Analysis of web server logs: December 2022

2023-01-08 Technical

This is an analysis of traffic that was not normal access, taken from the logs of the web server I run publicly.

Frequent requests

Probing of routers and other network devices

Requests to the login pages used by routers and similar devices for which vulnerabilities have been reported

JVNDB-2016-004125 - JVN iPedia - Vulnerability Countermeasure Information Database

login.cgi

Probing for .env

/.env
//.env

IoT malware exploiting the router vulnerability CVE-2020-10173 | Trend Micro Security Blog

/boaform/admin/formLogin

Traffic that was probably attempting to tamper with a cookie

mstshash=Administr

Remote execution of eval via PHPUnit

Requests attempting to run eval() by exploiting a vulnerability in PHPUnit, the PHP unit-testing tool

/wp-content/themes/seotheme/db.php?u
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Gathering information about WordPress

Probing for backdoor plugins

Requests checking whether a backdoor plugin is installed

/wp-content/plugins/ioptimization/IOptimize.php?rchk

Probing the login page

/wp-login.php

Probing plugins

/wp-content/plugins/about.php

List of suspicious requests

uri count
login.cgi 671
/ads.txt 481
/.env 350
/sw.js 337
/wp-content/plugins/ioptimization/IOptimize.php?rchk 229
/boaform/admin/formLogin 177
mstshash=Administr 170
/sellers.json 170
/wp-content/themes/seotheme/db.php?u 164
* 160
/wp-login.php 142
/wp-content/plugins/about.php 121
/.git/config 91
//.env 74
/index.xml 68
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 65
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 62
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 49
/app-ads.txt 47
/wp-plain.php 44
/post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 43
/post/20200329/site_icons/icon-192x192.png 42
/actuator/gateway/routes 42
/wp-includes/css/css.php 37
/post/20211123//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 34
/post/wp-login.php 33
/actuator/health 33
/post/20210715//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 32
/post/20211005//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 30
/owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 30
www.shadowserver.org:443 29
/admin/console/ 29
mstshash=Domain 28
/post/20211010//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 28
/post/20210501//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 28
/test.php 27
/sitemap.xml 27
/xmlrpc.php?rsd 26
/wp1/wp-includes/wlwmanifest.xml 26
/wp/wp-includes/wlwmanifest.xml 26
/wp-includes/wlwmanifest.xml 26
/wp-includes/fonts/css.php 26
/wordpress/wp-includes/wlwmanifest.xml 26
/web/wp-includes/wlwmanifest.xml 26
/test/wp-includes/wlwmanifest.xml 26
/site/wp-includes/wlwmanifest.xml 26
/post/20221101//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 26
/post/20210613//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 26
/post/20210415//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 26
/index.php 26
/cms/wp-includes/wlwmanifest.xml 26
/blog/wp-includes/wlwmanifest.xml 26
/ab2g 26
//env.bak 26
///sites/env.bak 26
///sites/.env 26
///site/env.bak 26
///site/.env 26
/post/20210807//.env 24
/autodiscover/autodiscover.json?@zdi/Powershell 24
/ab2h 23
\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 22
/post/20221218 22
/post/20221114//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 22
/info.php 22
/_profiler/phpinfo 21
/1.php 21
\x00\x00\x00\x00\x00\x00\x00 20
/system_api.php 20
/streaming/clients_live.php 20
/stream/live.php 20
/stalker_portal/c/version.js 20
/shell.php 20
/post/20200910 20
/post/20200523/site_icons/icon-192x192.png 20
/post/20200308_nikki 20
/flu/403.html 20
/c/version.js 20
/.well-known/security.txt 20
/wp2/wp-includes/wlwmanifest.xml 19
/website/wp-includes/wlwmanifest.xml 19
/sito/wp-includes/wlwmanifest.xml 19
/post/20201116 19
/news/wp-includes/wlwmanifest.xml 19
/manager/html 19
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 19
/admin/ 19
/post/20210211 18
7 17
/x.php 17
/post/20211123//.env 17
/post/20210715//.env 17
/archives/2022 17
/showLogin.cc 16
/wp-plugins.php 11
/wp-load.php?daksldlkdsadas=1 11
/wp-load.php 11
/wp-includes/wp-atom.php 11
/wp-includes/images/css.php 11
/wp-includes/cgialfa 11
/wp-includes/alfacgiapi 11
/wp-includes/ALFA_DATA 11
/wp-content/uploads/cgialfa 11
/wp-content/uploads/alfacgiapi 11
/wp-content/uploads/ALFA_DATA 11
/wp-content/themes/config.bak.php 11
/wp-content/plugins/wpconfig.bak.php?act=sf 11
/wp-content/plugins/ubh/up.php 11
/wp-content/plugins/backup_index.php 11
/wp-content/outcms.php?up 11
/wp-content/mu-plugins/db-safe-mode.php 11
/wp-content/mu-plugins-old/index.php?f=/NmRtJOUjAdutReQj/scRjKUhleBpzmTyO.txt 11
/wp-content/export.php 11
/wp-content/db-cache.php 11
/wp-content/cgialfa 11
/wp-content/alfacgiapi 11
/wp-content/ALFA_DATA 11
/wp-booking.php 11
/wp-admin/style.php 11
/wp-admin/cgialfa 11
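To produce a table like the one above from raw access logs, here is an added example in Python (my own code, not from the original post) that parses combined-format log lines and tags each request with the categories described in this post. The log lines in it are constructed samples, and the category labels are my own naming.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2022:01:02:03 +0900] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2022:01:02:04 +0900] "GET //.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2022:02:00:00 +0900] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [05/Dec/2022:02:00:01 +0900] "POST /post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.28"
192.0.2.33 - - [06/Dec/2022:03:00:00 +0900] "POST /boaform/admin/formLogin HTTP/1.1" 404 153 "-" "-"
192.0.2.33 - - [06/Dec/2022:03:00:01 +0900] "GET /wp-content/plugins/ioptimization/IOptimize.php?rchk HTTP/1.1" 404 153 "-" "-"
192.0.2.34 - - [06/Dec/2022:03:00:02 +0900] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"
192.0.2.35 - - [06/Dec/2022:03:00:03 +0900] "GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "-"
192.0.2.36 - - [06/Dec/2022:04:00:00 +0900] "GET /post/20221218 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Categories from the post (labels are mine); the first matching rule wins.
RULES = [
    ("router_login", re.compile(r"login\.cgi$|^/boaform/admin/formLogin$")),
    ("env_probe", re.compile(r"/(\.env|env\.bak)$")),
    ("phpunit_eval", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$")),
    ("wp_backdoor_plugin", re.compile(r"^/wp-content/plugins/ioptimization/IOptimize\.php$")),
    ("wp_login", re.compile(r"/wp-login\.php$")),
    ("wp_plugin_probe", re.compile(r"^/wp-content/plugins/about\.php$")),
    ("wp_enum", re.compile(r"/wp-includes/wlwmanifest\.xml$")),
]

def parse_line(line):  # one combined-format line -> dict, or None if it does not parse
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(uri):  # category label for a request URI, or None if it looks normal
    path = uri.split("?", 1)[0]  # rules match the path; the query string is ignored
    for label, rx in RULES:
        if rx.search(path):
            return label
    return None

def summarize(log_text):  # counts per category and per exact URI, like the table above
    by_category, by_uri = Counter(), Counter()
    # Lines that are not HTTP requests (raw TLS/RDP bytes etc.) fail to parse and are skipped
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        label = classify(rec["uri"])
        if label:
            by_category[label] += 1
            by_uri[rec["uri"]] += 1
    return by_category, by_uri
```

Feed a real log file's contents to summarize() and print by_uri.most_common() to get the "uri count" listing; requests that match no rule are left out, so the rules need extending as new probes show up.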
