ZmEu, Morfeus Fucking Scanner and the like

I had a look at my honeypot's logs and found a pile of suspicious requests.

Excerpt from the log
74.63.212.48 - - [06/Nov/2011:06:41:26 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:27 +0900] "GET /scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:27 +0900] "GET /admin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:27 +0900] "GET /admin/pma/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:28 +0900] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:28 +0900] "GET /db/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:28 +0900] "GET /dbadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:29 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:29 +0900] "GET /mysql/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
74.63.212.48 - - [06/Nov/2011:06:41:30 +0900] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"

119.59.100.25 - - [06/Nov/2011:11:18:09 +0900] "GET /V20xRmRRPT0K HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:09 +0900] "GET // HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:13 +0900] "GET //admin/pma/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:13 +0900] "GET //admin/phpmyadmin/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:14 +0900] "GET //db/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:14 +0900] "GET //dbadmin/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:19 +0900] "GET //mysql/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:20 +0900] "GET //mysqladmin/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:20 +0900] "GET //typo3/phpmyadmin/ HTTP/1.1" 401 623 "-" "-"
119.59.100.25 - - [06/Nov/2011:11:18:20 +0900] "GET //phpadmin/ HTTP/1.1" 401 623 "-" "-"

122.208.115.220 - - [06/Nov/2011:19:52:25 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 623 "-" "ZmEu"
122.208.115.220 - - [06/Nov/2011:19:52:25 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
122.208.115.220 - - [06/Nov/2011:19:52:25 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
122.208.115.220 - - [06/Nov/2011:19:52:25 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
122.208.115.220 - - [06/Nov/2011:19:52:25 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
122.208.115.220 - - [06/Nov/2011:19:52:25 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
220.226.103.254 - - [06/Nov/2011:21:07:51 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 623 "-" "ZmEu"
220.226.103.254 - - [06/Nov/2011:21:07:52 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
220.226.103.254 - - [06/Nov/2011:21:07:53 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
220.226.103.254 - - [06/Nov/2011:21:07:53 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"

119.59.100.25 - - [07/Nov/2011:19:20:07 +0900] "GET //PMA/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:07 +0900] "GET //PMA2005/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:08 +0900] "GET //README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:08 +0900] "GET //README/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:09 +0900] "GET //admin/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:09 +0900] "GET //admin/phpmyadmin/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:10 +0900] "GET //admin/pma/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:10 +0900] "GET //admm/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:11 +0900] "GET //admn/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
119.59.100.25 - - [07/Nov/2011:19:20:11 +0900] "GET //databaseadmin/README HTTP/1.1" 401 623 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

216.17.72.111 - - [08/Nov/2011:22:11:05 +0900] "GET /user/soapCaller.bs HTTP/1.1" 401 623 "-" "Morfeus Fucking Scanner"

119.254.72.218 - - [12/Nov/2011:04:24:43 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 489 "-" "ZmEu"
119.254.72.218 - - [12/Nov/2011:04:24:44 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
119.254.72.218 - - [12/Nov/2011:04:24:47 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 404 473 "-" "ZmEu"
119.254.72.218 - - [12/Nov/2011:04:24:47 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"
119.254.72.218 - - [12/Nov/2011:04:24:48 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 476 "-" "ZmEu"

61.187.206.148 - - [31/Oct/2011:21:42:05 +0900] "GET /user/soapCaller.bs HTTP/1.1" 404 469 "-" "Morfeus Fucking Scanner"
216.17.72.111 - - [01/Nov/2011:00:38:44 +0900] "GET /user/soapCaller.bs HTTP/1.1" 404 469 "-" "Morfeus Fucking Scanner"
61.187.206.148 - - [01/Nov/2011:03:11:51 +0900] "GET /user/soapCaller.bs HTTP/1.1" 404 469 "-" "Morfeus Fucking Scanner"

216.171.171.163 - - [02/Nov/2011:04:17:45 +0900] "GET /user/soapCaller.bs HTTP/1.1" 404 469 "-" "Morfeus Fucking Scanner"

61.19.248.91 - - [03/Nov/2011:17:08:27 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 623 "-" "ZmEu"
61.19.248.91 - - [03/Nov/2011:17:08:27 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
61.19.248.91 - - [03/Nov/2011:17:08:27 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
61.19.248.91 - - [03/Nov/2011:17:08:27 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
61.19.248.91 - - [03/Nov/2011:17:08:28 +0900] "GET /myadmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"
61.19.248.91 - - [03/Nov/2011:17:08:28 +0900] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 401 623 "-" "ZmEu"

216.171.171.163 - - [04/Nov/2011:05:09:23 +0900] "GET /user/soapCaller.bs HTTP/1.1" 401 623 "-" "Morfeus Fucking Scanner"

202.143.147.156 - - [19/Oct/2011:03:53:45 +0900] "GET //phpmyadmin/ HTTP/1.1" 404 466 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
202.143.147.156 - - [19/Oct/2011:03:53:46 +0900] "GET //phpMyAdmin/ HTTP/1.1" 404 467 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
202.143.147.156 - - [19/Oct/2011:03:53:47 +0900] "GET //MyAdmin/ HTTP/1.1" 404 465 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
202.143.147.156 - - [19/Oct/2011:03:53:48 +0900] "GET //myadmin/ HTTP/1.1" 404 464 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
202.143.147.156 - - [19/Oct/2011:03:53:49 +0900] "GET //pma/ HTTP/1.1" 404 461 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
202.143.147.156 - - [19/Oct/2011:03:53:50 +0900] "GET //mysql/ HTTP/1.1" 404 463 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

38.126.100.104 - - [19/Oct/2011:12:13:57 +0900] "GET /user/soapCaller.bs HTTP/1.1" 404 469 "-" "Morfeus Fucking Scanner"

78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "GET /scripts/setup.php HTTP/1.1" 403 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 403 505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "GET /mysql/scripts/setup.php HTTP/1.1" 403 507 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "POST /scripts/setup.php HTTP/1.1" 403 501 "***.***.**.**" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

As you can see, ZmEu appears to be a tool that scans for phpMyAdmin vulnerabilities. Some of these guys spoof the User-Agent, too.
Morfeus Fucking Scanner likewise seems to be a PHP vulnerability scanner.
My Apache blocks all of them with 401 or 403, so no worries.

Let's use a Perl script to look up which country each attacker IP belongs to.
#!/usr/bin/perl
use strict;
use warnings;
use Geo::IP;

# Look up the country code of every IP address listed (one per line)
# in the file given as the first argument.
my $gi = Geo::IP->new(GEOIP_STANDARD);
open(my $fh, '<', $ARGV[0]) or die "cannot open $ARGV[0]: $!";
while (my $ip = <$fh>) {
    chomp $ip;
    next if $ip eq '';
    my $cc = $gi->country_code_by_addr($ip);
    $cc = '??' unless defined $cc;    # address not in the GeoIP database
    print "$ip $cc\n";
}
close($fh);

$ egrep 'ZmEu|Morfeus' /var/log/apache2/access.log|cut -d" " -f1|sort|uniq > attacker.log
$ ./geoip.pl attacker.log
119.254.72.218	CN
119.59.100.25 TH
122.208.115.220 JP
202.143.147.156 TH
216.17.72.111 US
216.171.171.163 US
220.226.103.254 IN
38.126.100.104 US
61.187.206.148 CN
61.19.248.91 TH
74.63.212.48 US
78.40.226.30 TR

Thailand, Japan, the US, India, China, Turkey... we're getting hit from all over the place.
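The egrep/cut pipeline above only pulls out IPs whose User-Agent names the scanner; the log excerpt also shows the same probes sent with a browser User-Agent. As an added example (not part of the original post), here is a small Python parser for the combined log format that flags a request by User-Agent or by the probed path, groups probes per source IP, and checks whether any probe ever got a 2xx. The sample log is constructed from lines in the excerpt plus one benign request; 192.0.2.10 is a documentation address.

```python
import re
from collections import defaultdict

# Apache combined log: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures taken from the requests seen in the log excerpt.
UA_SIGNATURES = ("ZmEu", "Morfeus Fucking Scanner")
PATH_SIGNATURES = ("w00tw00t.at.blackhats", "/scripts/setup.php", "/soapCaller.bs")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_scanner(entry):
    """True if the User-Agent or the request path matches a known scanner signature.
    Matching on the path as well catches probes sent with a spoofed browser User-Agent."""
    ua_hit = any(sig in entry["ua"] for sig in UA_SIGNATURES)
    path_hit = any(sig in entry["path"] for sig in PATH_SIGNATURES)
    return ua_hit or path_hit

def summarize(lines):
    """Group scanner probes by source IP and record whether any probe got a 2xx,
    which would mean a probed path really exists and was served."""
    report = defaultdict(lambda: {"probes": 0, "succeeded": False})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_scanner(entry):
            continue
        stats = report[entry["ip"]]
        stats["probes"] += 1
        if entry["status"].startswith("2"):
            stats["succeeded"] = True
    return dict(report)

# Constructed sample: three lines from the excerpt (one with a spoofed browser UA)
# plus one ordinary request that must not be flagged.
SAMPLE_LOG = """\
74.63.212.48 - - [06/Nov/2011:06:41:26 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 623 "-" "ZmEu"
216.17.72.111 - - [08/Nov/2011:22:11:05 +0900] "GET /user/soapCaller.bs HTTP/1.1" 401 623 "-" "Morfeus Fucking Scanner"
78.40.226.30 - - [15/Sep/2011:13:35:02 +0900] "GET /pma/scripts/setup.php HTTP/1.1" 403 505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
192.0.2.10 - - [06/Nov/2011:12:00:00 +0900] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, stats in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, stats)
```

Run it against a real access.log by feeding the file's lines to summarize(); any IP with "succeeded": True deserves a closer look than the ones that only collected 401/403/404.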


Countermeasures
Upgrade PHP and Apache to the latest versions.
Block by User-Agent in Apache to reduce the risk.

httpd.conf
<Location />
 Order Deny,Allow
 Deny from env=deny_agent
</Location>
# SetEnvIf takes a regular expression; "*ZmEu*" is not a valid one (nothing to repeat).
# An unanchored "ZmEu" also matches the "Made by ZmEu @ WhiteHat Team" variant seen in the log.
SetEnvIf User-Agent "^Morfeus Fucking Scanner" deny_agent
SetEnvIf User-Agent "ZmEu" deny_agent