Report - shell.prinsh.com/Nathan/marijuana.txt

Report Overview

Visited public
2024-10-11 10:26:31
Tags
Submit Tags
URL
shell.prinsh.com/Nathan/marijuana.txt
Finishing URL
shell.prinsh.com/Nathan/marijuana.txt
IP / ASN
172.67.135.60
#13335 CLOUDFLARENET
Title
shell.prinsh.com/Nathan/marijuana.txt

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
r10.o.lencr.org	unknown	2020-06-29	2024-06-06 21:45:11	2024-10-10 13:37:19	1.3 kB	3.6 kB	23.33.119.57
shell.prinsh.com	unknown	2021-02-18	2021-07-11 07:57:45	2024-03-26 00:39:57	938 B	16 kB	172.67.135.60
r11.o.lencr.org	unknown	2020-06-29	2024-06-07 07:43:57	2024-10-10 13:37:10	654 B	1.8 kB	23.33.119.57

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-10-11	medium	shell.prinsh.com/Nathan/marijuana.txt	php webshell having some kind of input and using a callback to execute the payload. restricted to small files or would give lots of false positives
2024-10-11	medium	shell.prinsh.com/Nathan/marijuana.txt	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

JavaScript (0)

HTTP Transactions (8)

URL IP Response Size

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
8d0c1ae5484a4448ab6dd48672401aca
a0604686c65b0ef3bbd3e3d7de3cacde802019eb
53c13aa9579590c5aa281e7d8203e3a16e7fc10f1ea6137dbca2724177e7dcba

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "53C13AA9579590C5AA281E7D8203E3A16E7FC10F1EA6137DBCA2724177E7DCBA"
Last-Modified: Thu, 10 Oct 2024 16:17:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=9425
Expires: Fri, 11 Oct 2024 13:03:11 GMT
Date: Fri, 11 Oct 2024 10:26:06 GMT
Connection: keep-alive

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
76d4815925a4b4cf3dbb800eaa4a7770
317eb0f0486d1a342b5141b3b2f9ef4309bbdeb7
3ab4458319db72633c073ecac5c8da5994f6fa797fd44bc6170fcd3400d5eeab

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "3AB4458319DB72633C073ECAC5C8DA5994F6FA797FD44BC6170FCD3400D5EEAB"
Last-Modified: Thu, 10 Oct 2024 16:16:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=7085
Expires: Fri, 11 Oct 2024 12:24:11 GMT
Date: Fri, 11 Oct 2024 10:26:06 GMT
Connection: keep-alive

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
4fc341baf18d0af4cd0a80be702333a3
fb736dc59047ff1913f784fa875cb7802046b133
b6312d866ed45266b465f79c3825413745fd03f86a0075406b439586d5ac2353

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "B6312D866ED45266B465F79C3825413745FD03F86A0075406B439586D5AC2353"
Last-Modified: Thu, 10 Oct 2024 16:15:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13711
Expires: Fri, 11 Oct 2024 14:14:37 GMT
Date: Fri, 11 Oct 2024 10:26:06 GMT
Connection: keep-alive

GET shell.prinsh.com/Nathan/marijuana.txt

172.67.135.60

200 OK

4.2 kB

URL User Request GET HTTP/2
shell.prinsh.com/Nathan/marijuana.txt
IP
172.67.135.60:443
ASN
#13335 CLOUDFLARENET

Certificate
IssuerGoogle Trust Services
Subjectprinsh.com
Fingerprint22:86:A5:AD:65:C0:51:3E:17:5F:43:AF:CD:0F:15:77:3B:85:A6:47
ValiditySun, 01 Sep 2024 23:04:55 GMT - Sat, 30 Nov 2024 23:04:54 GMT

File type
JavaScript source, ASCII text, with CRLF line terminators
Size
4.2 kB (4183 bytes)
Hash
95f745a5db131b1ca34e44848fd52edb
5fae94432540ade68eabce94140c9a5be153b3c8
0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	php webshell having some kind of input and using a callback to execute the payload. restricted to small files or would give lots of false positives
Public Nextron YARA rules	malware	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k

HTTP Headers

GET /Nathan/marijuana.txt HTTP/1.1
Host: shell.prinsh.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Fri, 11 Oct 2024 10:26:06 GMT
content-type: text/plain; charset=utf-8
content-length: 4183
last-modified: Mon, 16 May 2022 15:18:36 GMT
access-control-allow-origin: *
etag: W/"62826b4c-3aa2"
expires: Fri, 11 Oct 2024 10:36:06 GMT
cache-control: max-age=600
content-encoding: gzip
x-proxy-cache: MISS
x-github-request-id: F2AE:350288:1217349:1288DC3:6708FD3D
accept-ranges: bytes
via: 1.1 varnish
age: 0
x-served-by: cache-osl6542-OSL
x-cache: MISS
x-cache-hits: 0
x-timer: S1728642367.571161,VS0,VE125
vary: Accept-Encoding
x-fastly-request-id: 61bac92a6c3b8ccef7cd466519c326e14b3e2430
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1BUx7J%2F880xovGFfxrHGxgUyEBvwyUXZRZgn%2FXdlMnYbhjmRLg7uV%2FK1vQay3Ix2p3bImEIwOSPm%2BNiVMXa4fH%2BUguT5eZ7BBgVaWdn2hc0XfJZN6grGtPR4cn63NF4nspdw"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
author: Nathan Prinsley
x-powered-by: Prinsh.com
server: cloudflare
cf-ray: 8d0e2666fa0f56c7-OSL
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
79cc92870c237da0a800ef6a3c32181e
db1eafb8715ecab04572ae3a2509e1482604e857
678a9d9c7a94705e293236ab03c6db471fec41d7b2ee0dc2f2ae92a59c9b21f6

