公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
ルータなどのネットワーク機器の調査
脆弱性が報告されているルータなどで使われているログイン画面へアクセスする通信
JVNDB-2016-004125 - JVN iPedia - 脆弱性対策情報データベース
login.cgi
.envの調査
/.env
//.env
Netlink GPONルータ 脆弱性
ルータの脆弱性「CVE-2020-10173」を利用するIoTマルウェア | トレンドマイクロ セキュリティブログ
/boaform/admin/formLogin
おそらくcookieの書き換えをしようとした通信
mstshash=Administr
PHPUnitのevalをリモート実行
PHP のユニットテストツールである PHPUnit の脆弱性を利用して eval() を実行しようとする通信
/wp-content/themes/seotheme/db.php?u
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
WordPress の情報収集
バックドアプラグインの調査
バックドア用のプラグインが入っていないかを調査する通信
/wp-content/plugins/ioptimization/IOptimize.php?rchk
ログイン画面の調査
/wp-login.php
プラグインの調査
/wp-content/plugins/about.php
不審な通信の一覧
uri | count |
---|---|
login.cgi | 671 |
/ads.txt | 481 |
/.env | 350 |
/sw.js | 337 |
/wp-content/plugins/ioptimization/IOptimize.php?rchk | 229 |
/boaform/admin/formLogin | 177 |
mstshash=Administr | 170 |
/sellers.json | 170 |
/wp-content/themes/seotheme/db.php?u | 164 |
\* | 160 |
/wp-login.php | 142 |
/wp-content/plugins/about.php | 121 |
/.git/config | 91 |
//.env | 74 |
/index.xml | 68 |
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 65 |
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession | 62 |
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 49 |
/app-ads.txt | 47 |
/wp-plain.php | 44 |
/post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 43 |
/post/20200329/site_icons/icon-192x192.png | 42 |
/actuator/gateway/routes | 42 |
/wp-includes/css/css.php | 37 |
/post/20211123//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 34 |
/post/wp-login.php | 33 |
/actuator/health | 33 |
/post/20210715//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 32 |
/post/20211005//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 30 |
/owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 30 |
www.shadowserver.org:443 | 29 |
/admin/console/ | 29 |
mstshash=Domain | 28 |
/post/20211010//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 28 |
/post/20210501//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 28 |
/test.php | 27 |
/sitemap.xml | 27 |
/xmlrpc.php?rsd | 26 |
/wp1/wp-includes/wlwmanifest.xml | 26 |
/wp/wp-includes/wlwmanifest.xml | 26 |
/wp-includes/wlwmanifest.xml | 26 |
/wp-includes/fonts/css.php | 26 |
/wordpress/wp-includes/wlwmanifest.xml | 26 |
/web/wp-includes/wlwmanifest.xml | 26 |
/test/wp-includes/wlwmanifest.xml | 26 |
/site/wp-includes/wlwmanifest.xml | 26 |
/post/20221101//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 26 |
/post/20210613//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 26 |
/post/20210415//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 26 |
/index.php | 26 |
/cms/wp-includes/wlwmanifest.xml | 26 |
/blog/wp-includes/wlwmanifest.xml | 26 |
/ab2g | 26 |
//env.bak | 26 |
///sites/env.bak | 26 |
///sites/.env | 26 |
///site/env.bak | 26 |
///site/.env | 26 |
/post/20210807//.env | 24 |
/autodiscover/autodiscover.json?@zdi/Powershell | 24 |
/ab2h | 23 |
\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 22 |
/post/20221218 | 22 |
/post/20221114//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 22 |
/info.php | 22 |
/_profiler/phpinfo | 21 |
/1.php | 21 |
\x00\x00\x00\x00\x00\x00\x00 | 20 |
/system_api.php | 20 |
/streaming/clients_live.php | 20 |
/stream/live.php | 20 |
/stalker_portal/c/version.js | 20 |
/shell.php | 20 |
/post/20200910 | 20 |
/post/20200523/site_icons/icon-192x192.png | 20 |
/post/20200308_nikki | 20 |
/flu/403.html | 20 |
/c/version.js | 20 |
/.well-known/security.txt | 20 |
/wp2/wp-includes/wlwmanifest.xml | 19 |
/website/wp-includes/wlwmanifest.xml | 19 |
/sito/wp-includes/wlwmanifest.xml | 19 |
/post/20201116 | 19 |
/news/wp-includes/wlwmanifest.xml | 19 |
/manager/html | 19 |
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 19 |
/admin/ | 19 |
/post/20210211 | 18 |
7 | 17 |
/x.php | 17 |
/post/20211123//.env | 17 |
/post/20210715//.env | 17 |
/archives/2022 | 17 |
/showLogin.cc | 16 |
/wp-plugins.php | 11 |
/wp-load.php?daksldlkdsadas=1 | 11 |
/wp-load.php | 11 |
/wp-includes/wp-atom.php | 11 |
/wp-includes/images/css.php | 11 |
/wp-includes/cgialfa | 11 |
/wp-includes/alfacgiapi | 11 |
/wp-includes/ALFA_DATA | 11 |
/wp-content/uploads/cgialfa | 11 |
/wp-content/uploads/alfacgiapi | 11 |
/wp-content/uploads/ALFA_DATA | 11 |
/wp-content/themes/config.bak.php | 11 |
/wp-content/plugins/wpconfig.bak.php?act=sf | 11 |
/wp-content/plugins/ubh/up.php | 11 |
/wp-content/plugins/backup_index.php | 11 |
/wp-content/outcms.php?up | 11 |
/wp-content/mu-plugins/db-safe-mode.php | 11 |
/wp-content/mu-plugins-old/index.php?f=/NmRtJOUjAdutReQj/scRjKUhleBpzmTyO.txt | 11 |
/wp-content/export.php | 11 |
/wp-content/db-cache.php | 11 |
/wp-content/cgialfa | 11 |
/wp-content/alfacgiapi | 11 |
/wp-content/ALFA_DATA | 11 |
/wp-booking.php | 11 |
/wp-admin/style.php | 11 |
/wp-admin/cgialfa | 11 |