IP Blocked - 91.193.232.136; Incident date: 2026-07-13; UTC time: 15:02:04; Blocked by: Cloudflare W ...
show moreIP Blocked - 91.193.232.136; Incident date: 2026-07-13; UTC time: 15:02:04; Blocked by: Cloudflare WAF; Two unauthorized login attempts; GET URL path: /wp-login.php;
show less
This host is conducting automated, high-volume directory brute-forcing (fuzzing) and active scanning ...
show moreThis host is conducting automated, high-volume directory brute-forcing (fuzzing) and active scanning (MITRE ATT&CK T1190) targeting multiple web application frameworks, config files, and credentials.
In a single burst, the IP generated over 1,860 rapid-fire parallel requests, attempting to probe and exploit known vulnerabilities.
Targeted paths identified in this campaign include:
- Critical Credential Leaks & Env Files: /.env, /backend/.env, /public/.env, /.aws/config, /.ssh/id_rsa, /.dockercfg
- Remote Code Execution (RCE): /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
- Framework probes: Next.js (/__nextjs_action, /_next/image), Laravel, GraphQL (/v4/playground, /graphql/console), Elasticsearch, Node.js (/var/task/package.json)
- CI/CD & Deploy configs: /.github/workflows/deploy.yml, /docker-compose.prod.yml
User-Agents utilized: "curl/8.7.1" and "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". All requests were successfully mitigated at the Edge (WAF Cloudflare)
show less
Cloudflare custom firewall blocked an aggressive automated vulnerability scan from 20.226.26.5 ; The ...
show moreCloudflare custom firewall blocked an aggressive automated vulnerability scan from 20.226.26.5 ; The host generated multiple rapid GET requests in a 4-second window, scanning the root directory for potential PHP backdoors, web shells, and malicious entry points (e.g., /wp-cliner.php, /wp-firewall.php, /666.php, /reyna.php, /ma1.php). All malicious requests were strictly blocked by the WAF.
Log Sample:
- 2026-07-13T13:10:07Z | GET /wp-cliner.php | Action: block
- 2026-07-13T13:10:07Z | GET /reyna.php | Action: block
- 2026-07-13T13:10:06Z | GET /w1px.php | Action: block
- 2026-07-13T13:10:04Z | GET /wp-firewall.php | Action: block
- 2026-07-13T13:10:03Z | GET /666.php | Action: block
show less
IP Blocked: 185.200.234.1; Incident Date - 2026-07-13; Blocked by: Cloudflare WAF - managed challeng ...
show moreIP Blocked: 185.200.234.1; Incident Date - 2026-07-13; Blocked by: Cloudflare WAF - managed challenge; UTC Time - 09:34:29; Access attempt to xml-rpc: POST "clientRequestPath": "/xmlrpc.php";
show less
IP Blocked: 45.251.75.102; 2027-07-09; UTC Time - 03:30:34; User Agent - Mozilla/5.0 (Windows NT 10. ...
show moreIP Blocked: 45.251.75.102; 2027-07-09; UTC Time - 03:30:34; User Agent - Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.43 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 OPR/121.0.0.0; Blocked by - Cloudflare WAF; unauthorized login attempt: URL path - POST /wp-login.php;
show less
IP Blocked: 2804:1dc8:cd05:af00:9da4:967c:71a0:96a8; Incident Date: 2026-07-07; UTC Time: 17:51:12; ...
show moreIP Blocked: 2804:1dc8:cd05:af00:9da4:967c:71a0:96a8; Incident Date: 2026-07-07; UTC Time: 17:51:12; Blocked by Cloudflare WAF; XML-RPC attack targeting brute-force: POST /xmlrpc.php;
show less
Incident Date: 2026-07-07; UTC Time: 23:32:54; Blocked by Cloudflare WAF; Unauthorized login attempt ...
show moreIncident Date: 2026-07-07; UTC Time: 23:32:54; Blocked by Cloudflare WAF; Unauthorized login attempt via POST method: POST /wp-login.php;
show less
Incident Date: 2026-07-06; UTC Time: 15:26:33; Blocked by Cloudflare WAF; Within a span of just one ...
show moreIncident Date: 2026-07-06; UTC Time: 15:26:33; Blocked by Cloudflare WAF; Within a span of just one second, the attacker executed rapid, automated directory discovery scans and "backdoor hunting" probes, searching for web shells, exploit traces, and sensitive paths.
