初心者SEのとりあえずメモ日記 (a beginner SE's diary for jotting down technical notes)

Requests from a mysterious User-Agent called Jorgee

Mysterious access-log entries that look like an attack

When I checked the server's access log, I found a large number of entries that looked like attack attempts.

Requests with a User-Agent called Jorgee. They looked like this:

XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 192
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 162
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /phpMyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /phpmyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 174
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /phpmyadmin3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 186
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /2phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 167
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /phppma/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 183
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /shopdb/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 174
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /program/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 169
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 168
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /mysql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 157
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /sqlmanager/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /php-myadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 170
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /mysqladmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 168
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 170
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/sysadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 153
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 159
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/pMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /mysql/db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 165
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /mysql/pMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 160
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/php-myadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 176
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/sql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 155
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/webadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 158
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/websql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 157
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/sqladmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 156
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/phpmyadmin2/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 157
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/webadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 160
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/websql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 119
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/phpmyadmin3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 160
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /db/phpMyAdmin-3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 172
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /administrator/phpMyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 186
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /administrator/web/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 162
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /administrator/PMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 159
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /phpMyAdmin2/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 171
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /phpMyAdmin4/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 165
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /php-my-admin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 166
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2012/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2014/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 163
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2016/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 166
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2018/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 163
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /pma2012/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 172
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /pma2014/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /pma2016/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 165
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /pma2018/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 179
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2012/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2014/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 169
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2016/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 172
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2018/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 174

 

Attacks on phpMyAdmin and MySQL

These were attempts to reach the phpMyAdmin and MySQL admin consoles. I had not installed either of those tools, so the requests were irrelevant to me, which is why every one of them returned HTTP status 404.

Note the HEAD method: the scanner does not want the page content, it only wants to know whether each path exists. A 404 tells it nothing, but any other response (200, or even a 401/403 from a password-protected console) marks the host as having something mounted there that is worth attacking next.

If you do deploy these tools, you should harden them ahead of time: move them off the default URL, restrict access to specific IP addresses, and so on. Changing the path only defeats wordlist scanners like this one, so treat it as an extra layer on top of IP restriction and proper authentication, not as a replacement for them.
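To show how a detection would pick these entries out of a log, here is an added example in Python; it is not code from the original post. It parses lines in the exact format shown above and flags a source IP in two ways: by the Jorgee signature in the User-Agent, and by behaviour, a burst of 404s for distinct admin-console paths from one IP within a short window. The second rule still fires when the scanner changes its User-Agent, which a User-Agent block cannot catch. The sample log lines, the IP addresses (RFC 5737 documentation ranges) and the list of path fragments are all constructed for the example.

```python
"""Flag Jorgee-style admin-panel scans in Apache access logs.

Added example for this post, not the author's own code. Two checks run over
each source IP: the signature ("Jorgee" in the User-Agent) and a behavioural
rule (a burst of 404s for distinct admin-console paths), so the scan is still
caught when the User-Agent string is changed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the log layout shown in the post: Combined Log Format with a bare
# timestamp (no timezone) and a trailing number that we ignore.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Path fragments typical of database-console wordlists. Assumed list derived
# from the paths in the post; tune it for your site (e.g. if you really host /db/).
ADMIN_PATH_RE = re.compile(
    r"phpmyadmin|php-my-admin|php-myadmin|pma|mysql|dbadmin|sqladmin|sqlmanager|websql|webadmin",
    re.IGNORECASE,
)

# Constructed sample log: modelled on the post's format, not the author's real data.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2017:04:14:35] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 192
203.0.113.7 - - [26/Nov/2017:04:14:35] "HEAD /phpMyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
203.0.113.7 - - [26/Nov/2017:04:14:36] "HEAD /dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 168
203.0.113.7 - - [26/Nov/2017:04:14:36] "HEAD /mysql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
203.0.113.7 - - [26/Nov/2017:04:14:37] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
198.51.100.9 - - [26/Nov/2017:04:20:01] "GET /pma/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0" 150
198.51.100.9 - - [26/Nov/2017:04:20:02] "GET /phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0" 150
198.51.100.9 - - [26/Nov/2017:04:20:02] "GET /phpMyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0" 150
198.51.100.9 - - [26/Nov/2017:04:20:03] "GET /mysqladmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0" 150
192.0.2.4 - - [26/Nov/2017:05:00:00] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0" 12
192.0.2.4 - - [26/Nov/2017:05:00:01] "GET /missing.png HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0" 10
"""


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    return rec


def is_jorgee(rec):
    """Signature check: the scanner announces itself in the User-Agent."""
    return "Jorgee" in rec["ua"]


def is_admin_probe(rec):
    """Behavioural check: a 404 for a path that looks like a database-console guess."""
    return rec["status"] == 404 and ADMIN_PATH_RE.search(rec["path"]) is not None


def has_probe_burst(probes, window_seconds, threshold):
    """True if at least `threshold` distinct probe paths fall within any `window_seconds` span."""
    probes = sorted(probes, key=lambda r: r["ts"])
    for i, first in enumerate(probes):
        paths = {
            r["path"] for r in probes[i:]
            if (r["ts"] - first["ts"]).total_seconds() <= window_seconds
        }
        if len(paths) >= threshold:
            return True
    return False


def find_scanners(log_text, window_seconds=60, threshold=4):
    """Return {ip: {"jorgee": bool, "probes": int, "burst": bool}} for IPs that trip either check."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        jorgee = any(is_jorgee(r) for r in recs)
        probes = [r for r in recs if is_admin_probe(r)]
        burst = has_probe_burst(probes, window_seconds, threshold)
        if jorgee or burst:
            findings[ip] = {"jorgee": jorgee, "probes": len(probes), "burst": burst}
    return findings


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

Run against a real file with find_scanners(open("/var/log/apache2/access.log").read()). The post's log omits the timezone from the timestamp; a standard Apache combined log writes it as "[26/Nov/2017:04:14:35 +0900]", so in that case change the strptime format to "%d/%b/%Y:%H:%M:%S %z". The window and threshold are the knobs to tune: the scan shown in the post hits several dozen distinct paths in four seconds, so a threshold of four within a minute is conservative, while a real visitor following a broken link rarely produces more than one or two 404s.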

 

How to block it

Incidentally, blocking by IP has little lasting effect against this kind of scan: the source address changes soon afterwards and the requests come back. A classic game of cat and mouse.

If you really want to do something about it, blocking on the User-Agent is probably more effective. Keep in mind that the User-Agent string is chosen by the client, so a scanner can change it at any time; this only filters the traffic that still announces itself as Jorgee.

SetEnvIf User-Agent "Jorgee" banned
deny from env=banned

This is Apache 2.2 syntax; on Apache 2.4, deny from is only accepted while mod_access_compat is loaded.

Reference: https://hacknote.jp/archives/30700/
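The native Apache 2.4 form of the same rule uses the Require directive from mod_authz_core. The following is an added example, not taken from the original post or the referenced page; the Location path and the case-insensitive SetEnvIfNoCase match are my choices, and the "Jorgee" pattern is the one from the log above.

```apache
# Apache 2.4 equivalent of the SetEnvIf / deny from pair (added example).
# mod_setenvif sets the variable; mod_authz_core evaluates it.
# SetEnvIfNoCase matches the User-Agent case-insensitively, so "jorgee" is caught too.
SetEnvIfNoCase User-Agent "Jorgee" banned

<Location "/">
    <RequireAll>
        Require all granted
        Require not env banned
    </RequireAll>
</Location>
```

Blocked requests are answered with 403 and still appear in the access log, so the entries do not disappear; they just stop reaching any application behind Apache. Run apachectl configtest after adding this, and check that the old deny from line is removed rather than left beside it.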


Copyright© 初心者SEのとりあえずメモ日記, 2018 All Rights Reserved. Powered by STINGER.