Web server log analysis: December 2024

2025-01-25 Technical

A belated happy new year.
I analyzed the logs of my publicly exposed web server for traffic that is not normal access.
My impression is that, toward the end of last year, requests attempting remote execution through PHPUnit's eval were on the rise.

Frequent requests

Remote execution via PHPUnit eval

Traffic attempting to execute eval() by exploiting a vulnerability in PHPUnit, the PHP unit-testing tool.

JVNDB-2017-005280 - JVN iPedia - Vulnerability Countermeasure Information Database

//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//vendor/phpunit/phpunit/src/Util/PHP/evil.php
//app/vendor/phpunit/phpunit/src/Util/PHP/evil.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Access to login pages

I could not pin down which service it was aimed at, but there was access to a login page that looked like a brute-force attempt.

/admin/assets/js/views/login.js

Spring Framework vulnerability

This appears to be traffic related to a vulnerability in a Spring Framework feature called Spring Cloud Gateway.
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

/actuator/gateway/routes

Web UI vulnerability in network devices such as Cisco IOS XE

This appears to be traffic attempting to reach the web UI of network devices, as described in the article below.
On the Web UI vulnerability in Cisco IOS XE (CVE-2023-20198 and others) | Information Security | IPA (Information-technology Promotion Agency, Japan)

/webui/

PHPinfo

A somewhat unusual type of phpinfo request

/_profiler/phpinfo

Attacks targeting the TP-Link Archer AX21 router vulnerability (CVE-2023-1389)

June 2023 MBSD-SOC Detection Trend Topics | Engineers' Blog | Mitsui Bussan Secure Directions, Inc.

/cgi-bin/luci/;stok=/locale

List of suspicious requests

URI count
/index.xml 3765
/robots.txt 1877
/.env 724
/ 548
/favicon.ico 357
/admin/assets/js/views/login.js 261
/ads.txt 238
/sw.js 207
/.git/config 178
* 171
mstshash=Administr 145
/admin/config.php 118
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 115
//app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 110
/.well-known/traffic-advice 105
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 96
/login.rsp 90
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 74
/app-ads.txt 73
/sellers.json 68
/wp 67
/wordpress 67
/old 67
/new 67
/main 67
/home 67
/bk 67
/bc 67
/backup 67
/_profiler/phpinfo 67
/webui/ 62
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php 60
/login 60
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 60
/wp-login.php 59
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 59
/vendor/phpunit/src/Util/PHP/eval-stdin.php 59
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php 59
/vendor/phpunit/Util/PHP/eval-stdin.php 59
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 59
/actuator/gateway/routes 59
/phpunit/src/Util/PHP/eval-stdin.php 58
/phpunit/phpunit/src/Util/PHP/eval-stdin.php 58
/phpunit/phpunit/Util/PHP/eval-stdin.php 58
/phpunit/Util/PHP/eval-stdin.php 58
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php 58
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php 58
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 57
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 57
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 57
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 57
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 57
/lib/phpunit/src/Util/PHP/eval-stdin.php 57
/lib/phpunit/Util/PHP/eval-stdin.php 57
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 57
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 56
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 56
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 55
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 55
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 55
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 55
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 55
//vendor/phpunit/phpunit/src/Util/PHP/evil.php 55
//app/vendor/phpunit/phpunit/src/Util/PHP/evil.php 55
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 54
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 54
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/index.php?lang=../../../../../../../../tmp/index1 53
/containers/json 53
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 53
/password/reset 50
/api/.env 42
/.env.production 35
/admin/.env 34
/.env.save 34
/cgi-bin/luci/;stok=/locale 33
/app/.env 33
/.env.prod 33
/core/.env 32
/.env.bak 32
/admin.php 31
/.env.local 31
/config.json 29
/tags/go 28
/.well-known/security.txt 28
/.aws/credentials 28
/laravel/.env 27
/t4 26
/public/.env 26
/manifest.js 26
//libs/js/iframe.js 26
/post/wp-login.php 25
/logon.htm 25
/backend/.env 24
//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 24
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js 21
/.env.dist 21
/sdk 20
/dns-query 20
/crm/.env 20
/application/.env 20
/HNAP1 20
//stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js 20
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js 20
//admin/config.php 20
/wp-admin/js/about.php 19
/phpinfo.php 19
/apply.cgi 19
/actuator/health 19
/.env.testing 19
/.env.example 19
/.env.dev 19
myip.wtf:443 18
/wp-includes/widgets/include.php 18
/wp-includes/images/include.php 18
/wp-content/plugins/WordPressCore/include.php 18
/webui 18
/user 18
/prod/.env 18
/owa/auth/logon.aspx 18
/owa/ 18
/laravel/core/.env 18
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage 18
/.well-known/acme-challenge/cloud.php 18
/.vscode/sftp.json 18
/sftp-config.json 17
/post 17
/login.asp 17
/dev/.env 17
/app_dev.php/_profiler/phpinfo 17
/index.php 16
/demo/.env 16
/cp/.env 16
/beta/.env 16
/app_dev.php/_profiler/open?file=app/config/parameters.yml 16
/kyc/.env 15
/config/.env 15
/apps/.env 15
/.env~ 15
/debug/default/view?panel=config 14
/boaform/admin/formLogin 14
/aaa9 14
/.json 14
/wp-includes/Text/about.php 13
/wp-content/ 13
/wp-admin/images/index.php 13
/wp-admin/css/index.php 13
/version 13
/dropdown.php 13
/docker/.env 13
/credentials 13
/client_secrets.json 13
/autodiscover/autodiscover.json?@zdi/Powershell 13
/aab9 13
/aab8 13
/.env.test 13
/.env.stage 13
/.env.production.local 13
/wp-content/themes/about.php 12
/wp-admin/images/about.php 12
/wp-admin/css/about.php 12
/sftp.json 12
/phpmyadmin/index.php 12
/new/.env 12
/human.aspx?arg12=infotech 12
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application 12
/default.php 12
/content.php 12
/1.php 12
/.well-known/assetlinks.json 12
/.well-known/apple-app-site-association 12
/web/.env 11
/v2/_catalog 11
/portal/.env 11
/pmd/index.php 11
/info.php 11
/evox/about 11
/cms/.env 11
/cgi-bin/login.cgi 11
/cgi-bin/authLogin.cgi 11
/app/config/.env 11
/api/v2/.env 11
/about.php 11
/Api/.env 11
/API/.env 11
//sftp.json 11
//sftp-config.json 11
/.git/HEAD 11
/.config/sftp.json 11
/.config.yaml 11
web.realsysadm.in:443 10
/wp-includes/widgets/about.php 10
/wp-includes/style-engine/about.php 10
/wp-includes/rest-api/about.php 10
/wp-includes/block-patterns/about.php 10
/wp-content/themes/include.php 10
/wp-content/plugins/seoplugins/mar.php 10
/wp-content/plugins/include.php 10
/wp-content/plugins/core-plugin/include.php 10
/vendor/.env 10
/solr/admin/info/system 10
/solr/admin/cores?action=STATUS&wt=json 10
/server/.env 10
/resolve?name=example.com&type=A 10
/resolve 10
/query?q=SHOW+DIAGNOSTICS 10
/query?name=example.com&type=A 10
/query 10
/phpmyadmin4.8.5/index.php 10
/main.jsp 10
/index.jsp 10
/files/.git/config 10
/dns-query?name=example.com&type=A 10
/default.jsp 10
/data/.env 10
/dana-na/nc/nc_gina_ver.txt 10
/dana-cached/hc/HostCheckerInstaller.osx 10
/config.env 10
/cms/.env.production 10
/cms/.env.prod 10
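As an added example (not code from the original post), here is a small Python script that reproduces the approach behind the table above: it parses access-log lines in the Apache/nginx combined format, strips the query string, counts request URIs, and tags each request with one of the probe categories discussed in this post (PHPUnit eval-stdin probes, .env probes, percent-encoded path traversal, the Spring Cloud Gateway actuator route, the TP-Link luci path, .git metadata, login-page probes). The log lines, IP addresses and category names are constructed for the example and are not from the author's server.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the Apache/nginx "combined" log format; the IPs
# are documentation ranges and none of these are lines from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Dec/2024:10:01:02 +0900] "GET /index.xml HTTP/1.1" 200 5120 "-" "feedreader/1.0"
203.0.113.7 - - [03/Dec/2024:10:02:11 +0900] "POST //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2024:10:02:12 +0900] "POST /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Dec/2024:10:05:40 +0900] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [03/Dec/2024:10:05:41 +0900] "GET /api/.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.22 - - [03/Dec/2024:10:09:03 +0900] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 226 "-" "curl/7.88"
198.51.100.30 - - [03/Dec/2024:10:12:15 +0900] "GET /actuator/gateway/routes HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
198.51.100.30 - - [03/Dec/2024:10:12:16 +0900] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
203.0.113.41 - - [03/Dec/2024:10:15:00 +0900] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0"
198.51.100.22 - - [03/Dec/2024:10:16:30 +0900] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.9 - - [03/Dec/2024:10:17:05 +0900] "GET /files/.git/config HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.50 - - [03/Dec/2024:10:20:00 +0900] "GET /admin/assets/js/views/login.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# One combined-format access-log line; the request target is captured whole.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Matches /.env, /api/.env, /.env.production, /.env~ but not /config.env
ENV_RE = re.compile(r"(^|/)\.env(\.|~|$)")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def request_path(target):
    """Drop the query string. Split manually: urllib's urlsplit would read a
    target such as //vendor/... as a host name and lose the leading path."""
    return target.split("?", 1)[0]


def classify(target):
    """Tag a request target with one of the probe categories seen in the list above.
    The traversal check keeps the query string, because some probes carry ../ there."""
    path = request_path(target)
    # Decode twice so that both .%2e and double-encoded %252e become '..'
    decoded = unquote(unquote(target))
    rules = [
        ("phpunit-eval-stdin", path.endswith("/eval-stdin.php") or path.endswith("/Util/PHP/evil.php")),
        ("env-file-probe", ENV_RE.search(path) is not None),
        ("path-traversal", "../" in decoded),
        ("spring-cloud-gateway", path.startswith("/actuator/gateway/")),
        ("tplink-archer-luci", path.startswith("/cgi-bin/luci/;stok=")),
        ("git-metadata", "/.git/" in path),
        ("login-page-probe", path.endswith("/login.js") or path in ("/login", "/wp-login.php")),
    ]
    for name, hit in rules:
        if hit:
            return name
    return "other"


def summarize(log_text):
    """Count request paths and probe categories over a block of log text.
    Returns (Counter of paths, Counter of categories); unparsable lines are skipped."""
    paths, categories = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        paths[request_path(rec["target"])] += 1
        categories[classify(rec["target"])] += 1
    return paths, categories


if __name__ == "__main__":
    paths, categories = summarize(SAMPLE_LOG)
    print("URI count")
    for uri, n in paths.most_common():
        print(uri, n)
    print()
    for cat, n in categories.most_common():
        print(f"{cat:22s} {n}")
```

Run as a script it prints a URI/count table like the one above followed by per-category totals; feed a real access log through summarize() to get the same view of your own traffic. The double decode is what makes the `.%2e/` form in the list show up as `../`, and keeping the raw path as the counter key preserves the variants (leading `//`, `LICENSE/` instead of `src/Util/PHP/`) that distinguish different scanners from one another.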
