[Security] Attack techniques against web servers, as seen in access logs [heads-up]

Published 2023/10/05

Overview

I administer a Ruby on Rails web server.
Looking through its access logs, I kept seeing GET/POST requests that made me think "yikes", so I put them together here.

What happened

Take a look at the lines below and you will see what I mean.

method=GET	path=/.aws/credentials
method=GET	path=/.env
method=GET	path=/.env.development
method=GET	path=/.env.dist
method=GET	path=/.env.old
method=GET	path=/.env.prod
method=GET	path=/.env.production
method=GET	path=/.env.project
method=GET	path=/.env.save
method=GET	path=/.git/HEAD
method=GET	path=/.git/config
...

* The full list is given below.

On the server I manage, all of the above end in 404 or 500 errors, but log lines like these show up every day.
And they come from multiple IPs.

These are crafty attacks that track current development trends.

Every web server administrator would do well to add periodic monitoring that confirms these HTTP requests end in an error.
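As an added example (not code from the original post), here is a small Ruby script that performs the check recommended above: it parses the tab-separated method=/path= lines, tallies hits by probe family and source IP, and flags any probe that was answered with a non-error status. The status= and remote_ip= fields are an assumption about the log format, and the sample lines are constructed.

```ruby
# Added example, not code from the original post. The status= and remote_ip=
# fields are assumed extras on the tab-separated method=/path= lines shown above.
# Probe families drawn from the paths listed in the post.
PROBE_PATTERNS = {
  dotenv:      %r{/\.env(\.[a-z]+)?$}i,
  git:         %r{^/\.git/},
  aws_creds:   %r{^/\.aws/credentials$},
  phpinfo:     %r{php[-_]?info|infophp|phpversion}i,
  phpunit_rce: %r{/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$},
  wp_config:   %r{^/wp-config\.php$}
}.freeze
LOG_LINE = /method=(?<method>\w+)\tpath=(?<path>\S+)(?:\tstatus=(?<status>\d{3}))?(?:\tremote_ip=(?<ip>\S+))?/
# Parse one log line into a hash; nil if it is not a request line.
def parse_log_line(line)
  m = LOG_LINE.match(line) or return nil
  { method: m[:method], path: m[:path], status: m[:status]&.to_i, ip: m[:ip] }
end
# Map a request path to a probe family, or nil for ordinary traffic.
def classify_probe(path)
  PROBE_PATTERNS.each { |name, re| return name if path.match?(re) }
  nil
end
# Tally probes per family and per source IP, and collect every probe answered
# with a non-error status: that is what the post recommends monitoring, since
# none of these paths should ever be served successfully.
def scan_access_log(lines)
  summary = { by_family: Hash.new(0), by_ip: Hash.new(0), served: [] }
  lines.each do |line|
    req = parse_log_line(line) or next
    family = classify_probe(req[:path]) or next
    summary[:by_family][family] += 1
    summary[:by_ip][req[:ip] || "unknown"] += 1
    summary[:served] << req.merge(family: family) if req[:status] && req[:status] < 400
  end
  summary
end

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
  "method=GET\tpath=/.env\tstatus=404\tremote_ip=198.51.100.7",
  "method=GET\tpath=/.git/config\tstatus=404\tremote_ip=198.51.100.7",
  "method=POST\tpath=/.env.production\tstatus=200\tremote_ip=203.0.113.9",
  "method=GET\tpath=/admin/phpinfo.php\tstatus=500\tremote_ip=203.0.113.9",
  "method=GET\tpath=/users/sign_in\tstatus=200\tremote_ip=192.0.2.1",
  "method=GET\tpath=/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php\tstatus=404\tremote_ip=198.51.100.7"
].freeze
scan_access_log(SAMPLE_LOG)[:served].each do |h|
  puts "ALERT: #{h[:method]} #{h[:path]} from #{h[:ip]} answered #{h[:status]}"
end
```

In a Rails deployment the same functions can be run over the lograge output on a schedule, alerting on anything that lands in the `served` list.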

Full list

method=GET	path=/.aws/credentials
method=GET	path=/.env
method=GET	path=/.env.development
method=GET	path=/.env.dist
method=GET	path=/.env.old
method=GET	path=/.env.prod
method=GET	path=/.env.production
method=GET	path=/.env.project
method=GET	path=/.env.save
method=GET	path=/.git/HEAD
method=GET	path=/.git/config
method=GET	path=/.json
method=GET	path=/7Ewi
method=GET	path=/PHPConf.php
method=GET	path=/Public/home/js/check.js
method=GET	path=/TkUI
method=GET	path=/_ignition/execute-solution
method=GET	path=/_phpinfo.php
method=GET	path=/_profiler/phpinfo
method=GET	path=/_wpeprivate/config.json
method=GET	path=/actuator/gateway/routes
method=GET	path=/admin-app/.env
method=GET	path=/admin.php
method=GET	path=/admin/.env
method=GET	path=/admin/phpinfo.php
method=GET	path=/api/.env
method=GET	path=/app/.env
method=GET	path=/app/config/.env
method=GET	path=/application/.env
method=GET	path=/apps/.env
method=GET	path=/autodiscover/autodiscover.json
method=GET	path=/back/.env
method=GET	path=/blog/.env
method=GET	path=/charge
method=GET	path=/cms/.env
method=GET	path=/config.env.js
method=GET	path=/config.js
method=GET	path=/config.json
method=GET	path=/config/aws.yml
method=GET	path=/console
method=GET	path=/core/.env
method=GET	path=/debug/default/view
method=GET	path=/development/.env
method=GET	path=/dns-query
method=GET	path=/docker/.env
method=GET	path=/dqgqoeCXckuwPtxov
method=GET	path=/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
method=GET	path=/enviroments/.env
method=GET	path=/enviroments/.env.production
method=GET	path=/frontend_dev.php/$
method=GET	path=/geoserver
method=GET	path=/geoserver/web
method=GET	path=/info.php
method=GET	path=/info/info.php
method=GET	path=/info/phpinfo.php
method=GET	path=/infophp.php
method=GET	path=/information
method=GET	path=/information.php
method=GET	path=/laravel/.env
method=GET	path=/latest_usage
method=GET	path=/live_env
method=GET	path=/local/.env
method=GET	path=/php-info.php
method=GET	path=/php.php
method=GET	path=/php_info.php
method=GET	path=/phpinfo
method=GET	path=/phpinfo.php
method=GET	path=/phpinfo/phpinfo.php
method=GET	path=/phpinformation
method=GET	path=/phpmyadmin/index.php
method=GET	path=/phptest.php
method=GET	path=/phpversion.php
method=GET	path=/pinfo.php
method=GET	path=/pmd/index.php
method=GET	path=/private/.env
method=GET	path=/public/.env
method=GET	path=/script/.env
method=GET	path=/scripts/phpinfo.php
method=GET	path=/shared/.env
method=GET	path=/solr/admin/info/system
method=GET	path=/sources/.env
method=GET	path=/stream
method=GET	path=/system/.env
method=GET	path=/temp.php
method=GET	path=/testphpinfo
method=GET	path=/testphpinfo.php
method=GET	path=/usages
method=GET	path=/vendor/.env
method=GET	path=/vendor/laravel/.env
method=GET	path=/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
method=GET	path=/viewinfo.php
method=GET	path=/web/.env
method=GET	path=/wp-config.php
method=GET	path=/ws/btcusdt@depth@0ms
method=HEAD	path=/Core/Skin/Login.aspx
method=POST	path=/.aws/credentials
method=POST	path=/.env
method=POST	path=/.env.development
method=POST	path=/.env.dist
method=POST	path=/.env.old
method=POST	path=/.env.prod
method=POST	path=/.env.production
method=POST	path=/.env.project
method=POST	path=/.env.save
method=POST	path=/Autodiscover/Autodiscover.xml
method=POST	path=/admin-app/.env
method=POST	path=/api/.env
method=POST	path=/api/v1/orders
method=POST	path=/app/.env
method=POST	path=/application/.env
method=POST	path=/apps/.env
method=POST	path=/back/.env
method=POST	path=/boaform/admin/formLogin
method=POST	path=/cms/.env
method=POST	path=/core/.env
method=POST	path=/development/.env
method=POST	path=/docker/.env
method=POST	path=/enviroments/.env
method=POST	path=/enviroments/.env.production
method=POST	path=/laravel/.env
method=POST	path=/live_env
method=POST	path=/private/.env
method=POST	path=/script/.env
method=POST	path=/shared/.env
method=POST	path=/sources/.env
method=POST	path=/system/.env
method=POST	path=/users/access_token
method=POST	path=/users/sign_in
method=POST	path=/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php