公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
.envの調査
/.env
ルータなどのネットワーク機器の調査
脆弱性が報告されているルーターなどで使われているログイン画面へアクセスする通信
JVNDB-2017-004375 - JVN iPedia - 脆弱性対策情報データベース
login.cgi
こちらもおそらくwebカメラなどのログイン画面の調査
/ftptest.cgi?loginuse=&loginpas=
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Wordpressの情報取集
wordpressのdb.phpへのアクセス
/wp-content/themes/seotheme/db.php?u
ログイン画面の調査
/wp-login.php
/post/wp-login.php
/wp-admin/css/
wlwmanifest.xmlの調査
Windows Live Writerというツールの設定ファイルがあるかの調査
/wp1/wp-includes/wlwmanifest.xml
/wp/wp-includes/wlwmanifest.xml
/wordpress/wp-includes/wlwmanifest.xml
/web/wp-includes/wlwmanifest.xml
/test/wp-includes/wlwmanifest.xml
/site/wp-includes/wlwmanifest.xml
/cms/wp-includes/wlwmanifest.xml
/blog/wp-includes/wlwmanifest.xml
不審な通信の一覧
| uri | count |
|---|---|
| /.env | 381 |
| /wp-content/themes/seotheme/db.php?u | 339 |
| login.cgi | 319 |
| /sellers.json | 156 |
| /wp-login.php | 147 |
| /ftptest.cgi?loginuse=&loginpas= | 135 |
| * | 120 |
| /wp-admin/css/ | 85 |
| /uploads/ | 85 |
| /sites/default/files/ | 85 |
| /images/ | 85 |
| /.well-known/ | 85 |
| /admin/controller/extension/extension/ | 84 |
| /ab2g | 78 |
| /test_404_page/ | 77 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 76 |
| //favicon.ico | 76 |
| /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession | 71 |
| 45.85.219.125:4444 | 68 |
| /ab2h | 61 |
| /config/getuser?index=0 | 59 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 56 |
| /boaform/admin/formLogin | 55 |
| /actuator/gateway/routes | 50 |
| mstshash=Administr | 48 |
| /post/wp-login.php | 45 |
| /wp-includes/wlwmanifest.xml | 43 |
| /xmlrpc.php?rsd | 42 |
| /wp1/wp-includes/wlwmanifest.xml | 41 |
| /wp/wp-includes/wlwmanifest.xml | 41 |
| /wordpress/wp-includes/wlwmanifest.xml | 41 |
| /web/wp-includes/wlwmanifest.xml | 41 |
| /test/wp-includes/wlwmanifest.xml | 41 |
| /site/wp-includes/wlwmanifest.xml | 41 |
| /cms/wp-includes/wlwmanifest.xml | 41 |
| /blog/wp-includes/wlwmanifest.xml | 41 |
| \x00\x00\x00\x00\x00\x00\x00 | 40 |
| /shop/wp-includes/wlwmanifest.xml | 39 |
| /2019/wp-includes/wlwmanifest.xml | 39 |
| /wp2/wp-includes/wlwmanifest.xml | 35 |
| /website/wp-includes/wlwmanifest.xml | 35 |
| /sito/wp-includes/wlwmanifest.xml | 35 |
| /news/wp-includes/wlwmanifest.xml | 35 |
| /.git/config | 33 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 32 |
| /actuator/health | 31 |
| /owa/auth/logon.aspx | 30 |
| /owa/auth/x.js | 29 |
| /archives/2019 | 29 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 29 |
| /HNAP1/ | 28 |
| //.env | 28 |
| /2020/wp-includes/wlwmanifest.xml | 26 |
| /app-ads.txt | 23 |
| mstshash=Domain | 22 |
| /system_api.php | 19 |
| /streaming/clients_live.php | 19 |
| /stream/live.php | 19 |
| /stalker_portal/c/version.js | 19 |
| /flu/403.html | 19 |
| /c/version.js | 19 |
| /.well-known/security.txt | 19 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 18 |
| /wp-commentin.php | 16 |
| /sitemap.xml | 16 |
| /manager/html | 16 |
| /ftptest.cgi | 15 |
| /HNAP1 | 15 |
| /media/wp-includes/wlwmanifest.xml | 13 |
| /GponForm/diag_Form?images/ | 13 |
| /Deadcode1975xxxxxxxxxxxxxxxxxxxxxxxxxxxx.php | 13 |
| /2018/wp-includes/wlwmanifest.xml | 13 |
| /1index.php | 13 |
| /upload.php | 12 |
| /up.php | 12 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 12 |
| /sdk | 12 |
| /api/v2/cmdb/system/admin/admin | 12 |
| /0bef | 12 |
