遅くなりましたが、明けましておめでとうございます。
公開している web サーバのログから通常のアクセスではない通信について分析しました。
去年は年末に向けてPHPUnitのevalをリモート実行のリクエストが増えて来た印象があります。
多かったリクエスト
PHPUnitのevalをリモート実行
PHPのユニットテストツールのPHPUnitの脆弱性を利用してのeval()を実行しようとする通信
JVNDB-2017-005280 - JVN iPedia - 脆弱性対策情報データベース
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/src/Util/PHP/eval-stdin.php
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php
/vendor/phpunit/Util/PHP/eval-stdin.php
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/phpunit/phpunit/Util/PHP/eval-stdin.php
/phpunit/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/src/Util/PHP/eval-stdin.php
/lib/phpunit/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
//vendor/phpunit/phpunit/src/Util/PHP/evil.php
//app/vendor/phpunit/phpunit/src/Util/PHP/evil.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
ログイン画面へのアクセス
どのサービス化までは特定できませんでしたが、ブルートフォース目的のログイン画面へのアクセスがありました。
/admin/assets/js/views/login.js
Spring Frameworkの脆弱性
Spring FrameworkのSpring Cloud Gatewayという機能の脆弱性に関する通信みたいです。
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
/actuator/gateway/routes
Cisco 製 Cisco IOS XE などのネットワーク機器の Web UI の脆弱性
下記の記事のようなネットワーク機器のWeb UIにアクセスを試みる通信だと思われます。
Cisco 製 Cisco IOS XE の Web UI の脆弱性について(CVE-2023-20198 等) | 情報セキュリティ | IPA 独立行政法人 情報処理推進機構
/webui/
PHPinfo
少し珍しいタイプのPHPinfo
/_profiler/phpinfo
TP-Link製ルータArcher AX21の脆弱性(CVE-2023-1389)を狙った攻撃
2023年6月度 MBSD-SOCの検知傾向トピックス | 技術者ブログ | 三井物産セキュアディレクション株式会社
/cgi-bin/luci/;stok=/locale
不審な通信の一覧
uri | count |
---|---|
/index.xml | 3765 |
/robots.txt | 1877 |
/.env | 724 |
/ | 548 |
/favicon.ico | 357 |
/admin/assets/js/views/login.js | 261 |
/ads.txt | 238 |
/sw.js | 207 |
/.git/config | 178 |
* | 171 |
mstshash=Administr | 145 |
/admin/config.php | 118 |
//vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 115 |
//app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 110 |
/.well-known/traffic-advice | 105 |
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 96 |
/login.rsp | 90 |
/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 74 |
/app-ads.txt | 73 |
/sellers.json | 68 |
/wp | 67 |
/wordpress | 67 |
/old | 67 |
/new | 67 |
/main | 67 |
/home | 67 |
/bk | 67 |
/bc | 67 |
/backup | 67 |
/_profiler/phpinfo | 67 |
/webui/ | 62 |
/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php | 60 |
/login | 60 |
/hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | 60 |
/wp-login.php | 59 |
/vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 59 |
/vendor/phpunit/src/Util/PHP/eval-stdin.php | 59 |
/vendor/phpunit/phpunit/LICENSE/eval-stdin.php | 59 |
/vendor/phpunit/Util/PHP/eval-stdin.php | 59 |
/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 59 |
/actuator/gateway/routes | 59 |
/phpunit/src/Util/PHP/eval-stdin.php | 58 |
/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 58 |
/phpunit/phpunit/Util/PHP/eval-stdin.php | 58 |
/phpunit/Util/PHP/eval-stdin.php | 58 |
/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 58 |
/lib/phpunit/phpunit/Util/PHP/eval-stdin.php | 58 |
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/lib/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/lib/phpunit/Util/PHP/eval-stdin.php | 57 |
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 57 |
/ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 56 |
/V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 56 |
/tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 55 |
/testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 55 |
/test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 55 |
/demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 55 |
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 55 |
//vendor/phpunit/phpunit/src/Util/PHP/evil.php | 55 |
//app/vendor/phpunit/phpunit/src/Util/PHP/evil.php | 55 |
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 54 |
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 54 |
/workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/index.php?lang=../../../../../../../../tmp/index1 | 53 |
/containers/json | 53 |
/blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | 53 |
/password/reset | 50 |
/api/.env | 42 |
/.env.production | 35 |
/admin/.env | 34 |
/.env.save | 34 |
/cgi-bin/luci/;stok=/locale | 33 |
/app/.env | 33 |
/.env.prod | 33 |
/core/.env | 32 |
/.env.bak | 32 |
/admin.php | 31 |
/.env.local | 31 |
/config.json | 29 |
/tags/go | 28 |
/.well-known/security.txt | 28 |
/.aws/credentials | 28 |
/laravel/.env | 27 |
/t4 | 26 |
/public/.env | 26 |
/manifest.js | 26 |
//libs/js/iframe.js | 26 |
/post/wp-login.php | 25 |
/logon.htm | 25 |
/backend/.env | 24 |
//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 24 |
//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js | 21 |
/.env.dist | 21 |
/sdk | 20 |
/dns-query | 20 |
/crm/.env | 20 |
/application/.env | 20 |
/HNAP1 | 20 |
//stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js | 20 |
//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js | 20 |
//admin/config.php | 20 |
/wp-admin/js/about.php | 19 |
/phpinfo.php | 19 |
/apply.cgi | 19 |
/actuator/health | 19 |
/.env.testing | 19 |
/.env.example | 19 |
/.env.dev | 19 |
myip.wtf:443 | 18 |
/wp-includes/widgets/include.php | 18 |
/wp-includes/images/include.php | 18 |
/wp-content/plugins/WordPressCore/include.php | 18 |
/webui | 18 |
/user | 18 |
/prod/.env | 18 |
/owa/auth/logon.aspx | 18 |
/owa/ | 18 |
/laravel/core/.env | 18 |
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage | 18 |
/.well-known/acme-challenge/cloud.php | 18 |
/.vscode/sftp.json | 18 |
/sftp-config.json | 17 |
/post | 17 |
/login.asp | 17 |
/dev/.env | 17 |
/app_dev.php/_profiler/phpinfo | 17 |
/index.php | 16 |
/demo/.env | 16 |
/cp/.env | 16 |
/beta/.env | 16 |
/app_dev.php/_profiler/open?file=app/config/parameters.yml | 16 |
/kyc/.env | 15 |
/config/.env | 15 |
/apps/.env | 15 |
/.env~ | 15 |
/debug/default/view?panel=config | 14 |
/boaform/admin/formLogin | 14 |
/aaa9 | 14 |
/.json | 14 |
/wp-includes/Text/about.php | 13 |
/wp-content/ | 13 |
/wp-admin/images/index.php | 13 |
/wp-admin/css/index.php | 13 |
/version | 13 |
/dropdown.php | 13 |
/docker/.env | 13 |
/credentials | 13 |
/client_secrets.json | 13 |
/autodiscover/autodiscover.json?@zdi/Powershell | 13 |
/aab9 | 13 |
/aab8 | 13 |
/.env.test | 13 |
/.env.stage | 13 |
/.env.production.local | 13 |
/wp-content/themes/about.php | 12 |
/wp-admin/images/about.php | 12 |
/wp-admin/css/about.php | 12 |
/sftp.json | 12 |
/phpmyadmin/index.php | 12 |
/new/.env | 12 |
/human.aspx?arg12=infotech | 12 |
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 12 |
/default.php | 12 |
/content.php | 12 |
/1.php | 12 |
/.well-known/assetlinks.json | 12 |
/.well-known/apple-app-site-association | 12 |
/web/.env | 11 |
/v2/_catalog | 11 |
/portal/.env | 11 |
/pmd/index.php | 11 |
/info.php | 11 |
/evox/about | 11 |
/cms/.env | 11 |
/cgi-bin/login.cgi | 11 |
/cgi-bin/authLogin.cgi | 11 |
/app/config/.env | 11 |
/api/v2/.env | 11 |
/about.php | 11 |
/Api/.env | 11 |
/API/.env | 11 |
//sftp.json | 11 |
//sftp-config.json | 11 |
/.git/HEAD | 11 |
/.config/sftp.json | 11 |
/.config.yaml | 11 |
web.realsysadm.in:443 | 10 |
/wp-includes/widgets/about.php | 10 |
/wp-includes/style-engine/about.php | 10 |
/wp-includes/rest-api/about.php | 10 |
/wp-includes/block-patterns/about.php | 10 |
/wp-content/themes/include.php | 10 |
/wp-content/plugins/seoplugins/mar.php | 10 |
/wp-content/plugins/include.php | 10 |
/wp-content/plugins/core-plugin/include.php | 10 |
/vendor/.env | 10 |
/solr/admin/info/system | 10 |
/solr/admin/cores?action=STATUS&wt=json | 10 |
/server/.env | 10 |
/resolve?name=example.com&type=A | 10 |
/resolve | 10 |
/query?q=SHOW+DIAGNOSTICS | 10 |
/query?name=example.com&type=A | 10 |
/query | 10 |
/phpmyadmin4.8.5/index.php | 10 |
/main.jsp | 10 |
/index.jsp | 10 |
/files/.git/config | 10 |
/dns-query?name=example.com&type=A | 10 |
/default.jsp | 10 |
/data/.env | 10 |
/dana-na/nc/nc_gina_ver.txt | 10 |
/dana-cached/hc/HostCheckerInstaller.osx | 10 |
/config.env | 10 |
/cms/.env.production | 10 |
/cms/.env.prod | 10 |