Common website vulnerability scans found in logs

The other day I had a look around some website traffic logs and I found a lot of references to the following files. After a bit of Google ‘research’, I thought I’d write something down.

I do like to monitor the number of 404 errors over time to keep things clean and going through logs is a great way to do this. Favicon.ico is a classic missing file (which I haven’t got around to doing for this site yet!) but there are some far more interesting files also commonly requested which I don’t need to do anything about at the moment…

So here is the list. These are a few I’ve noticed, but I’m sure there are far more scans for specific files going on out there and plenty more examples.

Keys stored in shell profiles

/.ssh/id_dsa

/.ssh/id_ecdsa

/.ssh/id_ed25519

/.ssh/id_rsa

/.git/config

/.hg/hgrc

/.svn/wc.db

These requests sound like profile files which store SSH keys, Git source code repository keys, Mercurial source code repository keys (that’s “hg”) and Subversion source code repository keys. Having any of these files served by your webserver is a very bad thing, even if your repositories can’t be accessed over the public internet.

Wordpress

/blog/wp-admin/admin-ajax.php

/wp-includes/js/comment-reply.js

/wordpress/wp-admin/admin-ajax.php

/wp-admin/admin-ajax.php

/wp-login.php

/wp/wp-admin/admin-ajax.php

It goes without saying that Wordpress is a huge target for scans because so many websites use Wordpress these days. Here are just a few samples which would no doubt indicate an active Wordpress install and could potentially leak which version, as well.

I would always have fears of leaving some old crusty unpatched install of Wordpress around somewhere on an old server.

When I used to use Wordpress on a few sites, I remember I used to have more hits to the Wordpress admin login screen than all other pages for some sites.

Tunneling for blocked news sites in China

/ogPipe.aspx

/ogShow.aspx

/op69okl

/op69okl.aspx

/os86369.aspx

/show.aspx

I can’t find the actual application, however I can find lots of references to these files appearing in all manner of server logs. Most requests seem to come from clients in China, and a lot of reports seem to talk about tunneling requests via these .NET scripts to let people in China browse sites which are normally blocked by the Great Firewall of China.

Sublime SFTP

/sftp_config.json

It’s worth saying this vulnerability doesn’t really have a lot to do with Sublime SFTP itself, and more with what you inadvertently do with the config files created by the software.

This file contains a list of SFTP connections including servers, usernames and passwords in plaintext. You normally wouldn’t upload this file to a webserver, but hey, it could happen. Seeing Sublime reminded me of Sublime Text, and in fact it’s a companion program to assist with workflows when using Sublime Text as an editor.

PHPUnit

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php

/vendor/phpunit/src/Util/PHP/eval-stdin.php

/vendor/phpunit/Util/PHP/eval-stdin.php

/phpunit/phpunit/Util/PHP/eval-stdin.php

/phpunit/Util/PHP/eval-stdin.php

/lib/phpunit/phpunit/Util/PHP/eval-stdin.php

/lib/phpunit/Util/PHP/eval-stdin.php

/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

I feel like this is a pretty big one and I’ve seen so many different variations all referring back to the same thing. Deploying a component, which is bundled with other software, which allows remote execution of arbitrary PHP code, seems kinda bad. Yikes. It makes sense to have such a feature in a code unit testing framework for PHP, but maybe just be a little careful about where this script goes. More details here and here.

Joomla

/components/com_b2jcontact/css/b2jcontact.css

It’s been a long time since I’ve used Joomla! but they are still around, with the latest release only a few days ago. And here is one such request, for B2J Contact. It’s a fully responsive, advanced and well-supported custom form-creating component for Joomla 3+, which allows you to create customized forms. I can see this being a popular addition to Joomla to provide extra dynamic functionality. I also feel like contact forms are quite a common attack surface, as they require things to be more dynamic than most static sites can deliver, and therefore have dynamic code executing behind the scenes to provide such functionality.

Others

/.DS_Store

A common hidden file you’ll see on drives touched by Macs, this appears to store Finder preferences such as column sorting and file arrangement. Perhaps it could leak folder contents even when directory listings are disabled?

/.idea/WebServers.xml

Slightly different case, but this appears to hold locations, credentials and URLs for webservers and FTP services for a project built using JetBrains’ IntelliJ IDEA. Perhaps it could be used to gain further access into an application?
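Going through logs by hand is fine for a one-off look, but the 404 monitoring mentioned at the start and the path lists above are easy to automate. The script below is an added example and not part of the original post: it parses webserver lines in the common Combined Log Format, counts 404s per day, and tags each request that matches one of the paths catalogued above with what it indicates, grouped by client address. The log lines and client addresses are constructed for the example, and the `min_hits` threshold is an assumption for telling a scanner apart from a browser that merely asked for a missing favicon.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the Combined Log Format (not taken from any real log).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.ssh/id_rsa HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:12 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Oct/2023:02:14:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"
192.0.2.9 - - [11/Oct/2023:02:14:06 +0000] "POST /ogPipe.aspx HTTP/1.1" 404 153 "-" "-"
"""

# Client, timestamp, request line and status code from a Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path signatures taken from the lists in the post, grouped by what a hit indicates.
SIGNATURES = {
    "repo-or-key file": [
        r"^/\.ssh/id_(dsa|ecdsa|ed25519|rsa)$", r"^/\.git/config$",
        r"^/\.hg/hgrc$", r"^/\.svn/wc\.db$",
    ],
    "wordpress probe": [
        r"wp-admin/admin-ajax\.php$", r"^/wp-login\.php$",
        r"wp-includes/js/comment-reply\.js$",
    ],
    "aspx tunnel probe": [r"^/(ogPipe|ogShow|op69okl|os86369|show)\.aspx$", r"^/op69okl$"],
    "sublime sftp config": [r"^/sftp_config\.json$"],
    "phpunit eval-stdin": [r"phpunit/.*Util/PHP/eval-stdin\.php$"],
    "joomla b2jcontact": [r"^/components/com_b2jcontact/"],
    "ide or os metadata": [r"^/\.DS_Store$", r"^/\.idea/WebServers\.xml$"],
}
COMPILED = [(label, re.compile(p)) for label, pats in SIGNATURES.items() for p in pats]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Keep only the date part of "10/Oct/2023:13:55:36 +0000" for the per-day count.
    rec["day"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S").date().isoformat()
    return rec


def classify(path):
    """Return the signature label a request path matches, or None for ordinary traffic."""
    for label, rx in COMPILED:
        if rx.search(path):
            return label
    return None


def analyse(log_text):
    """Count 404s per day and signature hits per client; query strings are dropped before matching."""
    not_found_per_day = Counter()
    hits_per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found_per_day[rec["day"]] += 1
        label = classify(rec["path"].split("?", 1)[0])
        if label:
            hits_per_client[rec["ip"]][label] += 1
    return not_found_per_day, hits_per_client


def scanners(hits_per_client, min_hits=2):
    """Clients with at least min_hits signature hits (assumed threshold); a single hit may be noise."""
    return sorted(ip for ip, c in hits_per_client.items() if sum(c.values()) >= min_hits)


if __name__ == "__main__":
    per_day, per_client = analyse(SAMPLE_LOG)
    for day, n in sorted(per_day.items()):
        print(f"{day}: {n} x 404")
    for ip in scanners(per_client):
        print(ip, dict(per_client[ip]))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents. A rising 404 count on its own only tells you something is missing; the per-client breakdown is what separates a browser asking for favicon.ico from a client walking through the whole catalogue above. The same signature list also makes a reasonable starting point for a deny rule on dotfiles and editor metadata, which is the cheaper fix for a static site than trying to keep them out of every deploy.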

So what?

So no doubt by now you are asking, “So what?” Well, with my new architecture based on static sites, I was quite confident in not having to worry about vulnerabilities involving dynamic code like in PHP or .NET. However, this ignores all the other files which could also pose different kinds of exposure through leaking credentials or names of servers.

It was interesting to see what all the different kinds of files were and to speculate about the purpose of gaining access to such files. I can only imagine how many different scans are constantly being run to seek out common vulnerabilities in software, particularly on old servers long forgotten.