Drupalgeddon2 をハニーポットで観察してみた

Transcript

1. 2018೥6݄30೔ ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձൃදࢿྉ Drupalgeddon2 Λ ϋχʔϙοτͰ؍࡯ͯ͠Έͨ @morihi_soc

2. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ 
   XIPBNJ w ৿ٱ
   ࿨ত !NPSJIJ@TPD
   
   w ຊۀ͸ωοτϫʔΫηΩϡϦςΟΤϯδχΞɾΞφϦετ
   w

   झຯͰϋχʔϙοτͷӡ༻Λ͢Δϋχʔϙολʔ
   w ϒϩάˠ
   IUUQXXXNPSJIJTPDOFU
   w ϋχʔϙολʔٕज़ަྲྀձ
   ओ࠵ऀ
   w IUUQTIBOJQPUFDIDPOOQBTTDPN 2 ࠓ·Ͱʹ͓ੈ࿩ʹͳͬͨΠϕϯτ(Ұ෦) ɾ*5,FZT ݱ4FD$BQ
   ɾωοτϫʔΫύέοτΛಡΉձ Ծ
   ɾ/*4$
   αΠόʔϋϩ΢Οϯ
   ɾ*OUFSOFU8FFL
   
   
   
   
   
   
   ɾ)BSEFOJOH
   ɾTTNKQ
   
   
   
   ɾ"*4FD
   
   
   ɾ4UVEZ$PEF
   ɾULUL
   ηΩϡϦςΟษڧձ
   ɾ૯ؔ੢αΠόʔηΩϡϦςΟ-5େձ ग़൛ͨ͠ຊ΍ٕज़ಉਓࢽ

3. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ͓඼ॻ͖ w %SVQBMHFEEPO
   ͱ͸
   w ߈ܸαϯϓϧ঺հ
   w 808)POFZQPU
   Ͱͷݕ஌ঢ়گ
   w

   ௿ର࿩ܕͱߴର࿩ܕͷൺֱ
   w ·ͱΊ 3

4. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ %SVQBMHFEEPO
   ͱ͸ w %SVQBM
   ʹ͸ɺϦϞʔτ͔Β೚ҙͷίʔυ͕࣮ߦՄ ೳͱͳΔ੬ऑੑ
   $7&
   ͕ଘࡏ͠ɺ͜ͷ ੬ऑੑΛѱ༻͢Δ͜ͱͰɺԕִͷୈࡾऀ͕ɺඇެ։ σʔλΛ઄औͨ͠ΓɺγεςϜσʔλΛվมͨ͠Γ

   ͢ΔͳͲͷՄೳੑ͕͋Δͱͷ͜ͱͰ͢ɻ
   w ӨڹΛड͚Δόʔδϣϯ͸࣍ͷ௨Γɻͨͩ͠αϙʔ τ͕੾Ε͍ͯΔݹ͍όʔδϣϯ΋ӨڹΛड͚ΔՄೳ ੑ͕͋Γɻ
   w %SVQBM
   
   ΑΓલͷόʔδϣϯ
   w %SVQBM
   
   ΑΓલͷόʔδϣϯ 4 JPCERT/CC ͷϖʔδ͔ΒҾ༻ https://www.jpcert.or.jp/at/2018/at180012.html

5. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ڪාͷେԦ;ͨͨͼ w ೥݄೔
   %SVQBM
   ެ͔ࣜΒɺिؒޙʹηΩϡ ϦςΟϦϦʔεΛ͢Δͱͷൃද 
   w ೥݄೔
   $7&ͷ੬ऑੑΛमਖ਼ ͨ͠όʔδϣϯ͕ެ։

   
   w ೥݄೔
   ηΩϡϦςΟݚڀऀʹΑΓɺϦϞʔ τίʔυ࣮ߦͷղੳ৘ใ͕ެ։ ɻ
 ೥ͷ੬ऑੑ $7& Λኲኵͱͤ͞Δ ΄Ͳةݥ౓͕ߴ͘ɺ%SVQBMHFEEPOͱݺ͹ΕΔɻ 5 *1 https://www.drupal.org/psa-2018-001 *2 https://www.drupal.org/SA-CORE-2018-002 *3 https://research.checkpoint.com/uncovering-drupalgeddon-2/ ը૾Ҿ༻ݩˣ https://scanforsecurity.com/news/drupalgeddon-2-vulnerability-used-infect-servers-backdoors-coinminers.html

6. ߈ܸαϯϓϧ ঺հ ↑2018೥6݄9೔ ৽॓ޚԓ େԹࣨͰࡱӨ ৯஬২෺Ͱ͸ͳ͍ɻ

7. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸαϯϓϧ঺հ w ϋχʔϙοτʹର͢Δ߈ܸͰ࠷΋ଟ͔ͬͨύλʔϯ
   w ߈ܸର৅ͷύε͸ʮVTFSSFHJTUFSʯ 7

8. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸαϯϓϧ঺հ w %SVQBM
   ܥΛૂͬͨ߈ܸύλʔϯ
   w ஈ֊Ͱ߈ܸΛ੒ཱͤ͞Δ
   w 8FC
   αʔό͔ΒͷԠ౴ʹ
   GPSN
   ͷ
   JE
   ؚ͕·ΕΔ
   w

   8

9. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸαϯϓϧ঺հ w %SVQBM
   ܥΛૂͬͨ߈ܸύλʔϯ
   w ճ໨ͷΞΫηεͰ
   GPSN
   ͷσʔλΛΩϟογϡ͞ ͤͯɺճ໨ͷΞΫηεͰϨϯμϦϯάͤͯ͞ίϚϯ υ࣮ߦΛࢼΈΔɻ 9

10. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸऀͷૂ͍Λ୳Δ w 1045
    ͷϘσΟ෦෼ʹ஫໨͠ɺ߈ܸऀ͕ͲΜͳҙਤ Ͱ߈ܸ͖ͯͨ͠ͷ͔ߟ͑ͯΈΑ͏
    w ੬ऑੑͷௐࠪΛ͍ͯ͠Δ௨৴͔ΒɺϚϧ΢ΣΞײછ ΛࢼΈΔ΋ͷ·Ͱ༷ʑͳ߈ܸΛݕ஌
    w

    ͍͔ͭ͘ϐοΫΞοϓͯ͠঺հ 10

11. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ੬ऑੑͷௐࠪ w FDIP
    ίϚϯυͰจࣈྻΛදࣔ͢Δ
    w JE
    ίϚϯυͰϢʔβ໊Λදࣔ͢Δ 11

12. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧμ΢ϯϩʔυ w ੬ऑੑΛಥ͍ͯγΣϧεΫϦϓτΛμ΢ϯϩʔυ͠ ࣮ͯߦͤ͞Δ߈ܸ
    w GFUDI
    ίϚϯυ΋࢖͍ͬͯͯɺ#4%
    ܥ΋߈ܸର৅ 12

13. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧμ΢ϯϩʔυ w TI
    ϑΝΠϧͰμ΢ϯϩʔυΛࢼΈΔϑΝΠϧΛ
 ௥ՃͰௐࠪͯ͠Έͨ݁Ռɻ
    w ෳ਺ͷ
    $16
    ΞʔΩςΫνϟʹରԠͰ͖ΔΑ͏ʹɺ ϑΝΠϧΛμ΢ϯϩʔυ͍ͯͨ͠ɻ

    13

14. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧμ΢ϯϩʔυ w த਎͸
    %%P4
    ʹར༻͞ΕΔ
    
    5TVOBNJ
    Ϛϧ΢ΣΞ IUUQTXXXWJSVTUPUBMDPNFOpMFDDBBCFDCGDDEDD⒎CBEFGEDECBFBOBMZTJT 14

15. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧ࡞੒ w FDIP
    ίϚϯυΛύΠϓͰܨ͍Ͱɺ1)1
    ϑΝΠϧΛ ࡞੒͍ͯ͠Δɻ
    w #"4&
    Ͱσίʔυ͢Δͱɺͳʹ΍Βո͍͠งғؾɻ 15

16. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧ࡞੒ w 04
    ίϚϯυ࣮ߦػೳͱϑΝΠϧΞοϓϩʔυػೳ Λ࣋ͭ
    8FC4IFMM
    ͩͬͨ 16 ※WebShell ͸ɺϒϥ΢β͔Β

    Web αʔόΛૢ࡞͢Δ͜ͱ͕Ͱ͖ΔϓϩάϥϜɻ
 ৄ͘͠͸ ٕज़ಉਓࢽͷʮWebShell ਤේʯΛݟͯͶ! https://booth.pm/ja/items/718303

17. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ 808)POFZQPU
    Ͱͷݕ஌ঢ়گ w ೥݄೔͔Β݄೔·ͰͷظؒΛநग़ 17

18. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ௿ର࿩ܕͱߴର࿩ܕͷൺֱ w ϋχʔϙοτ͸͍͔ͭ͘෼ྨ͢Δํ๏͕͋Γ·͢
    w ௿ର࿩ܕ ྫɿ808)POFZQPU
    w

    ࣮ࡏ͢Διϑτ΢ΣΞΛ໛฿͢Δํࣜ
    w ϩά෼ੳ͠΍͘͢ͳ͍ͬͯΔ͕ɺ੬ऑੑͷ໛฿͸
 ׬ᘳʹͰ͖ͳ͍ɻ
    w ߴର࿩ܕ ྫɿ"QBDIF
    
    1)1
    
    %SVQBM
    w ιϑτ΢ΣΞΛͦͷ··࢖͏ํࣜ
    w ຊ෺ͳͷͰඪతΛߜͬͨ߈ܸΛݕ஌͠΍͍͕͢ EBZ
    ͷ੬ऑੑʹΑΓɺϛΠϥऔΓ͕ϛΠϥঢ়ଶʹ ͳΓ͔Ͷͳ͍ɻ 18

19. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ %SVQBMHFEEPO
    ͰݟΔ௿ɾߴର࿩ܕ w ௿ର࿩ܕͰ͋Δ
    808)POFZQPU
    ͷݕ஌ঢ়گͱ
 ߴର࿩ܕͰ͋Δ
    %SVQBM
    ͷϋχʔϙοτͷݕ஌ঢ়گ Λൺֱͯ͠Έͨ
    w ΋ͪΖΜ
    %SVQBM
    ͸ύονΛଈ೔ద༻ࡁΈɻ
    w

    
    %SVQBM
    ͷϋχʔϙοτ͸ɺ808)POFZQPU
    ΑΓ গ͠લ͔Βެ։ͯ͠߈ܸ৘ใΛऩू͍ͯͨ͠ɻ
    w ͪΐ͏Ͳ
    %SVQBMHFEEPO
    ͕ग़ͨͱ͖͸ɺผʑͷαʔ όͰ؅ཧ͍ͯͨ͠ͷͰɺൺֱ͕Մೳͩͬͨɻ
    w ͨͩ͠ɺ%SVQBM
    ͷϋχʔϙοτ͸୆͔͠Քಇͯ͠ ͓Βͣɺ808)POFZQPU
    ͷํ͕୆਺͕ଟ͍ɻ 19

20. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ॳճͷ߈ܸݕ஌೔ w ͓͞Β͍
    w ೥݄೔ʹ੬ऑੑ͕ެ։ɺ݄೔ʹ੬ऑ ੑͷղઆ͕ެ։ɻ 20 ؍ଌ஍఺

    ॳճݕ஌೔ %SVQBM
    ͷߴର࿩ܕϋχʔϙοτ ݄೔ 808)POFZQPU ௿ର࿩ܕ ݄೔ ࢀߟ
    ܯࢹி
    Πϯλʔωοτఆ఺؍ଌγεςϜ  ݄೔ ࢀߟ
    NPSJIJTPD
    ͷϒϩά 8PSE1SFTT ݄೔ *1 https://www.npa.go.jp/cyberpolice/detect/pdf/20180418.pdf

21. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ϋχʔϙοτͷछผʹΑΔ߈ܸ؍ଌߟ࡯ w NPSJIJTPD
    ͷϋχʔϙοτ؀ڥͰ͸ɺ%SVQBM
    Λ࢖ͬ ͍ͯΔͱ͜Ζ͕࠷΋ૣ͘߈ܸΛݕ஌ͨ͠ɻ
    w ੬ऑੑ͕ެ։͞ΕͨΒɺ੬ऑੑ͕͋Γͦ͏ͳͱ͜ Ζ͕ɺਅͬઌʹૂΘΕΔɻ
    w

    ͱ͸͍͑ɺ௿ର࿩ܕͷϋχʔϙοτͰ΋߈ܸͷ؍ଌ ͸Մೳͩͬͨɻ
    w 8PSE1SFTT
    ͷΑ͏ͳɺ੬ऑੑͷର৅ͱϛεϚον ͳ؀ڥ͸ɺ߈ܸͷ؍ଌʹ͕͔͔࣌ؒΔɻ
    w αϯϓϧ਺͕গͳ͍ͷͰۮવ͔΋͠Εͳ͍ɻ 21

22. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ·ͱΊ w %SVQBMHHFEPO
    ͷ੬ऑੑΛૂͬͨ߈ܸΛࣄྫΛ౿ ·͑ͯ঺հͨ͠ɻ
    w ݕ஌ͨ͠߈ܸ͸ɺ੬ऑੑͷௐࠪΛࢼΈΔ΋ͷ͔Βɺ %%P4
    Ϛϧ΢ΣΞʹײછͤ͞Δ΋ͷɺ8FC4IFMM
    ͷ ઃஔΛࢼΈΔ΋ͷͳͲ༷ʑͩͬͨɻ
    

    w ϋχʔϙοτͷछผʹΑͬͯɺॳճͷ߈ܸݕ஌೔ʹ ҧ͍͕͋ͬͨɻ
 ͨͩ͠αϯϓϧ਺͕গͳ͍ͷͰࢀߟఔ౓ʹ 22

23. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ )BQQZ
    )POFZQPU 23 ←2018೥6݄9೔ ৽॓ޚԓ େԹࣨͰࡱӨ ৯஬২෺Ͱ͸ͳ͍ɻ ͓͠·͍