
On the home server

I was working on the plugin thing all last night, and just when I had reached my limit and was about to go to bed, I noticed it.
Actually I had noticed it a little while earlier, but figured it was nothing and would settle down soon enough.

The router's lamp has been blinking nonstop, and the HDD is being accessed continuously.

It keeps going click-click-click-click and it's unnerving, so I figured I'd at least take a look.
Even though I'm about to collapse....(continued below)

First, I decided to look at the transfer volume.
Part of the server serves as file storage, and a few people use FreshReader on it.

Hmm. Nothing much.

Maybe the machine is broken, I thought, but when I access it myself it works fine....

No choice then; let's look at the system logs.
Without really knowing how or what to look at, I started with the httpd (http daemon) log.

Hmm. Nothing much going on apart from me.....

So sleepy. So sleepy.
But the more I look, the less I understand. The unease keeps growing.

       |
   \  __  /
   _ (m) _ding!
      |ミ|
    /  `´  \
     ('A`)
     ノヽノヽ
       くく
 
Oh, right. There's ftpd (the ftp daemon) too.
Let's see, /var/log/proftpd.....

[11/Nov/2006:04:46:00 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:01 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:01 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:01 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:01 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:03 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:03 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:03 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:03 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:04 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:05 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:05 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:05 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:05 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:06 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:07 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:07 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:07 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:08 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:08 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:09 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:09 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:10 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:10 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:10 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:11 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:12 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:12 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:12 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:12 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:14 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:14 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:14 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:14 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:15 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:16 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:16 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:16 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:16 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:17 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:18 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:18 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:18 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:19 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:19 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:20 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:20 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:21 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:21 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:21 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:22 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:23 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:23 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:23 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:23 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:25 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:25 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:25 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:26 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:26 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:27 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:27 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:28 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:28 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:28 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:29 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:30 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:30 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:30 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:31 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:32 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:32 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:32 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:33 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:33 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:34 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:34 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:35 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:35 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:35 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:40 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:40 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:40 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:41 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:41 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:42 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:42 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:43 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:43 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:43 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:44 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:45 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:45 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:45 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:45 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:47 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:47 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:47 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:48 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:48 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:49 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:49 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:50 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:50 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:50 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:51 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:52 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:52 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:52 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:52 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:54 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:54 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:54 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:54 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:55 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:56 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:56 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:57 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:57 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:57 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:58 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:58 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:59 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:59 +0900] : nobody (222.122.13.28 [222.122.13.28])
[11/Nov/2006:04:46:59 +0900] : nobody (222.122.13.28 [222.122.13.28])

 
WHAAAAAT THE HELL IS THIIIIIS

Any way you look at it, this is password cracking. Thank you so mu(ry

By the way, this is the authentication log. This is one minute's worth.
It has been going on like this nonstop since 2:48 AM, about 14,500 attempts at this point........
Well, the fact that I caught it in progress presumably means it hasn't been cracked yet.

Not that there is any important data on this server, and while I don't know what user id they were trying, I've set it so root can't log in, so I figure it's mostly fine.

# Having written that, I wonder: were they trying to log in as the id nobody??? No idea. Man, I'm ignorant.
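An added detection example, not code from the post: it parses lines in the proftpd auth-log format shown above (assuming the second field is the login name presented to the daemon) and flags any source address whose attempts in a single calendar minute reach a threshold, which is the pattern the author spotted by eye. The sample input is constructed; 192.0.2.10 and the user name alice are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
from collections import Counter

# Line shape of the proftpd auth log shown on the page:
# [11/Nov/2006:04:46:00 +0900] : nobody (222.122.13.28 [222.122.13.28])
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] : (?P<user>\S+) \(\S+ \[(?P<ip>[^\]]+)\]\)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, attempted user, source ip), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("user"), m.group("ip")

def summarize(lines, threshold=30):
    """Per source IP: attempt count, user names tried, first/last time and the busiest
    calendar minute. IPs whose peak minute reaches `threshold` are flagged (the page's
    log shows roughly 120 attempts in one minute, far above any human login rate)."""
    per_minute, stats = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # rotation markers, blank lines, other formats
        ts, user, ip = rec
        per_minute[(ip, ts.replace(second=0))] += 1
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "first": ts, "last": ts, "peak_per_minute": 0})
        s["attempts"] += 1
        s["users"].add(user)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    for (ip, _minute), n in per_minute.items():
        stats[ip]["peak_per_minute"] = max(stats[ip]["peak_per_minute"], n)
    flagged = sorted(ip for ip, s in stats.items() if s["peak_per_minute"] >= threshold)
    return stats, flagged

def constructed_sample():
    """Constructed input (not the page's raw log): 120 attempts in one minute from the
    source address the page shows, plus one login from a placeholder address."""
    jst = timezone(timedelta(hours=9))
    base = datetime(2006, 11, 11, 4, 46, 0, tzinfo=jst)
    lines = [f"[{(base + timedelta(seconds=i // 2)).strftime(TS_FMT)}] : nobody (222.122.13.28 [222.122.13.28])"
             for i in range(120)]
    lines.append(f"[{(base + timedelta(seconds=30)).strftime(TS_FMT)}] : alice (192.0.2.10 [192.0.2.10])")
    lines.append("proftpd log rotated")  # non-matching line, skipped by the parser
    return lines

if __name__ == "__main__":
    stats, flagged = summarize(constructed_sample())
    for ip in flagged:
        s = stats[ip]
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {s['attempts']} attempts over {span:.0f}s, peak {s['peak_per_minute']}/min, users tried: {sorted(s['users'])}")
```

Run against the real file (open("/var/log/proftpd") and pass the lines to summarize) to get the same per-address summary; the users set answers the author's question of which ids were being tried.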
 
 
 
Anyway, it's unnerving, so I shut down ftpd.
The machine goes quiet in an instant....

Now then, where is this idiot coming from? whois it is....


"222.122.13.28"のWHOIS結果[whois.arin.net]
 
[Querying whois.arin.net]
[Redirected to whois.apnic.net]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
 
inetnum: 222.96.0.0 - 222.122.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: DL248-AP
tech-c: GK40-AP
remarks: ***********************************************
remarks: KRNIC of NIDA is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the NIDA Whois DB
remarks: http://whois.nida.or.kr/english/index.html
remarks: ***********************************************
status: Allocated Portable
mnt-by: MNT-KRNIC-AP
changed: hm-changed@apnic.net 20031027
changed: hm-changed@apnic.net 20041007
source: APNIC

 
 
Koreaaaqawsedrftgyfujikolp (super angry

I wonder whether any log remains of which id/pass they were coming in with. I'd like to know their method.
Still, what I keep thinking is: on this server I at least notice it myself, but what happens when a rented server gets attacked like this?
Do rental server providers block suspicious access for you?

Of course I doubt both id and pass would get cracked, but it gave me the chills somehow.

Anyway, whoever is doing this can drop dead!

# Also, not that it matters, but the "nida" in http://whois.nida.or.kr/ got a laugh out of me, nida
 
 
 
(Addendum 23:02)
krfilter - deny accesses from .kr
 Using this as a reference, I set up filtering in one swoop.
 (Note: this is about my home server, not this site; the home server is (basically) accessed only by me and acquaintances.)
 


