公開しているwebサーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
PHPUnitの脆弱性
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
laravelの脆弱性を利用した攻撃
/_ignition/execute-solution
MobileIronが提供する複数のモバイルデバイス管理製品の脆弱性を利用した攻撃
JVNDB-2020-007560 - JVN iPedia - 脆弱性対策情報データベース
/mifs/.;/services/LogService
WordPress 用プラグイン File Manager の調査
WordPress 用プラグイン File Manager の脆弱性について
/wp-content/plugins/wp-file-manager/readme.txt
Microsoft Exchange が動いているかの調査
OutlookのAutodiscover機能が動いているときにアクセスされるファイルです。
/Autodiscover/Autodiscover.xml
不審な通信の一覧
| uri | count | percent |
|---|---|---|
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 88 | 2.626082 |
| /index.xml | 70 | 2.088929 |
| /_ignition/execute-solution | 41 | 1.223515 |
| /mifs/.;/services/LogService | 40 | 1.193674 |
| /api/jsonws/invoke | 40 | 1.193674 |
| /wp-content/plugins/wp-file-manager/readme.txt | 39 | 1.163832 |
| /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 | 39 | 1.163832 |
| /console/ | 39 | 1.163832 |
| /Autodiscover/Autodiscover.xml | 39 | 1.163832 |
| /.env | 38 | 1.133990 |
| mstshash=Administr | 33 | 0.984781 |
| /ads.txt | 31 | 0.925097 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 30 | 0.895255 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 29 | 0.865413 |
| /wp-login.php | 25 | 0.746046 |
| /actuator/health | 25 | 0.746046 |
| /admin/config.php | 22 | 0.656520 |
| //a2billing/customer/templates/default/footer.tpl | 22 | 0.656520 |
| http://passport.baidu.com/ | 19 | 0.566995 |
| /owa/ | 17 | 0.507311 |
| /app-ads.txt | 13 | 0.387944 |
| /system_api.php | 12 | 0.358102 |
| /streaming/clients_live.php | 12 | 0.358102 |
| /stream/live.php | 12 | 0.358102 |
| /stalker_portal/c/version.js | 12 | 0.358102 |
| /c/version.js | 12 | 0.358102 |
| /post/wp-login.php | 11 | 0.328260 |
| /config/getuser?index=0 | 11 | 0.328260 |
| /bag2 | 11 | 0.328260 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 10 | 0.298418 |
| /GponForm/diag_Form?style/ | 9 | 0.268577 |
| /aab9 | 8 | 0.238735 |
| /aaa9 | 8 | 0.238735 |
| //.env | 8 | 0.238735 |
| /.well-known/security.txt | 8 | 0.238735 |
| /.git/config | 8 | 0.238735 |
| http://fuwu.sogou.com/404/index.html | 7 | 0.208893 |
| /web_shell_cmd.gch | 6 | 0.179051 |
| httpbin.org:443 | 5 | 0.149209 |
| 7 | 4 | 0.119367 |
| /~champiot/Laravel%20E2N%20test/tuto_laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 4 | 0.119367 |
| /~champiot/Laravel%20E2N%20test/tuto_laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 4 | 0.119367 |
| /login | 4 | 0.119367 |
| /flu/403.html | 4 | 0.119367 |
| /ReportServer | 4 | 0.119367 |
| //wp-content/ | 4 | 0.119367 |
| 85.206.160.115:80 | 3 | 0.089526 |
| /webfig/ | 3 | 0.089526 |
| /solr/ | 3 | 0.089526 |
| /remote/login | 3 | 0.089526 |
| /public/.env | 3 | 0.089526 |
| /owa/auth/logon.aspx | 3 | 0.089526 |
| /manager/text/list | 3 | 0.089526 |
| /manager/html | 3 | 0.089526 |
| /index.php?xml_sitemap=params= | 3 | 0.089526 |
| /index.php | 3 | 0.089526 |
| /cgi-bin/config.exp | 3 | 0.089526 |
| /cache.php | 3 | 0.089526 |
| /Telerik.Web.UI.WebResource.axd?type=rau | 3 | 0.089526 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 3 | 0.089526 |
| http://freeze.na4u.ru/ip.php?Z71016245862Q1 | 2 | 0.059684 |
| http://5.188.210.227/echo.php | 2 | 0.059684 |
| hotmail-com.olc.protection.outlook.com:25 | 2 | 0.059684 |
| \xBF\x02\x00\x88\x13\x00\x00\x87\x00\x00\x00NIMABIJIAN\x04\x03\x00\x00{\x99Caig\x9C\x03\xC7eB\xC5\x09\xC1\x18a\x11\x1A\x91\x1F\x02\x09cof\x91\xC0\x80sJ5\xD2\x80\xE6\x9A~\xB9\xC7\x83^\x96\xEEN\x16\x96\x96&\xE6\x03\xEA\xBC\x81\x02=\xAC\x10\xFA?7\x03\xC3\xDF\xF7\xE4\x98`p\xE6\x8D\xC1\xA9\x8D\xC6\x06\xDB\xAF\x91\xE7\x82s\xF7\x14H\xD4\xE1W\x9A\x93C\x9E]\xA4\x01#\x03#\x03]\x03c]CC\x05C\x03+S\x03b\xF4\x00\x00/\x9E\x16E | 2 | 0.059684 | | ||
| \x00\x00\x00\x0E2O\xAAC\xE92g\xC2W’\x17+\x1D\xD9\xC1\xF3,kN\x17\x14 | 2 | 0.059684 |
| 91.201.52.66:80 | 2 | 0.059684 |
| /wp-includes/css/wp-config.php | 2 | 0.059684 |
| /wp-includes/class.wp-date.php | 2 | 0.059684 |
| /wp-content/wp-plugins/wptimetoread/vendor/kdaviesnz/timetoread/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/wptimetoread/vendor/kdaviesnz/timetoread/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/wp-heyloyalty/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/wp-heyloyalty/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/user-export-with-their-meta-data/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/user-export-with-their-meta-data/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/shortcode-tumblr-gallery/includes/lib/Guzzle/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/shortcode-tumblr-gallery/includes/lib/Guzzle/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/rollbar/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/rollbar/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/product-lister-walmart/marketplaces/walmart/lib/walmart-signature/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/product-lister-walmart/marketplaces/walmart/lib/walmart-signature/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/mir-ad-network/base58php/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/mir-ad-network/base58php/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/message-business/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/message-business/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/wp-plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/wp-plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/uploads/2019/02/20190217.png | 2 | 0.059684 |
| /wp-content/themes/twentyseventeen/footer.php | 2 | 0.059684 |
| /wp-content/themes/enfold-child/update_script/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/themes/enfold-child/update_script/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
| /wp-content/plugins/woocommerce-software-license-manager/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 2 | 0.059684 |
| /wp-content/plugins/woocommerce-software-license-manager/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin | 2 | 0.059684 |
