フランスからWordPressに悪意のあるリクエストが大量に届くので解析

フランスからWordPressに悪意のあるリクエストが大量に届くので解析

2018-08-178 min read

目次

  1. 概要
  2. ログファイルの場所
  3. アクセスログの内容
  4. 実際のアクセスログ
  5. 参考

概要

以前紹介した、AWS Lightsail + WordPressサーバに 定期的に大量のアクセスが届くのでログを調べてみました。 fr.png ↑写真はアクセスがあった時のGoogle Analyticsレポート。

ログファイルの場所

aws lightsailでwordpress付きイメージを選択した場合、apacheのアクセスログ・エラーログは

/opt/bitnami/apache2/logs

以下に配置されます。

アクセスログの内容

access_logファイルを見るとたくさんの不穏な文字列を含むリクエストがほぼ同時刻に投げられているようでした。 Google AnalyticsによればプロバイダはOnline SAS (Wiki - en)というホスティングサービスの会社となっておりました。 とりあえず気持ち悪いので、htaccessを設定するなど、何かしら設定をしておこうかと思います。 詳しいことがわかり次第追記します。

※追記: 以下にaccess_logのを貼り付けておきました。 一応IPは隠しております。 phpMyadminとか不穏なワードが含まれているのを確認できるかと思います。

