
ZmEu hacking attempts

ZmEu
Attempts to reach phpMyAdmin 2.X
Appears to be a tool that looks for vulnerable installs by probing paths and watching for 404 errors
Apache access log analysis

'/phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1' 404 311 '-' 'ZmEu'
'/web/phpMyAdmin/index.php HTTP/1.1' 404 222 '-' 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1'
'/phpMyAdmin/index.php HTTP/1.1' 404 218 '-' 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1'
'/phpMyAdmin-2/index.php HTTP/1.1' 404 220 '-' 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1'
'/phpMyAdmin-2.2.3/index.php HTTP/1.1' 404 224 '-' 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1'

'/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 226 '-' 'ZmEu'
'/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 226 '-' 'ZmEu'

'/phpMyAdmin/translators.html HTTP/1.1' 404 225 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]'
'/phpMyAdmin/translators.html HTTP/1.1' 404 225 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]'
'/phpMyAdmin/translators.html HTTP/1.1' 404 225 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]'

'/3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 235 '-' 'ZmEu'
'/backup/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 233 '-' 'ZmEu'
'/bkup/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 231 '-' 'ZmEu'
'/_phpMyAdmin/scripts/setup.php HTTP/1.1' 404 227 '-' 'ZmEu'
'/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 226 '-' 'ZmEu'
'/phpMyAdmi/scripts/setup.php HTTP/1.1' 404 225 '-' 'ZmEu'
'/phpMyAds/scripts/setup.php HTTP/1.1' 404 224 '-' 'ZmEu'
'/phpMyA/scripts/setup.php HTTP/1.1' 404 222 '-' 'ZmEu'

'//phpMyAdmin/ HTTP/1.1' 404 778 '-' 'Made by ZmEu @ WhiteHat Team - www.whitehat.ro'
'//phpMyAdmin2/ HTTP/1.1' 404 779 '-' 'Made by ZmEu @ WhiteHat Team - www.whitehat.ro'
'//phpMyAdmin-2/ HTTP/1.1' 404 211 '-' 'Made by ZmEu @ WhiteHat Team - www.whitehat.ro'

'//phpMyAdmin//scripts/setup.php HTTP/1.1' 404 227 '-' 'Plesk'
'/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 226 '-' 'ZmEu'
'/phpMyAdmin/scripts/setup.php HTTP/1.1' 404 226 '-' 'ZmEu'
'/phpMyAdmin/scripts/setup.php HTTP/1.1' 200 3230 '-' 'ZmEu'

'/phpMyAdmin HTTP/1.1' 400 226 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'

'/phpMyAdmin/ HTTP/1.1' 404 795 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'
'/phpMyAdmin2/ HTTP/1.1' 404 796 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'
'/phpMyAdmin-2/ HTTP/1.1' 404 211 '-' 'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)'
'/phpMyAdmin/scripts/setup.php HTTP/1.1' 200 3183 '-' 'ZmEu'
'/phpMyAdmin/main.php HTTP/1.1' 404 217 '-' 'Sharky'
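The log excerpts above show the two things a defender wants to pull out automatically: which clients are running the scanner (the bare "ZmEu" agent, the "Made by ZmEu @ WhiteHat Team" variant, and the same phpMyAdmin path probes sent under browser-like, "Plesk" and "Sharky" agents), and which probed paths answered 200 instead of 404, since a 200 on scripts/setup.php means a real phpMyAdmin installer is reachable. The script below is an added example, not code from the original post; it parses Apache combined-format lines, flags scanner traffic by user agent or by phpMyAdmin-style path, and reports per-client hit counts, the number of 404s, and any flagged request that succeeded. The log lines in SAMPLE_LOG are constructed for the example (documentation IP ranges, invented timestamps), using the paths and agents from the post.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   host ident authuser [time] "method path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Agent substring seen in both ZmEu user-agent variants in the post.
AGENT_MARKER = "ZmEu"
# Path fingerprint: the scanner walks phpMyAdmin, phpMyAdmin-2, phpMyAdmi,
# phpMyAds, phpMyA, ... so match the common prefix case-insensitively.
PATH_PATTERN = re.compile(r'/phpmya', re.IGNORECASE)

# Constructed sample log (not from the original post's server).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2011:03:12:01 +0900] "GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
203.0.113.10 - - [10/Oct/2011:03:12:02 +0900] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
203.0.113.10 - - [10/Oct/2011:03:12:03 +0900] "GET /phpMyA/scripts/setup.php HTTP/1.1" 404 222 "-" "ZmEu"
203.0.113.10 - - [10/Oct/2011:03:12:04 +0900] "GET //phpMyAdmin/ HTTP/1.1" 404 778 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
198.51.100.7 - - [10/Oct/2011:04:01:10 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 3230 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2011:04:01:11 +0900] "GET /phpMyAdmin/main.php HTTP/1.1" 404 217 "-" "Sharky"
192.0.2.55 - - [10/Oct/2011:04:05:00 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/7.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return why a request looks like scanner traffic, or None for normal traffic."""
    if AGENT_MARKER in entry["agent"]:
        return "user-agent"
    if PATH_PATTERN.search(entry["path"]):
        return "phpmyadmin-probe"
    return None


def analyze(lines):
    """Summarise scanner activity: hits per client, 404 count, and probes that returned 200."""
    hits_by_host = defaultdict(int)
    not_found = 0
    exposed = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or classify(entry) is None:
            continue
        hits_by_host[entry["host"]] += 1
        if entry["status"] == 404:
            not_found += 1
        elif entry["status"] == 200:
            # A successful probe means the path really exists: this is the one to act on.
            exposed.append((entry["host"], entry["path"]))
    return {"hits_by_host": dict(hits_by_host), "not_found": not_found, "exposed": exposed}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for host, count in sorted(result["hits_by_host"].items()):
        print(f"{host}: {count} scanner requests")
    print(f"{result['not_found']} probes answered 404")
    for host, path in result["exposed"]:
        print(f"WARNING: {path} returned 200 to {host}")
```

To run it against a real server, replace SAMPLE_LOG.splitlines() with the lines of access.log; any line that is not in combined format is skipped rather than raising.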

Countermeasures
Create an abuse page
Create the PHP page that matching requests will be redirected to.
ex) http://www.philriesch.com/special/ipblock.php
Optionally, return a 403 error instead of 404 to confuse the tool.
Create a PHP page containing the following line:
<?php header("HTTP/1.1 403 Forbidden"); ?>
mod_rewrite
Match a User-Agent string containing "ZmEu".
Create a .htaccess file in the web root (or add to the existing one). The first RewriteCond excludes the abuse page itself so the redirect does not loop:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
Reference blog: http://blog.naver.com/fortop
END
