Mysterious access-log entries that look like an attack
When I checked the server's access log, a large number of entries that looked like an attack had been written to it.
Requests with a User-Agent called "Jorgee".
They looked like this.
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 192
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /mysql/mysqlmanager/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 162
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /phpMyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /phpmyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 174
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /phpmyadmin3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 186
XX.XX.XX.XX - - [26/Nov/2017:04:14:35] "HEAD /2phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 167
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /phppma/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 183
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /shopdb/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 174
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /program/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 169
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 168
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /mysql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 157
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /sqlmanager/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /php-myadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 170
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /mysqladmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 168
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 170
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/sysadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 153
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 159
XX.XX.XX.XX - - [26/Nov/2017:04:14:36] "HEAD /admin/pMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /mysql/db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 165
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /mysql/pMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 160
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/php-myadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 176
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/sql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 155
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/webadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 158
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/websql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 157
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/sqladmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 156
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/phpmyadmin2/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 157
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /sql/phpMyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/webadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 160
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/websql/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 119
XX.XX.XX.XX - - [26/Nov/2017:04:14:37] "HEAD /db/phpmyadmin3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 160
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /db/phpMyAdmin-3/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 172
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /administrator/phpMyAdmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 186
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /administrator/web/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 162
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /administrator/PMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 159
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /phpMyAdmin2/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 171
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /phpMyAdmin4/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 165
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /php-my-admin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 166
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2012/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2014/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 163
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2016/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 166
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /PMA2018/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 163
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /pma2012/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 172
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /pma2014/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
XX.XX.XX.XX - - [26/Nov/2017:04:14:38] "HEAD /pma2016/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 165
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /pma2018/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 179
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2012/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2014/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 169
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2016/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 172
XX.XX.XX.XX - - [26/Nov/2017:04:14:39] "HEAD /phpmyadmin2018/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 174
Attacks on phpMyAdmin and MySQL
These were log entries of attempts to reach the phpMyAdmin and MySQL consoles.
I had not installed either of these tools, so they did not affect me.
That is why every one of the requests above got HTTP status code 404.
When you do install these tools, I think you need to harden them in advance: for example, change the URL, or restrict which IP addresses are allowed to reach them.
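As an added example (not code from the original post), here is a Python script that parses lines in the log layout shown above and flags clients behaving like a path-enumeration scanner: a burst of requests to distinct paths that almost all return 404, judged on behaviour rather than on the User-Agent string alone. The sample lines, the 203.0.113.x / 198.51.100.x addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the log layout in the post: IP, two "-" fields, bracketed timestamp
# (no zone), request line, status, size, referer, user agent, trailing number.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample in the same layout as the post's excerpt (not the original log);
# the IPs are documentation addresses standing in for the post's XX.XX.XX.XX.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2017:04:14:35] "HEAD /mysql/dbadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 192
203.0.113.10 - - [26/Nov/2017:04:14:35] "HEAD /phpMyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 164
203.0.113.10 - - [26/Nov/2017:04:14:36] "HEAD /db/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
203.0.113.10 - - [26/Nov/2017:04:14:36] "HEAD /sqlmanager/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
203.0.113.10 - - [26/Nov/2017:04:14:37] "HEAD /admin/pMA/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee" 161
198.51.100.7 - - [26/Nov/2017:04:20:01] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)" 12
198.51.100.7 - - [26/Nov/2017:04:20:03] "GET /missing.png HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64)" 3
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["time"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S")
    return d

def find_scanners(text, min_requests=5, min_404_ratio=0.9, window_seconds=60):
    """Return {ip: summary} for clients that look like a path-enumeration scan:
    a burst of requests, almost all 404. The UA is reported for reference only;
    the decision rests on behaviour, so it still fires if the UA string changes."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        not_found = sum(r["status"] == 404 for r in recs)
        span = (max(r["time"] for r in recs) - min(r["time"] for r in recs)).total_seconds()
        if len(recs) >= min_requests and not_found / len(recs) >= min_404_ratio and span <= window_seconds:
            flagged[ip] = {"requests": len(recs),
                           "distinct_paths": len({r["path"] for r in recs}),
                           "user_agents": sorted({r["ua"] for r in recs})}
    return flagged
```

Feed it a real log with `find_scanners(open("access.log").read())`; the two normal requests from 198.51.100.7 stay below the request threshold and are not flagged.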
How to block them
Incidentally, blocking this kind of attack by IP address is pointless: they just switch to a new IP and come right back.
It's the proverbial game of cat and mouse.
If you really want to do something about it, blocking by User-Agent may be more effective.
SetEnvIf User-Agent "Jorgee" banned
Deny from env=banned