実際のアクセスログ

120.*.*.35 - - [16/Aug/2018:07:43:59 +0000] "PROPFIND / HTTP/1.1" 302 202
120.*.*.35 - - [16/Aug/2018:07:44:01 +0000] "GET /webdav/ HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:05 +0000] "GET /help.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:05 +0000] "GET /java.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:05 +0000] "GET /_query.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:06 +0000] "GET /test.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:06 +0000] "GET /db_cts.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:06 +0000] "GET /db_pma.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:07 +0000] "GET /logon.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:44:08 +0000] "GET /help-e.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:09 +0000] "GET /license.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:09 +0000] "GET /log.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:09 +0000] "GET /hell.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:09 +0000] "GET /pmd_online.php HTTP/1.1" 302 219
120.*.*.35 - - [16/Aug/2018:07:44:10 +0000] "GET /x.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:44:10 +0000] "GET /shell.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:44:10 +0000] "GET /desktop.ini.php HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:44:11 +0000] "GET /z.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:44:13 +0000] "GET /lala.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:13 +0000] "GET /lala-dpr.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:13 +0000] "GET /wpo.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:14 +0000] "GET /text.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:14 +0000] "GET /wp-config.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:44:14 +0000] "GET /muhstik.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:15 +0000] "GET /muhstik2.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:15 +0000] "GET /muhstiks.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:15 +0000] "GET /muhstik-dpr.php HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:44:15 +0000] "GET /lol.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:16 +0000] "GET /uploader.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:17 +0000] "GET /cmd.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:17 +0000] "GET /cmx.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:17 +0000] "GET /cmv.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:18 +0000] "GET /cmdd.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:18 +0000] "GET /knal.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:19 +0000] "GET /cmd.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:19 +0000] "GET /shell.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:44:19 +0000] "GET /appserv.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:23 +0000] "POST /xw.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:23 +0000] "POST /xw1.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:25 +0000] "POST /9678.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:25 +0000] "POST /wc.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:26 +0000] "POST /xx.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:27 +0000] "POST /s.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:44:28 +0000] "POST /w.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:44:28 +0000] "POST /sheep.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:44:31 +0000] "POST /db.init.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:32 +0000] "POST /db_session.init.php HTTP/1.1" 302 224
120.*.*.35 - - [16/Aug/2018:07:44:32 +0000] "POST /db__.init.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:44:34 +0000] "POST /wp-admins.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:44:34 +0000] "POST /m.php?pbid=open HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:44:35 +0000] "POST /db_dataml.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:44:37 +0000] "POST /db_desql.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:37 +0000] "POST /mx.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:40 +0000] "POST /wshell.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:41 +0000] "POST /xshell.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:41 +0000] "POST /qq.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:42 +0000] "POST /conflg.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:43 +0000] "POST /lindex.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:46 +0000] "POST /phpstudy.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:46 +0000] "POST /phpStudy.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:47 +0000] "POST /weixiao.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:49 +0000] "POST /feixiang.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:44:49 +0000] "POST /ak47.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:50 +0000] "POST /ak48.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:50 +0000] "POST /xiao.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:44:51 +0000] "POST /yao.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:44:51 +0000] "POST /defect.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:44:54 +0000] "POST /webslee.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:55 +0000] "POST /q.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:44:56 +0000] "POST /pe.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:57 +0000] "POST /hm.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:44:57 +0000] "POST /cainiao.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:44:59 +0000] "POST /zuoshou.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:45:00 +0000] "POST /zuo.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:00 +0000] "POST /aotu.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:03 +0000] "POST /cmd.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:04 +0000] "POST /bak.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:04 +0000] "POST /system.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:45:05 +0000] "POST /l7.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:05 +0000] "POST /l8.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:08 +0000] "POST /qaq.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:09 +0000] "POST /q.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:45:09 +0000] "POST /56.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:12 +0000] "POST /mz.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:13 +0000] "POST /xx.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:13 +0000] "POST /qaq.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:17 +0000] "POST /qaq.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:17 +0000] "POST /yumo.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:18 +0000] "POST /min.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:18 +0000] "POST /wan.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:20 +0000] "POST /wanan.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:45:22 +0000] "POST /ssaa.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:22 +0000] "POST /qq.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:23 +0000] "POST /aw.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:27 +0000] "POST /hh.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:28 +0000] "POST /ak.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:29 +0000] "POST /ip.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:29 +0000] "POST /infoo.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:45:30 +0000] "POST /qq.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:31 +0000] "POST /qwe.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:32 +0000] "POST /1213.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:33 +0000] "POST /post.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:34 +0000] "POST /h1.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:35 +0000] "POST /test.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:35 +0000] "POST /3.php HTTP/1.1" 302 210
120.*.*.35 - - [16/Aug/2018:07:45:36 +0000] "POST /phpinfi.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:45:38 +0000] "POST /xiaoma.php HTTP/1.1" 302 215
120.*.*.35 - - [16/Aug/2018:07:45:38 +0000] "POST /xiaomae.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:45:39 +0000] "POST /xiaomar.php HTTP/1.1" 302 216
120.*.*.35 - - [16/Aug/2018:07:45:39 +0000] "POST /qq.php HTTP/1.1" 302 211
120.*.*.35 - - [16/Aug/2018:07:45:40 +0000] "POST /data.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:42 +0000] "POST /log.php HTTP/1.1" 302 212
120.*.*.35 - - [16/Aug/2018:07:45:43 +0000] "POST /fack.php HTTP/1.1" 302 213
120.*.*.35 - - [16/Aug/2018:07:45:44 +0000] "POST /angge.php HTTP/1.1" 302 214
120.*.*.35 - - [16/Aug/2018:07:45:45 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 302 225
120.*.*.35 - - [16/Aug/2018:07:45:45 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 302 225
120.*.*.35 - - [16/Aug/2018:07:45:45 +0000] "GET /pmd/index.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:45:46 +0000] "GET /pma/index.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:45:46 +0000] "GET /PMA/index.php HTTP/1.1" 302 218
120.*.*.35 - - [16/Aug/2018:07:45:47 +0000] "GET /PMA2/index.php HTTP/1.1" 302 219
120.*.*.35 - - [16/Aug/2018:07:45:47 +0000] "GET /pmamy/index.php HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:45:47 +0000] "GET /pmamy2/index.php HTTP/1.1" 302 221
120.*.*.35 - - [16/Aug/2018:07:45:47 +0000] "GET /mysql/index.php HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:45:48 +0000] "GET /admin/index.php HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:45:48 +0000] "GET /db/index.php HTTP/1.1" 302 217
120.*.*.35 - - [16/Aug/2018:07:45:48 +0000] "GET /dbadmin/index.php HTTP/1.1" 302 222
120.*.*.35 - - [16/Aug/2018:07:45:48 +0000] "GET /web/phpMyAdmin/index.php HTTP/1.1" 302 229
120.*.*.35 - - [16/Aug/2018:07:45:49 +0000] "GET /admin/pma/index.php HTTP/1.1" 302 224
120.*.*.35 - - [16/Aug/2018:07:45:49 +0000] "GET /admin/PMA/index.php HTTP/1.1" 302 224
120.*.*.35 - - [16/Aug/2018:07:45:49 +0000] "GET /admin/mysql/index.php HTTP/1.1" 302 226
120.*.*.35 - - [16/Aug/2018:07:45:53 +0000] "GET /admin/mysql2/index.php HTTP/1.1" 302 227
120.*.*.35 - - [16/Aug/2018:07:45:53 +0000] "GET /admin/phpmyadmin/index.php HTTP/1.1" 302 231
120.*.*.35 - - [16/Aug/2018:07:45:54 +0000] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 302 231
120.*.*.35 - - [16/Aug/2018:07:45:54 +0000] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 302 232
120.*.*.35 - - [16/Aug/2018:07:45:57 +0000] "GET /mysqladmin/index.php HTTP/1.1" 302 225
120.*.*.35 - - [16/Aug/2018:07:45:57 +0000] "GET /mysql-admin/index.php HTTP/1.1" 302 226
120.*.*.35 - - [16/Aug/2018:07:45:57 +0000] "GET /phpadmin/index.php HTTP/1.1" 302 223
120.*.*.35 - - [16/Aug/2018:07:45:58 +0000] "GET /phpmyadmin0/index.php HTTP/1.1" 302 226
120.*.*.35 - - [16/Aug/2018:07:45:58 +0000] "GET /phpmyadmin1/index.php HTTP/1.1" 302 226
120.*.*.35 - - [16/Aug/2018:07:45:58 +0000] "GET /phpmyadmin2/index.php HTTP/1.1" 302 226
120.*.*.35 - - [16/Aug/2018:07:45:58 +0000] "GET /myadmin/index.php HTTP/1.1" 302 222
120.*.*.35 - - [16/Aug/2018:07:45:59 +0000] "GET /myadmin2/index.php HTTP/1.1" 302 223
120.*.*.35 - - [16/Aug/2018:07:45:59 +0000] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 302 231
120.*.*.35 - - [16/Aug/2018:07:45:59 +0000] "GET /phpMyadmin_bak/index.php HTTP/1.1" 302 229
120.*.*.35 - - [16/Aug/2018:07:46:00 +0000] "GET /www/phpMyAdmin/index.php HTTP/1.1" 302 229
120.*.*.35 - - [16/Aug/2018:07:46:01 +0000] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 302 231
120.*.*.35 - - [16/Aug/2018:07:46:01 +0000] "GET /phpmyadmin-old/index.php HTTP/1.1" 302 229
120.*.*.35 - - [16/Aug/2018:07:46:01 +0000] "GET /phpMyAdminold/index.php HTTP/1.1" 302 228
120.*.*.35 - - [16/Aug/2018:07:46:01 +0000] "GET /phpMyAdmin.old/index.php HTTP/1.1" 302 229
120.*.*.35 - - [16/Aug/2018:07:46:02 +0000] "GET /pma-old/index.php HTTP/1.1" 302 222
120.*.*.35 - - [16/Aug/2018:07:46:02 +0000] "GET /claroline/phpMyAdmin/index.php HTTP/1.1" 302 235
120.*.*.35 - - [16/Aug/2018:07:46:02 +0000] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 302 231
120.*.*.35 - - [16/Aug/2018:07:46:02 +0000] "GET /phpma/index.php HTTP/1.1" 302 220
120.*.*.35 - - [16/Aug/2018:07:46:03 +0000] "GET /phpmyadmin/phpmyadmin/index.php HTTP/1.1" 302 236
120.*.*.35 - - [16/Aug/2018:07:46:03 +0000] "GET /phpMyAdmin/phpMyAdmin/index.php HTTP/1.1" 302 236

