Bete - AbuseIPDB User Profile

User Bete joined AbuseIPDB in January 2025 and has reported 721 IP addresses.

Standing (weight) is good.

INACTIVE USER

IP	Date	Comment	Categories
84.31.137.84	21 May 2025	84.31.137.84 - - [21/May/2025:05:57:55 +0000] "GET /phpmyadmin1/index.php?lang=en HTTP/1.1" 404 196 ... show more84.31.137.84 - - [21/May/2025:05:57:55 +0000] "GET /phpmyadmin1/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" This IP (84.31.137.84) is conducting a targeted scan for phpMyAdmin and MySQL admin interfaces across multiple common paths. show less	Brute-Force Web App Attack
93.123.109.229	21 May 2025	93.123.109.229 - - [21/May/2025:01:32:42 +0300] "GET /.env.save HTTP/1.1" 404 682 "-" "l9explore/1.2 ... show more93.123.109.229 - - [21/May/2025:01:32:42 +0300] "GET /.env.save HTTP/1.1" 404 682 "-" "l9explore/1.2.2" 93.123.109.229 - - [21/May/2025:01:32:41 +0300] "GET /core/.git/config HTTP/1.1" 404 682 "-" "l9explore/1.2.2" This IP (93.123.109.229) is conducting an automated scan using l9explore/1.2.2 (a known security scanning tool) to hunt for: .env files (containing credentials, API keys, database passwords) and .git/config (exposed Git repositories can leak source code & secrets) show less	Brute-Force Web App Attack
134.209.58.98	19 May 2025	134.209.58.98 - - [17/May/2025:21:08:35 +0300] "GET /%67%61%74%65%77%61%79/%61%63%74%75%61%74%6f%72/ ... show more134.209.58.98 - - [17/May/2025:21:08:35 +0300] "GET /%67%61%74%65%77%61%79/%61%63%74%75%61%74%6f%72/%65%6e%76 HTTP/1.1" 404 682 "-" "Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" This IP (134.209.58.98) is conducting an aggressive automated attack targeting sensitive .env files using URL encoding, path traversal, and obfuscation techniques. All requests returned 404 (good), but this is a high-risk reconnaissance attempt for credential theft. show less	Brute-Force Web App Attack
138.68.245.6	19 May 2025	138.68.245.6 - - [18/May/2025:02:55:22 +0300] "GET /%67%61%74%65%77%61%79/%65%6e%76 HTTP/1.1" 404 68 ... show more138.68.245.6 - - [18/May/2025:02:55:22 +0300] "GET /%67%61%74%65%77%61%79/%65%6e%76 HTTP/1.1" 404 682 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" This IP (138.68.245.6) is conducting an automated attack attempting to access sensitive .env files (containing credentials, API keys, and configurations) using URL-encoded paths and path traversal tricks. show less	Brute-Force Web App Attack
38.22.104.231	16 May 2025	38.22.104.231 - - [16/May/2025:05:09:32 +0000] "GET /local/.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 ( ... show more38.22.104.231 - - [16/May/2025:05:09:32 +0000] "GET /local/.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" An automated attack from IP 38.22.104.231 attempting to steal sensitive .env** files (which often contain database credentials, API keys, and other secrets) from multiple common web directories (/app/, /laravel/, /public/, /admin/`, etc.) show less	Brute-Force Web App Attack
45.121.218.43	16 May 2025	45.121.218.43 - - [15/May/2025:18:10:28 +0000] "GET /administrator/phpMyAdmin/index.php?lang=en HTTP ... show more45.121.218.43 - - [15/May/2025:18:10:28 +0000] "GET /administrator/phpMyAdmin/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" An automated scanning activity from IP 45.121.218.43, where an attacker probed for phpMyAdmin and other database admin interfaces (/phpmyadmin/, /mysql/admin/, etc.) within seconds, using a spoofed Chrome user agent show less	Brute-Force Web App Attack
89.116.220.31	16 May 2025	89.116.220.31 - - [15/May/2025:21:57:01 +0300] "GET /mysql/admin/index.php?lang=en HTTP/1.1" 404 682 ... show more89.116.220.31 - - [15/May/2025:21:57:01 +0300] "GET /mysql/admin/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" A targeted phpMyAdmin reconnaissance attack from IP 89.116.220.31, where the attacker systematically scanned for database administration interfaces across multiple paths within 5 seconds show less	Brute-Force Web App Attack
159.223.57.202	15 May 2025	159.223.57.202 - - [15/May/2025:08:20:03 +0000] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1" 40 ... show more159.223.57.202 - - [15/May/2025:08:20:03 +0000] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 61016 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36" WordPress reconnaissance attack from IP 159.223.57.202, where the attacker systematically probed for WordPress installations across multiple directories within 2 seconds. The scan targeted a WordPress fingerprinting: checked for wlwmanifest.xml (Windows Live Writer manifest file), and tested 10 different directory paths (/shop/, /wp1/, /2019/, etc.) show less	Brute-Force Web App Attack
