webサーバのログの分析2024 12月分

2025-01-25 技術系

遅くなりましたが、明けましておめでとうございます。
公開している web サーバのログから通常のアクセスではない通信について分析しました。
去年は年末に向けてPHPUnitのevalをリモート実行のリクエストが増えて来た印象があります。

多かったリクエスト

PHPUnitのevalをリモート実行

PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信

JVNDB-2017-005280 - JVN iPedia - 脆弱性対策情報データベース

//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php               
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php            
/vendor/phpunit/Util/PHP/eval-stdin.php                   
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php                      
/phpunit/phpunit/src/Util/PHP/eval-stdin.php              
/phpunit/phpunit/Util/PHP/eval-stdin.php                  
/phpunit/Util/PHP/eval-stdin.php                          
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php          
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php              
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php  
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php   
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php   
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php    
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php   
/lib/phpunit/src/Util/PHP/eval-stdin.php                  
/lib/phpunit/Util/PHP/eval-stdin.php                      
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php  
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php     
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php  
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php   
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php   
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php    
//vendor/phpunit/phpunit/src/Util/PHP/evil.php
//app/vendor/phpunit/phpunit/src/Util/PHP/evil.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

ログイン画面へのアクセス

どのサービス化までは特定できませんでしたが、ブルートフォース目的のログイン画面へのアクセスがありました。

/admin/assets/js/views/login.js

Spring Frameworkの脆弱性

Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

/actuator/gateway/routes

Cisco 製 Cisco IOS XE などのネットワーク機器の Web UI の脆弱性

下記の記事のようなネットワーク機器のWeb UIにアクセスを試みる通信だと思われます。
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人情報処理推進機構

