Ever so often, I see requests for files in .well-known recorded by our honeypots. As an example:
GET /.well-known/xin1.php?p Host: [honeypot host name]
The file names indicate that they are likely looking for webshells. In my opinion, the reason they are looking in .well-known is that this makes a decent place to hide webshells without having them overwritten by an update to the site.
The .well-known directory is meant to be used for various informational files [1], and for example, for ACME TLS challenges. As a result, it is the only directory or file starting with “.” that must be accessible via the web server. But it is also “hidden” to Unix command line users. I have written about the various legitimate users of .well-known before [2].
We also see some requests for PHP files in the acme-challenge subdirectory, as well as the pki-challenge subdirectory:
Here are some of the more common, but not “standard” URLs in .well-known hit in our honeypots:
/.well-known/pki-validation/about.php
/.well-known/about.php
/.well-known/acme-challenge/cloud.php
/.well-known/acme-challenge/about.php
/.well-known/pki-validation/xmrlpc.php
/.well-known/acme-challenge/index.php
[1] https://datatracker.ietf.org/doc/html/rfc8615
[2] https://isc.sans.edu/diary/26564
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
