84.31.137.84 - - [21/May/2025:05:57:55 +0000] "GET /phpmyadmin1/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
This IP (84.31.137.84) is conducting a targeted scan for phpMyAdmin and MySQL admin interfaces across multiple common paths.
134.209.58.98 - - [17/May/2025:21:08:35 +0300] "GET /%67%61%74%65%77%61%79/%61%63%74%75%61%74%6f%72/%65%6e%76 HTTP/1.1" 404 682 "-" "Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
This IP (134.209.58.98) is conducting an aggressive automated attack targeting sensitive .env files using URL encoding, path traversal, and obfuscation techniques. All requests returned 404 (good), but this is a high-risk reconnaissance attempt for credential theft.
138.68.245.6 - - [18/May/2025:02:55:22 +0300] "GET /%67%61%74%65%77%61%79/%65%6e%76 HTTP/1.1" 404 682 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
This IP (138.68.245.6) is conducting an automated attack attempting to access sensitive .env files (containing credentials, API keys, and configurations) using URL-encoded paths and path traversal tricks.
38.22.104.231 - - [16/May/2025:05:09:32 +0000] "GET /local/.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
An automated attack from IP 38.22.104.231 attempting to steal sensitive .env files (which often contain database credentials, API keys, and other secrets) from multiple common web directories (/app/, /laravel/, /public/, /admin/, etc.).
45.121.218.43 - - [15/May/2025:18:10:28 +0000] "GET /administrator/phpMyAdmin/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
An automated scanning activity from IP 45.121.218.43, where an attacker probed for phpMyAdmin and other database admin interfaces (/phpmyadmin/, /mysql/admin/, etc.) within seconds, using a spoofed Chrome user agent.
89.116.220.31 - - [15/May/2025:21:57:01 +0300] "GET /mysql/admin/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
A targeted phpMyAdmin reconnaissance attack from IP 89.116.220.31, where the attacker systematically scanned for database administration interfaces across multiple paths within 5 seconds.
159.223.57.202 - - [15/May/2025:08:20:03 +0000] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 61016 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
A WordPress reconnaissance attack from IP 159.223.57.202, where the attacker systematically probed for WordPress installations across multiple directories within 2 seconds. The scan performed WordPress fingerprinting: it checked for wlwmanifest.xml (Windows Live Writer manifest file) and tested 10 different directory paths (/shop/, /wp1/, /2019/, etc.).
80.82.156.184 - - [14/May/2025:09:22:54 +0000] "GET /phpMyAdmin-5.2.1-all-languages/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
A systematic phpMyAdmin reconnaissance attack from IP 80.82.156.184, where the attacker scanned for database administration interfaces across multiple paths within 2 seconds. Targeted scanning: 11 different phpMyAdmin paths checked, version-specific probes (/phpMyAdmin-5.2.1/, /phpMyAdmin-latest/), and common alternative names (/MyAdmin/, /phppma/, ...).
188.166.216.140 - - [12/May/2025:23:55:38 +0000] "GET /.env.bak HTTP/1.1" 404 134 "-" "python-requests/2.32.3"
A credential harvesting attempt from IP 188.166.216.140, where the attacker attempted to access /.env.bak.
185.254.195.5 - - [13/May/2025:03:42:44 +0300] "GET /_controls/responsive/Telerik.Web.UI.DialogHandler.aspx HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
A targeted Telerik UI vulnerability scan from IP 185.254.195.5, where the attacker systematically probed for the vulnerable Telerik.Web.UI.DialogHandler.aspx component across multiple paths within 2 seconds.
66.228.53.37 - - [09/May/2025:13:17:07 +0000] "GET /?/../../../../../../../../../../etc/passwd HTTP/1.1" 200 409 "-" "Mozilla/5.0 (Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
A directory traversal attack from IP 66.228.53.37, where the attacker tried to exploit a path vulnerability to access the system's /etc/passwd file.
185.224.128.88 - - [02/May/2025:07:41:45 +0300] "GET / HTTP/1.1" 404 682 "-" "libwww-perl/6.78"
A probing attempt from IP 185.224.128.88 using the Perl LWP (libwww-perl) user agent.
85.26.186.179 - - [10/May/2025:10:45:30 +0300] "GET /1phpmyadmin/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
A targeted phpMyAdmin reconnaissance scan from IP 85.26.186.179, where the attacker systematically checked for database administration interfaces across multiple paths within 11 seconds.
36.92.88.90 - - [11/May/2025:18:45:13 +0300] "GET /db/webdb/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
A systematic phpMyAdmin reconnaissance attack from IP 36.92.88.90, where the attacker scanned for database management interfaces across multiple paths within 5 seconds.
109.121.136.24 - - [12/May/2025:06:08:26 +0300] "GET /MyAdmin/index.php?lang=en HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
A targeted phpMyAdmin reconnaissance scan from IP 109.121.136.24, where the attacker systematically checked for 11 different phpMyAdmin installation paths within 3 seconds.
157.245.109.127 - - [08/May/2025:11:16:07 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
A WordPress reconnaissance attack from IP 157.245.109.127, where the attacker systematically probed for WordPress installations across multiple directories (/test/, /shop/, /wordpress/, ...) within 2 seconds.
122.51.242.63 - - [08/May/2025:18:21:21 +0300] "HEAD /%E4%BC%A0%E5%A5%87%E7%A7%81%E6%9C%8D%E7%99%BB%E9%99%86%E5%99%A8.tar.gz HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
122.51.242.63 - - [08/May/2025:18:21:20 +0300] "HEAD /banben.tar.gz HTTP/1.1" 404 0 "-" "python-requests/2.31.0"
An automated backup file discovery scan from IP 122.51.242.63, where the attacker used Python's Requests library to systematically check for sensitive archive files (.tar.gz) via lightweight HEAD requests.
159.89.197.238 - - [08/May/2025:23:40:49 +0300] "GET /test/wp-includes/wlwmanifest.xml HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"
A WordPress reconnaissance attack from IP 159.89.197.238, where the attacker systematically probed for WordPress installations across dozens of different directories (/test/, /shop/, /wordpress/, ...) within 4 seconds.
91.107.166.37 - - [09/May/2025:00:12:11 +0300] "GET /_controls/responsive/Telerik.Web.UI.DialogHandler.aspx HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
A targeted Telerik UI exploit scan from IP 91.107.166.37, where the attacker systematically checked for dozens of different paths to Telerik.Web.UI.DialogHandler.aspx within 2 seconds - a known vulnerable component that could allow remote code execution (CVE-2017-11317, CVE-2017-11357) if unpatched.
159.253.120.209 - - [08/May/2025:04:01:47 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 162 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
A targeted attack attempt from IP 159.253.120.209, where the attacker specifically probed for a known phpMyAdmin vulnerability (CVE-2018-12613) by attempting to access /phpmyadmin/scripts/setup.php - a file that could allow remote code execution in vulnerable phpMyAdmin versions.
A brute-force attack was attempted from IP 88.214.50.14 using NTLM authentication. This attacker tried logging into the [REDACTED] server dozens of times with an invalid username, triggering multiple failed logins.
Brute-Force