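The first shot hit my web site on 2009/07/23.
Eight shots landed in total, but they were all gracefully shrugged off with HTTP status code 400 or 404 (lol), so there were no direct hits.
It seems to be a bot, but I can't make sense of the Agent name.
The Agent says "Toata dragostea mea pentru diavola".
What language is this? It doesn't look like English...
So I ran whois on the IP address...
The ccTLD is nl (the Netherlands). Dutch, then? I tried web translation and that wasn't it.
After running it through automatic translation in one language after another, it turned out to be Romanian.
The translation came out as "all my love for the devil".
So, which software's JavaScript is it looking for?
It's Zen Cart - http://zen-cart.jp/, an integrated e-commerce site building system.
Originally it seems to have gone after RoundCube Webmail - http://roundcube.net/.
It feels like that was reworked for Zen Cart.
Here is what the requests left in access_log look like.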
```
83.137.195.115 - - [23/Jul/2009:10:32:59 +0900] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:00 +0900] "GET /includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:00 +0900] "GET /zen/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:01 +0900] "GET /zencart/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:01 +0900] "GET /zen-cart/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:02 +0900] "GET /cart/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:02 +0900] "GET /shop/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:03 +0900] "GET /store/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
```
```
# Tag any request whose User-Agent contains "Toata dragostea", then deny tagged requests
SetEnvIf User-Agent "Toata dragostea" deny_agent
deny from env=deny_agent
```
That should do it.
I'll watch how it goes for a while.
The second wave arrived right away.
Have a look at the access_log.
```
ns39308.ovh.net - - [05/Aug/2009:12:45:46 +0900] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:47 +0900] "GET /admin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:47 +0900] "GET /admin/pma/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:48 +0900] "GET /admin/phpmyadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:48 +0900] "GET /db/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:49 +0900] "GET /dbadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:49 +0900] "GET /myadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:50 +0900] "GET /mysql/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:51 +0900] "GET /mysqladmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:51 +0900] "GET /typo3/phpmyadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:52 +0900] "GET /phpadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:52 +0900] "GET /phpMyAdmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:53 +0900] "GET /phpmyadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:54 +0900] "GET /phpmyadmin1/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:54 +0900] "GET /phpmyadmin2/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:55 +0900] "GET /pma/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:55 +0900] "GET /web/phpMyAdmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:56 +0900] "GET /xampp/phpmyadmin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:56 +0900] "GET /web/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:57 +0900] "GET /php-my-admin/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
ns39308.ovh.net - - [05/Aug/2009:12:45:58 +0900] "GET /websql/js/keyhandler.js HTTP/1.1" 403 2282 "-" "Toata dragostea mea pentru diavola"
```
Only the first shot is bounced with status code 400 - Bad Request, but everything after that is intercepted with 403 - Forbidden.
That's about what you'd expect. Shall we call it effective?
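An added example, not part of the original post: both waves request one fixed file under many guessed directories and get only 4xx answers, so the sweep can be spotted from access_log even if the Agent string changes. The function name, the two-segment suffix rule and the threshold are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the access_log excerpts above.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def find_path_sweeps(lines, min_prefixes=3):
    """Map (host, probed file) -> sorted directory prefixes, for clients that
    asked for the same file under >= min_prefixes directories and got only 4xx."""
    seen = defaultdict(set)   # (host, suffix) -> prefixes tried
    answered = set()          # keys that received any non-4xx response
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # not a combined-format line
        parts = m["request"].split()
        if len(parts) != 3 or not parts[1].startswith("/"):
            continue          # malformed request such as "GET HTTP/1.1 HTTP/1.1"
        segs = parts[1].split("?", 1)[0].strip("/").split("/")
        # Assumption: the last two path segments name the probed file.
        suffix = "/".join(segs[-2:])
        prefix = "/" + "/".join(segs[:-2])
        key = (m["host"], suffix)
        seen[key].add(prefix)
        if not m["status"].startswith("4"):
            answered.add(key)
    return {k: sorted(v) for k, v in seen.items()
            if len(v) >= min_prefixes and k not in answered}

# First five lines are from the 23/Jul/2009 excerpt; the last one is constructed.
SAMPLE_LOG = """\
83.137.195.115 - - [23/Jul/2009:10:32:59 +0900] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:00 +0900] "GET /includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:00 +0900] "GET /zen/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:01 +0900] "GET /zencart/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
83.137.195.115 - - [23/Jul/2009:10:33:01 +0900] "GET /zen-cart/includes/general.js HTTP/1.1" 404 2066 "-" "Toata dragostea mea pentru diavola"
192.0.2.10 - - [23/Jul/2009:10:40:00 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for (host, suffix), prefixes in find_path_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{host} swept {suffix} under {len(prefixes)} dirs: {prefixes}")
```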