I analyzed the access log of a web server I run on the public internet for traffic that is not normal access.

## Frequent requests

### Probing routers and other network equipment

Requests to the login page used by routers and similar devices for which vulnerabilities have been reported.

Reference: JVNDB-2016-004125 - JVN iPedia - Vulnerability Countermeasure Information Database

- `login.cgi`

### Probing for `.env`

- `/.env`
- `//.env`

### Netlink GPON router vulnerability

Reference: IoT malware that exploits the router vulnerability CVE-2020-10173 | Trend Micro Security Blog

- `/boaform/admin/formLogin`

Traffic that was probably trying to rewrite a cookie:

- `mstshash=Administr`

### Remote execution of eval via PHPUnit

Requests that try to run eval() by exploiting a vulnerability in PHPUnit, the PHP unit-testing tool.

- `/wp-content/themes/seotheme/db.php?u`
- `/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`
- `//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`
- `/post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`

## WordPress information gathering

### Probing for a backdoor plugin

Requests that check whether a backdoor plugin is installed.

- `/wp-content/plugins/ioptimization/IOptimize.php?rchk`

### Probing the login page

- `/wp-login.php`

### Probing plugins

- `/wp-content/plugins/about.php`
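As an added example that is not part of the original post, the following Python script classifies access-log request lines into the request families described above and tallies them per family; the labels, regexes and sample log lines are my own constructions, and the normalization step collapses the repeated slashes and date prefixes (such as `/post/20210807//.env`) under which the same probes appear.

```python
import re
from collections import Counter

# Request line of a combined-format access log, e.g. "GET /login.cgi HTTP/1.1"
LOG_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

# Defender-side labels for the request families discussed above (constructed).
SIGNATURES = [
    ("router_login_page",  re.compile(r"(^|/)login\.cgi$")),
    ("dotenv_probe",       re.compile(r"(^|/)(\.env|env\.bak)$")),
    ("gpon_router_login",  re.compile(r"^/boaform/admin/formLogin$")),
    ("phpunit_eval_stdin", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$")),
    ("wp_backdoor_plugin", re.compile(r"^/wp-content/plugins/ioptimization/IOptimize\.php$")),
    ("wp_login_probe",     re.compile(r"(^|/)wp-login\.php$")),
    ("wp_plugin_probe",    re.compile(r"^/wp-content/plugins/about\.php$")),
]

def normalize_uri(uri):
    """Drop the query string and collapse '//' so '/post/20210807//.env' ends in '/.env'."""
    path = uri.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)

def classify(uri):
    """Return the first matching label, or None for requests that match nothing."""
    path = normalize_uri(uri)
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None

def count_categories(lines):
    """Tally matched requests per label across raw access-log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            label = classify(m.group("uri"))
            if label:
                counts[label] += 1
    return counts

# Constructed sample lines (not from the original log); client IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.1 - - [01/Jan/2023:00:00:01 +0900] "GET /login.cgi HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.2 - - [01/Jan/2023:00:00:02 +0900] "GET //.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.3 - - [01/Jan/2023:00:00:03 +0900] "POST /boaform/admin/formLogin HTTP/1.1" 404 153 "-" "curl/7.68.0"
192.0.2.4 - - [01/Jan/2023:00:00:04 +0900] "GET /post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Jan/2023:00:00:05 +0900] "GET /wp-content/plugins/ioptimization/IOptimize.php?rchk HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.6 - - [01/Jan/2023:00:00:06 +0900] "GET /post/20200910 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()
```

Running `count_categories` over a real access log reproduces a per-family version of the uri/count table below; unmatched requests (such as the `/post/20200910` line) are left out of the tally rather than mislabelled.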
## List of suspicious requests
| uri | count |
|---|---|
| login.cgi | 671 |
| /ads.txt | 481 |
| /.env | 350 |
| /sw.js | 337 |
| /wp-content/plugins/ioptimization/IOptimize.php?rchk | 229 |
| /boaform/admin/formLogin | 177 |
| mstshash=Administr | 170 |
| /sellers.json | 170 |
| /wp-content/themes/seotheme/db.php?u | 164 |
| * | 160 |
| /wp-login.php | 142 |
| /wp-content/plugins/about.php | 121 |
| /.git/config | 91 |
| //.env | 74 |
| /index.xml | 68 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 65 |
| /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession | 62 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 49 |
| /app-ads.txt | 47 |
| /wp-plain.php | 44 |
| /post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 43 |
| /post/20200329/site_icons/icon-192x192.png | 42 |
| /actuator/gateway/routes | 42 |
| /wp-includes/css/css.php | 37 |
| /post/20211123//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 34 |
| /post/wp-login.php | 33 |
| /actuator/health | 33 |
| /post/20210715//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 32 |
| /post/20211005//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 30 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 30 |
| www.shadowserver.org:443 | 29 |
| /admin/console/ | 29 |
| mstshash=Domain | 28 |
| /post/20211010//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 28 |
| /post/20210501//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 28 |
| /test.php | 27 |
| /sitemap.xml | 27 |
| /xmlrpc.php?rsd | 26 |
| /wp1/wp-includes/wlwmanifest.xml | 26 |
| /wp/wp-includes/wlwmanifest.xml | 26 |
| /wp-includes/wlwmanifest.xml | 26 |
| /wp-includes/fonts/css.php | 26 |
| /wordpress/wp-includes/wlwmanifest.xml | 26 |
| /web/wp-includes/wlwmanifest.xml | 26 |
| /test/wp-includes/wlwmanifest.xml | 26 |
| /site/wp-includes/wlwmanifest.xml | 26 |
| /post/20221101//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 26 |
| /post/20210613//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 26 |
| /post/20210415//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 26 |
| /index.php | 26 |
| /cms/wp-includes/wlwmanifest.xml | 26 |
| /blog/wp-includes/wlwmanifest.xml | 26 |
| /ab2g | 26 |
| //env.bak | 26 |
| ///sites/env.bak | 26 |
| ///sites/.env | 26 |
| ///site/env.bak | 26 |
| ///site/.env | 26 |
| /post/20210807//.env | 24 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 24 |
| /ab2h | 23 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 22 |
| /post/20221218 | 22 |
| /post/20221114//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 22 |
| /info.php | 22 |
| /_profiler/phpinfo | 21 |
| /1.php | 21 |
| \x00\x00\x00\x00\x00\x00\x00 | 20 |
| /system_api.php | 20 |
| /streaming/clients_live.php | 20 |
| /stream/live.php | 20 |
| /stalker_portal/c/version.js | 20 |
| /shell.php | 20 |
| /post/20200910 | 20 |
| /post/20200523/site_icons/icon-192x192.png | 20 |
| /post/20200308_nikki | 20 |
| /flu/403.html | 20 |
| /c/version.js | 20 |
| /.well-known/security.txt | 20 |
| /wp2/wp-includes/wlwmanifest.xml | 19 |
| /website/wp-includes/wlwmanifest.xml | 19 |
| /sito/wp-includes/wlwmanifest.xml | 19 |
| /post/20201116 | 19 |
| /news/wp-includes/wlwmanifest.xml | 19 |
| /manager/html | 19 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 19 |
| /admin/ | 19 |
| /post/20210211 | 18 |
| 7 | 17 |
| /x.php | 17 |
| /post/20211123//.env | 17 |
| /post/20210715//.env | 17 |
| /archives/2022 | 17 |
| /showLogin.cc | 16 |
| /wp-plugins.php | 11 |
| /wp-load.php?daksldlkdsadas=1 | 11 |
| /wp-load.php | 11 |
| /wp-includes/wp-atom.php | 11 |
| /wp-includes/images/css.php | 11 |
| /wp-includes/cgialfa | 11 |
| /wp-includes/alfacgiapi | 11 |
| /wp-includes/ALFA_DATA | 11 |
| /wp-content/uploads/cgialfa | 11 |
| /wp-content/uploads/alfacgiapi | 11 |
| /wp-content/uploads/ALFA_DATA | 11 |
| /wp-content/themes/config.bak.php | 11 |
| /wp-content/plugins/wpconfig.bak.php?act=sf | 11 |
| /wp-content/plugins/ubh/up.php | 11 |
| /wp-content/plugins/backup_index.php | 11 |
| /wp-content/outcms.php?up | 11 |
| /wp-content/mu-plugins/db-safe-mode.php | 11 |
| /wp-content/mu-plugins-old/index.php?f=/NmRtJOUjAdutReQj/scRjKUhleBpzmTyO.txt | 11 |
| /wp-content/export.php | 11 |
| /wp-content/db-cache.php | 11 |
| /wp-content/cgialfa | 11 |
| /wp-content/alfacgiapi | 11 |
| /wp-content/ALFA_DATA | 11 |
| /wp-booking.php | 11 |
| /wp-admin/style.php | 11 |
| /wp-admin/cgialfa | 11 |