Who's Attacking My URL Shortener?
A few years ago, I setup a url shortener for eliot.sh – this was in an era of wanting to self-host everything, and a bit.ly alternative seemed like a good idea at the time.1 The solution I chose, Shlink, happens to log all the requests that are made to my domain, even if there isn't a valid short url for that slug. I thought it would be cool to explore what's being pinged the most.
So, I wrote a small script to parse the CSV export from Shlink, and check which endpoints have been visited the most. I've compiled the results in the table below:
| URL | Visits |
|---|---|
| / | 632 |
| / | 446 |
| /.env | 73 |
| /admin.php | 51 |
| /wp-admin/js/about.php | 46 |
| /admin.php | 46 |
| /wp-admin/js/about.php | 46 |
| /about.php | 44 |
| /dropdown.php | 43 |
| /.env | 43 |
| /about.php | 42 |
| /wp-admin/images/about.php | 41 |
| /simple.php | 41 |
| /wp-includes/style-engine/about.php | 40 |
| /dropdown.php | 40 |
| /wp-admin/images/about.php | 40 |
| /wp-admin/images/index.php | 40 |
| /wp-admin/css/index.php | 39 |
| /wp-admin/images/index.php | 39 |
| /wp-includes/Requests/about.php | 39 |
| /alfanew.php | 38 |
| /alfanew.php | 38 |
| /wp-content/themes/seotheme/mar.php | 38 |
| /wp-admin/css/index.php | 37 |
| /wp-includes/style-engine/about.php | 37 |
| /wp-content/themes/about.php | 36 |
| /.well-known/about.php | 36 |
| /simple.php | 36 |
| /atomlib.php | 36 |
| /wp-admin/css/about.php | 36 |
| /wp-includes/ID3/about.php | 36 |
| /wp.php | 35 |
| /wp-includes/images/about.php | 35 |
| /wp-admin/includes/about.php | 35 |
| /wp-admin/css/colors/coffee/cloud.php | 35 |
| /cgi-bin/about.php | 35 |
| /classwithtostring.php | 35 |
| /wp-content/themes/about.php | 35 |
| /wp-admin/includes/about.php | 35 |
| /wp-content/about.php | 35 |
| /.well-known/pki-validation/about.php | 35 |
| /wp-includes/customize/about.php | 35 |
| /wp-admin/css/colors/index.php | 35 |
| /wp-content/plugins/seoplugins/mar.php | 35 |
| /repeater.php | 35 |
| /wp-content/plugins/Cache/Cache.php | 35 |
| /wp-admin/images/cloud.php | 35 |
| /wp-includes/rest-api/about.php | 34 |
| /wp-admin/dropdown.php | 34 |
| /wp-content/plugins/seoplugins/mar.php | 34 |
Interestingly, almost every URL on this list is a PHP URL, with the exception of .env. I guess I would have to attribute this to people being awful at configuring Wordpress instances? I would assume that these bots are basically just scanning for vulnerabilities, usually to then abuse them. Sadly, the Shlink logs don't include IP information (or at least in this export) but I'd be curious to see where these attacks are actually coming from – I'd expect they're almost entirely from outside the U.S.
Another note: while investigating some of these files, I came across some website doing SEO optimization based on user searches, which leads to hilarious sites like this being indexed. I appreciate the related search terms.2
If we filter out .php files from our results, the new "most attacked" list looks like this:
| URL | Visits |
|---|---|
| / | 632 |
| / | 446 |
| /.env | 73 |
| /.env | 43 |
| /.git/config | 29 |
| //feed/ | 26 |
| /.git/config | 22 |
| /chosen | 19 |
| /randkeyword.PhP8 | 18 |
| /index.html | 17 |
| /.well-known/ | 12 |
| /randkeyword.PhP8 | 12 |
| /.vscode/sftp.json | 12 |
| /admin/controller/extension/extension/ | 11 |
| /sites/default/files/ | 11 |
| /_next/static/chunks/main-app-f5c8d25c8479457f.js | 9 |
| /_next/static/chunks/webpack-093bf5b136190ec1.js | 9 |
| /_next/static/chunks/fd9d1056-cc48c28d170fddc2.js | 9 |
| /.vscode/sftp.json | 9 |
| /config.json | 9 |
| /debug/default/view?panel=config | 9 |
| /chosen | 8 |
| /index.html | 8 |
| /_next/static/chunks/69-1b6d135f94ac0e36.js | 8 |
| /_next/static/chunks/250-d7e0a94ebe194dac.js | 8 |
| /_next/static/chunks/app/page-4bc3ff0974b539ee.js | 8 |
| /.aws/credentials | 8 |
| /files/ | 8 |
| /images/ | 8 |
| /uploads/ | 8 |
| /?rest_route=/wp/v2/users/ | 8 |
| /telescope/requests | 8 |
| /.DS_Store | 8 |
| /_all_dbs | 8 |
| /login.action | 8 |
| /server-status | 8 |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | 8 |
| /v2/_catalog | 8 |
| /about | 8 |
| /server | 8 |
| /phpinfo | 7 |
| /new/ | 7 |
| /ynz.PhP7 | 6 |
| /randkeyword.PhP7 | 6 |
| /ioxi002.PhP7 | 6 |
| /phpinfo | 6 |
| /.env.bak | 6 |
| /wordpress/ | 6 |
| /wp/ | 6 |
There are still a few Wordpress related exploits here, but most are now unrelated. .aws/credentials is self-explanatory, as is .env.bak. I'm personally curious what information might be gained from a .DS_Store file? Maybe a way of mapping a site to find information that's not public? I also wonder why those specific _next urls are being visited so often, given the site isn't actually running NextJS.
More than anything else, though, these attacks are a sober reminder that nothing on the open internet is safe, and there are a lot of bad people who are willing to ruin your life for their personal gain. Maybe I should start redirecting /.env to a fake .env and see who tries to login with it...