Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Drupalgeddon2 をハニーポットで観察してみた

Avatar for Kazuaki Morihisa Kazuaki Morihisa
June 30, 2018
Technology
1
1.3k

Drupalgeddon2 をハニーポットで観察してみた

2018年6月30日 第4回 ハニーポッター技術交流会 発表資料 @morihi_soc #hanipo_tech
https://hanipo-tech.connpass.com/event/90337/
Avatar for Kazuaki Morihisa

Kazuaki Morihisa

June 30, 2018
Tweet

More Decks by Kazuaki Morihisa

See All by Kazuaki Morihisa
まだ見ぬ攻撃を求めて
Avatar for Kazuaki Morihisa morihi_soc
1
1k
ハニーポットのログを国別で傾向分析してみた
Avatar for Kazuaki Morihisa morihi_soc
1
2k
ハニーポットで見る攻撃の検知傾向 〜秘密のファイル〜
Avatar for Kazuaki Morihisa morihi_soc
2
1.9k
あの脆弱性は今 ~ハニーポットで追ってみた~
Avatar for Kazuaki Morihisa morihi_soc
5
3.1k
ハニーポット活用事例紹介
Avatar for Kazuaki Morihisa morihi_soc
0
1.2k
ハニーポットの育てかた
Avatar for Kazuaki Morihisa morihi_soc
0
1.3k
Satori 系ボットネット観察 Attack from Japan
Avatar for Kazuaki Morihisa morihi_soc
0
1.9k
ハニーポットと脆弱性スキャン
Avatar for Kazuaki Morihisa morihi_soc
2
1.3k
ハニーポット開発でビビってしまった話
Avatar for Kazuaki Morihisa morihi_soc
4
1.5k

Other Decks in Technology

See All in Technology
10分で学ぶ、RAGの仕組みと実践
Avatar for Marimo supermarimobros
0
760
コスト最適重視でAurora PostgreSQLのログ分析基盤を作ってみた #jawsug_tokyo
Avatar for のんピ non97
1
860
勝手に!深堀り!Cloud Run worker pools / Deep dive Cloud Run worker pools
Avatar for iselegant iselegant
4
620
LINE 購物幕後推手
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
330
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
5.4k
ドキュメント管理の理想と現実
Avatar for Ohara Kazuhiro kazuhe
3
310
QA/SDETの現在と、これからの挑戦
Avatar for imtnd imtnd
0
220
Winning at PHP in Production in 2025
Avatar for Benjamin Eberlei beberlei
1
270
2025-04-14 Data & Analytics 井戸端会議 Multi tenant log platform with Iceberg
Avatar for kamijin_fanta kamijin_fanta
0
180
続・やっぱり余白が大切だった話
Avatar for KAKEHASHI kakehashi
PRO
2
120
Mastraに入門してみた ~AWS CDKを添えて~
Avatar for つくぼし tsukuboshi
0
380
AIエージェント開発手法と業務導入のプラクティス
Avatar for Yoshinori Kosaka ykosaka
9
2.7k

Featured

See All Featured
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
23
1.6k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
344
40k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.3k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
49k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
41
2.6k
Faster Mobile Websites
Avatar for Dean Hume deanohume
306
31k
Building Applications with DynamoDB
Avatar for Matt Wood mza
94
6.4k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
21k

Transcript

  1. 2018೥6݄30೔ ୈ4ճ ϋχʔϙολʔٕज़ަྲྀձൃදࢿྉ Drupalgeddon2 Λ ϋχʔϙοτͰ؍࡯ͯ͠Έͨ @morihi_soc

  2. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ XIPBNJ w ৿ٱ࿨ত !NPSJIJ@TPD  w ຊۀ͸ωοτϫʔΫηΩϡϦςΟΤϯδχΞɾΞφϦετ w