参考

https://docs.bitnami.com/aws/apps/wordpress/ https://docs.bitnami.com/aws/ https://community.bitnami.com/

Tags
javascript(109)
linux(54)
node.js(53)
amazon%20aws(47)
typescript(44)
%E3%82%A2%E3%83%AB%E3%82%B4%E3%83%AA%E3%82%BA%E3%83%A0(36)
%E7%94%BB%E5%83%8F%E5%87%A6%E7%90%86(30)
html5(29)
php(24)
centos(24)
python(22)
%E7%AB%B6%E6%8A%80%E3%83%97%E3%83%AD%E3%82%B0%E3%83%A9%E3%83%9F%E3%83%B3%E3%82%B0(21)
mac(21)
mysql(20)
canvas(19)
opencv(17)
%E9%9B%91%E8%AB%87(16)
docker(16)
wordpress(15)
atcoder(14)
apache(12)
%E6%A9%9F%E6%A2%B0%E5%AD%A6%E7%BF%92(12)
%E3%83%87%E3%83%BC%E3%82%BF%E3%83%99%E3%83%BC%E3%82%B9(12)
amazon%20s3(12)
red%20hat(12)
prisma(12)
ubuntu(11)
github(10)
git(10)
vue.js(10)
%E7%94%BB%E5%83%8F%E5%87%A6%E7%90%86100%E6%9C%AC%E3%83%8E%E3%83%83%E3%82%AF(10)
mariadb(10)
react(9)
aws%20cdk(9)
css3(8)
%E5%8F%AF%E8%A6%96%E5%8C%96(8)
%E5%B0%8F%E3%83%8D%E3%82%BF(8)
nestjs(8)
amazon%20lightsail(7)
next.js(7)
%E3%83%96%E3%83%AD%E3%82%B0(6)
cms(6)
oracle(6)
perl(6)
gitlab(6)
iam(5)
amazon%20ec2(5)
%E8%B3%87%E6%A0%BC%E8%A9%A6%E9%A8%93(5)
aws%20amplify(5)
curl(4)
Author
githubzennqiita
ただの備忘録です。

※外部送信に関する公表事項