Tuesday, June 5, 2018

Learning System Vulnerabilities from Web Logs 13

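This phpMyAdmin intrusion probe has a few characteristics: each run lasts about one minute; each run uses a single IP (a different IP every time, so it is hard to block at the firewall); and it opens with the two requests "PROPFIND / HTTP/1.1" 405 236 "-" "-" and "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 226 "-" ". When I first set up the site I used a small program that automatically added a client to the firewall block list if the site received a large number of requests in a short time, but that program also blocked normal access, so I stopped using it. Using Apache's blocking rules only changes the error from 404 to 403, which is pointless. I'll keep looking for a way to solve this.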


47.89.10.162 - - [05/Jun/2018:09:02:47 +0800] "PROPFIND / HTTP/1.1" 405 236 "-" "-"
47.89.10.162 - - [05/Jun/2018:09:02:47 +0800] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 404 226 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:50 +0800] "GET /index.php HTTP/1.1" 404 207 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:50 +0800] "GET /phpmyadmin/index.php HTTP/1.1" 404 218 "-" "Mozilla/5.0"

47.89.10.162 - - [05/Jun/2018:09:02:51 +0800] "GET /phpMyAdmin/index.php HTTP/1.1" 404 218 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:51 +0800] "GET /pmd/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:51 +0800] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:51 +0800] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:51 +0800] "GET /PMA2/index.php HTTP/1.1" 404 212 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:52 +0800] "GET /pmamy/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:52 +0800] "GET /pmamy2/index.php HTTP/1.1" 404 214 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:54 +0800] "GET /mysql/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:54 +0800] "GET /admin/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:54 +0800] "GET /db/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:55 +0800] "GET /dbadmin/index.php HTTP/1.1" 404 215 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:55 +0800] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:55 +0800] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:55 +0800] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:55 +0800] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:55 +0800] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:56 +0800] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:56 +0800] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:57 +0800] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:58 +0800] "GET /mysqladmin/index.php HTTP/1.1" 404 218 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:58 +0800] "GET /mysql-admin/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:58 +0800] "GET /phpadmin/index.php HTTP/1.1" 404 216 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:59 +0800] "GET /phpmyadmin0/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:59 +0800] "GET /phpmyadmin1/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:59 +0800] "GET /phpmyadmin2/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:59 +0800] "GET /myadmin/index.php HTTP/1.1" 404 215 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:59 +0800] "GET /myadmin2/index.php HTTP/1.1" 404 216 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:02:59 +0800] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:00 +0800] "GET /phpMyadmin_bak/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:02 +0800] "GET /www/phpMyAdmin/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:03 +0800] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:03 +0800] "GET /phpmyadmin-old/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:03 +0800] "GET /phpMyAdminold/index.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:03 +0800] "GET /phpMyAdmin.old/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:03 +0800] "GET /pma-old/index.php HTTP/1.1" 404 215 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:03 +0800] "GET /claroline/phpMyAdmin/index.php HTTP/1.1" 404 228 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:04 +0800] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:06 +0800] "GET /phpma/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:06 +0800] "GET /phpmyadmin/phpmyadmin/index.php HTTP/1.1" 404 229 "-" "Mozilla/5.0"
47.89.10.162 - - [05/Jun/2018:09:03:06 +0800] "GET /phpMyAdmin/phpMyAdmin/index.php HTTP/1.1" 404 229 "-" "Mozilla/5.0"
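
The probe above can be told apart from ordinary bursts of traffic by its signature (one of the two opening requests followed by many distinct 404 paths from the same IP within a minute) rather than by request rate alone. The Python below is an added example, not code from the original post; the 60-second window, the five-path threshold and the sample log lines (documentation IP addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip, timestamp, method, path, status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# The two requests the post says open every run
OPENERS = {("PROPFIND", "/"), ("POST", "/wls-wsat/CoordinatorPortType")}
WINDOW = timedelta(seconds=60)  # assumption: a run lasts about one minute
MIN_MISSING = 5                 # assumption: distinct 404 paths needed to flag

def find_scanners(lines):
    """Return client IPs whose requests match the probe signature."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events[ip].append((when, method, path, int(status)))
    flagged = set()
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])  # stable: same-second order is kept
        for i, (start, method, path, _) in enumerate(evs):
            if (method, path) not in OPENERS:
                continue
            # distinct paths answered 404 within the window after the opener
            missing = {p for t, m2, p, s in evs[i + 1:]
                       if m2 == "GET" and s == 404 and t - start <= WINDOW}
            if len(missing) >= MIN_MISSING:
                flagged.add(ip)
                break
    return flagged

def sample_log():
    """Constructed log lines: one probe run and one busy normal visitor."""
    fmt = '{} - - [05/Jun/2018:09:02:{:02d} +0800] "{} {} HTTP/1.1" {} 211 "-" "Mozilla/5.0"'
    log = [fmt.format("198.51.100.7", 47, "PROPFIND", "/", 405),
           fmt.format("198.51.100.7", 47, "POST", "/wls-wsat/CoordinatorPortType", 404)]
    for n, d in enumerate(["phpmyadmin", "pma", "PMA", "mysql", "dbadmin", "myadmin"]):
        log.append(fmt.format("198.51.100.7", 50 + n, "GET", f"/{d}/index.php", 404))
    for n in range(10):  # ten page views in ten seconds, all served
        log.append(fmt.format("203.0.113.9", 40 + n, "GET", f"/post/{n}", 200))
    log.append(fmt.format("203.0.113.9", 50, "GET", "/favicon.ico", 404))
    return log

if __name__ == "__main__":
    print(sorted(find_scanners(sample_log())))
```

The busy visitor at 203.0.113.9 makes more requests than the probe but is not flagged, which is the case the rate-based blocker mentioned in the post got wrong.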