    झຯͰϋχʔϙοτͷӡ༻Λ͢Δϋχʔϙολʔ w ϒϩάˠIUUQXXXNPSJIJTPDOFU w ϋχʔϙολʔٕज़ަྲྀձओ࠵ऀ w IUUQTIBOJQPUFDIDPOOQBTTDPN 2 ࠓ·Ͱʹ͓ੈ࿩ʹͳͬͨΠϕϯτ(Ұ෦) ɾ*5,FZT ݱ4FD$BQ  ɾωοτϫʔΫύέοτΛಡΉձ Ծ  ɾ/*4$αΠόʔϋϩ΢Οϯ ɾ*OUFSOFU8FFLɾ)BSEFOJOH ɾTTNKQɾ"*4FDɾ4UVEZ$PEF ɾULULηΩϡϦςΟษڧձ ɾ૯ؔ੢αΠόʔηΩϡϦςΟ-5େձ ग़൛ͨ͠ຊ΍ٕज़ಉਓࢽ

  3. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ͓඼ॻ͖ w %SVQBMHFEEPOͱ͸ w ߈ܸαϯϓϧ঺հ w 808)POFZQPUͰͷݕ஌ঢ়گ w

    ௿ର࿩ܕͱߴର࿩ܕͷൺֱ w ·ͱΊ 3

  4. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ %SVQBMHFEEPOͱ͸ w %SVQBMʹ͸ɺϦϞʔτ͔Β೚ҙͷίʔυ͕࣮ߦՄ ೳͱͳΔ੬ऑੑ $7& ͕ଘࡏ͠ɺ͜ͷ ੬ऑੑΛѱ༻͢Δ͜ͱͰɺԕִͷୈࡾऀ͕ɺඇެ։ σʔλΛ઄औͨ͠ΓɺγεςϜσʔλΛվมͨ͠Γ

    ͢ΔͳͲͷՄೳੑ͕͋Δͱͷ͜ͱͰ͢ɻ w ӨڹΛड͚Δόʔδϣϯ͸࣍ͷ௨Γɻͨͩ͠αϙʔ τ͕੾Ε͍ͯΔݹ͍όʔδϣϯ΋ӨڹΛड͚ΔՄೳ ੑ͕͋Γɻ w %SVQBMΑΓલͷόʔδϣϯ w %SVQBMΑΓલͷόʔδϣϯ 4 JPCERT/CC ͷϖʔδ͔ΒҾ༻ https://www.jpcert.or.jp/at/2018/at180012.html

  5. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ڪාͷେԦ;ͨͨͼ w ೥݄೔%SVQBMެ͔ࣜΒɺिؒޙʹηΩϡ ϦςΟϦϦʔεΛ͢Δͱͷൃද  w ೥݄೔$7&ͷ੬ऑੑΛमਖ਼ ͨ͠όʔδϣϯ͕ެ։

     w ೥݄೔ηΩϡϦςΟݚڀऀʹΑΓɺϦϞʔ τίʔυ࣮ߦͷղੳ৘ใ͕ެ։ ɻ
 ೥ͷ੬ऑੑ $7& Λኲኵͱͤ͞Δ ΄Ͳةݥ౓͕ߴ͘ɺ%SVQBMHFEEPOͱݺ͹ΕΔɻ 5 *1 https://www.drupal.org/psa-2018-001 *2 https://www.drupal.org/SA-CORE-2018-002 *3 https://research.checkpoint.com/uncovering-drupalgeddon-2/ ը૾Ҿ༻ݩˣ https://scanforsecurity.com/news/drupalgeddon-2-vulnerability-used-infect-servers-backdoors-coinminers.html

  6. ߈ܸαϯϓϧ ঺հ ↑2018೥6݄9೔ ৽॓ޚԓ େԹࣨͰࡱӨ ৯஬২෺Ͱ͸ͳ͍ɻ

  7. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸαϯϓϧ঺հ w ϋχʔϙοτʹର͢Δ߈ܸͰ࠷΋ଟ͔ͬͨύλʔϯ w ߈ܸର৅ͷύε͸ʮVTFSSFHJTUFSʯ 7

  8. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸαϯϓϧ঺հ w %SVQBMܥΛૂͬͨ߈ܸύλʔϯ w ஈ֊Ͱ߈ܸΛ੒ཱͤ͞Δ w 8FCαʔό͔ΒͷԠ౴ʹGPSNͷJEؚ͕·ΕΔ w

    8

  9. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸαϯϓϧ঺հ w %SVQBMܥΛૂͬͨ߈ܸύλʔϯ w ճ໨ͷΞΫηεͰGPSNͷσʔλΛΩϟογϡ͞ ͤͯɺճ໨ͷΞΫηεͰϨϯμϦϯάͤͯ͞ίϚϯ υ࣮ߦΛࢼΈΔɻ 9

