WordPressに対するJCE攻撃の記録と対策

WordPress本体

WordPressサーバーが攻撃を受けた。Apacheの生ログを以下に添付する。

151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
192.168.11.11 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/wp-admin/admin-ajax.php HTTP/1.1" 200 101 "https://clover.fcg.world/wp-admin/post.php?post=4135&action=edit" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:47 +0900] "POST /forest/computer/category/server/xampp-for-windows/xamp-control/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 404 209672 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:45 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:52 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/petx.php?baca HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:53 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:56 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/recky.php HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:51 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:51 +0900] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:56 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:39:59 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/metri.php HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:40:01 +0900] "GET /tmp/petx.php?baca HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:40:00 +0900] "GET /forest/conservatoire/ HTTP/1.1" 200 139140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
151.80.97.152 - - [08/May/2016:11:40:03 +0900] "GET /forest/computer/category/server/xampp-for-windows/xamp-control/tmp/metri.php HTTP/1.1" 302 326 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

ログを観察してみると、”/index.php?option=com_jce”で始まる攻撃を繰り返し受けているのがわかる。

どういう攻撃なのか調べてみたところJoomlaの記事作成エディタであるJCE(Joomla Content Editor)の脆弱性をついた攻撃らしい。

JCE

Joomla Content Editor (JCE)

画像に見せかけてphpのスクリプトを送りこむという手口らしい。私のサーバーにはJoomlaはインストールされていないのだが、WordPressのindex.phpから使用できるのだろうか。。

WordPress本体あるいはプラグインの脆弱性なのかもしれないが、原因が特定できなかったため、Apacheのmod_rewriteでクエリ文字列にoption=com_jceを含むものを全てはじくことにした。

# JCE攻撃対策
RewriteCond %{QUERY_STRING} ^(.*)option=com_jce(.*)$
RewriteRule (.*) /forest/musica/? [R=301,L]

クエリ文字列にoption=com_jceが含まれていたら全て/forest/musicaに飛ばした上で、クエリ文字列を削除するという指定である。

参考

morihi-soc

 

コメント