I analysed the logs of a public-facing web server I run for traffic that was not ordinary access.
Frequently seen requests
Vulnerabilities in the Web UI of network devices such as Cisco IOS XE
These appear to be requests attempting to reach the Web UI of network devices, as described in the article below.
Cisco IOS XE Web UI vulnerability (CVE-2023-20198 etc.) | Information Security | IPA, Information-technology Promotion Agency, Japan
/webui/
GeoServer vulnerability
Critical GeoServer vulnerability CVE-2023-35042 fixed: RCE attacks observed – IoT OT Security News
/geoserver/web/
Netlink GPON router vulnerability
IoT malware exploiting router vulnerability CVE-2020-10173 | Trend Micro Security Blog
/boaform/admin/formLogin
Spring Framework vulnerability
These appear to be requests related to a vulnerability in Spring Cloud Gateway, a component of the Spring Framework.
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
Remote execution of eval via PHPUnit
Requests attempting to execute eval() by exploiting a vulnerability in PHPUnit, the PHP unit-testing tool
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Requests believed to target Microsoft Exchange vulnerabilities
Requests attempting to launch PowerShell by exploiting a Microsoft Exchange vulnerability.
Latest information on the Microsoft Exchange zero-day vulnerabilities | FortiGuard Labs
Two critical zero-day vulnerabilities in Microsoft Exchange: active exploitation detected – IoT OT Security News
/autodiscover/autodiscover.json?@zdi/Powershell
jQuery vulnerabilities
Requests checking whether a vulnerable version is in use
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
Atlassian Confluence vulnerability
Honeypot observations: attacks targeting Atlassian Confluence vulnerabilities - DucklingStudio
/template/aui/text-inline.vm
WordPress information gathering
Probing for the plugins and other components in use
/wp-includes/widgets/
/wp-includes/rest-api/
/wp-includes/pomo/
/wp-includes/images/
/wp-includes/fonts/
/wp-includes/customize/
/wp-includes/css/
/wp-includes/certificates/
/wp-includes/blocks/
/wp-includes/Text/
/wp-includes/SimplePie/
/wp-includes/Requests/
/wp-includes/IXR/
/wp-includes/ID3/
/wp-content/themes/
/wp-content/plugins/td-composer/license.txt
/wp-content/plugins/core/include.php
/wp-content/plugins/
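The categories above can be tagged automatically while producing the uri/count tally shown in the table that follows. This is an added example, not the author's own tooling: it parses combined-format access log lines (the sample lines are constructed), keeps raw URIs distinct (so `//.env` and `/.env` stay separate, as in the table), collapses duplicate slashes and drops the query string only for signature matching, and passes through non-HTTP probes whose raw bytes end up in the request field.

```python
import re
from collections import Counter

# Constructed sample (not the author's data); the last entry imitates a non-HTTP
# probe whose raw bytes the server writes into the request field.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:12:00:01 +0900] "GET /webui/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:02 +0900] "GET //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "-"
192.0.2.5 - - [10/Oct/2023:12:00:03 +0900] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 404 153 "-" "-"
192.0.2.5 - - [10/Oct/2023:12:00:04 +0900] "GET //.env HTTP/1.1" 404 153 "-" "-"
192.0.2.5 - - [10/Oct/2023:12:00:05 +0900] "GET //.env HTTP/1.1" 404 153 "-" "-"
203.0.113.10 - - [10/Oct/2023:12:00:06 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:07 +0900] "\\x16\\x03\\x01" 400 0 "-" "-"
"""

# Signatures taken from the categories above, matched against the path with
# repeated slashes collapsed and the query string removed.
SIGNATURES = [
    (r"^/webui/", "Cisco IOS XE Web UI"),
    (r"^/geoserver/web/", "GeoServer"),
    (r"^/boaform/admin/formLogin$", "Netlink GPON router"),
    (r"^/actuator/gateway/routes", "Spring Cloud Gateway"),
    (r"/phpunit/src/Util/PHP/eval-stdin\.php$", "PHPUnit eval-stdin"),
    (r"^/autodiscover/autodiscover\.json", "Microsoft Exchange"),
    (r"^/template/aui/text-inline\.vm$", "Atlassian Confluence"),
    (r"^/wp-(includes|content|admin)/", "WordPress enumeration"),
    (r"/\.env$", "dotenv credential file"),
]

def extract_uri(line):
    """Request target of a combined-format line, or the raw request field for non-HTTP probes."""
    m = re.search(r'\] "([^"]*)"', line)
    if not m:
        return None
    parts = m.group(1).split(" ")
    return parts[1] if len(parts) == 3 and parts[2].startswith("HTTP/") else m.group(1)

def classify(uri):
    """Scan category for a request target, or None when no signature matches."""
    path = re.sub(r"/{2,}", "/", uri.split("?", 1)[0])
    return next((label for pat, label in SIGNATURES if re.search(pat, path)), None)

def analyse(log_text):
    """Tally raw URIs (as in the uri/count table on this page) and scan categories."""
    uris, categories = Counter(), Counter()
    for uri in filter(None, map(extract_uri, log_text.splitlines())):
        uris[uri] += 1
        if label := classify(uri):
            categories[label] += 1
    return uris, categories
```

`analyse(SAMPLE_LOG)` returns two Counters; `uris.most_common()` gives the rows of the uri/count table, and `categories` shows how many hits fell into each scan family.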
List of suspicious requests
| uri | count |
|---|---|
| //.env | 1445 |
| /robots.txt | 1435 |
| /sw.js | 573 |
| //wp-content/ | 502 |
| /.env | 390 |
| / | 372 |
| /favicon.ico | 358 |
| /ads.txt | 223 |
| /wp-login.php | 158 |
| * | 143 |
| mstshash=Administr | 107 |
| /.git/config | 93 |
| /style.php | 87 |
| /.well-known/traffic-advice | 84 |
| /app-ads.txt | 80 |
| /index.xml | 76 |
| /webui/ | 62 |
| /geoserver/web/ | 60 |
| /boaform/admin/formLogin | 59 |
| /api/.env | 48 |
| /actuator/gateway/routes | 48 |
| /laravel/.env | 45 |
| /manifest.js | 44 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 44 |
| /inputs.php | 42 |
| /post/wp-login.php | 40 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 36 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 34 |
| /sellers.json | 31 |
| /core/.env | 26 |
| /.well-known/security.txt | 24 |
| /manage/account/login | 22 |
| /logon.htm | 22 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 22 |
| /.well-known/ | 22 |
| /+CSCOE+/logon.html | 22 |
| /login.jsp | 21 |
| /cgi-bin/login.cgi | 21 |
| /admin/index.html | 21 |
| /_profiler/phpinfo | 21 |
| /aab8 | 20 |
| //ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js | 20 |
| /.DS_Store | 20 |
| /admin.php | 19 |
| /actuator/health | 19 |
| /about | 19 |
| //cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js | 19 |
| /.vscode/sftp.json | 19 |
| //stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js | 18 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 17 |
| /aaa9 | 17 |
| /.well-known/acme-challenge/ | 16 |
| 12.1.2 | 15 |
| /admin/config.php | 15 |
| /HNAP1 | 15 |
| /wp-content/ | 14 |
| /template/aui/text-inline.vm | 14 |
| /public/.env | 14 |
| /local/.env | 14 |
| /admin/.env | 14 |
| /static/177094b2891a478c0dfc14d7124117e1/19dda/NERVE.webp | 13 |
| /sdk | 13 |
| /config.json | 13 |
| /app/.env | 13 |
| /.well-known/assetlinks.json | 13 |
| /.well-known/apple-app-site-association | 13 |
| /.git/HEAD | 13 |
| 7 | 12 |
| /wp-includes/ | 12 |
| /wp-content/uploads/ | 12 |
| /style.php?sig=rename | 12 |
| /sitemap.txt | 12 |
| /page-data/category/%E2%98%85%E2%98%85%E2%98%85%E2%98%85%E2%98%86/page-data.json | 12 |
| /page-data/blog/%E6%B5%B7%E5%BA%9547m/page-data.json | 12 |
| /index.php | 12 |
| /index.jsp | 12 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 12 |
| /b0.php | 12 |
| /admin/ | 12 |
| /.well-known/pki-validation/x.php | 12 |
| /.well-known/fierzashell.php | 12 |
| /wp-includes/widgets/ | 11 |
| /wp-includes/rest-api/ | 11 |
| /wp-includes/pomo/ | 11 |
| /wp-includes/images/ | 11 |
| /wp-includes/fonts/ | 11 |
| /wp-includes/customize/ | 11 |
| /wp-includes/css/ | 11 |
| /wp-includes/certificates/ | 11 |
| /wp-includes/blocks/ | 11 |
| /wp-includes/Text/ | 11 |
| /wp-includes/SimplePie/ | 11 |
| /wp-includes/Requests/ | 11 |
| /wp-includes/IXR/ | 11 |
| /wp-includes/ID3/ | 11 |
| /wp-admin/ | 11 |
| /vendor/.env | 11 |
| /storage/.env | 11 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 11 |
| /repeater.php | 11 |
| /manager/html | 11 |
| /main.php | 11 |
| /info.php | 11 |
| /aab9 | 11 |
| /ALFA_DATA/ | 11 |
| /.well-knownold/ | 11 |
| /wp-includes/wp-class.php | 10 |
| /wp-includes/js/ | 10 |
| /wp-includes/css/buttons.css | 10 |
| /wp-head.php | 10 |
| /wp-content/themes/ | 10 |
| /wp-content/plugins/td-composer/license.txt | 10 |
| /wp-content/plugins/core/include.php | 10 |
| /wp-content/plugins/ | 10 |
| /version | 10 |
| /telescope/requests | 10 |
| /static/d5210b1253c2e969c9e2c4c9fd02dc31/19dda/%E6%B5%B7%E5%BA%9547m.webp | 10 |
| /static/admin/javascript/hetong.js | 10 |
| /sitemap | 10 |
| /server-status | 10 |
| /page-data/category/%E3%83%A1%E3%83%A2/page-data.json | 10 |
| /page-data/category/%E2%98%85%E2%98%85%E2%98%85%E2%98%85%E2%98%85/page-data.json | 10 |
| /page-data/blog/NERVE/page-data.json | 10 |
| /menu.php | 10 |
| /media/system/js/core.js | 10 |
| /manager/text/list | 10 |
| /login | 10 |
| /dns-query | 10 |
| /default.php | 10 |
| /debug/default/view?panel=config | 10 |
| /Public/home/js/check.js | 10 |
| /.aws/credentials | 10 |
| default.asp | 9 |
| /xleet.php | 9 |
| /wp-content/plugins/core-stab/index.php | 9 |
| /worm0.PhP7 | 9 |
| /v2/_catalog | 9 |
| /start.shtml | 9 |
| /start.pl | 9 |
| /start.php | 9 |
| /start.jsp | 9 |
| /start.jsa | 9 |
| /start.jhtml | 9 |
| /start.html | 9 |
| /start.cgi | 9 |
| /start.cfm | 9 |
| /start.aspx | 9 |
| /start.asp | 9 |
| /sitemap.xml | 9 |
| /readme.txt | 9 |
| /portal/redlion | 9 |
| /pools/default/buckets | 9 |
| /pools | 9 |
| /menu.shtml | 9 |
| /menu.pl | 9 |
| /menu.jsp | 9 |
| /menu.jsa | 9 |