Report - host1731685.hostland.pro/mail

Report Overview

Visited public
2024-08-17 22:41:29
Tags
URL
host1731685.hostland.pro/mail_server.txt
Finishing URL
host1731685.hostland.pro/mail_server.txt
IP / ASN
185.26.122.73
#62082 Hostland LTD
Title
host1731685.hostland.pro/mail_server.txt

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Sent	Received	IP
r11.o.lencr.org	unknown	1.3 kB	3.5 kB	23.36.76.226
r10.o.lencr.org	unknown	981 B	2.7 kB	23.36.76.226
host1731685.hostland.pro	unknown	784 B	23 kB	185.26.122.73

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	php webshell containing base64 encoded payload
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	Generic PHP webshell which uses any eval/exec function in the same line with user input
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	Webshell which sends eval/assert via GET
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	Web Shell - file r57142.php
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	Web Shell - file 404.php
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	Semi-Auto-generated - file wso.txt
2024-08-17	medium	host1731685.hostland.pro/mail_server.txt	Semi-Auto-generated - from files multiple_php_webshells

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (0)

HTTP Transactions (9)

URL IP Response Size

r11.o.lencr.org/

23.36.76.226

504 B

URL
r11.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
219f59137337a0ee601729cab5ec83f6
85f2e3496820405559fd526b44b9a915e0009a4f
f9701bf0083b06f4a573774d1a4dd491236216bc08f1006a94ce79144df70a21

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "F9701BF0083B06F4A573774D1A4DD491236216BC08F1006A94CE79144DF70A21"
Last-Modified: Sat, 17 Aug 2024 00:55:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=17431
Expires: Sun, 18 Aug 2024 03:31:27 GMT
Date: Sat, 17 Aug 2024 22:40:56 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.76.226

504 B

URL
r10.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
9fca859eba50e585d7c1550a61d33bc3
a33940f9c83807660f212e5ff511fe28e0413c0d
08afcf8f1ad63cfd72b781cf4c69900e3fd266ee46389de3918570cf5d682f30

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "08AFCF8F1AD63CFD72B781CF4C69900E3FD266EE46389DE3918570CF5D682F30"
Last-Modified: Fri, 16 Aug 2024 06:27:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=7600
Expires: Sun, 18 Aug 2024 00:47:36 GMT
Date: Sat, 17 Aug 2024 22:40:56 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.76.226

504 B

URL
r10.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
69a9603269726ce602d708bf57058c4c
8689e9ea81ea9636e7b08c3ed42650553a0c4e3b
1a2339d740b715f3df1900d80114c8376ead57205961a6f896edf37b3ee3a897

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "1A2339D740B715F3DF1900D80114C8376EAD57205961A6F896EDF37B3EE3A897"
Last-Modified: Sat, 17 Aug 2024 09:59:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=12797
Expires: Sun, 18 Aug 2024 02:14:13 GMT
Date: Sat, 17 Aug 2024 22:40:56 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.76.226

504 B

URL
r10.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
2ae189346fbf1c4db44f325fbc27cdd1
3bfaab5d83d905673ff9ca4dd91d7c2cb34ddb76
9d811dddbb6915131e8f2a84ab84709f47697ebdf51b0fe839150f95c924c0ae

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "9D811DDDBB6915131E8F2A84AB84709F47697EBDF51B0FE839150F95C924C0AE"
Last-Modified: Fri, 16 Aug 2024 06:57:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=7097
Expires: Sun, 18 Aug 2024 00:39:14 GMT
Date: Sat, 17 Aug 2024 22:40:57 GMT
Connection: keep-alive

host1731685.hostland.pro/mail_server.txt

185.26.122.73

200 OK

22 kB

URL User Request GET HTTP/1.1
host1731685.hostland.pro/mail_server.txt
IP
185.26.122.73:80
ASN
#62082 Hostland LTD

File type
PHP script, Unicode text, UTF-8 text, with very long lines (1240)
Size
22 kB (22008 bytes)
Hash
cddd2a3a93af83b3164c1cbf9e279bd3
6ee7518b88be62bd45a0e9c5a453b49cb55d17eb
5b16aaba4cd629f74eb5e7b9810fea2aa5b3e7fcea901fdd721d105817cce049

