2&>1

AWS, GCP, Golang and whatnot

A decoy investigation of unauthorized access to EC2

Observing suspicious access to an AWS server

Environment


Launched a public EC2 instance, put an ALB in front of it, and set up Route53.

Only Apache is installed on the EC2 instance.

The following routes to reach it were prepared:

1. Directly by the EC2 instance's IP

http://52.198.35.195

2. The EC2 instance's public DNS name

http://ec2-52-198-35-195.ap-northeast-1.compute.amazonaws.com

3. Via the ALB's DNS name

http://test-alb-387476744.ap-northeast-1.elb.amazonaws.com

4. Via the ALB's IP addresses

http://13.230.171.196

http://54.65.129.254

(Note) To find the ALB's IP addresses, dig the ALB's DNS name. These addresses are not fixed: an ALB has no static IP, and the A records can change over time, so a route by ALB IP only works while the resolved addresses are current.

 dig test-alb-387476744.ap-northeast-1.elb.amazonaws.com

5. Via Route53

http://attack.hogehoge.com

With the routes above in place, leave the instance alone for a while.

Results

I left it running for about two days.

Excerpt

10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /x.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /cnm.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /1ndex.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /autoloader.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /51.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /cadre.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /mm.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /test.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /1q.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /1111.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /errors.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /q.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /lanyecn.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /lanyecn.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /mybestloves.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /xiaoxi.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /xiaoxi.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /ww.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /pop.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /ok.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /test.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /conf.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /dashu.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /shell.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /queqiao.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /12345.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /qqq.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /15.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /slider.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/1.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/asp.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/entyy.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/1ndex.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/defau1t.php HTTP/1.1" 404 216 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /webconfig.txt.php HTTP/1.1" 404 215 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /administrator/webconfig.txt.php HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /api.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /luso.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /1ndex.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /indexbak.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /xmlrpc.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /errors/processor.php HTTP/1.1" 404 218 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 248 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /plus/90sec.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/e7xue.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/mybak.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/service.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/laobiao.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/xsvip.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/bakup.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /c.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"

Quite a lot of it arrived through the ALB. Note that the 10.0.1.8 on every line is the ALB node's private address inside the subnet, not the attacker: Apache's default combined LogFormat records only the TCP peer, and the real client address is carried in the X-Forwarded-For header, which that format does not log. For the same reason the access log alone cannot tell routes 3, 4 and 5 apart, since the Host header is not logged either.

Around 3,000 requests came in, probing for all sorts of PHP files.

The file names are the usual suspects: webshell names like shell.php, "backup" and test scripts, xmlrpc.php, and the PHPUnit eval-stdin.php path (CVE-2017-9841). The /plus/*.php paths are the webshell drop locations commonly probed on DedeCMS installs.

Many also went after MySQL configuration files.
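The log above is in Apache's default combined format, so a small parser is enough to aggregate it the way an analyst would. The following is an added example, not code from the original post: it parses lines of that format, counts the POST-to-.php 404 probes, and shows the X-Forwarded-For problem on constructed sample lines. The optional trailing XFF column, the sample lines beyond the three copied from the log above, the TEST-NET client addresses, and the PROBE_HINTS list are this example's own assumptions.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, plus an optional trailing quoted field that is
# present only if LogFormat has been extended with "%{X-Forwarded-For}i".
# That extension is an assumption of this example; the page uses the default.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)

# Substrings of paths seen in the page's log that are classic webshell / RCE
# probes (eval-stdin.php is the PHPUnit CVE-2017-9841 path).  Extend as needed.
PROBE_HINTS = ("shell.php", "eval-stdin.php", "xmlrpc.php", "/plus/", "webconfig.txt.php")

# Constructed sample, not the page's full log.  The first three lines copy the
# page's default combined format (remote address = the ALB node, 10.0.1.8); the
# last two show the same kind of traffic once X-Forwarded-For is logged too.
# Client addresses are TEST-NET documentation ranges.
SAMPLE_LOG = """\
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /x.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /shell.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 248 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:09:12:01 +0900] "GET / HTTP/1.1" 200 3630 "-" "curl/7.64.0" "203.0.113.7"
10.0.1.8 - - [26/Jun/2019:09:12:05 +0900] "POST /plus/90sec.php HTTP/1.1" 404 212 "-" "Mozilla/5.0" "203.0.113.99, 198.51.100.23"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def client_ip(rec):
    """Address to attribute the request to.

    Behind an ALB, %h is the ALB node's private address, so the real client is
    only in X-Forwarded-For.  The ALB appends the connecting client's IP to any
    XFF value the client already sent, so the rightmost entry is the one the
    ALB added; the leftmost may be attacker-supplied and must not be trusted.
    """
    xff = rec.get("xff")
    if xff and xff != "-":
        return xff.split(",")[-1].strip()
    return rec["remote"]


def is_php_probe(rec):
    """The scanner pattern on the page: a POST to a .php path that 404s."""
    return (rec["method"] == "POST" and rec["path"].endswith(".php")
            and rec["status"] == "404")


def summarize(log_text):
    """Aggregate an access log into the counters an analyst looks at first."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "by_remote": Counter(r["remote"] for r in recs),
        "by_client": Counter(client_ip(r) for r in recs),
        "php_probes": sum(1 for r in recs if is_php_probe(r)),
        "probe_paths": Counter(r["path"] for r in recs if is_php_probe(r)),
        "flagged": sorted({r["path"] for r in recs
                           if any(h in r["path"] for h in PROBE_HINTS)}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} requests, {s['php_probes']} PHP probes")
    print("by remote address:", dict(s["by_remote"]))  # everything is 10.0.1.8, the ALB
    print("by client address:", dict(s["by_client"]))  # only meaningful with XFF logged
    print("flagged paths:", s["flagged"])
```

To get that extra column in a real deployment, extend Apache's LogFormat with a trailing `"%{X-Forwarded-For}i"` field, or use mod_remoteip with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy set to the ALB's subnet so that %h itself becomes the client address. Either way, only the rightmost XFF entry was added by the ALB; anything to the left of it came from the client and can be forged.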

Summary

You have to keep in mind at all times that a public instance gets this much traffic, even a fresh one with nothing on it. Security cannot be neglected (note to self).

At a minimum, you need:

・Access restriction with security groups (allow HTTP to the instance only from the ALB's security group, so the direct routes 1 and 2 stop working)

・Restriction of HTTP access with a WAF
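The security-group point above can be checked mechanically. The following is an added example, not code from the original post or from AWS: it audits an instance's security group against the rule "no CIDR ingress at all, web port only from the ALB's security group", using a constructed dictionary in the shape that `aws ec2 describe-security-groups --output json` returns. The group IDs, group names, the port-22 rule in the weak sample, and the policy itself are this example's assumptions.

```python
# Constructed sample mirroring the shape of `aws ec2 describe-security-groups`
# output.  Group IDs are made up.  "web-instance" is the weak setting (the EC2
# instance reachable from anywhere, which is what makes the direct routes on
# the page possible); "alb" is the group that should stay public.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa000000000001",
            "GroupName": "web-instance",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0aaa000000000002",
            "GroupName": "alb",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
}

WORLD = {"0.0.0.0/0", "::/0"}


def _rule_label(perm):
    """Human-readable protocol/port label for one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def _covers_port(perm, port):
    """True if the rule admits the given TCP port ("-1" means every port)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1))


def audit_instance_sg(groups, instance_sg_id, alb_sg_id, port=80):
    """Findings for the instance's security group.

    Policy for the page's setup (an assumption of this example): no CIDR-based
    ingress to the instance at all, since clients must come through the ALB,
    and the web port admitted only from the ALB's security group.
    """
    sg = next(g for g in groups["SecurityGroups"] if g["GroupId"] == instance_sg_id)
    findings, admits_alb = [], False
    for perm in sg.get("IpPermissions", []):
        label = _rule_label(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            sev = "HIGH" if cidr in WORLD else "MEDIUM"
            findings.append(f"{sev}: {label} open to {cidr}; "
                            "instance should only be reached via the ALB")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == alb_sg_id and _covers_port(perm, port):
                admits_alb = True
    if not admits_alb:
        findings.append(f"MISSING: no tcp/{port} rule referencing the ALB "
                        f"security group {alb_sg_id}")
    return findings


def hardened_permissions(alb_sg_id, port=80):
    """The IpPermissions the instance SG should carry instead: the web port
    from the ALB's security group only.  This is the shape that
    `aws ec2 authorize-security-group-ingress --ip-permissions` accepts."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": alb_sg_id}]}]


if __name__ == "__main__":
    for finding in audit_instance_sg(SAMPLE_GROUPS,
                                     "sg-0aaa000000000001", "sg-0aaa000000000002"):
        print(finding)
    print("replace with:", hardened_permissions("sg-0aaa000000000002"))
```

In practice, feed it the output of `aws ec2 describe-security-groups --group-ids <instance-sg> <alb-sg> --output json` parsed with `json.load`. A clean result still leaves the instance's public IP and public DNS name resolvable, but with no CIDR rule on the group, routes 1 and 2 are dropped at the security group and only traffic through the ALB (and therefore through any WAF attached to it) reaches Apache.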

That's all.