80.82.156.184	15 May 2025	80.82.156.184 - - [14/May/2025:09:22:54 +0000] "GET /phpMyAdmin-5.2.1-all-languages/index.php?lang=e ... show more80.82.156.184 - - [14/May/2025:09:22:54 +0000] "GET /phpMyAdmin-5.2.1-all-languages/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" systematic phpMyAdmin reconnaissance attack from IP 80.82.156.184, where the attacker scanned for database administration interfaces across multiple paths within 2 seconds. Targeted Scanning: 11 different phpMyAdmin paths checked, Version-specific probes (/phpMyAdmin-5.2.1/, /phpMyAdmin-latest/), and the common alternative names (/MyAdmin/, /phppma/,...) show less	Brute-Force Web App Attack
188.166.216.140	13 May 2025	188.166.216.140 - - [12/May/2025:23:55:38 +0000] "GET /.env.bak HTTP/1.1" 404 134 "-" "python-reques ... show more188.166.216.140 - - [12/May/2025:23:55:38 +0000] "GET /.env.bak HTTP/1.1" 404 134 "-" "python-requests/2.32.3" A credential harvesting attempt from IP 188.166.216.140, where the attacker targeted to access /.env.bak show less	Web App Attack
185.254.195.5	13 May 2025	185.254.195.5 - - [13/May/2025:03:42:44 +0300] "GET /_controls/responsive/Telerik.Web.UI.DialogHandl ... show more185.254.195.5 - - [13/May/2025:03:42:44 +0300] "GET /_controls/responsive/Telerik.Web.UI.DialogHandler.aspx HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" A targeted Telerik UI vulnerability scan from IP 185.254.195.5, where the attacker systematically probed for the vulnerable Telerik.Web.UI.DialogHandler.aspx component across multiple paths within 2 seconds show less	Brute-Force Web App Attack
54.91.200.16	12 May 2025	54.91.200.16 - - [09/May/2025:21:35:20 +0000] "GET /config.yaml HTTP/1.1" 404 12095 "-" "Mozilla/5.0 ... show more54.91.200.16 - - [09/May/2025:21:35:20 +0000] "GET /config.yaml HTTP/1.1" 404 12095 "-" "Mozilla/5.0" 54.91.200.16 - - [09/May/2025:21:35:13 +0000] "GET /config/settings.json HTTP/1.1" 404 33 "-" "Mozilla/5.0" A systematic credential harvesting attack from IP 54.91.200.16, where the attacker scanned for sensitive configuration files across multiple directories. show less	Brute-Force Web App Attack
66.228.53.37	12 May 2025	66.228.53.37 - - [09/May/2025:13:17:07 +0000] "GET /?/../../../../../../../../../../etc/passwd HTTP/ ... show more66.228.53.37 - - [09/May/2025:13:17:07 +0000] "GET /?/../../../../../../../../../../etc/passwd HTTP/1.1" 200 409 "-" "Mozilla/5.0 (Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" A directory traversal attack from IP 66.228.53.37, where the attacker tried to exploit a path vulnerability to access the system's /etc/passwd file. show less	Web App Attack
185.224.128.88	12 May 2025	185.224.128.88 - - [02/May/2025:07:41:45 +0300] "GET / HTTP/1.1" 404 682 "-" "libwww-perl/6.78"<br / ... show more185.224.128.88 - - [02/May/2025:07:41:45 +0300] "GET / HTTP/1.1" 404 682 "-" "libwww-perl/6.78" A probing attempt from IP 185.224.128.88 using the Perl LWP (libwww-perl) user agent. show less	Web App Attack
159.89.197.238	12 May 2025	159.89.197.238 - - [08/May/2025:23:40:49 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 ... show more159.89.197.238 - - [08/May/2025:23:40:49 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" This IP (159.89.197.238) conducted a systematic WordPress scan within 4 seconds, checking for: wlwmanifest.xml in 9 directories (testing /test/, /shop/, /wordpress/, etc.), license.txt in ID3 module and xmlrpc.php endpoint. show less	Brute-Force Web App Attack
85.26.186.179	12 May 2025	85.26.186.179 - - [10/May/2025:10:45:30 +0300] "GET /1phpmyadmin/index.php?lang=en HTTP/1.1" 404 682 ... show more85.26.186.179 - - [10/May/2025:10:45:30 +0300] "GET /1phpmyadmin/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" A targeted phpMyAdmin reconnaissance scan from IP 85.26.186.179, where the attacker systematically checked for database administration interfaces across multiple paths within 11 seconds. show less	Brute-Force Web App Attack
36.92.88.90	12 May 2025	36.92.88.90 - - [11/May/2025:18:45:13 +0300] "GET /db/webdb/index.php?lang=en HTTP/1.1" 404 682 "-" ... show more36.92.88.90 - - [11/May/2025:18:45:13 +0300] "GET /db/webdb/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" A systematic phpMyAdmin reconnaissance attack from IP 36.92.88.90, where the attacker scanned for database management interfaces across multiple paths within 5 seconds. show less	Brute-Force Web App Attack
