{"report_id":"323e86c2-2b3a-4686-ba39-995c050eda55","version":6,"status":"done","tags":["zimbra","phishing"],"date":"2025-08-30T17:27:47Z","url":{"schema":"http","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":0,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"final":{"url":{"schema":"https","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"title":"Zimbra Web Client Sign In"},"submit":{"url":{"schema":"http","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":0,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-04T17:27:47Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":2,"analyzer":1}},"detection":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]},"summary":[{"fqdn":"129.159.110.135","ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":18,"request_count":9,"received_data":257623,"sent_data":4346,"comment":"","tags":null,"fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"Zimbra","description":"","website":"https://www.zimbra.com/","common_platform_enumeration":"cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*","icon":"Zimbra.png","categories":["Webmail"]},{"name":"Java","description":"Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible.","website":"https://java.com","common_platform_enumeration":"cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*","icon":"Java.svg","categories":["Programming languages"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"introduction_type":"eventHandler","is_inline":false,"md5":"8330d67045d053b17fa969ef2bdb5e54","sha1":"041174325b27a7b4d2d1b1a0e353fa82d1cb6431","sha256":"ceecf99c8bd1f6e5f89a26d3b40e009d48860d674231297254ff75d817b9a883","sha512":"74d90352264865f9903b3845c8d7c001ae7efeee02016907f39d1726f12a1f33903ebeeed1d3643de50ff4919cd819a4e419a918b584a3950f2a4ff9ca7bb1f3","ssdeep":"","tlshash":"e7500000030030c00300000c3000000c000000c30003c000000000003c300000030030","size":9,"data":"","first_seen":"2023-04-11T04:37:13Z","last_seen":"2026-05-05T10:18:56.123396Z","times_seen":3786,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"introduction_type":"scriptElement","is_inline":true,"md5":"2bf757b5a31ba05d4de39cd7292849ad","sha1":"e6424cce6daf2ce359f022e87a2e0edbe0f42411","sha256":"bf8c3dc243533ba967c459aea46873e0d1c6ece9e2a23d1c85f3c628cf15e81c","sha512":"ab7e3ee3988c1061886c446a1691a7b20f1d271d6376818767c9a8b073b755776c4525dcacf44e7143246109651c3c67acea481674d716111b53a5c42af2a18e","ssdeep":"384:RxUT4OJYXhl2Ei0m5HDpupShi4i2iZi5iFieigiMiniHiNJci8ii:RxUT4OJ6tc/oVHgA0v9BiCNJRxi","tlshash":"3a7287ba35ea14510aa770bc89df111834b098171009df047dfc91a87f75e7a16a7bfe","size":16516,"data":"","first_seen":"2025-08-21T19:34:43.109741Z","last_seen":"2025-11-09T15:34:56.229016Z","times_seen":4,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-08-30T17:27:24.320Z","timestamp":0,"http_version":"","security_state":"broken","security_info":null,"request":{"raw":"GET / HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-05T16:09:50.836081Z","times_seen":14695563,"resource_available":true,"data":null}},"time_used":195,"timings":{"blocked":0,"dns":0,"connect":93,"send":0,"wait":0,"receive":0,"ssl":100},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"http","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":80,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-08-30T17:27:24.532Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET / HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:24 GMT\r\nContent-Type: text/html\r\nContent-Length: 138\r\nConnection: keep-alive\r\nLocation: https://129.159.110.135/\r\n\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Moved Temporarily","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-05T16:09:50.836081Z","times_seen":14695563,"resource_available":true,"data":null}},"time_used":288,"timings":{"blocked":91,"dns":0,"connect":92,"send":0,"wait":104,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/img/new-back-ground-image.png","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://129.159.110.135/","date":"2025-08-30T17:27:26.648Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.av-mx.com","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 23 Jun 2025 13:14:55 