Common website vulnerability scans found in logs

📅 Posted 2018-04-06

The other day I had a look around some website traffic logs and I found a lot of references to the following files. After a bit of Google ‘research’, I thought I’d write something down.

I do like to monitor the number of 404 errors over time to keep things clean and going through logs is a great way to do this. Favicon.ico is a classic missing file (which I haven’t got around to doing for this site yet!) but there are some far more interesting files also commonly requested which I don’t need to do anything about at the moment…

So here is the list. These are a few I’ve noticed, but I’m sure there are far more scans for specific files going on out there and plenty more examples.

Keys stored in shell profiles

/.ssh/id_dsa

/.ssh/id_ecdsa

/.ssh/id_ed25519

/.ssh/id_rsa

/.git/config

/.hg/hgrc

/.svn/wc.db

These requests are looking for files which store SSH private keys and the configuration of Git, Mercurial (that’s “hg”) and Subversion source code repositories, which can include remote URLs and embedded credentials. Having any of these files delivered by your webserver is a very bad thing, even if your repositories can’t be accessed over the public internet.

Wordpress

/blog/wp-admin/admin-ajax.php

/wp-includes/js/comment-reply.js

/wordpress/wp-admin/admin-ajax.php

/wp-admin/admin-ajax.php

/wp-login.php

/wp/wp-admin/admin-ajax.php

Goes without saying that Wordpress is a huge target for scans because so many websites use Wordpress these days. Here are just a few samples; a hit on any of these would indicate an active Wordpress install and could potentially leak which version, as well.

I would always have fears of leaving some old crusty unpatched install of Wordpress around somewhere on an old server.

When I used to use Wordpress on a few sites, I remember I used to have more hits to the Wordpress admin login screen than all other pages for some sites.

Tunneling for blocked news sites in China

/ogPipe.aspx

/ogShow.aspx

/op69okl

/op69okl.aspx

/os86369.aspx

/show.aspx

I can’t find the actual application, however I can find lots of references to these files appearing in all manners of server logs. Most requests seem to come from clients in China, and a lot of reports seem to talk about tunneling requests via these .NET scripts to let people in China browse sites which are normally blocked by the Great Firewall of China.

Sublime SFTP

/sftp_config.json

It’s worth saying this vulnerability doesn’t really have a lot to do with Sublime SFTP itself, and more with what you inadvertently do with the config files created by the software.

This file contains a list of SFTP connections including servers, usernames and passwords in plaintext. You normally wouldn’t upload this file to a webserver, but hey, it could happen. The name reminded me of Sublime Text, and it is in fact a companion program to assist with workflows when using Sublime Text as an editor.

PHPUnit

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php

/vendor/phpunit/src/Util/PHP/eval-stdin.php

/vendor/phpunit/Util/PHP/eval-stdin.php

/phpunit/phpunit/Util/PHP/eval-stdin.php

/phpunit/Util/PHP/eval-stdin.php

/lib/phpunit/phpunit/Util/PHP/eval-stdin.php

/lib/phpunit/Util/PHP/eval-stdin.php

/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Update: 4-Nov-2019: Found a couple more:

/vendor/phpunit/phpunit/src/Util/PHP/king.php

/vendor/phpunit/phpunit/src/Util/PHP/kill.php

I feel like this is a pretty big one and I’ve seen so many different variations all referring back to the same thing. Deploying a component, which is bundled with other software, which allows remote execution of arbitrary PHP code, seems kinda bad. Yikes. It makes sense to have such a feature in a code unit testing framework for PHP, but maybe just be a little careful about where this script goes. More details here and here.

Uploadify

/scripts/uploadify/uploadify.css

/plugins/uploadify/uploadify.css

/plugins/js/uploadify/uploadify.css

There appear to be several reports of XSS (Cross Site Scripting) vulnerabilities with Uploadify. I guess the scanner is detecting the presence of the utility by looking for its CSS files, even though they don’t contain active scripts themselves.

elFinder

/plugins/elfinder/php/connector.minimal.php

/plugins/elfinder-2.1/php/connector.minimal.php

A quick look at the elFinder Github page says:

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Creation is inspired by simplicity and convenience of Finder program used in Mac OS X operating system.

Also this:

WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.48 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.

Having a look at this, it seems an attacker can download and delete any files on the server under PHP execution privilege. Yikes!

Joomla

/components/com_b2jcontact/css/b2jcontact.css

It’s been a long time since I’ve used Joomla! but it is still around, with the latest release only a few days ago. And here is one such request, for B2J Contact. It’s a fully responsive, advanced and well-supported custom form-creating component for Joomla 3+, which allows you to create customized forms. I can see this being a popular addition to Joomla to provide extra dynamic functionality. I also feel like contact forms are quite a common attack surface: they require things to be more dynamic than most static sites can deliver, which means dynamic code executing behind the scenes to provide that functionality.

/configuration.php_new

/configuration.php_bak

/configuration.php_Old

/configuration.php.old

/configuration.php.new

/configuration.php.bak

/configuration.php-bak

/configuration.bak

(and many more creative variants on the same theme)

Your Joomla configuration, but renamed because you took a backup and left it behind on the webserver. Probably a bad idea.

Magento Mass Importer (MAGMI)

Added March 2020

/magmi/web/download_file.php

/magmi/web/ajax_pluginconf.php

/magmi/conf/magmi.ini

/magmi-importer/web/download_file.php

/magmi-importer/conf/magmi.ini

Some bad vulnerabilities here for MAGMI:

  • Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server
  • Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server

More details here.

Others

/.DS_Store

A common hidden file you’ll see on drives touched by Macs, this stores Finder preferences such as column sorting and file arrangement. Because it records the names of files in the folder, it could potentially leak a folder listing even when directory listings are disabled on the webserver.

/.svn/entries

Another place to store folder listings, more info here.

/var/resource_config.json

Pretty much the same, this is the ‘alternative media store system’.

/.idea/WebServers.xml

Slightly different case, but this file appears to hold the locations, credentials and URLs of webservers and FTP services for a project built using JetBrains’ IntelliJ IDEA. It could be used to gain further access into an application.

/wallet.dat

/wallet/wallet.dat

This is a Bitcoin (or other crypto coin) wallet file which you probably shouldn’t be sharing around the place. Not a great thing to deploy to your website!

So what?

So no doubt by now you are asking: so what? Well, with my new architecture based on static sites, I was quite confident that I no longer had to worry about vulnerabilities involving dynamic code like PHP or .NET. However, that ignores all the other files which could still pose different kinds of exposure, leaking credentials or server names, when they are published to a static host, including S3.

It was interesting to see what all the different kinds of files were and speculate what would be the purpose of gaining access to such files. I can only imagine how many different scans are constantly being run to seek out common vulnerabilities in software, particularly on old servers long forgotten.
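The 404 monitoring mentioned at the top of the post can be automated. The following is an added example of mine, not code from the original post: it parses combined-format access log lines, tags requests matching the paths listed above, groups them by client IP, and separates plain probes (404) from files that were actually served. The category names, the regexes (which generalise the listed paths slightly, e.g. any PHPUnit nesting depth or backup suffix) and the sample log lines are my own constructions.

```python
import re
from collections import defaultdict
# Apache/nginx "combined" log format; the request field is "METHOD /path HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Categories built from the paths listed in this post; the regexes are my own
# generalisations (any PHPUnit nesting depth, any configuration.php backup suffix).
SIGNATURES = [
    ("repo-or-key-file", re.compile(r'/\.(ssh/id_\w+|git/config|hg/hgrc|svn/(wc\.db|entries))$')),
    ("wordpress", re.compile(r'/wp-(login\.php|admin/admin-ajax\.php)$|/wp-includes/')),
    ("phpunit-eval-stdin", re.compile(r'/phpunit/.*Util/PHP/(eval-stdin|king|kill)\.php$')),
    ("joomla-config-backup", re.compile(r'/configuration(\.php)?[._-](bak|old|new)$', re.I)),
    ("sublime-sftp", re.compile(r'/sftp_config\.json$')),
    ("magmi", re.compile(r'/magmi(-importer)?/(web/\w+\.php|conf/magmi\.ini)$')),
    ("elfinder", re.compile(r'/elfinder[^/]*/php/connector\.minimal\.php$')),
    ("uploadify", re.compile(r'/uploadify/uploadify\.css$')),
    ("misc-leak", re.compile(r'/(\.DS_Store|\.idea/WebServers\.xml|var/resource_config\.json|(wallet/)?wallet\.dat)$')),
]

def classify_path(path):
    """Return the scan category a requested path matches, or None for ordinary traffic."""
    path = path.split("?", 1)[0]  # the query string does not change which file was probed
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None
def scan_log(lines):
    """Group matching requests by client IP as (path, status, category, served);
    served is True for a 2xx, i.e. the file really was delivered, not just probed."""
    hits = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, lines)):
        category = classify_path(m["path"])
        if category:
            hits[m["ip"]].append((m["path"], int(m["status"]), category, m["status"][0] == "2"))
    return dict(hits)

def served_paths(hits):
    """Paths confirmed as exposed (served with 2xx) rather than merely probed."""
    return sorted({p for entries in hits.values() for p, _, _, served in entries if served})

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2018:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2018:10:01:04 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "-"
198.51.100.9 - - [06/Apr/2018:10:05:00 +0000] "GET /configuration.php_bak HTTP/1.1" 200 2048 "-" "curl/7.58"
198.51.100.9 - - [06/Apr/2018:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.58"
"""
```

Run `scan_log(SAMPLE_LOG.splitlines())` over a real log instead of the sample and treat anything returned by `served_paths` as an actual exposure to fix, while the 404 entries are just the background scanning noise described above.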

