LORG Detection Results [lorg]

Summary: 5 incidents discovered from 2 clients

185.7.214.218 | 3 incidents | impact ∑: 39

attacks only

Description: A random scan from France yesterday. A total of 3 incidents where discovered by phpids detection modules. The incident happened during unusual working hours in France, so it might be carried out by a hobbyist on caffeine.

152.89.196.211 | 2 incidents | impact ∑: 24

attacks only

Description: A random scan and targeted scan yesterday. A total of 2 incidents where discovered by phpids detection modules.

Impact	Tags	Remote-City	Remote-Host	Remote-Logname	Remote-User	Date	Request	Final-Status	Bytes-Sent	Referer	User-Agent
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 02:17:33 +0100	POST /cgi-bin/../../../../bin/sh HTTP/1.1	400	5978	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:22:52 +0100	POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:22:52 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:34:33 +0100	GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:34:33 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:45:42 +0100	GET /solr/admin/info/system?wt=json HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:45:42 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:46:10 +0100	GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1	302	658	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 07:46:11 +0100	\x16\x03\x01	400	-	-	-
12	xss csrf id rfe lfi	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:03:02 +0100	GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1	302	542	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:03:02 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:32:23 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:32:23 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:35:22 +0100	GET /console/ HTTP/1.1	302	438	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:35:23 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:47:27 +0100	POST /Autodiscover/Autodiscover.xml HTTP/1.1	302	480	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:47:27 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:53:49 +0100	GET /_ignition/execute-solution HTTP/1.1	302	474	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 08:53:49 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 09:02:41 +0100	GET / HTTP/1.1	302	422	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 09:02:41 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 09:26:40 +0100	GET / HTTP/1.1	302	422	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 09:26:40 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 09:28:07 +0100	GET /actuator/gateway/routes HTTP/1.1	302	468	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 09:28:07 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 11:22:22 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	6770	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 12:34:26 +0100	GET / HTTP/1.1	302	6770	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 12:34:26 +0100	GET /?rt=Login/Index HTTP/1.1	200	8462	https://91.223.222.18:443	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 13:41:52 +0100	GET / HTTP/1.1	302	6770	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 13:41:52 +0100	GET /?rt=Login/Index HTTP/1.1	200	8462	https://91.223.222.18:443/	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 14:47:46 +0100	GET /actuator/gateway/routes HTTP/1.1	404	5946	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:15:41 +0100	POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:15:42 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:28:09 +0100	GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:28:09 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:36:50 +0100	GET /solr/admin/info/system?wt=json HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:36:50 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:47:48 +0100	GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1	302	658	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:47:48 +0100	\x16\x03\x01	400	-	-	-
12	xss csrf id rfe lfi	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:55:29 +0100	GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1	302	542	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 18:55:29 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:07:25 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:07:25 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:33:30 +0100	GET /console/ HTTP/1.1	302	438	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:33:30 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:41:50 +0100	POST /Autodiscover/Autodiscover.xml HTTP/1.1	302	480	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:41:50 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:49:00 +0100	GET /_ignition/execute-solution HTTP/1.1	302	474	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:49:00 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:56:23 +0100	GET / HTTP/1.1	302	422	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 19:56:23 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 20:13:15 +0100	GET / HTTP/1.1	302	422	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 20:13:15 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 20:20:10 +0100	GET /actuator/gateway/routes HTTP/1.1	302	468	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Sat, 19 Nov 2022 20:20:10 +0100	\x16\x03\x01	400	-	-	-