
Security

ZmEu hacking attempts

CHOMAN 2015. 3. 30. 09:48

ZmEu

Attempts to access phpMyAdmin 2.X.

Judging by the 404 errors, it appears to be a tool that probes for vulnerabilities, using the 404 responses to tell which paths exist.



Apache access log analysis


"GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"

"GET /web/phpMyAdmin/index.php HTTP/1.1" 404 222 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"

"GET /phpMyAdmin/index.php HTTP/1.1" 404 218 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"

"GET /phpMyAdmin-2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"

"GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"

"GET /phpMyAdmin/translators.html HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

"GET /phpMyAdmin/translators.html HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

"GET /phpMyAdmin/translators.html HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"

"GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 235 "-" "ZmEu"

"GET /backup/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 233 "-" "ZmEu"

"GET /bkup/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 231 "-" "ZmEu"

"GET /_phpMyAdmin/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"

"GET /phpMyAdmi/scripts/setup.php HTTP/1.1" 404 225 "-" "ZmEu"

"GET /phpMyAds/scripts/setup.php HTTP/1.1" 404 224 "-" "ZmEu"

"GET /phpMyA/scripts/setup.php HTTP/1.1" 404 222 "-" "ZmEu"

"GET //phpMyAdmin/ HTTP/1.1" 404 778 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

"GET //phpMyAdmin2/ HTTP/1.1" 404 779 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

"GET //phpMyAdmin-2/ HTTP/1.1" 404 211 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

"GET //phpMyAdmin//scripts/setup.php HTTP/1.1" 404 227 "-" "Plesk"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 3230 "-" "ZmEu"

"GET <title>phpMyAdmin HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

"GET /phpMyAdmin/ HTTP/1.1" 404 795 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

"GET /phpMyAdmin2/ HTTP/1.1" 404 796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

"GET /phpMyAdmin-2/ HTTP/1.1" 404 211 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 3183 "-" "ZmEu"

"GET /phpMyAdmin/main.php HTTP/1.1" 404 217 "-" "Sharky" 
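To turn the log above into something actionable, here is an added example (not part of the original post) that parses combined-format access log lines, tags requests by the ZmEu User-Agent strings and phpMyAdmin probe paths seen above, and flags any probe that got a 2xx, as the two 200 responses to /phpMyAdmin/scripts/setup.php did. The sample lines, IPs and timestamps are constructed.

```python
import re
from collections import Counter
# Apache "combined" log format, which the constructed sample below uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'(?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators lifted from the scan above: the tool's User-Agent strings and the paths it probes.
SCANNER_UA_MARKERS = ("ZmEu", "whitehat.ro")
PROBE_PATH_RE = re.compile(r"phpmyadmin|/scripts/setup\.php", re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Tag one parsed request; 'HIT' means a probed path was actually served (2xx)."""
    tags = []
    if any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
        tags.append("zmeu-ua")
    if PROBE_PATH_RE.search(rec["path"]):
        tags.append("pma-probe")
    if tags and rec["status"].startswith("2"):
        tags.append("HIT")
    return tags

def analyze(lines):
    """Count probing requests per source IP and collect successful hits to investigate."""
    probes, hits = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line, skip it
        tags = classify(rec)
        if tags:
            probes[rec["ip"]] += 1
        if "HIT" in tags:
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return {"probes_by_ip": dict(probes), "hits": hits}

# Constructed sample (IPs and timestamps are made up; paths and User-Agents mirror the log above).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2015:09:41:02 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"',
    '203.0.113.5 - - [30/Mar/2015:09:41:03 +0900] "GET //phpMyAdmin2/ HTTP/1.1" 404 779 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"',
    '203.0.113.5 - - [30/Mar/2015:09:41:04 +0900] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 3230 "-" "ZmEu"',
    '198.51.100.7 - - [30/Mar/2015:09:45:10 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Mar/2015:09:45:11 +0900] "GET /phpMyAdmin/main.php HTTP/1.1" 404 217 "-" "Sharky"',
]
```

Any entry in `hits` means the probed file really exists on the server and should be removed or locked down, not just redirected.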



Countermeasures


Create an abuse page

Create the PHP page that matching requests will be redirected to.

ex) http://www.philriesch.com/special/ipblock.php

Optionally, return a 403 error instead of 404 to confuse the tool.

Create a PHP page containing the following:


<?php
// Answer the scanner with 403 Forbidden instead of the 404 it is looking for
header("HTTP/1.1 403 Forbidden");


mod_rewrite

When the User-Agent string contains "ZmEu":


Create a .htaccess file in the web root and add the following:


RewriteEngine on
# Exclude the abuse page itself so the redirect does not loop
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]



Source and references: http://blog.naver.com/fortop