/webui/

PHPinfo

少し珍しいタイプのPHPinfo

/_profiler/phpinfo

TP-Link製ルータArcher AX21の脆弱性（CVE-2023-1389）を狙った攻撃

2023年6月度 MBSD-SOCの検知傾向トピックス | 技術者ブログ | 三井物産セキュアディレクション株式会社

/cgi-bin/luci/;stok=/locale

不審な通信の一覧

uri	count
/index.xml	3765
/robots.txt	1877
/.env	724
/	548
/favicon.ico	357
/admin/assets/js/views/login.js	261
/ads.txt	238
/sw.js	207
/.git/config	178
*	171
mstshash=Administr	145
/admin/config.php	118
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	115
//app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	110
/.well-known/traffic-advice	105
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	96
/login.rsp	90
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh	74
/app-ads.txt	73
/sellers.json	68
/wp	67
/wordpress	67
/old	67
/new	67
/main	67
/home	67
/bk	67
/bc	67
/backup	67
/_profiler/phpinfo	67
/webui/	62
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php	60
/login	60
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input	60
/wp-login.php	59
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	59
/vendor/phpunit/src/Util/PHP/eval-stdin.php	59
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php	59
/vendor/phpunit/Util/PHP/eval-stdin.php	59
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	59
/actuator/gateway/routes	59
/phpunit/src/Util/PHP/eval-stdin.php	58
/phpunit/phpunit/src/Util/PHP/eval-stdin.php	58
/phpunit/phpunit/Util/PHP/eval-stdin.php	58
/phpunit/Util/PHP/eval-stdin.php	58
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php	58
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php	58
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	57
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	57
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	57
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	57
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	57
/lib/phpunit/src/Util/PHP/eval-stdin.php	57
/lib/phpunit/Util/PHP/eval-stdin.php	57
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	57
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	56
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	56
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	55
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	55
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	55
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	55
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	55
//vendor/phpunit/phpunit/src/Util/PHP/evil.php	55
//app/vendor/phpunit/phpunit/src/Util/PHP/evil.php	55
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	54
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	54
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/index.php?lang=../../../../../../../../tmp/index1	53
/containers/json	53
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php	53
/password/reset	50
/api/.env	42
/.env.production	35
/admin/.env	34
/.env.save	34
/cgi-bin/luci/;stok=/locale	33
/app/.env	33
/.env.prod	33
/core/.env	32
/.env.bak	32
/admin.php	31
/.env.local	31
/config.json	29
/tags/go	28
/.well-known/security.txt	28
/.aws/credentials	28
/laravel/.env	27
/t4	26
/public/.env	26
/manifest.js	26
//libs/js/iframe.js	26
/post/wp-login.php	25
/logon.htm	25
/backend/.env	24
//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js	24
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js	21
/.env.dist	21
/sdk	20
/dns-query	20
/crm/.env	20
/application/.env	20
/HNAP1	20
//stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js	20
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js	20
//admin/config.php	20
/wp-admin/js/about.php	19
/phpinfo.php	19
/apply.cgi	19
/actuator/health	19
/.env.testing	19
/.env.example	19
/.env.dev	19
myip.wtf:443	18
/wp-includes/widgets/include.php	18
/wp-includes/images/include.php	18
/wp-content/plugins/WordPressCore/include.php	18
/webui	18
/user	18
/prod/.env	18
/owa/auth/logon.aspx	18
/owa/	18
/laravel/core/.env	18
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage	18
/.well-known/acme-challenge/cloud.php	18
/.vscode/sftp.json	18
/sftp-config.json	17
/post	17
/login.asp	17
/dev/.env	17
/app_dev.php/_profiler/phpinfo	17
/index.php	16
/demo/.env	16
/cp/.env	16
/beta/.env	16
/app_dev.php/_profiler/open?file=app/config/parameters.yml	16
/kyc/.env	15
/config/.env	15
/apps/.env	15
/.env~	15
/debug/default/view?panel=config	14
/boaform/admin/formLogin	14
/aaa9	14
/.json	14
/wp-includes/Text/about.php	13
/wp-content/	13
/wp-admin/images/index.php	13
/wp-admin/css/index.php	13
/version	13
/dropdown.php	13
/docker/.env	13
/credentials	13
/client_secrets.json	13
/autodiscover/autodiscover.json?@zdi/Powershell	13
/aab9	13
/aab8	13
/.env.test	13
/.env.stage	13
/.env.production.local	13
/wp-content/themes/about.php	12
/wp-admin/images/about.php	12
/wp-admin/css/about.php	12
/sftp.json	12
/phpmyadmin/index.php	12
/new/.env	12
/human.aspx?arg12=infotech	12
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application	12
/default.php	12
/content.php	12
/1.php	12
/.well-known/assetlinks.json	12
/.well-known/apple-app-site-association	12
/web/.env	11
/v2/_catalog	11
/portal/.env	11
/pmd/index.php	11
/info.php	11
/evox/about	11
/cms/.env	11
/cgi-bin/login.cgi	11
/cgi-bin/authLogin.cgi	11
/app/config/.env	11
/api/v2/.env	11
/about.php	11
/Api/.env	11
/API/.env	11
//sftp.json	11
//sftp-config.json	11
/.git/HEAD	11
/.config/sftp.json	11
/.config.yaml	11
web.realsysadm.in:443	10
/wp-includes/widgets/about.php	10
/wp-includes/style-engine/about.php	10
/wp-includes/rest-api/about.php	10
/wp-includes/block-patterns/about.php	10
/wp-content/themes/include.php	10
/wp-content/plugins/seoplugins/mar.php	10
/wp-content/plugins/include.php	10
/wp-content/plugins/core-plugin/include.php	10
/vendor/.env	10
/solr/admin/info/system	10
/solr/admin/cores?action=STATUS&wt=json	10
/server/.env	10
/resolve?name=example.com&type=A	10
/resolve	10
/query?q=SHOW+DIAGNOSTICS	10
/query?name=example.com&type=A	10
/query	10
/phpmyadmin4.8.5/index.php	10
/main.jsp	10
/index.jsp	10
/files/.git/config	10
/dns-query?name=example.com&type=A	10
/default.jsp	10
/data/.env	10
/dana-na/nc/nc_gina_ver.txt	10
/dana-cached/hc/HostCheckerInstaller.osx	10
/config.env	10
/cms/.env.production	10
/cms/.env.prod	10

＜ 2024年に見た映画で印象に残った映画

映画「ドリーム・シナリオ」の感想＞