  10. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸऀͷૂ͍Λ୳Δ w 1045ͷϘσΟ෦෼ʹ஫໨͠ɺ߈ܸऀ͕ͲΜͳҙਤ Ͱ߈ܸ͖ͯͨ͠ͷ͔ߟ͑ͯΈΑ͏ w ੬ऑੑͷௐࠪΛ͍ͯ͠Δ௨৴͔ΒɺϚϧ΢ΣΞײછ ΛࢼΈΔ΋ͷ·Ͱ༷ʑͳ߈ܸΛݕ஌ w

    ͍͔ͭ͘ϐοΫΞοϓͯ͠঺հ 10

  11. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ੬ऑੑͷௐࠪ w FDIPίϚϯυͰจࣈྻΛදࣔ͢Δ w JEίϚϯυͰϢʔβ໊Λදࣔ͢Δ 11

  12. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧμ΢ϯϩʔυ w ੬ऑੑΛಥ͍ͯγΣϧεΫϦϓτΛμ΢ϯϩʔυ͠ ࣮ͯߦͤ͞Δ߈ܸ w GFUDIίϚϯυ΋࢖͍ͬͯͯɺ#4%ܥ΋߈ܸର৅ 12

  13. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧμ΢ϯϩʔυ w TIϑΝΠϧͰμ΢ϯϩʔυΛࢼΈΔϑΝΠϧΛ
 ௥ՃͰௐࠪͯ͠Έͨ݁Ռɻ w ෳ਺ͷ$16ΞʔΩςΫνϟʹରԠͰ͖ΔΑ͏ʹɺ ϑΝΠϧΛμ΢ϯϩʔυ͍ͯͨ͠ɻ

    13

  14. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧμ΢ϯϩʔυ w த਎͸%%P4ʹར༻͞ΕΔ5TVOBNJϚϧ΢ΣΞ IUUQTXXXWJSVTUPUBMDPNFOpMFDDBBCFDCGDDEDD⒎CBEFGEDECBFBOBMZTJT 14

  15. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧ࡞੒ w FDIPίϚϯυΛύΠϓͰܨ͍Ͱɺ1)1ϑΝΠϧΛ ࡞੒͍ͯ͠Δɻ w #"4&Ͱσίʔυ͢Δͱɺͳʹ΍Βո͍͠งғؾɻ 15

  16. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ߈ܸࣄྫ ϑΝΠϧ࡞੒ w 04ίϚϯυ࣮ߦػೳͱϑΝΠϧΞοϓϩʔυػೳ Λ࣋ͭ8FC4IFMMͩͬͨ 16 ※WebShell ͸ɺϒϥ΢β͔Β

    Web αʔόΛૢ࡞͢Δ͜ͱ͕Ͱ͖ΔϓϩάϥϜɻ
 ৄ͘͠͸ ٕज़ಉਓࢽͷʮWebShell ਤේʯΛݟͯͶ! https://booth.pm/ja/items/718303

  17. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ 808)POFZQPUͰͷݕ஌ঢ়گ w ೥݄೔͔Β݄೔·ͰͷظؒΛநग़ 17

  18. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ௿ର࿩ܕͱߴର࿩ܕͷൺֱ w ϋχʔϙοτ͸͍͔ͭ͘෼ྨ͢Δํ๏͕͋Γ·͢ w ௿ର࿩ܕ ྫɿ808)POFZQPU  w

    ࣮ࡏ͢Διϑτ΢ΣΞΛ໛฿͢Δํࣜ w ϩά෼ੳ͠΍͘͢ͳ͍ͬͯΔ͕ɺ੬ऑੑͷ໛฿͸
 ׬ᘳʹͰ͖ͳ͍ɻ w ߴର࿩ܕ ྫɿ"QBDIF 1)1 %SVQBM  w ιϑτ΢ΣΞΛͦͷ··࢖͏ํࣜ w ຊ෺ͳͷͰඪతΛߜͬͨ߈ܸΛݕ஌͠΍͍͕͢ EBZͷ੬ऑੑʹΑΓɺϛΠϥऔΓ͕ϛΠϥঢ়ଶʹ ͳΓ͔Ͷͳ͍ɻ 18

