
Dealing with unauthorized access attempts against WordPress


2018/3/1

New user registration on the site "******":

Username: aji*****co

Email address: era****ye@asas.domailnew.com


I logged into the server and searched the Apache access log around the time of that notification. Every relevant request came from a single address:

91.200.12.7 - - [01/Mar/2018:02:24:44 +0000] "GET /wp-login.php?action=rp HTTP/1.0" 200 4724 "http://**********/wp-login.php?action=rp" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 YaBrowser/17.10.0.2017 Yowser/2.5 Safari/537.36"
91.200.12.7 - - [01/Mar/2018:02:24:45 +0000] "POST /wp-login.php?action=resetpass HTTP/1.0" 200 1721 "http://**********/wp-login.php?action=rp" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 YaBrowser/17.10.0.2017 Yowser/2.5 Safari/537.36"
91.200.12.7 - - [01/Mar/2018:02:59:59 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://**********/bbp-register/" "Mozilla/5.0 (Windows NT 7.0; WOW64; rv:33.1) Gecko/20100101 Firefox/33.1"
91.200.12.7 - - [01/Mar/2018:03:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4049 "http://**********/bbp-register/?checkemail=registered" "Mozilla/5.0 (Windows NT 7.0; WOW64; rv:33.1) Gecko/20100101 Firefox/33.1"
91.200.12.7 - - [01/Mar/2018:03:16:01 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://**********/bbp-register/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
91.200.12.7 - - [01/Mar/2018:03:16:03 +0000] "POST /wp-login.php HTTP/1.0" 200 4045 "http://**********/bbp-register/?checkemail=registered" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"

The sequence is telling: first a password-reset flow (GET ?action=rp, then POST ?action=resetpass), then POSTs to wp-login.php referred from the bbPress registration page (/bbp-register/), ending with the ?checkemail=registered redirect that WordPress issues after a self-registration succeeds. The User-Agent changes between requests from the same address (YaBrowser, Firefox 33.1, Chrome 62), which is what a scripted tool rotating user agents looks like. What hostname does that address resolve to?


nanbuwks@LATITUDE:~$ dig -x 91.200.12.7

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -x 91.200.12.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4262
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;7.12.200.91.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
7.12.200.91.in-addr.arpa. 3600  IN  PTR dsystemip5.vhoster.org.

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 01 11:34:12 JST 2018
;; MSG SIZE  rcvd: 89

So this is a vhoster.org host, and opening that address in a browser gives a page that is bright red all over.


When I have time, I want to look into what kind of attack code it is serving.

For now I have simply filtered that address and will watch what happens. A single-IP block is cheap, but it only stops this one host; the registration itself succeeded, so if the site does not actually need open sign-up, turning off "Anyone can register" in Settings > General removes the thing being abused, and the new account should be deleted rather than left in place.
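As an added example that is not part of the original post, here is a POSIX shell script covering both steps above, the log check and the filtering, run over a constructed sample log modelled on the lines quoted earlier. It ranks client addresses by POSTs to wp-login.php, picks out addresses that completed a self-registration (the ?checkemail=registered referer), and prints the iptables rule for each suspect instead of applying it. The second visitor (198.51.100.23), the example.com referers and the threshold of three POSTs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage an Apache access log
# (combined format) for wp-login.php abuse and emit a block rule for review.
# The 198.51.100.23 visitor, the example.com referers and the threshold of 3
# POSTs are assumptions made for this example.

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG='91.200.12.7 - - [01/Mar/2018:02:24:44 +0000] "GET /wp-login.php?action=rp HTTP/1.0" 200 4724 "-" "Mozilla/5.0"
91.200.12.7 - - [01/Mar/2018:02:24:45 +0000] "POST /wp-login.php?action=resetpass HTTP/1.0" 200 1721 "http://example.com/wp-login.php?action=rp" "Mozilla/5.0"
91.200.12.7 - - [01/Mar/2018:02:59:59 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://example.com/bbp-register/" "Mozilla/5.0"
91.200.12.7 - - [01/Mar/2018:03:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4049 "http://example.com/bbp-register/?checkemail=registered" "Mozilla/5.0"
91.200.12.7 - - [01/Mar/2018:03:16:01 +0000] "POST /wp-login.php HTTP/1.0" 302 384 "http://example.com/bbp-register/" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2018:03:20:10 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2018:03:21:00 +0000] "POST /wp-login.php HTTP/1.1" 302 384 "http://example.com/wp-login.php" "Mozilla/5.0"'

# Count POST requests to wp-login.php per client address, busiest first.
# Reads a combined-format log on stdin and prints "<count> <ip>" lines.
# Field 6 is the quoted method ("POST) and field 7 the request path.
wp_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses with at least N (default 3) POSTs to wp-login.php.
suspects() {
    wp_login_posts | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Addresses that completed a self-registration: WordPress redirects back to
# the registration page with ?checkemail=registered, which then shows up as
# the referer of the next request from that client.
registrations() {
    grep -F 'checkemail=registered' | awk '{ print $1 }' | sort -u
}

# Reverse-lookup an address (needs network; the post did this with "dig -x").
rdns() {
    dig +short -x "$1"
}

# Print, do not run, the firewall rule for an address so it can be reviewed
# before being applied as root.
block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Stand-alone run: show the ranking and the rule for each suspect.
printf '%s\n' "$SAMPLE_LOG" | wp_login_posts
for ip in $(printf '%s\n' "$SAMPLE_LOG" | suspects 3); do
    block_rule "$ip"
done
```

To use it on a real server, source the file and feed the live log, e.g. `wp_login_posts < /var/log/apache2/access.log`; the printed rule must be applied by root, and since it blocks only one address, keep watching for the same request pattern arriving from neighbouring hosts.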