GMT","end":"Sun, 21 Sep 2025 13:14:54 GMT"},"fingerprint":{"sha1":"F0:85:18:50:29:13:D3:0A:F9:BF:3D:40:E8:9C:AB:0C:8B:5F:EA:D6","sha256":"CD:07:53:D1:F5:C1:F6:7E:1F:8B:51:91:64:29:3C:B8:64:30:61:CE:CD:3C:AC:6E:42:13:08:FB:C0:7A:5B:2A"}}},"request":{"raw":"GET /img/new-back-ground-image.png HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=79d9f3ee-c7a4-4b67-ac31-0f255a269499\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:26 GMT\r\nContent-Type: image/png\r\nContent-Length: 141674\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Mon, 29 Sep 2025 18:27:26 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Tue, 01 Jul 2025 07:40:50 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":141674,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 1440 x 1024, 8-bit colormap, non-interlaced","md5":"5a09af857512a874f5e2a6e01b80742b","sha1":"8c87bcfd42ee8fab57f08c3664abd1424e608b6a","sha256":"18b729cd6f3dd2b5657c1680e1388b825dc2c2d1e732e03478006714ac7ebc2d","sha512":"0f5a6c382957c3ee0078db97ae58f109e3ecc04d31609cd6047b4904b220bd45ff055e4a6abb058a6e0c760c4a4beba7f114a6d86b5179fccdcd5d334e835a1f","ssdeep":"3072:Xp4eV0s/ltkbEd0U+sl5mk0Xy0X+9uZPkB584B5DMs:Xd/ltka0LXmQw58EDL","tlshash":"00d3122e58f35215dce8e8bc3cbeb8fb295e23b44474dbfa5258c2050e99a36c4d8d11","first_seen":"2023-05-12T19:43:56Z","last_seen":"2026-05-03T14:30:14.919554Z","times_seen":843,"resource_available":false,"data":null}},"time_used":376,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":95,"receive":281,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/skins/_base/logos/LoginBanner.png?v=250701080115","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://129.159.110.135/","date":"2025-08-30T17:27:26.652Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.av-mx.com","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 23 Jun 2025 13:14:55 GMT","end":"Sun, 21 Sep 2025 13:14:54 GMT"},"fingerprint":{"sha1":"F0:85:18:50:29:13:D3:0A:F9:BF:3D:40:E8:9C:AB:0C:8B:5F:EA:D6","sha256":"CD:07:53:D1:F5:C1:F6:7E:1F:8B:51:91:64:29:3C:B8:64:30:61:CE:CD:3C:AC:6E:42:13:08:FB:C0:7A:5B:2A"}}},"request":{"raw":"GET /skins/_base/logos/LoginBanner.png?v=250701080115 HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=79d9f3ee-c7a4-4b67-ac31-0f255a269499\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:26 GMT\r\nContent-Type: image/png\r\nContent-Length: 17558\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Mon, 29 Sep 2025 18:27:26 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Tue, 01 Jul 2025 07:40:50 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":17558,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 646 x 159, 8-bit/color RGBA, non-interlaced","md5":"2ae279fe9cf9754c36ae09a0e0ffefdb","sha1":"c2cc3a3c4f3a655178d31c9050dca9dfc362b9b8","sha256":"cd9f7ba4d4b05e9fa1bbf57d12b039f7d1e61328bb1d76d3deef4c216e5ec0c5","sha512":"13f20eef6be4fc8d1be0224776f0a95534a4283be22e8f888e1e660f3a563b4901db6710d4f4adfcd471f81a8832a216e0faed32dd05b6331666f49fcf93c737","ssdeep":"384:4wx0CAoDq5dgoZzPdgaWYVQtSl5Zq+eYFQxnhLduXRfFvlSahwLXF24Do:Fx0C7q5xjdgiVQtSPpeoblTcXMAo","tlshash":"9f72c074e34bea46a33a633d36b146403e52c12e524309de41c71a743f2951fe99e27e","first_seen":"2023-05-15T04:08:15Z","last_seen":"2026-05-02T08:46:44.45956Z","times_seen":534,"resource_available":false,"data":null}},"time_used":593,"timings":{"blocked":198,"dns":0,"connect":93,"send":0,"wait":103,"receive":93,"ssl":103},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/img/logo/favicon.ico","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://129.159.110.135/","date":"2025-08-30T17:27:27.051Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.av-mx.com","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 23 Jun 2025 13:14:55 GMT","end":"Sun, 21 Sep 2025 13:14:54 GMT"},"fingerprint":{"sha1":"F0:85:18:50:29:13:D3:0A:F9:BF:3D:40:E8:9C:AB:0C:8B:5F:EA:D6","sha256":"CD:07:53:D1:F5:C1:F6:7E:1F:8B:51:91:64:29:3C:B8:64:30:61:CE:CD:3C:AC:6E:42:13:08:FB:C0:7A:5B:2A"}}},"request":{"raw":"GET /img/logo/favicon.ico HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=79d9f3ee-c7a4-4b67-ac31-0f255a269499\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:27 GMT\r\nContent-Type: