Open maxdd opened 6 months ago
I had a rule somewhere to grab these; I'll have a look to see if I can find it and whether it is still doing the job.
ty for the feedback! Let me add more
159.223.225.251 - - [15/Apr/2024:01:51:54 +0000] "\x16\x03\x01\x00u\x01\x00\x00q\x03\x03\x13\x9F\xDE\xCB\x9E\x8D\x9B\x02\xCD=I$\x18\x07\x06G\x821\xFFkz\x8EO\xFE?!\xF9$\xF8\x9F\x22R\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
45.33.80.243 - - [15/Apr/2024:02:23:24 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\xF6\xFE\xBD\x1C\xD1\xA9\xB5\x86;|\x13,\x89\xFE\xCC\x14 \x99\x04Mi\xDE\xA31\xEF\x11PT\xD9G\x1F\x1B\x00\x00 \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:15 +0000] "\x16\x03\x01\x01\x17\x01\x00\x01\x13\x03\x031cj,\x85@e\xD4\x9E\xDCBA\x0B\x22e\xF0\xD6\xE7q\xFFI\x9E\xFF\xE5\xB2\xB5\xAEA\xFFTfg \x5C\xFFd\xCD\xD8\xA3\xB8\xF4\xB6x\xA1\xCF\xE2\xDD\xD7I\xB5s\x01.\xB5\xE4!'\xCF%j\xAF\xC3I<M\x004\xCC\xA8\xCC\xA9\xC0/\xC00\xC0+\xC0,\xC0\x09\x00\x9E\xCC\xA8\xCC\xAA\x003\x00=\x00\x16\xC0" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x00\x00\x00\xC7\x00\x00\x00\xC3{\x22code\x22:105,\x22extFields\x22:{\x22Signature\x22:\x22/u5P/wZUbhjanu4LM/UzEdo2u2I=\x22,\x22topic\x22:\x22TBW102\x22,\x22AccessKey\x22:\x22rocketmq2\x22},\x22flag\x22:0,\x22language\x22:\x22JAVA\x22,\x22opaque\x22:1,\x22serializeTypeCurrentRPC\x22:\x22JSON\x22,\x22version\x22:401}" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:37 +0000] "\x03\x00\x003.\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administrator" 400 154 "-" "-"
45.79.168.172 - - [15/Apr/2024:15:16:12 +0000] "\x00\x00\x00'\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00" 400 154 "-" "-"
Hopefully it is not Pegasus :D The first 3 are TLS handshakes (xz backdoor :D ?), the others are RDP vulnerability scans and a Samba login attempt. I'm still looking into this so I might be wrong.
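To make the hex-escaped entries above readable, here is an added Python example (my own, not part of this issue and not the blocker's own rule logic). It parses nginx's combined log format, reverses the `\xHH` escaping nginx applies to non-printable bytes in `$request`, and labels each payload by its leading bytes: a TLS record of type 0x16 carrying a ClientHello, a TPKT/X.224 connection request (the first thing an RDP client sends, including the `mstshash` cookie), a NetBIOS-framed SMB1 negotiate, and a length-prefixed JSON frame matching the layout of Apache RocketMQ's remoting protocol. The sample lines are the seven posted above, verbatim; the protocol labels and the field names in the result dicts are my own choices. The RDP line with the cookie is logged as 41 bytes although its TPKT length field says 51, which is consistent with nginx stopping at the first CRLF of the request line.

```python
"""Decode nginx-escaped non-HTTP request lines and label the protocol by magic bytes.

Added example, not the project's code. The sample lines are the ones posted in
this issue; the parser, the classifier and the result field names are assumptions.
"""
import json
import re

# The seven log lines posted in the issue (page data, not constructed).
SAMPLE_LOG = r'''
159.223.225.251 - - [15/Apr/2024:01:51:54 +0000] "\x16\x03\x01\x00u\x01\x00\x00q\x03\x03\x13\x9F\xDE\xCB\x9E\x8D\x9B\x02\xCD=I$\x18\x07\x06G\x821\xFFkz\x8EO\xFE?!\xF9$\xF8\x9F\x22R\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
45.33.80.243 - - [15/Apr/2024:02:23:24 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\xF6\xFE\xBD\x1C\xD1\xA9\xB5\x86;|\x13,\x89\xFE\xCC\x14 \x99\x04Mi\xDE\xA31\xEF\x11PT\xD9G\x1F\x1B\x00\x00 \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:15 +0000] "\x16\x03\x01\x01\x17\x01\x00\x01\x13\x03\x031cj,\x85@e\xD4\x9E\xDCBA\x0B\x22e\xF0\xD6\xE7q\xFFI\x9E\xFF\xE5\xB2\xB5\xAEA\xFFTfg \x5C\xFFd\xCD\xD8\xA3\xB8\xF4\xB6x\xA1\xCF\xE2\xDD\xD7I\xB5s\x01.\xB5\xE4!'\xCF%j\xAF\xC3I<M\x004\xCC\xA8\xCC\xA9\xC0/\xC00\xC0+\xC0,\xC0\x09\x00\x9E\xCC\xA8\xCC\xAA\x003\x00=\x00\x16\xC0" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x00\x00\x00\xC7\x00\x00\x00\xC3{\x22code\x22:105,\x22extFields\x22:{\x22Signature\x22:\x22/u5P/wZUbhjanu4LM/UzEdo2u2I=\x22,\x22topic\x22:\x22TBW102\x22,\x22AccessKey\x22:\x22rocketmq2\x22},\x22flag\x22:0,\x22language\x22:\x22JAVA\x22,\x22opaque\x22:1,\x22serializeTypeCurrentRPC\x22:\x22JSON\x22,\x22version\x22:401}" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:37 +0000] "\x03\x00\x003.\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administrator" 400 154 "-" "-"
45.79.168.172 - - [15/Apr/2024:15:16:12 +0000] "\x00\x00\x00'\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00" 400 154 "-" "-"
'''

# nginx combined format. $request is quoted; nginx has already escaped any '"'
# or '\' inside it as \x22 / \x5C, so the field never contains a raw quote.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ESCAPE_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})')


def unescape_request(field: str) -> bytes:
    """Reverse nginx's \\xHH escaping; every other character is a literal byte."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), field.encode('latin-1'))


def classify(payload: bytes) -> dict:
    """Describe what the raw request bytes look like, judged by their leading bytes."""
    if len(payload) > 10 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        # TLS record: content type 0x16 (handshake), record version 3.x, 2-byte
        # record length, then handshake type 0x01 (ClientHello) and the client version.
        return {'proto': 'tls-client-hello',
                'record_len': int.from_bytes(payload[3:5], 'big'),
                'client_version': (payload[9], payload[10])}
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        # TPKT header (03 00 + 2-byte length) carrying an X.224 Connection Request
        # (0xE0): the opening message of an RDP connection, optionally with a cookie.
        info = {'proto': 'rdp-x224-connection-request',
                'tpkt_len': int.from_bytes(payload[2:4], 'big'),
                'bytes_seen': len(payload)}
        m = re.search(rb'mstshash=([^\r\n\x00]*)', payload)
        if m:
            info['mstshash'] = m.group(1).decode('latin-1')
        return info
    if payload[4:8] == b'\xffSMB':
        # 4-byte NetBIOS session header, then the SMB1 header; byte 8 is the command
        # (0x72 = SMB_COM_NEGOTIATE). Dialect strings are 0x02-prefixed, NUL-terminated.
        return {'proto': 'smb1',
                'command': payload[8] if len(payload) > 8 else None,
                'dialects': [d.decode('ascii') for d in re.findall(rb'\x02([ -~]+)\x00', payload)]}
    if len(payload) > 8 and payload[8:9] == b'{':
        # 4-byte total length, 4-byte header length (top byte = serializer id), then
        # a JSON header: the frame layout of Apache RocketMQ's remoting protocol.
        header_len = int.from_bytes(payload[4:8], 'big') & 0x00FFFFFF
        try:
            header = json.loads(payload[8:8 + header_len])
        except ValueError:
            return {'proto': 'unknown-length-prefixed-json'}
        return {'proto': 'rocketmq-remoting', 'code': header.get('code'),
                'access_key': header.get('extFields', {}).get('AccessKey')}
    return {'proto': 'unknown'}


def triage(log_text: str) -> list:
    """Parse each access-log line, decode its request bytes and classify them."""
    results = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        entry = {'ip': m.group('ip'), 'status': int(m.group('status'))}
        entry.update(classify(unescape_request(m.group('request'))))
        results.append(entry)
    return results


if __name__ == '__main__':
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Running the script prints one dict per line. The practical takeaway for a bot-blocker rule set is that these requests carry no User-Agent and no HTTP structure at all (nginx answers 400 before any location block is consulted), so the useful signal for detection is the source IP together with the decoded protocol label, not a User-Agent or referrer pattern.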
Paste the full Domain name / Referrer String here
Is this for Addition / Removal?
Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)
Additional information
Today I've received these two requests and I'm wondering what exactly that hex payload is. A rapid search of those two IPs shows some spamming/attacking activities.