公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
gitのconfigファイルへのアクセス
/.git/config
.envファイルへのアクセス
/.env
//.env
/app/.env
/core/.env
/prod/.env
/.env.save
/back/.env
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Netlink GPONルータ 脆弱性
ルータの脆弱性「CVE-2020-10173」を利用するIoTマルウェア | トレンドマイクロ セキュリティブログ
/boaform/admin/formLogin
thinkPHPの脆弱性を利用した攻撃
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
Apacheのパストラバーサルの脆弱性
/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
/geoserver
phpinfoへのアクセス
/phpinfo.php
/_profiler/phpinfo
MobileIron Core および Connector における脆弱性
/mifs/.;/services/LogService
Wordpressの情報取集
バックドアプラグインの調査
バックドア用のプラグインが入っていないかの調査の通信
/wp-content/plugins/ioptimization/IOptimize.php?rchk
ログイン画面の調査
/wp-login.php
使用しているテーマやプラグインの調査
/wp-content/themes/pridmag/db.php?u
/wp-content/plugins/ccx/index.php
/wp-content/themes/seotheme/mar.php
/wp-content/plugins/seoplugins/mar.php
wlwmanifest.xmlの調査
Windows Live Writerというツールの設定ファイルが入っているかの調査みたいです。ブログ投稿用のツールでWordPressのプラグインもあるみたいなのでそのプラグインが入っているかの調査だと思われます。
/wp2/wp-includes/wlwmanifest.xml
/wp1/wp-includes/wlwmanifest.xml
/wp/wp-includes/wlwmanifest.xml
/wordpress/wp-includes/wlwmanifest.xml
/website/wp-includes/wlwmanifest.xml
/web/wp-includes/wlwmanifest.xml
不審な通信の一覧
| uri | count |
|---|---|
| /robots.txt | 1146 |
| /favicon.ico | 539 |
| /ads.txt | 459 |
| /sw.js | 358 |
| /.env | 303 |
| * | 135 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 129 |
| /boaform/admin/formLogin | 127 |
| mstshash=Administr | 111 |
| /index.xml | 84 |
| /wp-content/plugins/ioptimization/IOptimize.php?rchk | 82 |
| /index.php?3x=3x | 80 |
| /wp-login.php | 79 |
| /wp-content/themes/pridmag/db.php?u | 79 |
| /wp-content/plugins/ccx/index.php | 79 |
| /wp-content/themes/seotheme/mar.php | 77 |
| /wp-content/plugins/seoplugins/mar.php | 77 |
| /.git/config | 77 |
| //.env | 63 |
| /geoserver/web/ | 58 |
| /Autodiscover/Autodiscover.xml | 53 |
| /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 | 49 |
| /console/ | 48 |
| /_ignition/execute-solution | 46 |
| /app-ads.txt | 43 |
| /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh | 42 |
| /actuator/gateway/routes | 40 |
| /aab8 | 40 |
| /1.php | 40 |
| /geoserver | 38 |
| /aaa9 | 38 |
| /sellers.json | 37 |
| /upl.php | 36 |
| /geoip/ | 36 |
| /client/get_targets | 36 |
| /bundle.js | 36 |
| /_profiler/phpinfo | 35 |
| /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f | 29 |
| /files/ | 29 |
| /solr/admin/info/system?wt=json | 26 |
| /wso112233.php | 24 |
| /wp-includes/wp-class.php | 24 |
| /actuator/health | 24 |
| /.env.save | 24 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 23 |
| mstshash=Domain | 21 |
| /phpinfo.php | 21 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 21 |
| /xleet-shell.php | 20 |
| /wp-content/shell20211028.php | 20 |
| /mifs/.;/services/LogService | 20 |
| /wp-content/wso112233.php | 19 |
| /wp-content/plugins/sid/sidwso.php | 19 |
| /config/getuser?index=0 | 19 |
| /bala.php | 19 |
| /app/.env | 19 |
| /wp-class.php | 18 |
| /laravel/.env | 18 |
| google.com:443 | 17 |
| /core/.env | 17 |
| /.well-known/security.txt | 17 |
| /wp-content/themes/seotheme/db.php?u | 16 |
| /wp-content/ | 16 |
| /owa/auth/x.js | 16 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 16 |
| /wp-includes/wlwmanifest.xml | 15 |
| /wp-content/updates.php | 15 |
| /sitemap.xml | 15 |
| /phpinfo | 15 |
| /wp-includes/ | 14 |
| /wp-content/uploads/ | 14 |
| /wp-content/themes/ | 14 |
| /wp-content/plugins/ | 14 |
| /wp-admin/ | 14 |
| /owa/auth/logon.aspx | 14 |
| /css/ | 14 |
| /config.json | 14 |
| /.well-known/pki-validation/ | 14 |
| /.well-known/acme-challenge/ | 14 |
| /.well-known/ | 14 |
| 7 | 13 |
| /prod/.env | 13 |
| /dns-query | 13 |
| /api/.env | 13 |
| /ab2g | 13 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 13 |
| /t4 | 12 |
| /repeater.php | 12 |
| /private/api/v1/service/premaster | 12 |
| /manager/html | 12 |
| /env.js | 12 |
| /beta/.env | 12 |
| /HNAP1/ | 12 |
| /.env.production | 12 |
| /.env.php | 12 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 11 |
| /index.php | 11 |
| /development/.env | 11 |
| /debug/default/view?panel=config | 11 |
| /cp/.env | 11 |
| /apps/.env | 11 |
| /ab2h | 11 |
| /HNAP1 | 11 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 11 |
| /.well-known/assetlinks.json | 11 |
| /.well-known/apple-app-site-association | 11 |
| /xmlrpc.php?rsd | 10 |
| /wp2/wp-includes/wlwmanifest.xml | 10 |
| /wp1/wp-includes/wlwmanifest.xml | 10 |
| /wp/wp-includes/wlwmanifest.xml | 10 |
| /wordpress/wp-includes/wlwmanifest.xml | 10 |
| /website/wp-includes/wlwmanifest.xml | 10 |
| /web/wp-includes/wlwmanifest.xml | 10 |
| /version | 10 |
| /test/wp-includes/wlwmanifest.xml | 10 |
| /system/.env | 10 |
| /sito/wp-includes/wlwmanifest.xml | 10 |
| /site/wp-includes/wlwmanifest.xml | 10 |
| /shared/.env | 10 |
| /sdk | 10 |
| /rest/.env | 10 |
| /private/.env | 10 |
| /news/wp-includes/wlwmanifest.xml | 10 |
| /manifest.js | 10 |
| /local/.env | 10 |
| /info.php | 10 |
| /docker/.env | 10 |
| /cms/wp-includes/wlwmanifest.xml | 10 |
| /blog/wp-includes/wlwmanifest.xml | 10 |
| /back/.env | 10 |
| /application/.env | 10 |
| /.env.prod | 10 |
| /.env.old | 10 |
| /.env.development | 10 |
| /tags/python | 9 |
| /index.htm | 9 |
| /hudson | 9 |
| /frontend_dev.php/$ | 9 |
| /ReportServer | 9 |
| /FD873AC4-CF86-4FED-84EC-4BD59C6F17A7 | 9 |
