The WordPress server was attacked. The raw Apache log is attached below.
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
192.168.11.11 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/wp-admin/admin-ajax.php HTTP/1.1" 200 101 "https://clover.fcg.world/wp-admin/post.php?post=4135&action=edit" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:52 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/petx.php?baca HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:53 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:56 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/recky.php HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:51 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:51 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:56 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:59 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/metri.php HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:40:01 +0900] "GET /tmp/petx.php?baca HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:40:00 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:40:03 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/metri.php HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
Looking through the log, you can see that the server is repeatedly hit by requests beginning with "/index.php?option=com_jce".
When I looked into what kind of attack this is, it appears to target a vulnerability in JCE (Joomla Content Editor), the article editor for Joomla.
The technique is apparently to upload a PHP script disguised as an image. Joomla is not installed on my server, so I wonder whether this can even be reached through WordPress's index.php...
It may be a vulnerability in WordPress itself or in a plugin, but since I could not pin down the cause, I decided to use Apache's mod_rewrite to reject every request whose query string contains option=com_jce.
# JCE attack countermeasure
RewriteCond %{QUERY_STRING} ^(.*)option=com_jce(.*)$
RewriteRule (.*) /forest/musica/? [R=301,L]
This directive redirects every request whose query string contains option=com_jce to /forest/musica, and the trailing "?" in the target drops the query string from the redirected URL.
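To check that the rewrite rule above matches the same requests you spotted in the log, and to catch the follow-up pattern the log shows (a JCE probe from an address followed by GETs to PHP files under tmp/), here is a small log-analysis script. It is an added example, not code from the post; the sample log lines are constructed from the entries above with user agents shortened.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined log format, as in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample modelled on the post's log (user agents shortened).
SAMPLE_LOG = """\
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 302 - "-" "Mozilla/5.0 Firefox/3.6"
192.168.11.11 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/wp-admin/admin-ajax.php HTTP/1.1" 200 101 "https://clover.fcg.world/wp-admin/post.php?post=4135&action=edit" "Mozilla/5.0 Chrome/50.0.2661.94"
151.80.97.152 - - [08/May/2016:11:39:52 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/petx.php?baca HTTP/1.1" 302 326 "-" "Mozilla/5.0 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:56 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 Firefox/3.6"
"""

def parse_line(line):
    """Split one combined-log line into fields; return None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec

def matches_rewrite_rule(query):
    """Same test as the post's RewriteCond: the query string contains option=com_jce."""
    return re.search(r"option=com_jce", query) is not None

def analyse(log_text):
    """Per source IP: count JCE probes and record follow-up GETs to tmp/*.php."""
    findings = defaultdict(lambda: {"jce_posts": 0, "tmp_php_gets": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings[rec["ip"]]
        if rec["method"] == "POST" and matches_rewrite_rule(rec["query"]):
            f["jce_posts"] += 1
        elif rec["method"] == "GET" and re.search(r"/tmp/[^/]+\.php$", rec["path"]):
            f["tmp_php_gets"].append(rec["path"])
    # Report only IPs that both probed JCE and then requested a PHP file under tmp/,
    # the sequence visible in the post's log.
    return {ip: f for ip, f in findings.items() if f["jce_posts"] and f["tmp_php_gets"]}
```

Run analyse() over the real access log to list which addresses followed a com_jce probe with a request to a PHP file under tmp/; those tmp/ paths are worth checking on disk for uploaded scripts.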
References
morihi-soc