 +0900] "HEAD http://122.32.19.138:80/db/webadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:45 +0900] "HEAD http://122.32.19.138:80/db/dbweb/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:45 +0900] "HEAD http://122.32.19.138:80/db/websql/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:46 +0900] "HEAD http://122.32.19.138:80/db/webdb/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:46 +0900] "HEAD http://122.32.19.138:80/db/dbadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:46 +0900] "HEAD http://122.32.19.138:80/db/db-admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:47 +0900] "HEAD http://122.32.19.138:80/db/phpmyadmin3/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:47 +0900] "HEAD http://122.32.19.138:80/db/phpMyAdmin3/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:47 +0900] "HEAD http://122.32.19.138:80/db/phpMyAdmin-3/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:48 +0900] "HEAD http://122.32.19.138:80/administrator/phpmyadmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:48 +0900] "HEAD http://122.32.19.138:80/administrator/phpMyAdmin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:48 +0900] "HEAD http://122.32.19.138:80/administrator/db/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:49 +0900] "HEAD http://122.32.19.138:80/administrator/web/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:49 +0900] "HEAD http://122.32.19.138:80/administrator/pma/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:49 +0900] "HEAD http://122.32.19.138:80/administrator/PMA/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:50 +0900] "HEAD http://122.32.19.138:80/administrator/admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:50 +0900] "HEAD http://122.32.19.138:80/phpMyAdmin2/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:50 +0900] "HEAD http://122.32.19.138:80/phpMyAdmin3/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:51 +0900] "HEAD http://122.32.19.138:80/phpMyAdmin4/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:51 +0900] "HEAD http://122.32.19.138:80/phpMyAdmin-3/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:51 +0900] "HEAD http://122.32.19.138:80/php-my-admin/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:52 +0900] "HEAD http://122.32.19.138:80/PMA2012/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:52 +0900] "HEAD http://122.32.19.138:80/pma2012/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:52 +0900] "HEAD http://122.32.19.138:80/PMA2011/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:53 +0900] "HEAD http://122.32.19.138:80/pma2011/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"
188.34.2.17 - - [24/Jan/2017:17:29:53 +0900] "HEAD http://122.32.19.138:80/phpmanager/ HTTP/1.1" 404 179 "-" "Mozilla/5.0 Jorgee"

[처음 작성한 날: 2017.01.25] [마지막으로 고친 날: 2017.01.25]

< 이전 글 : WH-WebEditor-CH 라이브 ISO: 이미지 검증 기능을 우회하여 PHP 웹쉘 생성 (2017.01.30)

> 다음 글 : WH-WebEditor-GM 라이브 ISO: 이미지 검증 기능을 우회하여 PHP 웹쉘 생성 (2017.01.23)

이 저작물은 크리에이티브 커먼즈 저작자표시 4.0 국제 라이선스에 따라 이용할 수 있습니다.
잘못된 내용, 오탈자 및 기타 문의사항은 j1n5uk{at}daum.net으로 연락주시기 바랍니다.
문서의 시작으로 컴퓨터 깨알지식 웹핵 누리집 대문