
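Introduction

Yesterday, I temporarily uploaded some data to the VPS I rent so that I could show it in a meeting with a client.

On the day, when I went to show it... I couldn't connect to the web server. Or rather, it connected but there was no response. ssh wouldn't connect either. But ping got through...

There was nothing I could do, so I contacted the hosting provider, who told me that a large number of apache processes were running. I asked them to restart it for the time being, but right afterwards the same thing started happening again...

After somehow getting through the meeting, I went back to my workplace and checked the logs, and found that requests had been sent from a single IP address for a certain period of time, at a rate of about one or two per second. I suppose this is what they call a DoS attack.

Below, I'll post part of that log. (I'll keep the IP address masked, just in case.)

Access log

2009-01-18

It started the morning of the day before yesterday.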

xxx.xxx.xxx.xxx - - [18/Jan/2009:09:17:17 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:09:17:18 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:09:17:18 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:09:17:22 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:09:17:19 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:07:53 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:08:03 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:15 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:15 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:15 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"

Whoa, it's even returning 500s.

...
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:54 +0900] "GET / HTTP/1.1" 500 753 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:54 +0900] "GET / HTTP/1.1" 500 753 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:54 +0900] "GET / HTTP/1.1" 500 753 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:08:57 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:09:02 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:18 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:25 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:30 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:48 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [18/Jan/2009:10:10:49 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"

It went on like this for a little under an hour.

2009-01-19

The day of the meeting in question.

xxx.xxx.xxx.xxx - - [19/Jan/2009:10:11:01 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:10:11:01 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:10:11:03 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:10:11:03 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:10:11:04 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [19/Jan/2009:11:00:30 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:11:00:42 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:11:00:43 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:11:01:04 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:11:01:07 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:01:47 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:01:51 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:01:51 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:01:51 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"

Around here I stopped the server once. (Sorry for doing it without notice.)

xxx.xxx.xxx.xxx - - [19/Jan/2009:12:12:18 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:12:18 +0900] "GET / HTTP/1.1" 200 23426 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:12:27 +0900] "GET /css/_base.css?1232334742 HTTP/1.1" 200 681 "http://www.nicograph.jp/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:12:27 +0900] "GET / HTTP/1.1" 200 23426 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:12:28 +0900] "GET / HTTP/1.1" 200 23426 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:14:25 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:14:36 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:14:26 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:14:27 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:14:31 +0900] "GET / HTTP/1.1" 200 374 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [19/Jan/2009:12:14:38 +0900] "GET / HTTP/1.1" 200 23426 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"

A little over two hours...

2009-01-20

And today.

xxx.xxx.xxx.xxx - - [20/Jan/2009:12:16:03 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:16:04 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:16:05 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:16:08 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:56:38 +0900] "GET / HTTP/1.1" 500 753 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:56:40 +0900] "GET / HTTP/1.1" 500 753 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:54:44 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:56:47 +0900] "GET / HTTP/1.1" 500 753 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:12:54:45 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [20/Jan/2009:13:23:13 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:13:23:13 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:13:23:13 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:13:23:13 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:13:23:13 +0900] "GET / HTTP/1.1" 500 622 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
...
xxx.xxx.xxx.xxx - - [20/Jan/2009:14:09:20 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:14:09:27 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:14:09:35 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:14:09:38 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:14:09:39 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"
xxx.xxx.xxx.xxx - - [20/Jan/2009:14:09:45 +0900] "GET / HTTP/1.1" 200 16265 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.0.04506.30)"

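It went on for about two hours again.

Hm?

While writing this, something suddenly caught my attention: I get the feeling that the start time of each attack (let's call it that) is close to the end time of the previous day's attack.

Which means tomorrow's attack will start at around 14:15... oh, give me a break!

Conclusion

The same IP address appears to have browsed the site normally in the past, so I can't tell whether it got infected with something or whether this is intentional, but for now I have set Deny for this IP address.

It looks like I'll be spending my days watching the logs for a while yet.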
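
The log watching described above can be automated. The following is an added example, not code from the original post: it groups each client's requests into bursts and measures how close each burst's start is to 24 hours after the previous one ended. The function names, the 5-minute gap, the 5-request minimum and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined format: client ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_bursts(lines, gap=timedelta(minutes=5), min_requests=5):
    """Group each client's requests into bursts, split where it is silent for more than `gap`."""
    by_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip wrapped or malformed lines
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            by_client[m.group(1)].append((ts, int(m.group(3))))
    bursts = []
    for client, hits in by_client.items():
        # Lines are written when a response completes but stamped with the
        # time the request arrived, so slow requests appear out of order.
        hits.sort(key=lambda h: h[0])
        run = []
        for hit in hits + [None]:  # None flushes the last run
            if hit and (not run or hit[0] - run[-1][0] <= gap):
                run.append(hit)
                continue
            if len(run) >= min_requests:
                bursts.append({"client": client, "start": run[0][0], "end": run[-1][0],
                               "requests": len(run), "errors_5xx": sum(s >= 500 for _, s in run)})
            run = [hit] if hit else []
    return sorted(bursts, key=lambda b: (b["client"], b["start"]))

def restart_offsets(bursts):
    """Seconds between each burst's start and 24 h after the same client's previous burst ended."""
    return [(b["start"] - a["end"] - timedelta(days=1)).total_seconds()
            for a, b in zip(bursts, bursts[1:]) if a["client"] == b["client"]]

def _line(client, stamp, status=200):  # builds one constructed log line
    return f'{client} - - [{stamp} +0900] "GET / HTTP/1.1" {status} 16265 "-" "constructed-agent"'

# Constructed sample; 192.0.2.10 and 198.51.100.7 are documentation addresses.
SAMPLE = (
    [_line("192.0.2.10", f"18/Jan/2009:10:10:{s}", st)
     for s, st in [("15", 500), ("18", 200), ("30", 200), ("25", 200), ("48", 200), ("49", 200)]]
    + [_line("192.0.2.10", f"19/Jan/2009:10:11:{s}") for s in ("01", "01", "03", "03", "04")]
    + [_line("198.51.100.7", "18/Jan/2009:10:10:20"), _line("198.51.100.7", "19/Jan/2009:10:30:00")]
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE), restart_offsets(find_bursts(SAMPLE)))
```

An offset near zero means the burst began at almost the same time of day at which the previous one ended, which is the pattern noticed above.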