A little bit over a year ago, I wrote about scans for GeoServer [1][2]. GeoServer is a platform to process geographic data [3]. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up [4].

Let’s first look at the “big picture”: How many scans did we see? The total number of requests for URLs starting with “/geoserver” was 211,143 since the beginning of the year.

Interest in GeoServer started in 2023. It ceased after August but then came back early this year. After the latest SQL exploit was discovered (July 5th), scans for GeoServer surged.

When I wrote about the GeoServer scans last year, a reader noted that Shadowserver had just started scanning for GeoServer. Indeed, most of the time, all GeoServer scans on particular days can be attributed to researchers. In addition to Shadowserver, Internet Census (associated with BitSight) is scanning for GeoServer instances. Personally, I think this is a good thing. Shadowserver will notify ISPs who host insecure instances, and they will find them before the bad guys. 

If you are interested, you can retrieve a list of research IPs from our API [5]

Once we remove the scans we identified as “research,” these are the top countries from which scans originate:

Top Countries

Country
Count

China
26,844

South Korea
2,890

USA
2,549

Germany
1,685

Sweden
1,593

Russia
1,516

Canada
1,417

Brazil
1,137

Hong Kong
984

Indonesia
729

The most common URLs scanned:

URL
Count

/geoserver/web/
37654

/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage?lang=en
4811

/geoserver/wms
1651

/geoserver
1432

/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage
333

/geoserver/
37

/geoserver/bad397/
37

/geoserver/TestWfsPost
26

/geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage
25

/geoserver/ows
17

“/geoserver/web” is the default “Home Page” of GeoServer. “/geoserver/wms” URLs is what we have seen in the past. Current exploits for CVE-2024-36401 use “/geoserver/wfs”. These URLs didn’t make the top 10.

 

[1] https://isc.sans.edu/diary/Geoserver+Attack+Details+More+Cryptominers+against+Unconfigured+WebApps/29936
[2] https://isc.sans.edu/diary/Ongoing+scans+for+Geoserver/29926
[3] https://geoserver.org/
[4] https://medium.com/@knownsec404team/geoserver-sql-injection-vulnerability-analysis-cve-2023-25157-413c1f9818c3
[5] https://isc.sans.edu/api
[6] https://github.com/bigb0x/CVE-2024-36401/blob/main/cve-2024-36401.py

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.