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "678A9D9C7A94705E293236AB03C6DB471FEC41D7B2EE0DC2F2AE92A59C9B21F6"
Last-Modified: Fri, 11 Oct 2024 01:38:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21253
Expires: Fri, 11 Oct 2024 16:20:20 GMT
Date: Fri, 11 Oct 2024 10:26:07 GMT
Connection: keep-alive

r11.o.lencr.org/

23.33.119.57

504 B

URL
r11.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
ccb7c0a230775ffeed6f8a2d5495f2f4
b64d41f2ff0740b511f8043dd7f00db3d937bdc8
c1086024116cc032f78be5a4521af542f33df4c8534249eaf15c5eeccf4ec5f7

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "C1086024116CC032F78BE5A4521AF542F33DF4C8534249EAF15C5EECCF4EC5F7"
Last-Modified: Wed, 09 Oct 2024 23:02:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=10966
Expires: Fri, 11 Oct 2024 13:28:54 GMT
Date: Fri, 11 Oct 2024 10:26:08 GMT
Connection: keep-alive

r11.o.lencr.org/

23.33.119.57

504 B

URL
r11.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
ccb7c0a230775ffeed6f8a2d5495f2f4
b64d41f2ff0740b511f8043dd7f00db3d937bdc8
c1086024116cc032f78be5a4521af542f33df4c8534249eaf15c5eeccf4ec5f7

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "C1086024116CC032F78BE5A4521AF542F33DF4C8534249EAF15C5EECCF4EC5F7"
Last-Modified: Wed, 09 Oct 2024 23:02:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=10966
Expires: Fri, 11 Oct 2024 13:28:54 GMT
Date: Fri, 11 Oct 2024 10:26:08 GMT
Connection: keep-alive

GET shell.prinsh.com/favicon.ico

172.67.135.60

404 Not Found

9.4 kB

URL GET HTTP/3
shell.prinsh.com/favicon.ico
IP
172.67.135.60:443
ASN
#13335 CLOUDFLARENET

Requested by
https://shell.prinsh.com/Nathan/marijuana.txt
Certificate
IssuerGoogle Trust Services
Subjectprinsh.com
Fingerprint22:86:A5:AD:65:C0:51:3E:17:5F:43:AF:CD:0F:15:77:3B:85:A6:47
ValiditySun, 01 Sep 2024 23:04:55 GMT - Sat, 30 Nov 2024 23:04:54 GMT

File type
HTML document, ASCII text, with very long lines (9520), with no line terminators
Size
9.4 kB (9379 bytes)
Hash
7d4a08d023766e058cf750d81c90eded
2627c31cc129380652f15dc035b38e098d67b443
e88ab256717967b6efb3117d47379214d8982e3e1d764ff9ed4baa7832c54993

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: shell.prinsh.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://shell.prinsh.com/Nathan/marijuana.txt
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache

HTTP/3 404 Not Found
date: Fri, 11 Oct 2024 10:26:07 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'
x-proxy-cache: MISS
x-github-request-id: 0ADD:37F890:121163F:12831E6:6708FD3F
via: 1.1 varnish
x-served-by: cache-fra-eddf8230085-FRA
x-cache: MISS
x-cache-hits: 0
x-timer: S1728642367.128628,VS0,VE112
vary: Accept-Encoding
x-fastly-request-id: 3b90010a4b638351770dd8dee55b6c97c9b127e0
cache-control: max-age=14400
cf-cache-status: MISS
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1JDSEp4n7BSrocKzaNMmrAiLfOGlf4jshEUyicjW%2BKICahIG9TPkLx%2Ff8CIwvTWWvuP8NfRlvH2aQWux%2Bb8q8vFGDIjEwvYqbVHZmdhfc756s6Q%2FtsmvYYIYbGn5%2B86woijZ"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
speculation-rules: "/cdn-cgi/speculation"
author: Nathan Prinsley
x-powered-by: Prinsh.com
server: cloudflare
cf-ray: 8d0e266a5ff2ca99-HAM
content-encoding: br
alt-svc: h3=":443"; ma=86400

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (0)

HTTP Transactions (8)

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL User Request GET HTTP/2

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL GET HTTP/3

IP

ASN

Requested by

Certificate

File type

Size

Hash

HTTP Headers