image/x-icon\r\nContent-Length: 1150\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Mon, 29 Sep 2025 18:27:27 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Tue, 01 Jul 2025 07:40:50 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":1150,"size_decoded":0,"mime_type":"image/x-icon","magic":"MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel","md5":"8c7d1c14e4b9c42f07bd6b800d93b806","sha1":"87e49826ffb3bc1ddac38feebb6bb98eaef568b2","sha256":"1afd891aacc433e75265e3ddc9cb4fc63b88259977811384426c535037711637","sha512":"cd34625876aaf6e8e3cb6da2a9277bab3375cb3515bc701d3a3a05796557c39e442f33c66ae056501c49a810b172a7f6f9c7a32f0b4000ce8472d14ba3e4f41b","ssdeep":"","tlshash":"902152fe66839d2de04c1a7fca7a8a3716cbcd4694e431120b79b209de33c9410e943c","first_seen":"2023-05-02T08:50:11Z","last_seen":"2026-05-04T18:03:55.031689Z","times_seen":3189,"resource_available":false,"data":null}},"time_used":104,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":103,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-08-30T17:27:24.734Z","timestamp":0,"http_version":"","security_state":"broken","security_info":null,"request":{"raw":"GET / HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-05T16:09:50.836081Z","times_seen":14695563,"resource_available":true,"data":null}},"time_used":196,"timings":{"blocked":0,"dns":0,"connect":94,"send":0,"wait":0,"receive":0,"ssl":100},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-08-30T17:27:26.021Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.av-mx.com","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 23 Jun 2025 13:14:55 GMT","end":"Sun, 21 Sep 2025 13:14:54 GMT"},"fingerprint":{"sha1":"F0:85:18:50:29:13:D3:0A:F9:BF:3D:40:E8:9C:AB:0C:8B:5F:EA:D6","sha256":"CD:07:53:D1:F5:C1:F6:7E:1F:8B:51:91:64:29:3C:B8:64:30:61:CE:CD:3C:AC:6E:42:13:08:FB:C0:7A:5B:2A"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:26 GMT\r\nContent-Type: text/html;charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: -1\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nPragma: no-cache\r\nContent-Language: en-US\r\nSet-Cookie: ZM_TEST=true\nZM_LOGIN_CSRF=79d9f3ee-c7a4-4b67-ac31-0f255a269499; HttpOnly\r\nX-UA-Compatible: IE=edge\r\nVary: User-Agent, Accept-Encoding\r\nContent-Encoding: gzip\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"Zimbra","description":"","website":"https://www.zimbra.com/","common_platform_enumeration":"cpe:2.3:a:zimbra:zimbra:*:*:*:*:*:*:*:*","icon":"Zimbra.png","categories":["Webmail"]},{"name":"Java","description":"Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible.","website":"https://java.com","common_platform_enumeration":"cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*","icon":"Java.svg","categories":["Programming languages"]}],"data":{"size":23281,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text, with very long lines (631)","md5":"aa1fd0f1eb1abf64fedbd1691d3b6f9f","sha1":"ed44ee4543e4e92985e9b3649ad80740f411de55","sha256":"dfbf133013e1e1616ef00752385097a6b96e356fc125fcb8fca411eb111b67d8","sha512":"c52e2998c4800bd3f04281efe6e8e5850eb565015128cacf778a4fc7cd54a091fafad53165450abf039ddcbe7d8502fc5adcc9b4563c4577bedbe27fa6591e5e","ssdeep":"384:KUTkwmMO7YhkxUT4OJYXhl2Ei0m5HDpupShi4i2iZi5iFieigiMiniHiNJci8ir:RTm7YhkxUT4OJ6tc/oVHgA0v9BiCNJR1","tlshash":"88a2e86625e518610aa370bc59cf111934b4dc270009ce087dfc92ac3fb6e7a56a7bfe","first_seen":"2025-08-30T17:27:51.240621Z","last_seen":"2025-08-30T17:27:51.240621Z","times_seen":1,"resource_available":false,"data":null}},"time_used":510,"timings":{"blocked":193,"dns":0,"connect":93,"send":0,"wait":123,"receive":1,"ssl":98},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/css/common,login,zhtml,skin.css?skin=harmony\u0026v=250701080115","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"stylesheet","requested_by":"https://129.159.110.135/","date":"2025-08-30T17:27:26.439Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.av-mx.com","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 23 Jun 2025 13:14:55 GMT","end":"Sun, 21 Sep 2025 13:14:54 GMT"},"fingerprint":{"sha1":"F0:85:18:50:29:13:D3:0A:F9:BF:3D:40:E8:9C:AB:0C:8B:5F:EA:D6","sha256":"CD:07:53:D1:F5:C1:F6:7E:1F:8B:51:91:64:29:3C:B8:64:30:61:CE:CD:3C:AC:6E:42:13:08:FB:C0:7A:5B:2A"}}},"request":{"raw":"GET /css/common,login,zhtml,skin.css?skin=harmony\u0026v=250701080115 HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=79d9f3ee-c7a4-4b67-ac31-0f255a269499\r\nSec-Fetch-Dest: style\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:26 GMT\r\nContent-Type: text/css\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Mon, 29 Sep 2025 18:27:26 GMT\r\nCache-Control: public, max-age=2595600\r\nVary: User-Agent, Accept-Encoding\r\nContent-Encoding: gzip\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":65814,"size_decoded":0,"mime_type":"text/css","magic":"ASCII text, with very long lines (751)","md5":"85e669fea23872cc180c93656c66e6c1","sha1":"54511d1b212fa013c72a766324bc40a4a75aece7","sha256":"4a30d694850d81e0553a39772d0871f40fdb1199074b05867f52be1832387f7a","sha512":"2b91822a6c1ad8366efd019c7fa0697dc84630de6023a092bda954c06c0b142eb4fe7941201a36dfc98c69d034056af79abce70e5fdec8e4203b8e939254dcae","ssdeep":"384:twGDVYTNgzXv1ZQeZmluez98yseDrx+QMc4rp9VPCErf+TRmyiFEu+jF9a/C/WY1:tFfv1Zuuw954LmaEu+0C/mDU/twc/","tlshash":"4f53d831f342201eb02bc46ee453fad8692a9153c9675f79f937b479eac60dd1a23306","first_seen":"2025-07-29T07:10:10.413771Z","last_seen":"2025-11-09T15:34:56.227653Z","times_seen":17,"resource_available":false,"data":null}},"time_used":192,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":191,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"129.159.110.135/img/questionMark.png","fqdn":"129.159.110.135","domain":"129.159.110.135","tld":""},"ip":{"addr":"129.159.110.135","port":443,"asn":31898,"as":"ORACLE-BMC-31898","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://129.159.110.135/","date":"2025-08-30T17:27:26.655Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.av-mx.com","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 23 Jun 2025 13:14:55 GMT","end":"Sun, 21 Sep 2025 13:14:54 GMT"},"fingerprint":{"sha1":"F0:85:18:50:29:13:D3:0A:F9:BF:3D:40:E8:9C:AB:0C:8B:5F:EA:D6","sha256":"CD:07:53:D1:F5:C1:F6:7E:1F:8B:51:91:64:29:3C:B8:64:30:61:CE:CD:3C:AC:6E:42:13:08:FB:C0:7A:5B:2A"}}},"request":{"raw":"GET /img/questionMark.png HTTP/1.1\r\nHost: 129.159.110.135\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: ZM_TEST=true; ZM_LOGIN_CSRF=79d9f3ee-c7a4-4b67-ac31-0f255a269499\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sat, 30 Aug 2025 17:27:26 GMT\r\nContent-Type: image/png\r\nContent-Length: 5359\r\nConnection: keep-alive\r\nX-Content-Type-Options: nosniff\r\nX-Robots-Tag: noindex\r\nReferrer-Policy: no-referrer\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Mon, 29 Sep 2025 18:27:26 GMT\r\nCache-Control: public, max-age=2595600\r\nLast-Modified: Tue, 01 Jul 2025 07:40:50 GMT\r\nAccept-Ranges: bytes\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Nginx","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]}],"data":{"size":5359,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 225 x 225, 8-bit/color RGBA, non-interlaced","md5":"5d496d46fe9801cf0e92af8337b3b6af","sha1":"6f9e34028d56b0229759aad8dab4f0c30be30a7e","sha256":"395b89ffffb5b6ea44d2933531396f8d2ae8ff84bae554a1c245d0777af59034","sha512":"1a0c2ff7c5a88ae03d8df8d31473144e969f007ecf4cea45af065770ec3279fb72d3ceb2b28d684becffb65bc60f9681f7c65e503279d8ed4a5aa44132ba9ba0","ssdeep":"96:iDA+MJVudjvxHeroWIEqS9gLNUMvCIRubbiCIdhDdUrEGZ1AkNnlakE:izBjYrdILS0NVtBU11AkrvE","tlshash":"72b18ed0dae8ef886981a95adb2f14e0cb05b15f52fe3cd90b370a0d154f584c53a1be","first_seen":"2023-05-12T15:26:00Z","last_seen":"2026-05-03T14:30:14.912771Z","times_seen":755,"resource_available":false,"data":null}},"time_used":494,"timings":{"blocked":196,"dns":0,"connect":96,"send":0,"wait":99,"receive":1,"ssl":99},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"DNS","title":"Quad9 DNS","description":"Quad9 DNS","scan_date":"2025-08-30","alert":"Sinkholed","trigger":"129.159.110.135","verdict":"malicious","severity":"medium","comment":"Sinkholed in DNS","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - Zimbra Web Client","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with Zimbra phishing","tags":["zimbra","phishing"],"meta":null}]}}]}