公開している web サーバのログから通常のアクセスではない通信について分析しました。
先月に比べてネットワーク機器への攻撃が少なくなってどのフレームワークを利用しているかの調査がたくさん来ていました。
多かったリクエスト
gitのconfigファイルへのアクセス
/.git/config
.envファイルへのアクセス
/.env
//.env
/back/.env
/private/.env
/rest/.env
/application/.env
/fedex/.env
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
phpinfoへのアクセス
/phpinfo.php
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
Wordpressの情報取集
バックドアプラグインの調査
バックドア用のプラグインが入っていないかの調査の通信
/wp-content/plugins/ioptimization/IOptimize.php?rchk
特定のプラグインを利用しているかの調査
/wp-content/plugins/seoplugins/mar.php
/wp-content/plugins/ccx/index.php
特定のテーマを利用しているかの調査
/wp-content/themes/seotheme/mar.php
/wp-content/themes/pridmag/db.php?u
不審な通信の一覧
| uri | count |
|---|---|
| /robots.txt | 1167 |
| /.git/config | 875 |
| / | 473 |
| /ads.txt | 460 |
| /sw.js | 434 |
| /favicon.ico | 420 |
| /.env | 392 |
| //.env | 372 |
| * | 215 |
| //wp-content/ | 213 |
| /.env.prod | 137 |
| /application/.env | 133 |
| mstshash=Administr | 131 |
| /boaform/admin/formLogin | 129 |
| /back/.env | 127 |
| /private/.env | 122 |
| /rest/.env | 119 |
| /.env.project | 115 |
| /index.php?3x=3x | 106 |
| /wp-content/plugins/ioptimization/IOptimize.php?rchk | 105 |
| /fedex/.env | 104 |
| /wp-content/themes/seotheme/mar.php | 102 |
| /wp-content/plugins/seoplugins/mar.php | 101 |
| /wp-content/plugins/ccx/index.php | 101 |
| /wp-content/themes/pridmag/db.php?u | 99 |
| /local/.env | 91 |
| /admin-app/.env | 90 |
| /_profiler/phpinfo | 90 |
| /wp-login.php | 79 |
| /.env.dist | 78 |
| /api/.env | 77 |
| /app/.env | 74 |
| /core/.env | 72 |
| /apps/.env | 72 |
| /wso112233.php | 68 |
| /wp-content/wso112233.php | 65 |
| /wp-content/shell20211028.php | 65 |
| /index.xml | 65 |
| /wp-includes/wp-class.php | 63 |
| /laravel/.env | 62 |
| /cms/.env | 62 |
| /script/.env | 61 |
| /bala.php | 61 |
| /.env.save | 61 |
| /wp-content/plugins/sid/sidwso.php | 59 |
| /docker/.env | 59 |
| /.env.production | 59 |
| /xleet-shell.php | 58 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 58 |
| /cp/.env | 58 |
| /sources/.env | 57 |
| /geoserver/web/ | 57 |
| /.env.old | 57 |
| /.env.development | 57 |
| /wp-class.php | 56 |
| /enviroments/.env.production | 55 |
| /shared/.env | 54 |
| /system/.env | 53 |
| /live_env | 53 |
| /enviroments/.env | 53 |
| /development/.env | 53 |
| /phpinfo.php | 43 |
| /actuator/gateway/routes | 43 |
| /app-ads.txt | 41 |
| /HNAP1/ | 40 |
| /info.php | 39 |
| /debug/default/view?panel=config | 38 |
| /upl.php | 36 |
| /sellers.json | 36 |
| /geoip/ | 36 |
| /client/get_targets | 36 |
| /config.json | 35 |
| /.aws/credentials | 33 |
| mstshash=Domain | 30 |
| /frontend_dev.php/$ | 30 |
| /.json | 29 |
| /wp-content/plugins/core-stab/index.php | 27 |
| /aaa9 | 27 |
| www.shadowserver.org:443 | 26 |
| /wp-content/ | 26 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 26 |
| /_ignition/execute-solution | 26 |
| /aab8 | 25 |
| /1.php | 25 |
| /wp-content/updates.php | 24 |
| /t4 | 23 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 23 |
| /private/api/v1/service/premaster | 22 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 22 |
| /dispatch.asp | 22 |
| /ab2g | 22 |
| /shell?cd+/tmp;rm+-rf+*;wget+ | 21 |
| /owa/auth/logon.aspx | 20 |
| /ab2h | 20 |
| /owa/auth/x.js | 19 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 18 |
| /wp-content/themes/seotheme/db.php?u | 18 |
| /wp-content/themes/classic/inc/index.php | 18 |
| /tags/%E3%83%A1%E3%83%A2 | 18 |
| /manager/html | 17 |
| /actuator/health | 17 |
| /.well-known/security.txt | 17 |
| /sitemap.xml | 16 |
| /wp-content/.env | 15 |
| /new/.env | 15 |
| /library/.env | 15 |
| /conf/.env | 15 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 15 |
| /public/.env | 14 |
| /post/wp-login.php | 14 |
| 7 | 13 |
| /www/.env | 13 |
| /wso.php | 13 |
| /wp-admin/.env | 13 |
| /src/.env | 13 |
| /sites/all/libraries/mailchimp/.env | 13 |
| /shell.php | 13 |
| /protected/.env | 13 |
| /old/.env | 13 |
| /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 | 13 |
| /database/.env | 13 |
| /crm/.env | 13 |
| /console/ | 13 |
| /cgi-bin/.env | 13 |
| /base/.env | 13 |
| /audio/.env | 13 |
| /app/config/.env | 13 |
| /a.php | 13 |
| /.env.dev | 13 |
| /shop/.env | 12 |
| /production/.env | 12 |
| /phpinfo | 12 |
| /dashboard/.env | 12 |
| /_static/.env | 12 |
| /Autodiscover/Autodiscover.xml | 12 |
| /.env_sample | 12 |
| /.env_1 | 12 |
| /.env.www | 12 |
| /.env.backup | 12 |
| /.docker/.env | 12 |
| /.c9/metadata/environment/.env | 12 |
| /wp-includes/wlwmanifest.xml | 11 |
| /x.php | 10 |
| /version | 10 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 10 |
| /sdk | 10 |
| /index.php | 10 |
| /dns-query | 10 |
| /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh | 10 |
| /HNAP1 | 10 |
| google.com:443 | 9 |
| /ws.php | 9 |
| /style.php?sig=update&domain=51.79.124.111 | 9 |