Key indicators of malicious activity:
- Probing for generic web shells and backdoor scripts (/mini.php, /mah.php, /gg.php, /test1.php, /file56.php, /1.php).
- Attempting to fingerprint core libraries and potential attack vector files (/wp-includes/PHPMailer/, /wp-includes/SimplePie/about.php, /wp-configs.php).
- The host is currently flagged by Spamhaus as an active spam sender, indicating that these probes aim to compromise the server for use as a spam relay.
Log excerpt:
[2026-07-06 12:26:33/34 BRT] GET /mini.php
[2026-07-06 12:26:33/34 BRT] GET /mah.php
[2026-07-06 12:26:33/34 BRT] GET /wp-configs.php
[2026-07-06 12:26:33/34 BRT] GET /wp-includes/PHPMailer/
[2026-07-06 12:26:33/34 BRT] GET /wp-content/themes/alera/alpha.php
show less
Blocked IP: 52.231.68.76; Incident Date: 2026-07-03; UTC Time: 19:13:48; Number of blocked requests: ...
show moreBlocked IP: 52.231.68.76; Incident Date: 2026-07-03; UTC Time: 19:13:48; Number of blocked requests: 132; Blocked by: Cloudflare WAF; Attempt to locate/install PHP backdoors, search for known vulnerabilities, search for alternative authentication paths, and mass scanning; GET URL paths: /aa.php; /9.php; /send.php; /size.php; /gifclass.php; /file56.php; /php.php; /1.php; /222.php; /mini.php; /as.php; /about.php; /wp-content/uploads/wp-login.php; /wp-content/uploads/wp-login.php; /wp-content/plugins/WordPressCore/; /wp-content/plugins/core-plugin/include.php; /wp-content/admin.php;
show less
Incident date: 2026-07-03; UTC time: 11:55:30; Automated scanning attack blocked by Wordfence; GET U ...
show moreIncident date: 2026-07-03; UTC time: 11:55:30; Automated scanning attack blocked by Wordfence; GET URL paths: GET /wp-content/plugins/fix/up.php; /wp-plain.php; /wp-content/themes/seotheme/db.php?u ; /alfacgiapi/perl.alfa;
show less
IP found scanning for common vulnerabilities and known web shells / backdoors. Automated botnet acti ...
show moreIP found scanning for common vulnerabilities and known web shells / backdoors. Automated botnet activity detected (matching Andromeda/Gamarue behavior). Blocked 122 requests. Triggered WAF rules for unauthorized directory traversal and exploit attempts.
Targeted paths included:
- /lock360.php
- /wp-content/uploads/min.php
- /zoom1.php
- /wp-admin/classwithtostring.php
- /randkeyword.PhP7
- /sagax1.php
- /NewFile.php
- /abcd.php
- /admin/controller/extension/
- /xleet.php
- /96i.php
- /155.php
- /php8.php
IP heavily listed as an active malware-infected device (Andromeda C2 communication reported by abuse.ch). Permanently blocked at Cloudflare edge.
show less
Blocked IP: 2.58.56.23; Blocked by: Cloudflare WAF; Incident Date: 2026-07-01; UTC Time: 07:32:51; N ...
show moreBlocked IP: 2.58.56.23; Blocked by: Cloudflare WAF; Incident Date: 2026-07-01; UTC Time: 07:32:51; Number of blocked requests: 10; Bot-executed vulnerability scanning attack; URL paths: POST /wp-plain.php; POST /ALFA_DATA/alfacgiapi/perl.alfa; GET /wp-content/themes/seotheme/db.php?u; GET /; GET /wp-content/plugins/fix/up.php; POST /alfacgiapi/perl.alfa; GET /xpefoexv.php?Fox=d3wL7; GET /wp-content/themes/seotheme/db.php; POST /wp-plain.php; GET /ufyhyfpr.php?Fox=d3wL7;
show less
HackingBad Web BotWeb App Attack
By clicking โAccept allโ, you agree to the storing of cookies on your device to remember preferences and
analyze site usage.
Read more
- Required to log into your AbuseIPDB account, and store these cookie preferences.