Web Searches For Archives, (Sun, Sep 14th)
Johannes and Didier observed an increase in malicious scans for ZIP and other archive files (such as .tar.zip) and for backup files (such as backup.sql, backup.json). These scans did not come from researchers; they carry malicious intent. The advice is to avoid storing such sensitive files on web servers and to put a policy in place to prevent such exposure. 2025-09-14 14:40:38 Author: isc.sans.edu

Johannes wrote a diary entry "Increasing Searches for ZIP Files" where he analyzed the increase of requests for ZIP files (like backup.zip, web.zip, ...) for our web honeypots.

I took a look at my logs, and noticed that too. But it's not only ZIP files; other archive types are being requested as well:

I even had requests for .tar.zip files.

And when it comes to backup files, the following non-archive types are also popular requests:

Filename
backup.sql
backup.json
backup.bak
backup.sh

Looking at the User Agent Strings for these requests, none indicated that these scans were performed by researchers.

And comparing the source IPs of these requests with our researchers list: not a single match.

So it's safe to say that these scans are done with malicious intent, and that you should take Johannes' advice and not have these types of files on your web servers, and even better, have a policy in place to avoid this.
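The two checks described above (look at the requested filenames, then at the User-Agent strings and source IPs) can be scripted against an ordinary web server access log. The following is an added example, not code from the diary or from ISC; the log lines and the researcher IP list are constructed placeholders, and the filename patterns are assumptions based on the names the diary mentions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions seen in the scans. Double suffixes such as .tar.zip are caught
# because we test the whole basename, not just the last component.
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".tgz", ".gz", ".bz2", ".xz",
                ".sql", ".bak", ".sh", ".json")
BACKUP_STEMS = {"backup", "web", "www", "site", "db", "dump", "old"}

# Constructed placeholder: in practice load ISC's known-researcher source list here.
RESEARCHER_IPS = {"198.51.100.7"}


def is_archive_probe(path):
    """True if the requested path looks like a hunt for an archive or backup file."""
    basename = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if not basename.endswith(ARCHIVE_EXTS):
        return False
    stem = basename.split(".", 1)[0]          # "web.tar.zip" -> "web"
    return stem in BACKUP_STEMS or basename.endswith((".sql", ".bak"))


def scan_log(lines, researcher_ips=RESEARCHER_IPS):
    """Count archive/backup probes per source IP, filename and User-Agent,
    skipping sources on the researcher list (the diary's two checks)."""
    hits = {"ips": Counter(), "names": Counter(), "uas": Counter()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in researcher_ips or not is_archive_probe(m["path"]):
            continue
        hits["ips"][m["ip"]] += 1
        hits["names"][m["path"].rsplit("/", 1)[-1].lower()] += 1
        hits["uas"][m["ua"]] += 1
    return hits


# Constructed sample log (RFC 5737 test addresses), not real honeypot data.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2025:10:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2025:10:01:03 +0000] "GET /web.tar.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2025:10:01:04 +0000] "GET /backup.sql HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2025:10:02:00 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "ResearchScanner/1.0"
192.0.2.9 - - [14/Sep/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Sep/2025:10:03:01 +0000] "GET /assets/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for key, counter in scan_log(SAMPLE_LOG).items():
        print(key, counter.most_common())
```

A source whose probes all return 404 is noise; the alert worth acting on is any such request that returns 200, because that means a real archive is exposed.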

Didier Stevens
Senior handler
blog.DidierStevens.com


Source: https://isc.sans.edu/diary/rss/32282