  19. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ %SVQBMHFEEPOͰݟΔ௿ɾߴର࿩ܕ w ௿ର࿩ܕͰ͋Δ808)POFZQPUͷݕ஌ঢ়گͱ
 ߴର࿩ܕͰ͋Δ%SVQBMͷϋχʔϙοτͷݕ஌ঢ়گ Λൺֱͯ͠Έͨ w ΋ͪΖΜ%SVQBM͸ύονΛଈ೔ద༻ࡁΈɻ w

    %SVQBMͷϋχʔϙοτ͸ɺ808)POFZQPUΑΓ গ͠લ͔Βެ։ͯ͠߈ܸ৘ใΛऩू͍ͯͨ͠ɻ w ͪΐ͏Ͳ%SVQBMHFEEPO͕ग़ͨͱ͖͸ɺผʑͷαʔ όͰ؅ཧ͍ͯͨ͠ͷͰɺൺֱ͕Մೳͩͬͨɻ w ͨͩ͠ɺ%SVQBMͷϋχʔϙοτ͸୆͔͠Քಇͯ͠ ͓Βͣɺ808)POFZQPUͷํ͕୆਺͕ଟ͍ɻ 19

  20. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ॳճͷ߈ܸݕ஌೔ w ͓͞Β͍ w ೥݄೔ʹ੬ऑੑ͕ެ։ɺ݄೔ʹ੬ऑ ੑͷղઆ͕ެ։ɻ 20 ؍ଌ஍఺

    ॳճݕ஌೔ %SVQBMͷߴର࿩ܕϋχʔϙοτ ݄೔ 808)POFZQPU ௿ର࿩ܕ ݄೔ ࢀߟ ܯࢹிΠϯλʔωοτఆ఺؍ଌγεςϜ  ݄೔ ࢀߟ NPSJIJTPDͷϒϩά 8PSE1SFTT ݄೔ *1 https://www.npa.go.jp/cyberpolice/detect/pdf/20180418.pdf

  21. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ϋχʔϙοτͷछผʹΑΔ߈ܸ؍ଌߟ࡯ w NPSJIJTPDͷϋχʔϙοτ؀ڥͰ͸ɺ%SVQBMΛ࢖ͬ ͍ͯΔͱ͜Ζ͕࠷΋ૣ͘߈ܸΛݕ஌ͨ͠ɻ w ੬ऑੑ͕ެ։͞ΕͨΒɺ੬ऑੑ͕͋Γͦ͏ͳͱ͜ Ζ͕ɺਅͬઌʹૂΘΕΔɻ w

    ͱ͸͍͑ɺ௿ର࿩ܕͷϋχʔϙοτͰ΋߈ܸͷ؍ଌ ͸Մೳͩͬͨɻ w 8PSE1SFTTͷΑ͏ͳɺ੬ऑੑͷର৅ͱϛεϚον ͳ؀ڥ͸ɺ߈ܸͷ؍ଌʹ͕͔͔࣌ؒΔɻ w αϯϓϧ਺͕গͳ͍ͷͰۮવ͔΋͠Εͳ͍ɻ 21

  22. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ ·ͱΊ w %SVQBMHHFEPOͷ੬ऑੑΛૂͬͨ߈ܸΛࣄྫΛ౿ ·͑ͯ঺հͨ͠ɻ w ݕ஌ͨ͠߈ܸ͸ɺ੬ऑੑͷௐࠪΛࢼΈΔ΋ͷ͔Βɺ %%P4Ϛϧ΢ΣΞʹײછͤ͞Δ΋ͷɺ8FC4IFMMͷ ઃஔΛࢼΈΔ΋ͷͳͲ༷ʑͩͬͨɻ

    w ϋχʔϙοτͷछผʹΑͬͯɺॳճͷ߈ܸݕ஌೔ʹ ҧ͍͕͋ͬͨɻ
 ͨͩ͠αϯϓϧ਺͕গͳ͍ͷͰࢀߟఔ౓ʹ 22

  23. Drupalgeddon2 ΛϋχʔϙοτͰ؍࡯ͯ͠Έͨ )BQQZ)POFZQPU 23 ←2018೥6݄9೔ ৽॓ޚԓ େԹࣨͰࡱӨ ৯஬২෺Ͱ͸ͳ͍ɻ ͓͠·͍