Apache AccessLog 를 분석하다보니 이런 패턴이 보인다. (시도한 IP주소는 삭제했음)
[01/Jun/2018:06:46:41 +0900] "GET /phpmyadmin/index.php HTTP/1.1" 404 218
[01/Jun/2018:06:46:41 +0900] "GET /phpMyAdmin/index.php HTTP/1.1" 404 218
[01/Jun/2018:06:46:41 +0900] "GET /pmd/index.php HTTP/1.1" 404 211
[01/Jun/2018:06:46:41 +0900] "GET /pma/index.php HTTP/1.1" 200 1
[01/Jun/2018:06:46:43 +0900] "GET /pma/index.php HTTP/1.1" 200 1
[01/Jun/2018:06:46:43 +0900] "GET /PMA/index.php HTTP/1.1" 404 211
[01/Jun/2018:06:46:43 +0900] "GET /PMA2/index.php HTTP/1.1" 404 212
[01/Jun/2018:06:46:43 +0900] "GET /pmamy/index.php HTTP/1.1" 404 213
[01/Jun/2018:06:46:44 +0900] "GET /pmamy2/index.php HTTP/1.1" 404 214
[01/Jun/2018:06:46:44 +0900] "GET /mysql/index.php HTTP/1.1" 404 213
[01/Jun/2018:06:46:44 +0900] "GET /admin/index.php HTTP/1.1" 404 213
[01/Jun/2018:06:46:44 +0900] "GET /db/index.php HTTP/1.1" 404 210
[01/Jun/2018:06:46:44 +0900] "GET /dbadmin/index.php HTTP/1.1" 404 215
[01/Jun/2018:06:46:44 +0900] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 222
[01/Jun/2018:06:46:44 +0900] "GET /admin/pma/index.php HTTP/1.1" 404 217
[01/Jun/2018:06:46:44 +0900] "GET /admin/PMA/index.php HTTP/1.1" 404 217
[01/Jun/2018:06:46:44 +0900] "GET /admin/mysql/index.php HTTP/1.1" 404 219
[01/Jun/2018:06:46:44 +0900] "GET /admin/mysql2/index.php HTTP/1.1" 404 220
[01/Jun/2018:06:46:44 +0900] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224
[01/Jun/2018:06:46:44 +0900] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224
[01/Jun/2018:06:46:44 +0900] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225
[01/Jun/2018:06:46:44 +0900] "GET /mysqladmin/index.php HTTP/1.1" 404 218
[01/Jun/2018:06:46:44 +0900] "GET /mysql-admin/index.php HTTP/1.1" 404 219
[01/Jun/2018:06:46:44 +0900] "GET /phpadmin/index.php HTTP/1.1" 404 216
[01/Jun/2018:06:46:44 +0900] "GET /phpmyadmin0/index.php HTTP/1.1" 404 219
[01/Jun/2018:06:46:44 +0900] "GET /phpmyadmin1/index.php HTTP/1.1" 404 219
[01/Jun/2018:06:46:44 +0900] "GET /phpmyadmin2/index.php HTTP/1.1" 404 219
[01/Jun/2018:06:46:44 +0900] "GET /myadmin/index.php HTTP/1.1" 404 215
[01/Jun/2018:06:46:44 +0900] "GET /myadmin2/index.php HTTP/1.1" 404 216
[01/Jun/2018:06:46:44 +0900] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 224
[01/Jun/2018:06:46:44 +0900] "GET /phpMyadmin_bak/index.php HTTP/1.1" 404 222
[01/Jun/2018:06:46:44 +0900] "GET /www/phpMyAdmin/index.php HTTP/1.1" 404 222
[01/Jun/2018:06:46:44 +0900] "GET /tools/phpMyAdmin/index.php HTTP/1.1" 404 224
[01/Jun/2018:06:46:44 +0900] "GET /phpmyadmin-old/index.php HTTP/1.1" 404 222
[01/Jun/2018:06:46:44 +0900] "GET /phpMyAdminold/index.php HTTP/1.1" 404 221
[01/Jun/2018:06:46:44 +0900] "GET /phpMyAdmin.old/index.php HTTP/1.1" 404 222
[01/Jun/2018:06:46:44 +0900] "GET /pma-old/index.php HTTP/1.1" 404 215
[01/Jun/2018:06:46:44 +0900] "GET /claroline/phpMyAdmin/index.php HTTP/1.1" 404 228
[01/Jun/2018:06:46:44 +0900] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 224
[01/Jun/2018:06:46:44 +0900] "GET /phpma/index.php HTTP/1.1" 404 213
[01/Jun/2018:06:46:44 +0900] "GET /phpmyadmin/phpmyadmin/index.php HTTP/1.1" 404 229
[01/Jun/2018:06:46:44 +0900] "GET /phpMyAdmin/phpMyAdmin/index.php HTTP/1.1" 404 229
404는 파일이 존재하지 않는다는 의미이고 200은 파일은 존재한다는 의미다.
phpMyAdmin 사용을 매우 주의해야겠다는 생각이 들었다.
특정한 IP에서만 접속 가능하도록 ipFiltering을 걸어두었기에 brute force 공격(무차별 root 패스워드 대입공격)은 불가능하다.
하지만 ipFiltering 을 걸어두지 않고 MySQL 패스워드를 간단하게 사용하는 사이트가 있다면 사이트가 털릴 가능성이 매우 높다.
이런 로그를 잘 살펴보지 않으면 무슨 문제가 발생하고 있는지 조차 모를 수 있다.
1. MySQL root 패스워드는 복잡하게 생성해야 한다.
2. 특정 IP 에서만 접속 허용하는 ipFiltering.php 를 만들어서 incluce_once 시켜서 접속 IP를 확인하게 만든다.
'Web 프로그램 > 암호화 처리' 카테고리의 다른 글
openssl_encrypt 를 활용한 AES 암호화, 복호화 (0) | 2018.07.01 |
---|---|
[PHP] SHA384 패스워드 만들기 (0) | 2017.01.27 |
[보안] PHP AES 암호화 예제 (0) | 2016.10.16 |
[보안] SEED PHP 사용법 (0) | 2016.10.15 |