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings
Public Nextron YARA rules	malware	php webshell containing base64 encoded payload
Public Nextron YARA rules	malware	Generic PHP webshell which uses any eval/exec function in the same line with user input
Public Nextron YARA rules	malware	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
Public Nextron YARA rules	malware	Webshell which sends eval/assert via GET
Public Nextron YARA rules	malware	Web Shell - file r57142.php
Public Nextron YARA rules	malware	Web Shell - file 404.php
Public Nextron YARA rules	malware	Semi-Auto-generated - file wso.txt
Public Nextron YARA rules	malware	Semi-Auto-generated - from files multiple_php_webshells

HTTP Headers

GET /mail_server.txt HTTP/1.1
Host: host1731685.hostland.pro
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Aug 2024 22:40:57 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Wed, 30 Nov 2022 06:48:02 GMT
ETag: W/"12edf-5eeaa7c68d123"
Content-Encoding: gzip

host1731685.hostland.pro/favicon.ico

185.26.122.73

404 Not Found

196 B

URL GET HTTP/1.1
host1731685.hostland.pro/favicon.ico
IP
185.26.122.73:80
ASN
#62082 Hostland LTD

Requested by
http://host1731685.hostland.pro/mail_server.txt

File type
HTML document, ASCII text
Size
196 B (196 bytes)
Hash
62962daa1b19bbcc2db10b7bfd531ea6
d64bae91091eda6a7532ebec06aa70893b79e1f8
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: host1731685.hostland.pro
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://host1731685.hostland.pro/mail_server.txt
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 17 Aug 2024 22:40:57 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 196
Connection: keep-alive

r11.o.lencr.org/

23.36.76.226

504 B

URL
r11.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
3c14cfb85dc9ceb923d7d3c3648719d2
10ea83f83398870f50ca771216ad77bd95aa66cc
bc868b2a34fe0c66d7a2dc1754676cc4031891c797fdd23e82d135559bd82c1b

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "BC868B2A34FE0C66D7A2DC1754676CC4031891C797FDD23E82D135559BD82C1B"
Last-Modified: Thu, 15 Aug 2024 09:16:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=6577
Expires: Sun, 18 Aug 2024 00:30:36 GMT
Date: Sat, 17 Aug 2024 22:40:59 GMT
Connection: keep-alive

r11.o.lencr.org/

23.36.76.226

504 B

URL
r11.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
3c14cfb85dc9ceb923d7d3c3648719d2
10ea83f83398870f50ca771216ad77bd95aa66cc
bc868b2a34fe0c66d7a2dc1754676cc4031891c797fdd23e82d135559bd82c1b

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "BC868B2A34FE0C66D7A2DC1754676CC4031891C797FDD23E82D135559BD82C1B"
Last-Modified: Thu, 15 Aug 2024 09:16:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=6577
Expires: Sun, 18 Aug 2024 00:30:36 GMT
Date: Sat, 17 Aug 2024 22:40:59 GMT
Connection: keep-alive

r11.o.lencr.org/

23.36.76.226

504 B

URL
r11.o.lencr.org/
IP
23.36.76.226:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
3c14cfb85dc9ceb923d7d3c3648719d2
10ea83f83398870f50ca771216ad77bd95aa66cc
bc868b2a34fe0c66d7a2dc1754676cc4031891c797fdd23e82d135559bd82c1b

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "BC868B2A34FE0C66D7A2DC1754676CC4031891C797FDD23E82D135559BD82C1B"
Last-Modified: Thu, 15 Aug 2024 09:16:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=6577
Expires: Sun, 18 Aug 2024 00:30:36 GMT
Date: Sat, 17 Aug 2024 22:40:59 GMT
Connection: keep-alive

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (0)

HTTP Transactions (9)

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL User Request GET HTTP/1.1

IP

ASN

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/1.1

IP

ASN

Requested by

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers