公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
.envファイルへのアクセス
あらゆるものの.envにアクセスしようとする通信
/.env
/docker/.env
/api/.env
/laravel/.env
/app/.env
/core/.env
/.env.old
/.env.save
/.env.production
/.env.prod
/.env.development
/local/.env
/apps/.env
/application/.env
/system/.env
/shared/.env
/script/.env
/rest/.env
/live_env
/fedex/.env
/enviroments/.env
/cp/.env
/back/.env
/.env.dist
/private/.env
/development/.env
/cms/.env
/.env.project
/sources/.env
/enviroments/.env.production
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
Netlink GPONルータ 脆弱性
ルータの脆弱性「CVE-2020-10173」を利用するIoTマルウェア | トレンドマイクロ セキュリティブログ
/boaform/admin/formLogin
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
jQueryの脆弱性
脆弱性があるバージョンを利用しているか確認する通信
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Wordpressの情報取集
使用しているプラグインなどの調査
/wp-includes/widgets/include.php
/wp-includes/images/include.php
/wp-content/plugins/core-plugin/include.php
/wp-content/themes/twentyfive/include.php
/wp-content/themes/sketch/404.php
/wp-content/themes/include.php
/wp-content/plugins/include.php
不審な通信の一覧
| uri | count |
|---|---|
| /robots.txt | 1706 |
| /.env | 442 |
| /sw.js | 432 |
| /favicon.ico | 371 |
| /ads.txt | 271 |
| * | 161 |
| /.git/config | 134 |
| mstshash=Administr | 133 |
| /inputs.php | 116 |
| /app-ads.txt | 86 |
| /geoserver/web/ | 69 |
| /boaform/admin/formLogin | 67 |
| /wp-includes/widgets/include.php | 64 |
| /wp-includes/images/include.php | 63 |
| /wp-content/plugins/core-plugin/include.php | 63 |
| /actuator/gateway/routes | 55 |
| /docker/.env | 51 |
| /sellers.json | 47 |
| /.well-known/ | 45 |
| /wp-content/ | 43 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 43 |
| /wp-admin/ | 42 |
| /api/.env | 41 |
| /.well-known/acme-challenge/ | 41 |
| /.well-known/security.txt | 39 |
| /wp-includes/ | 38 |
| /wp-content/uploads/ | 38 |
| /wp-content/themes/ | 38 |
| /wp-content/plugins/ | 38 |
| /webui/ | 38 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 37 |
| /wp-login.php | 36 |
| /laravel/.env | 36 |
| /app/.env | 36 |
| /_profiler/phpinfo | 36 |
| /manifest.js | 35 |
| /css/ | 35 |
| /.well-known/pki-validation/ | 35 |
| /login | 34 |
| /info.php | 34 |
| /core/.env | 33 |
| /NPClient.html | 31 |
| /.env.old | 31 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 30 |
| /.env.save | 30 |
| /.env.production | 30 |
| /.env.prod | 30 |
| /.env.development | 30 |
| mstshash=Domain | 29 |
| /local/.env | 29 |
| /apps/.env | 29 |
| /application/.env | 29 |
| /system/.env | 28 |
| /sitemap.txt | 28 |
| /shared/.env | 28 |
| /script/.env | 28 |
| /rest/.env | 28 |
| /live_env | 28 |
| /fedex/.env | 28 |
| /enviroments/.env | 28 |
| /cp/.env | 28 |
| /back/.env | 28 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 28 |
| /.env.dist | 28 |
| /private/.env | 27 |
| /development/.env | 27 |
| /cms/.env | 27 |
| /.env.project | 27 |
| /sources/.env | 26 |
| /owa/auth/logon.aspx | 26 |
| /enviroments/.env.production | 26 |
| /admin-app/.env | 26 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 25 |
| /index.asp | 25 |
| /sitemap | 24 |
| /config.json | 24 |
| /aaa9 | 24 |
| /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 23 |
| /lib/phpunit/phpunit/Util/PHP/eval-stdin.php | 23 |
| /.vscode/sftp.json | 23 |
| /phpinfo.php | 22 |
| /lib/phpunit/src/Util/PHP/eval-stdin.php | 22 |
| /debug/default/view?panel=config | 22 |
| /actuator/health | 22 |
| ../../proc/ | 22 |
| /aab8 | 21 |
| /showLogin.cc | 20 |
| /login.html | 20 |
| /.aws/credentials | 20 |
| /.DS_Store | 20 |
| /HNAP1 | 19 |
| /global-protect/login.esp | 18 |
| /cgi-bin/login.cgi | 18 |
| //ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js | 18 |
| /+CSCOE+/logon.html | 18 |
| /vpn/index.html | 17 |
| /sftp-config.json | 17 |
| /portal | 17 |
| /index.php | 17 |
| /apps | 17 |
| /WebViewer.html | 17 |
| /Login.html | 17 |
| //stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js | 17 |
| //cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js | 17 |
| //.env | 17 |
| /wp-content/themes/twentyfive/include.php | 16 |
| /wp-content/themes/sketch/404.php | 16 |
| /wp-content/themes/include.php | 16 |
| /wp-content/plugins/include.php | 16 |
| /webui | 16 |
| /video.html | 16 |
| /ui | 16 |
| /sdk | 16 |
| /manager/html | 16 |
| /login.rsp | 16 |
| /login.cs | 16 |
| /doc/page/login.asp | 16 |
| /dns-query | 16 |
| /api/v1/charts | 16 |
| /admin/index.html | 16 |
| /admin/ | 16 |
| /wp-content/include.php | 15 |
| /web/index.html | 15 |
| /vendor/phpunit/src/Util/PHP/eval-stdin.php | 15 |
| /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php | 15 |