109.121.136.24	12 May 2025	109.121.136.24 - - [12/May/2025:06:08:26 +0300] "GET /MyAdmin/index.php?lang=en HTTP/1.1" 404 682 "- ... show more109.121.136.24 - - [12/May/2025:06:08:26 +0300] "GET /MyAdmin/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" A targeted phpMyAdmin reconnaissance scan from IP 109.121.136.24, where the attacker systematically checked for 11 different phpMyAdmin installation paths within 3 seconds. show less	Brute-Force Web App Attack
13.231.153.70	09 May 2025	13.231.153.70 - - [09/May/2025:02:51:46 +0000] "GET /?cda'\x22</script><script>alert(document.d ... show more13.231.153.70 - - [09/May/2025:02:51:46 +0000] "GET /?cda'\x22</script><script>alert(document.domain)</script>&locale=locale=de-DE HTTP/1.1" 400 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0" 13.231.153.70 - - [09/May/2025:02:12:37 +0000] "GET /wp-content/plugins/chopslider/get_script/index.php?id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))A) HTTP/1.1" 302 113 "-" "Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" A distinct web application attacks from IP 13.231.153.70, demonstrating multiple exploitation attempts like XSS Injection, SQL Time-Based Blind Injection, and more show less	Brute-Force Web App Attack
157.245.109.127	09 May 2025	157.245.109.127 - - [08/May/2025:11:16:07 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 40 ... show more157.245.109.127 - - [08/May/2025:11:16:07 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" A WordPress reconnaissance attack from IP 157.245.109.127, where the attacker systematically probed for WordPress installations across multiple directories (/test/, /shop/, /wordpress/,..) within 2 seconds show less	Brute-Force Web App Attack
122.51.242.63	09 May 2025	122.51.242.63 - - [08/May/2025:18:21:21 +0300] "HEAD /%E4%BC%A0%E5%A5%87%E7%A7%81%E6%9C%8D%E7%99%BB% ... show more122.51.242.63 - - [08/May/2025:18:21:21 +0300] "HEAD /%E4%BC%A0%E5%A5%87%E7%A7%81%E6%9C%8D%E7%99%BB%E9%99%86%E5%99%A8.tar.gz HTTP/1.1" 404 0 "-" "python-requests/2.31.0" 122.51.242.63 - - [08/May/2025:18:21:20 +0300] "HEAD /banben.tar.gz HTTP/1.1" 404 0 "-" "python-requests/2.31.0" An automated backup file discovery scan from IP 122.51.242.63, where the attacker used Python's Requests library to systematically check for sensitive archive files (.tar.gz) via lightweight HEAD requests. show less	Brute-Force Web App Attack
159.89.197.238	09 May 2025	159.89.197.238 - - [08/May/2025:23:40:49 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 ... show more159.89.197.238 - - [08/May/2025:23:40:49 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" A WordPress reconnaissance attack from IP 159.89.197.238, where the attacker systematically probed for WordPress installations across dozens of different directories (/test/, /shop/, /wordpress/,...) within 4 seconds show less	Brute-Force Web App Attack
91.107.166.37	09 May 2025	91.107.166.37 - - [09/May/2025:00:12:11 +0300] "GET /_controls/responsive/Telerik.Web.UI.DialogHandl ... show more91.107.166.37 - - [09/May/2025:00:12:11 +0300] "GET /_controls/responsive/Telerik.Web.UI.DialogHandler.aspx HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" A targeted Telerik UI exploit scan from IP 91.107.166.37, where the attacker systematically checked for dozens of different paths to Telerik.Web.UI.DialogHandler.aspx within 2 seconds - a known vulnerable component that could allow remote code execution (CVE-2017-11317, CVE-2017-11357) if unpatched show less	Brute-Force Web App Attack
159.253.120.209	08 May 2025	159.253.120.209 - - [08/May/2025:04:01:47 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 16 ... show more159.253.120.209 - - [08/May/2025:04:01:47 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]" A targeted attack attempt from IP 159.253.120.209, where the attacker specifically probed for a known phpMyAdmin vulnerability (CVE-2018-12613) by attempting to access /phpmyadmin/scripts/setup.php - a file that could allow remote code execution in vulnerable phpMyAdmin versions. show less	Web App Attack
88.214.50.14	08 May 2025	A brute-force attack was attempted from IP 88.214.50.14 using NTLM authentication. This attacker tri ... show moreA brute-force attack was attempted from IP 88.214.50.14 using NTLM authentication. This attacker tried logging into [REDACTED] server dozens of times with an invalid username, triggering multiple failed logins show less	Brute-Force