Checking for suspicious access to an AWS server
Environment
Launched a public EC2 instance, put an ALB in front of it, and set up Route53 as well.
Installed only Apache on the EC2 instance (no PHP, so every request for a .php file gets a 404).
Prepared the following access routes:
1. Directly to the EC2 instance (its public DNS name, which resolves to the instance's public IP)
http://ec2-52-198-35-195.ap-northeast-1.compute.amazonaws.com
3. Via the ALB's DNS name
http://test-alb-387476744.ap-northeast-1.elb.amazonaws.com
4. Via the ALB's IP address
(Note) To find the ALB's IP addresses, dig the ALB's DNS name. An ALB has no fixed IP; the addresses dig returns can change over time, so this route has to be re-checked rather than hard-coded.
dig test-alb-387476744.ap-northeast-1.elb.amazonaws.com
5. Via Route53
With the routes above in place, leave it alone for a while.
Results
I left it for about two days.
Excerpt:
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /x.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /cnm.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /1ndex.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /autoloader.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /51.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /cadre.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:23 +0900] "POST /mm.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /test.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /1q.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /1111.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /errors.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /q.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /lanyecn.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /lanyecn.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:24 +0900] "POST /mybestloves.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /xiaoxi.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /xiaoxi.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /ww.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /pop.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /ok.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /test.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /conf.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:25 +0900] "POST /dashu.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /shell.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /queqiao.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /12345.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /qqq.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /15.php HTTP/1.1" 404 204 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:26 +0900] "POST /slider.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/1.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/asp.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/entyy.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/1ndex.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /images/defau1t.php HTTP/1.1" 404 216 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /webconfig.txt.php HTTP/1.1" 404 215 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /administrator/webconfig.txt.php HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:27 +0900] "POST /api.php HTTP/1.1" 404 205 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /luso.php HTTP/1.1" 404 206 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /1ndex.php HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /indexbak.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /xmlrpc.php HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /errors/processor.php HTTP/1.1" 404 218 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 248 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:28 +0900] "POST /plus/90sec.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/e7xue.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/mybak.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/service.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/laobiao.php HTTP/1.1" 404 214 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/xsvip.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /plus/bakup.php HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
10.0.1.8 - - [26/Jun/2019:07:48:29 +0900] "POST /c.php HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"
Quite a lot came in via the ALB's IP address. Note that the 10.0.1.8 in the first field is the private VPC address of an ALB node, not the scanner's own address: with Apache's default combined log format behind an ALB, the peer that gets logged is the load balancer, and the real client address only shows up if you log the X-Forwarded-For header (for example with %{X-Forwarded-For}i in the LogFormat, or mod_remoteip) or enable the ALB's own access logs.
Around 3,000 requests in all, aimed at all sorts of PHP files.
The file names are the usual guesses: web-shell names (shell.php, c.php, 1ndex.php), CMS entry points (xmlrpc.php, /plus/*.php) and the PHPUnit eval-stdin.php path. Every one of them got a 404 here, since this box has only Apache and no PHP, but they are exactly what a forgotten CMS install or an exposed vendor/ directory would be hit with.
There were also many aimed at MySQL configuration.
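As an added example (not code from the original post), here is a small Python detector that parses Apache combined-format lines like the ones above and flags a client that hits many distinct non-existent .php paths inside a short window, which is what the burst above looks like and what a normal visitor never does. The sample log is constructed: twelve lines are copied from the excerpt, three are made up. The optional trailing X-Forwarded-For field in the parser and the threshold of 10 paths in 60 seconds are my assumptions, not something the post describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat, which is what the post's excerpt is in:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Behind an ALB, %h is the ALB node's private VPC address (10.0.1.8 in the
# post), not the scanner.  The optional trailing quoted field is an ASSUMED
# extension of the LogFormat with "%{X-Forwarded-For}i"; lines without it
# parse exactly the same way.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?\s*$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # The left-most X-Forwarded-For entry is the address the ALB accepted the
    # connection from; fall back to %h when the field is absent.
    xff = rec.get("xff")
    rec["client"] = xff.split(",")[0].strip() if xff and xff != "-" else rec["host"]
    return rec


def find_php_scanners(lines, window=timedelta(seconds=60), min_distinct=10):
    """Return {client: summary} for clients that requested >= min_distinct distinct
    non-existent (404) .php paths within any span of `window`.  That burst of
    guessed file names is the signature of the web-shell / CMS probe in the post."""
    hits = defaultdict(list)          # client -> [(time, path)] of 404'd .php requests
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or not rec["path"].lower().endswith(".php"):
            continue
        hits[rec["client"]].append((rec["time"], rec["path"]))

    flagged = {}
    for client, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding window over time-sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_distinct:
                flagged[client] = {
                    "distinct_paths": len({p for _, p in events}),
                    "first": events[0][0],
                    "last": events[-1][0],
                }
                break
    return flagged


# Constructed sample: twelve lines copied from the post's excerpt plus three
# made-up lines (a normal GET, a missing favicon, and a late /c.php probe).
_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:31.0) Gecko/20100101 Firefox/31.0"


def _line(ts, method, path, status, size, ua=_UA):
    return f'10.0.1.8 - - [26/Jun/2019:{ts} +0900] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'


SAMPLE_LOG = [
    _line("07:48:23", "POST", "/x.php", 404, 203),
    _line("07:48:23", "POST", "/cnm.php", 404, 205),
    _line("07:48:23", "POST", "/1ndex.php", 404, 207),
    _line("07:48:23", "POST", "/autoloader.php", 404, 212),
    _line("07:48:23", "POST", "/51.php", 404, 204),
    _line("07:48:23", "POST", "/cadre.php", 404, 207),
    _line("07:48:23", "POST", "/mm.php", 404, 204),
    _line("07:48:24", "POST", "/test.php", 404, 206),
    _line("07:48:24", "POST", "/1q.php", 404, 204),
    _line("07:48:24", "POST", "/1111.php", 404, 206),
    _line("07:48:26", "POST", "/shell.php", 404, 207),
    _line("07:48:28", "POST", "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 404, 248),
    _line("07:50:01", "GET", "/", 200, 12, ua="curl/7.64.0"),             # constructed, benign
    _line("07:50:01", "GET", "/favicon.ico", 404, 209, ua="curl/7.64.0"),  # constructed, not .php
    _line("09:15:40", "POST", "/c.php", 404, 203),                        # constructed, outside the window
]

if __name__ == "__main__":
    for client, info in find_php_scanners(SAMPLE_LOG).items():
        print(f"{client}: {info['distinct_paths']} distinct missing .php paths "
              f"between {info['first'].time()} and {info['last'].time()}")
```

Run against the real access_log, the key that matters is which address ends up in `client`: without X-Forwarded-For in the LogFormat every scanner behind the ALB collapses into 10.0.1.8, and you can only say "something came through the ALB", not who.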
Summary
You always have to keep in mind that there is this much traffic. Security can't be neglected (note to self).
At minimum you need:
・Access restriction with security groups: the instance should accept port 80 only from the ALB's security group, which closes the direct-to-instance route (route 1 above).
・HTTP filtering with a WAF: AWS WAF can be attached to the ALB to drop request patterns like the ones above before they reach the instance.
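For the security-group half of that, here is an added example (not from the post) that audits the output of `aws ec2 describe-security-groups` for instance groups that accept web traffic from anything other than the ALB's security group. The groups, rules and IDs are constructed; the only thing assumed about AWS is the JSON shape of that command's output.

```python
"""Audit EC2 security groups for the rule that leaves Apache reachable without
going through the ALB.  Added example; the sample data is constructed in the
shape `aws ec2 describe-security-groups` returns, with made-up group IDs."""


def web_ingress_not_from(security_groups, allowed_source_sg, ports=(80, 443)):
    """For every group given, return (group_id, port, source) for each ingress
    rule that opens a web port to a source other than `allowed_source_sg` (the
    ALB's group).  Any CIDR source counts, public or private: the instance
    should only be reachable through the load balancer."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "-1"):            # "-1" is the all-traffic rule
                continue
            lo = perm.get("FromPort", 0) if proto == "tcp" else 0
            hi = perm.get("ToPort", 65535) if proto == "tcp" else 65535
            exposed = [p for p in ports if lo <= p <= hi]
            if not exposed:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                if src != allowed_source_sg:
                    findings.extend((sg["GroupId"], p, src) for p in exposed)
    return findings


# Constructed sample: the ALB's own group (must stay open to the world), the
# instance group as it effectively was in the post (port 80 open to 0.0.0.0/0,
# which is why route 1 worked), and the hardened version that only admits the
# ALB's group.  All IDs are made up.
ALB_SG = "sg-0a1b2c3d4e5f60001"
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "test-alb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-behind-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    ]},
]


def instance_findings(security_groups=SAMPLE_GROUPS, alb_sg=ALB_SG):
    """Findings for every group except the ALB's own, which is meant to be public."""
    return web_ingress_not_from([g for g in security_groups if g["GroupId"] != alb_sg], alb_sg)


if __name__ == "__main__":
    for group_id, port, src in instance_findings():
        print(f"{group_id}: port {port} reachable from {src}, not only from the ALB ({ALB_SG})")
```

The "web-open" group is flagged and "web-behind-alb" is not; the SSH rule is ignored because only the web ports are in scope here. With real output, feed `SecurityGroups` from `aws ec2 describe-security-groups --output json` into `instance_findings` and pass the ALB's actual group ID.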
That's all.