Web server log analysis: June 2024

2024-07-13 Technical

I analysed the logs of a publicly exposed web server for requests that were not ordinary access.

Frequent requests

Remote execution of PHPUnit's eval

Requests attempting to execute eval() by exploiting a vulnerability in PHPUnit, the PHP unit testing tool.

JVNDB-2017-005280 - JVN iPedia - Vulnerability Countermeasure Information Database

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php

Shell execution via the Apache path traversal vulnerabilities (CVE-2021-41773, CVE-2021-42013)

There were requests attacking these Apache vulnerabilities.

Verifying the Apache HTTP Server directory traversal vulnerability CVE-2021-41773 #Apache_http_server - Qiita

/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh

Vulnerability in the Web UI of Cisco network devices such as Cisco IOS XE

These appear to be requests probing for the network-device Web UI described in the article below.
About the vulnerability in the Web UI of Cisco IOS XE (CVE-2023-20198 etc.) | Information Security | IPA Information-technology Promotion Agency, Japan

/webui/

GeoServer vulnerability

Critical GeoServer vulnerability CVE-2023-35042 fixed: RCE attacks observed – IoT OT Security News

/geoserver/web/

Spring Framework vulnerability

These seem to be requests related to a vulnerability in Spring Cloud Gateway, a component of the Spring Framework.
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

/actuator/gateway/routes

Requests checking whether Apache Solr is running

/solr/admin/info/system
/solr/admin/cores?action=STATUS&wt=json
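As an added example (not code from the original post), here is a small Python detector that tags the request categories above when run over constructed Apache access-log lines. The log lines, the signature names and the LOG_RE pattern are my own assumptions; the path normalisation percent-decodes repeatedly so that both the `.%2e` form and the double-encoded `%%32%65` form of the Apache traversal resolve to `../` before matching.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2024:10:01:02 +0900] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2024:10:01:03 +0900] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.9 - - [02/Jun/2024:10:02:00 +0900] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [02/Jun/2024:10:02:10 +0900] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
192.0.2.77 - - [02/Jun/2024:10:03:00 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures derived from the request categories described in the post (names are mine).
SIGNATURES = {
    "phpunit-eval-stdin": re.compile(r"/eval-stdin\.php$"),
    "apache-cve-2021-41773": re.compile(r"\.\./.*/bin/sh$"),   # checked on the decoded path
    "cisco-webui-probe": re.compile(r"^/webui/?$"),
    "geoserver-probe": re.compile(r"^/geoserver/web/?$"),
    "spring-cloud-gateway": re.compile(r"^/actuator/gateway/routes$"),
    "solr-probe": re.compile(r"^/solr/admin/"),
}

def normalize_path(uri: str, rounds: int = 3) -> str:
    """Strip the query string and percent-decode until stable, so %%32%65 -> %2e -> '.'."""
    path = uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(uri: str) -> list:
    """Return the names of every signature the normalised path matches."""
    path = normalize_path(uri)
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]

def scan_log(text: str) -> list:
    """Yield (client IP, raw URI, tags) for each log line that hits a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["uri"])):
            hits.append((m["ip"], m["uri"], tags))
    return hits
```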

List of suspicious requests

uri count
/robots.txt 1828
/.env 542
/ 523
/favicon.ico 430
/sw.js 292
/wp-login.php 270
/ads.txt 244
/.git/config 214
/admin/config.php 138
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 123
/app-ads.txt 117
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 110
mstshash=Administr 104
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 96
/vendor/phpunit/src/Util/PHP/eval-stdin.php 93
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php 93
/vendor/phpunit/Util/PHP/eval-stdin.php 93
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 91
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php 91
/phpunit/src/Util/PHP/eval-stdin.php 91
/phpunit/phpunit/src/Util/PHP/eval-stdin.php 91
/phpunit/phpunit/Util/PHP/eval-stdin.php 91
/phpunit/Util/PHP/eval-stdin.php 91
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 91
/lib/phpunit/src/Util/PHP/eval-stdin.php 91
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php 91
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php 91
/lib/phpunit/Util/PHP/eval-stdin.php 91
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 91
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello 90
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 90
/public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello 88
/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php 88
/index.php?lang=../../../../../../../../tmp/index1 88
/webui/ 72
/geoserver/web/ 68
/actuator/gateway/routes 64
/index.xml 50
/info.php 49
/sellers.json 42
/aab9 41
/.DS_Store 40
/teorema505?t=1 38
/t4 38
/alive.php 38
/ab2h 38
/ab2g 38
/aaa9 38
/sendgrid/.env 36
/HNAP1 35
/.vscode/sftp.json 34
/sdk 33
/owa/ 33
/1.php 32
/.well-known/security.txt 32
/files/ 31
/webui 30
/user 30
/upl.php 30
/systembc/password.php 30
/password.php 30
/human.aspx 30
/geoip/ 30
/form.html 30
/bundle.js 30
/dns-query 29
/v2/_catalog 27
/index.php 26
/home 26
/_profiler/phpinfo 26
/cgi-bin/authLogin.cgi 25
/wp 24
/wordpress 24
/old 24
/new 24
/actuator/health 24
/.env.prod 24
/main 23
/bk 23
/bc 23
/backup 23
/.env.production 23
/wp-content/plugins/WordPressCore/include.php 22
/redmine/.env 22
/query?q=SHOW+DIAGNOSTICS 21
/page-data/app-data.json 21
/index.jsp 21
/api/.env 21
/phpinfo.php 20
/manager/html 20
/solr/admin/info/system 19
/solr/admin/cores?action=STATUS&wt=json 19
/laravel/.env 19
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 19
/debug/default/view?panel=config 19
/.well-known/assetlinks.json 19
/.well-known/apple-app-site-association 19
/+CSCOE+/logon.html 19
/evox/about 18
/config.json 18
/pools/default/buckets 17
/owa/auth/logon.aspx 17
/public/.env 16
/manifest.js 16
/dana-na/nc/nc_gina_ver.txt 16
/dana-cached/hc/HostCheckerInstaller.osx 16
/base.php 16
/autodiscover/autodiscover.json?@zdi/Powershell 16
/app/.env 16
/admin/.env 16
/about 16
/.aws/credentials 16
/start.shtml 15
/start.pl 15
/start.php 15
/start.jhtml 15
/start.asp 15
/readme.txt 15
/menu.shtml 15
/menu.php 15
/menu.jsp 15
/menu.jsa 15
/menu.jhtml 15
/menu.html 15
/menu.cgi 15
/menu.cfm 15
/menu.aspx 15
/main.shtml 15
/main.php 15
/main.jsp 15
/main.jsa 15
/main.jhtml 15
/main.cgi 15
/main.cfm 15
/main.aspx 15
/main.asp 15
/localstart.shtml 15
/localstart.pl 15
/localstart.php 15
/localstart.jsa 15
/localstart.jhtml 15
/localstart.html 15
/localstart.cgi 15
/localstart.cfm 15
/localstart.aspx 15
/inicio.shtml 15
/inicio.php 15
/inicio.jsa 15
/inicio.jhtml 15
/inicio.html 15
/inicio.cgi 15
/inicio.cfm 15
/inicio.aspx 15
/inicio.asp 15
/indice.shtml 15
/indice.pl 15
/indice.php 15
/indice.jsa 15
/indice.jhtml 15
/indice.html 15
/indice.cgi 15
/indice.cfm 15
/indice.aspx 15
/index.shtml 15
/index.pl 15
/index.jsa 15
/index.jhtml 15
/index.cfm 15
/index.aspx 15
/home.shtml 15
/home.pl 15
/home.jsp 15
/home.jsa 15
/home.jhtml 15
/home.html 15
/home.cgi 15
/home.cfm 15
/home.aspx 15
/home.asp 15
/docs/cplugError.html/ 15
/default.shtml 15
/default.pl 15
/default.php 15
/default.jhtml 15
/default.cgi 15
/default.cfm 15
/default.aspx 15
/default.asp 15
/core/.env 15
/base.shtml 15
/base.pl 15
