I analysed the logs of my publicly exposed web server for traffic that is not ordinary browsing.
This month it was a barrage of PHP.
Most frequent requests
Remote execution of eval() via PHPUnit
Requests that try to run eval() through a vulnerability in PHPUnit, the PHP unit-testing framework (CVE-2017-9841, fixed in PHPUnit 4.8.28 / 5.6.3). `eval-stdin.php` hands the raw request body to eval(), so if a Composer `vendor/` directory is reachable through the web server a single POST gives remote code execution. The scanner requests the same file under many directory prefixes, guessing where the application root or `vendor/` lives. The fix is to keep `vendor/` outside the document root (or deny it in the web server configuration) and not to deploy dev dependencies to production.
JVNDB-2017-005280 - JVN iPedia - Vulnerability Countermeasure Information Database
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Shell execution via the Apache HTTP Server path traversal vulnerabilities (CVE-2021-41773, CVE-2021-42013)
There was traffic exploiting the Apache path-normalization bugs. The `.%2e` form below is the CVE-2021-41773 payload for Apache 2.4.49; the double-encoded `%%32%65` form that also appears in the table further down targets the incomplete fix in 2.4.50 (CVE-2021-42013). When `mod_cgi` is enabled and the filesystem outside the document root is not protected by `Require all denied`, the traversal reaches `/bin/sh`, which reads the POST body as a script, so the bug becomes remote code execution rather than file disclosure.
Verifying the Apache HTTP Server directory traversal vulnerability CVE-2021-41773 #Apache_http_server - Qiita
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
Web UI vulnerability in Cisco IOS XE and other Cisco network devices
This appears to be traffic probing for the web UI of network devices, as in the article below. In IOS XE, CVE-2023-20198 let an unauthenticated attacker create a privilege-15 account through the web UI; Cisco's guidance is to disable the HTTP server feature (`ip http server` / `ip http secure-server`) on internet-facing systems or to restrict it with an access list.
Cisco IOS XE Web UI vulnerability (CVE-2023-20198 etc.) | Information Security | IPA Information-technology Promotion Agency
/webui/
GeoServer vulnerability
Requests for `/geoserver/web/`, the GeoServer web administration console. A GET there confirms the product is present before an exploit is tried.
Critical GeoServer vulnerability CVE-2023-35042 fixed: RCE attacks observed – IoT OT Security News
Reading the VS Code SFTP extension's configuration
There was traffic trying to read the configuration file of the VS Code SFTP extension. That file holds the deployment host, username and usually a plaintext password, so if the `.vscode` directory is uploaded along with the site it hands the attacker credentials. `/sftp-config.json` in the table below is the Sublime Text SFTP plugin's equivalent.
/.vscode/sftp.json
Checking whether Telerik Report Server is in use
A critical vulnerability was found in Telerik Report Server, and there was traffic probing for it; a GET to `/ReportServer` only checks whether the product is installed.
[Security News] Critical vulnerability in "Telerik Report Server" - update to the latest version (page 1 of 1): Security NEXT
/ReportServer
Checking whether a Red Lion DA50N is in use
Multiple vulnerabilities have been reported in the Red Lion DA50N, and this appears to be traffic checking whether the device is present before attempting to exploit them.
JVNVU#92503855: Multiple vulnerabilities in Red Lion DA50N
/portal/redlion
Spring Cloud Gateway vulnerability
This looks like traffic related to CVE-2022-22947 in Spring Cloud Gateway (a Spring Cloud project; the bug is not in Spring Framework itself). When the Gateway Actuator endpoint is enabled, exposed and unsecured, an attacker can POST a route whose filter arguments contain a SpEL expression, which the gateway evaluates when the routes are refreshed. A GET to `/actuator/gateway/routes` is the reconnaissance step that confirms the endpoint is reachable.
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
Apache Solr vulnerabilities
Multiple vulnerabilities, including path traversal, have been found in Apache Solr, and this appears to be traffic attempting to exploit them. `/solr/admin/info/system` returns the Solr and JVM versions, and the `cores?action=STATUS` request enumerates core names, which most Solr exploits need in order to build the URL of a core-specific handler.
JVNDB-2021-017399 - JVN iPedia - Vulnerability Countermeasure Information Database
/solr/admin/info/system
/solr/admin/cores?action=STATUS&wt=json
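The categories above can be picked out of an access log mechanically. The script below is an added example written for this post, not the author's own tooling: it parses combined-format log lines, percent-decodes each request target until it stops changing (which is what catches both the `.%2e` and the double-encoded `%%32%65` traversal forms), tags each request with a category, and counts categories, targets and source addresses. The sample log lines are constructed to mirror the targets listed in this post, and the category names and regular expressions are this example's own choices.

```python
# Added example: classify probe traffic in a combined-format access log.
import re
from collections import Counter
from urllib.parse import unquote

# host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+')

# (category, regex, what to match it against); first match wins.
# "target" rules look at path + query because the marker sits in the query.
RULES = [
    ("phpunit_eval_stdin", re.compile(r"/eval-stdin\.php$", re.I), "path"),
    ("thinkphp_invokefunction", re.compile(r"invokefunction", re.I), "target"),
    ("pearcmd_lfi", re.compile(r"pearcmd", re.I), "target"),
    ("secret_file", re.compile(r"(^|/)(\.env(\.[a-z]+)?|\.git/config|"
                               r"\.vscode/sftp\.json|sftp-config\.json)$", re.I), "path"),
    ("spring_gateway_actuator", re.compile(r"^/actuator/gateway/", re.I), "path"),
    ("solr_admin", re.compile(r"^/solr/admin/", re.I), "path"),
    ("cisco_webui", re.compile(r"^/webui/?$", re.I), "path"),
    ("geoserver", re.compile(r"^/geoserver/", re.I), "path"),
]


def decode_path(raw: str, max_passes: int = 3) -> str:
    """Percent-decode until stable. '.%2e' -> '..' in one pass (CVE-2021-41773);
    '%%32%65' -> '%2e' -> '.' needs two (CVE-2021-42013), so a single decode
    or a raw-string match would miss the second form."""
    cur = raw
    for _ in range(max_passes):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def parse_line(line: str):
    """(ip, method, target) or None. Non-HTTP bytes sent to the HTTP port
    (RDP cookies, TLS records) have no 'METHOD TARGET HTTP/x' shape and
    come back with an empty method."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return m.group("ip"), "", m.group("req")
    return m.group("ip"), parts[0], parts[1]


def classify(method: str, target: str) -> str:
    """Category name for one request; 'benign' if no rule matched."""
    if not method:
        return "non_http"
    decoded_path = decode_path(target.partition("?")[0])
    # Any '..' segment after full decoding is traversal, whatever encoding was used.
    if ".." in decoded_path.split("/"):
        return "path_traversal"
    decoded_target = decode_path(target)
    for name, rx, scope in RULES:
        if rx.search(decoded_path if scope == "path" else decoded_target):
            return name
    return "benign"


def analyze(log_text: str) -> dict:
    """Count categories, (category, decoded target) pairs and source IPs."""
    by_category, by_target, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, target = parsed
        cat = classify(method, target)
        by_category[cat] += 1
        if cat != "benign":
            by_target[(cat, decode_path(target) if method else target)] += 1
            sources[ip] += 1
    return {"by_category": by_category, "by_target": by_target, "sources": sources}


# Constructed sample lines (not from the author's server); raw string so the
# \x5C / \x03 escapes stay literal, the way Apache writes them.
SAMPLE_LOG = r"""
203.0.113.10 - - [01/Jun/2024:10:00:01 +0900] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jun/2024:10:00:02 +0900] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jun/2024:10:00:04 +0900] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 226 "-" "curl/7.88.1"
203.0.113.12 - - [01/Jun/2024:10:00:05 +0900] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 226 "-" "curl/7.88.1"
203.0.113.13 - - [01/Jun/2024:10:00:06 +0900] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.13 - - [01/Jun/2024:10:00:07 +0900] "GET /.vscode/sftp.json HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.14 - - [01/Jun/2024:10:00:08 +0900] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jun/2024:10:00:09 +0900] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.15 - - [01/Jun/2024:10:00:10 +0900] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
203.0.113.16 - - [01/Jun/2024:10:00:11 +0900] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 226 "-" "-"
203.0.113.17 - - [01/Jun/2024:10:00:12 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for cat, n in result["by_category"].most_common():
        print(f"{n:4d}  {cat}")
    for (cat, tgt), n in result["by_target"].most_common():
        print(f"{n:4d}  {cat:24s} {tgt}")
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").read())`. The important design point is that every rule is matched after decoding rather than against the raw request line, and that traversal is detected by looking for a `..` segment instead of a fixed signature, so the `.%2e` and `%%32%65` variants in the table collapse into one category.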
List of suspicious requests
Request targets from the month's log and how many times each was seen. Entries that are not URIs (`mstshash=...`, raw bytes) are non-HTTP protocols sent to the HTTP port, logged as received; `Cookie: mstshash=` is the start of an RDP connection request, with the username truncated to nine characters.
| uri | count | 
|---|---|
| /robots.txt | 1633 | 
| /.env | 438 | 
| /favicon.ico | 312 | 
| /ads.txt | 207 | 
| /sw.js | 194 | 
| /admin/config.php | 164 | 
| /.git/config | 143 | 
| /wp-login.php | 134 | 
| mstshash=Administr | 124 | 
| /app-ads.txt | 98 | 
| /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 78 | 
| /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 71 | 
| /index.xml | 66 | 
| /.vscode/sftp.json | 66 | 
| /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 63 | 
| /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /webui/ | 61 | 
| /vendor/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php | 61 | 
| /vendor/phpunit/Util/PHP/eval-stdin.php | 61 | 
| /phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /phpunit/phpunit/Util/PHP/eval-stdin.php | 61 | 
| /phpunit/Util/PHP/eval-stdin.php | 61 | 
| /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /lib/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /lib/phpunit/phpunit/Util/PHP/eval-stdin.php | 61 | 
| /lib/phpunit/Util/PHP/eval-stdin.php | 61 | 
| /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 61 | 
| /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /vendor/phpunit/phpunit/LICENSE/eval-stdin.php | 60 | 
| /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello | 60 | 
| /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello | 60 | 
| /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php | 60 | 
| /index.php?lang=../../../../../../../../tmp/index1 | 60 | 
| /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 60 | 
| /.well-known/traffic-advice | 58 | 
| /geoserver/web/ | 57 | 
| \x84\xB4,\x85\xAFn\xE3Y\xBBbhl\xFF(=’:\xA9\x82\xD9o\xC8\xA2\xD7\x93\x98\xB4\xEF\x80\xE5\xB9\x90\x00(\xC0 | 55 | 
| /sftp-config.json | 55 | 
| /actuator/gateway/routes | 55 | 
| /post/wp-login.php | 48 | 
| /_profiler/phpinfo | 42 | 
| /v2/_catalog | 36 | 
| /cgi-bin/authLogin.cgi | 34 | 
| /solr/admin/info/system | 32 | 
| /solr/admin/cores?action=STATUS&wt=json | 32 | 
| /query?q=SHOW+DIAGNOSTICS | 32 | 
| /sellers.json | 29 | 
| /wp-admin/admin-ajax.php?action=add_custom_font | 28 | 
| /HNAP1 | 28 | 
| /sdk | 27 | 
| /dns-query | 26 | 
| /config.json | 22 | 
| /actuator/health | 22 | 
| /evox/about | 21 | 
| /owa/auth/logon.aspx | 20 | 
| /.well-known/security.txt | 20 | 
| /.DS_Store | 20 | 
| /contact | 19 | 
| 7 | 17 | 
| /info.php | 16 | 
| /wp | 15 | 
| /wordpress | 15 | 
| /teorema505?t=1 | 15 | 
| /t4 | 15 | 
| /new | 15 | 
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 15 | 
| /autodiscover/autodiscover.json?@zdi/Powershell | 15 | 
| /alive.php | 15 | 
| /ab2h | 15 | 
| /ab2g | 15 | 
| /+CSCOE+/logon.html | 15 | 
| /owa/ | 14 | 
| /old | 14 | 
| /manager/html | 14 | 
| /main | 14 | 
| /home | 14 | 
| /bk | 14 | 
| /bc | 14 | 
| /backup | 14 | 
| //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 14 | 
| /version | 13 | 
| /manifest.js | 13 | 
| /api/.env | 13 | 
| /.env.production | 13 | 
| /webui | 12 | 
| /user | 12 | 
| /resolve?name=example.com&type=A | 12 | 
| /resolve | 12 | 
| /remote/login?lang=en | 12 | 
| /query?name=example.com&type=A | 12 | 
| /query | 12 | 
| /human.aspx | 12 | 
| /druid/index.html | 12 | 
| /dns-query?name=example.com&type=A | 12 | 
| /cdn-cgi/trace | 12 | 
| /1.php | 12 | 
| /.well-known/assetlinks.json | 12 | 
| /.well-known/apple-app-site-association | 12 | 
| /wp-includes/widgets/include.php | 11 | 
| /wp-includes/images/include.php | 11 | 
| /upl.php | 11 | 
| /systembc/password.php | 11 | 
| /sendgrid/.env | 11 | 
| /phpinfo.php | 11 | 
| /password.php | 11 | 
| /page/3/site_icons/icon-192x192.png | 11 | 
| /owa/auth/x.js | 11 | 
| /hudson | 11 | 
| /geoip/ | 11 | 
| /form.html | 11 | 
| /wp-content/themes/include.php | 10 | 
| /wp-content/plugins/include.php | 10 | 
| /wp-content/plugins/WordPressCore/include.php | 10 | 
| /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 10 | 
| /redmine/.env | 10 | 
| /portal/redlion | 10 | 
| /page/2/site_icons/icon-192x192.png | 10 | 
| /index.asp | 10 | 
| /debug/default/view?panel=config | 10 | 
| /contact/site_icons/icon-192x192.png | 10 | 
| /app/.env | 10 | 
| /aab8 | 10 | 
| /.env.prod | 10 | 
| mstshash=Domain | 9 | 
| /wp-content/ | 9 | 
| /phpmyadmin/index.php | 9 | 
| /manager/text/list | 9 | 
| /about/site_icons/icon-192x192.png | 9 | 
| /ReportServer | 9 | 
| /FD873AC4-CF86-4FED-84EC-4BD59C6F17A7 | 9 | 
| \x00\x00BBBB\xBA\x8C\xC1\xABDAAA | 8 | 
| /xmlrpc.php?rsd | 8 | 
| /wp1/wp-includes/wlwmanifest.xml | 8 | 
| /wp/wp-includes/wlwmanifest.xml | 8 | 
| /wordpress/wp-includes/wlwmanifest.xml | 8 | 
| /web/wp-includes/wlwmanifest.xml | 8 | 
| /test/wp-includes/wlwmanifest.xml | 8 | 
| /site/wp-includes/wlwmanifest.xml | 8 | 
| /shop/wp-includes/wlwmanifest.xml | 8 |