Attacked

I was looking through the logs. Attacks had started arriving right away. Quite a lot of them, too.

1. Attacks targeting the phpMyAdmin setup.php vulnerability

※ For reference, a link to someone else's page: [Confirmed cyber attacks exploiting the phpMyAdmin setup.php vulnerability]


A grep across the logs shows that quite a few of them are arriving.

-------<excerpt starts here>-------

root@wordpress:/var/log/apache2# grep myadmin *
access.log:208.67.1.236 - - [15/Jun/2016:20:45:32 +0000] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:33 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:34 +0000] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 409 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:36 +0000] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 409 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:38 +0000] "GET //_phpmyadmin/scripts/setup.php HTTP/1.1" 404 406 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:39 +0000] "GET //administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 431 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:39 +0000] "GET //apache-default/phpmyadmin/scripts/setup.php HTTP/1.1" 404 412 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:40 +0000] "GET //blog/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:40 +0000] "GET //cpanelphpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:41 +0000] "GET //cpphpmyadmin/scripts/setup.php HTTP/1.1" 404 406 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:41 +0000] "GET //forum/phpmyadmin/scripts/setup.php HTTP/1.1" 404 409 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:41 +0000] "GET //php/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "-"
access.log:208.67.1.236 - - [15/Jun/2016:20:45:42 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "-"
access.log:120.27.110.115 - - [16/Jun/2016:05:59:25 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
access.log:221.234.19.37 - - [16/Jun/2016:22:51:45 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
access.log:203.110.167.86 - - [18/Jun/2016:05:59:27 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
access.log:114.34.68.208 - - [18/Jun/2016:09:00:08 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
access.log:96.87.165.146 - - [18/Jun/2016:10:59:23 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
access.log.1:64.16.209.177 - - [05/Jun/2016:17:09:05 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 413 "-" "-"
access.log.1:121.42.150.120 - - [06/Jun/2016:02:33:33 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "ZmEu"
access.log.1:121.42.150.120 - - [06/Jun/2016:02:33:35 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "ZmEu"
access.log.1:190.244.96.69 - - [08/Jun/2016:03:18:55 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 391 "-" "-"
access.log.1:31.14.140.138 - - [08/Jun/2016:11:13:30 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "-"
access.log.1:31.14.140.138 - - [08/Jun/2016:11:13:31 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "-"
access.log.1:31.14.140.138 - - [08/Jun/2016:12:54:21 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "-"
access.log.1:31.14.140.138 - - [08/Jun/2016:12:54:22 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "-"
access.log.1:121.42.158.86 - - [08/Jun/2016:20:42:00 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "ZmEu"
access.log.1:121.42.158.86 - - [08/Jun/2016:20:42:01 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "ZmEu"
error.log:[Wed Jun 15 20:45:33 2016] [error] [client 208.67.1.236] File does not exist: /var/www/wordpress/myadmin
error.log:[Wed Jun 15 20:45:38 2016] [error] [client 208.67.1.236] File does not exist: /var/www/wordpress/_phpmyadmin
error.log:[Wed Jun 15 20:45:40 2016] [error] [client 208.67.1.236] File does not exist: /var/www/wordpress/cpanelphpmyadmin
error.log:[Wed Jun 15 20:45:41 2016] [error] [client 208.67.1.236] File does not exist: /var/www/wordpress/cpphpmyadmin
error.log:[Wed Jun 15 20:45:42 2016] [error] [client 208.67.1.236] File does not exist: /var/www/wordpress/phpmyadmin
error.log:[Thu Jun 16 05:59:25 2016] [error] [client 120.27.110.115] File does not exist: /var/www/wordpress/myadmin
error.log:[Thu Jun 16 22:51:45 2016] [error] [client 221.234.19.37] File does not exist: /var/www/wordpress/myadmin
error.log:[Sat Jun 18 05:59:27 2016] [error] [client 203.110.167.86] File does not exist: /var/www/wordpress/myadmin
error.log:[Sat Jun 18 09:00:08 2016] [error] [client 114.34.68.208] File does not exist: /var/www/wordpress/myadmin
error.log:[Sat Jun 18 10:59:23 2016] [error] [client 96.87.165.146] File does not exist: /var/www/wordpress/myadmin
error.log.1:[Sun Jun 05 17:09:05 2016] [error] [client 64.16.209.177] File does not exist: /var/www/wordpress/phpmyadmin
error.log.1:[Mon Jun 06 02:33:33 2016] [error] [client 121.42.150.120] File does not exist: /var/www/wordpress/phpmyadmin
error.log.1:[Mon Jun 06 02:33:35 2016] [error] [client 121.42.150.120] File does not exist: /var/www/wordpress/myadmin
error.log.1:[Wed Jun 08 03:18:55 2016] [error] [client 190.244.96.69] File does not exist: /var/www/wordpress/myadmin
error.log.1:[Wed Jun 08 11:13:30 2016] [error] [client 31.14.140.138] File does not exist: /var/www/wordpress/phpmyadmin
error.log.1:[Wed Jun 08 11:13:31 2016] [error] [client 31.14.140.138] File does not exist: /var/www/wordpress/myadmin
error.log.1:[Wed Jun 08 12:54:21 2016] [error] [client 31.14.140.138] File does not exist: /var/www/wordpress/phpmyadmin
error.log.1:[Wed Jun 08 12:54:22 2016] [error] [client 31.14.140.138] File does not exist: /var/www/wordpress/myadmin
error.log.1:[Wed Jun 08 20:42:00 2016] [error] [client 121.42.158.86] File does not exist: /var/www/wordpress/phpmyadmin
error.log.1:[Wed Jun 08 20:42:01 2016] [error] [client 121.42.158.86] File does not exist: /var/www/wordpress/myadmin
root@wordpress:/var/log/apache2#

-------<excerpt ends here>-------

Reportedly, once the attack succeeds, the next step is to check whether config.inc.php and setup.php exist. There was no trace of that, so it looks like we are fine for now.


2. Brute-force attacks against xmlrpc.php

-------<excerpt starts here>-------

root@wordpress:/var/log/apache2# grep xmlrpc * |wc
1207 22926 199092

1,207 attacks? That is too many to read through, so I looked at the first 20 lines and the last 20.

root@wordpress:/var/log/apache2# grep xmlrpc * | head -20
access.log:195.154.235.96 - - [18/Jun/2016:10:26:56 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:26:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:18 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:19 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:23 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:25 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:28 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:29 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:32 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:34 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:10:27:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
root@wordpress:/var/log/apache2# grep xmlrpc * | tail -20
access.log:195.154.235.96 - - [18/Jun/2016:11:09:49 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:09:51 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:09:53 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:09:55 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:09:57 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:09:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:10:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:11:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:11:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:11:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:11:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:11:18 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log:195.154.235.96 - - [18/Jun/2016:11:11:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
access.log.1:89.248.174.4 - - [11/Jun/2016:02:58:13 +0000] "GET /xmlrpc.php HTTP/1.1" 405 249 "-" "-"
root@wordpress:/var/log/apache2#

They were arriving once every 2 seconds, and at that moment the attack was still in progress.

-------<excerpt ends here>-------
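The two greps above (section 1 and section 2) are easy to automate. The script below is an added example, not code from the original post: it parses Apache combined-format lines (including lines that still carry the `access.log:` filename prefix grep adds), flags any source that requests a `scripts/setup.php` path or identifies itself with the `ZmEu` User-Agent seen in the log, flags any source that POSTs to `xmlrpc.php` at least FLOOD_COUNT times inside a FLOOD_WINDOW-second window, and renders the `ip route add blackhole` lines that do what the post's `route add ... lo` does. The sample log lines are constructed here to mirror the entries quoted above; the thresholds, the function names and the choice of `ZmEu` as a scanner signature are my assumptions, not anything the post defines.

```python
"""Added example (not from the original post): score Apache access-log lines
for phpMyAdmin setup.php probing and xmlrpc.php POST floods, then emit
blackhole routes for the offending sources.

Assumptions (mine): Apache "combined" log format, optionally prefixed with
the "access.log:" filename that grep adds; any request for a scripts/setup.php
path is a phpMyAdmin probe; the "ZmEu" User-Agent marks a scanner;
FLOOD_COUNT POSTs to xmlrpc.php inside FLOOD_WINDOW seconds is a brute force.
The thresholds are illustrative, not derived from the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
FLOOD_COUNT = 20       # xmlrpc.php POSTs from one IP ...
FLOOD_WINDOW = 60      # ... inside this many seconds -> brute force
SCANNER_UAS = {"ZmEu"}

# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?:[\w.]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any span of window_seconds."""
    times = sorted(times)
    span = timedelta(seconds=window_seconds)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > span:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Map each offending source IP to a sorted list of reasons it was flagged."""
    setup_paths = defaultdict(set)    # ip -> distinct setup.php paths probed
    xmlrpc_posts = defaultdict(list)  # ip -> timestamps of POST /xmlrpc.php
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["ua"] in SCANNER_UAS:
            reasons[ip].add("scanner-ua:" + rec["ua"])
        if path.endswith("/scripts/setup.php"):
            setup_paths[ip].add(path.lstrip("/"))   # "//myadmin/..." == "/myadmin/..."
        if rec["method"] == "POST" and path.split("?")[0] == "/xmlrpc.php":
            xmlrpc_posts[ip].append(rec["time"])
    for ip, paths in setup_paths.items():
        reasons[ip].add(f"phpmyadmin-probe:{len(paths)}-paths")
    for ip, times in xmlrpc_posts.items():
        if max_in_window(times, FLOOD_WINDOW) >= FLOOD_COUNT:
            reasons[ip].add("xmlrpc-flood")
    return {ip: sorted(r) for ip, r in reasons.items()}


def blackhole_commands(report):
    """iproute2 form of the post's `route add <ip> lo`: every packet for <ip> is
    dropped, so no SYN-ACK goes back and Apache never sees a request.
    Run as root; the routes are not persistent across a reboot."""
    return [f"ip route add blackhole {ip}/32" for ip in sorted(report)]


def _flood(ip, first, count, step=2):
    """Constructed sample: `count` POSTs to xmlrpc.php, `step` seconds apart."""
    t0 = datetime.strptime(first, TIME_FMT)
    ua = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    return [f'{ip} - - [{(t0 + timedelta(seconds=i * step)).strftime(TIME_FMT)}] '
            f'"POST /xmlrpc.php HTTP/1.1" 200 650 "-" "{ua}"' for i in range(count)]


# Constructed sample log, modelled on the entries quoted in the post.
SAMPLE_LOG = [
    '208.67.1.236 - - [15/Jun/2016:20:45:32 +0000] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "-"',
    '208.67.1.236 - - [15/Jun/2016:20:45:33 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "-"',
    '208.67.1.236 - - [15/Jun/2016:20:45:42 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "-"',
    'access.log.1:121.42.150.120 - - [06/Jun/2016:02:33:33 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "ZmEu"',
    '89.248.174.4 - - [11/Jun/2016:02:58:13 +0000] "GET /xmlrpc.php HTTP/1.1" 405 249 "-" "-"',
    '198.51.100.7 - - [18/Jun/2016:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
] + _flood("195.154.235.96", "18/Jun/2016:10:26:56 +0000", 25)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, why in sorted(report.items()):
        print(ip, ", ".join(why))
    print("\n".join(blackhole_commands(report)))
```

On the real box, `analyze(open("/var/log/apache2/access.log"))` gives the same report for the live file. Two caveats that the per-IP route trick in the post does not cover: the setup.php probes come from many single-shot addresses, so blocking one IP at a time only really helps against the sustained xmlrpc.php flood, and a blackhole route disappears at reboot unless you persist it, which is one more reason a firewall rule set is the better long-term home for these blocks.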

So, to stop the server from sending reply packets to the IP address used in this attack, I added a routing entry that hands reply packets for the attacking IP address to lo.
※ The attacking IP address goes in place of xxx.xxx.xxx.xxx below.

route add xxx.xxx.xxx.xxx lo       After entering this, the attack stopped.

Then, when I entered

route del xxx.xxx.xxx.xxx lo         the entries showed up in the log again.

Having confirmed that, I decided to leave this setting in place for the time being.

route add xxx.xxx.xxx.xxx lo       (set again)

While doing this I realized that Proxmox VE 3.4 itself has a firewall feature.
Defending with that would be the smarter approach, so going forward I plan to learn how to configure the Proxmox firewall.