{"report_id":"ac12b2c8-1598-433e-a6a5-e7af9e888d5e","version":6,"status":"done","tags":[],"date":"2025-10-11T15:13:32Z","url":{"schema":"http","addr":"www.gitlabip.xyz/Alvin9999/PAC/refs/heads/master/backup/img/1/2/ipp/naiveproxy/1/config.json","fqdn":"www.gitlabip.xyz","domain":"gitlabip.xyz","tld":"xyz"},"ip":{"addr":"62.204.54.193","port":0,"asn":201106,"as":"Spartan Host Ltd","country":"United States","country_code":"US"},"final":{"url":{"schema":"https","addr":"www.gitlabip.xyz/Alvin9999/PAC/refs/heads/master/backup/img/1/2/ipp/naiveproxy/1/config.json","fqdn":"www.gitlabip.xyz","domain":"gitlabip.xyz","tld":"xyz"},"title":"gitlabip.xyz/Alvin9999/PAC/refs/heads/master/backup/img/1/2/ipp/naiveproxy/1/config.json"},"submit":{"url":{"schema":"http","addr":"www.gitlabip.xyz/Alvin9999/PAC/refs/heads/master/backup/img/1/2/ipp/naiveproxy/1/config.json","fqdn":"www.gitlabip.xyz","domain":"gitlabip.xyz","tld":"xyz"},"ip":{"addr":"62.204.54.193","port":0,"asn":201106,"as":"Spartan Host Ltd","country":"United States","country_code":"US"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-11-15T15:13:32Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":1,"urlquery":0,"analyzer":0}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-11T15:13:11Z","timestamp":1760195591,"ip_dst":{"addr":"172.18.0.2","port":45578,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"62.204.54.193","port":443,"asn":201106,"as":"Spartan Host Ltd","country":"United States","country_code":"US"},"severity":"medium","alert":"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)","source":"{\"timestamp\":\"2025-10-11T15:13:11.117024+0000\",\"flow_id\":1095175657421269,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"62.204.54.193\",\"src_port\":443,\"dest_ip\":\"172.18.0.2\",\"dest_port\":45578,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2025194,\"rev\":3,\"signature\":\"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2018_01_09\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Minor\"],\"updated_at\":[\"2020_09_16\"]}},\"tls\":{\"subject\":\"CN=xyt2.cfcdn3.xyz\",\"issuerdn\":\"C=US, O=Let's Encrypt, CN=E6\",\"serial\":\"06:F4:48:C3:CB:7A:C1:1D:72:6A:E4:EC:53:2C:A9:16:62:C1\",\"fingerprint\":\"4a:f4:bb:c7:70:d3:f7:02:d4:4d:15:97:15:ed:7f:ae:e5:65:c2:7a\",\"sni\":\"www.gitlabip.xyz\",\"version\":\"TLS 1.2\",\"notbefore\":\"2025-07-28T16:21:16\",\"notafter\":\"2025-10-26T16:21:15\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"fe0146829eef1917ba6c2dd4f5c08905\",\"string\":\"771,49196,65281-0-11-16-23\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":1143,\"bytes_toclient\":2716,\"start\":\"2025-10-11T15:13:10.653781+0000\"}}"}],"analyzer":null,"urlquery":null},"summary":[{"fqdn":"www.gitlabip.xyz","ip":{"addr":"62.204.54.193","port":443,"asn":201106,"as":"Spartan Host Ltd","country":"United States","country_code":"US"},"domain_registered":"2023-05-09","domain_rank":0,"first_seen":"2023-05-31T04:20:37Z","last_seen":"2024-02-26T02:40:02Z","alert_count":0,"request_count":1,"received_data":1032,"sent_data":560,"comment":"","tags":null,"fingerprints":[{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]},{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]},{"name":"Nginx:1.18.0","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"GitHub Pages","description":"GitHub Pages is a static site hosting service.","website":"https://pages.github.com/","common_platform_enumeration":"","icon":"GitHub.svg","categories":["PaaS"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-11T15:13:11Z","timestamp":1760195591,"ip_dst":{"addr":"172.18.0.2","port":45578,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"62.204.54.193","port":443,"asn":201106,"as":"Spartan Host Ltd","country":"United States","country_code":"US"},"severity":"medium","alert":"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)","source":"{\"timestamp\":\"2025-10-11T15:13:11.117024+0000\",\"flow_id\":1095175657421269,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"62.204.54.193\",\"src_port\":443,\"dest_ip\":\"172.18.0.2\",\"dest_port\":45578,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2025194,\"rev\":3,\"signature\":\"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"Medium\"],\"created_at\":[\"2018_01_09\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Minor\"],\"updated_at\":[\"2020_09_16\"]}},\"tls\":{\"subject\":\"CN=xyt2.cfcdn3.xyz\",\"issuerdn\":\"C=US, O=Let's Encrypt, CN=E6\",\"serial\":\"06:F4:48:C3:CB:7A:C1:1D:72:6A:E4:EC:53:2C:A9:16:62:C1\",\"fingerprint\":\"4a:f4:bb:c7:70:d3:f7:02:d4:4d:15:97:15:ed:7f:ae:e5:65:c2:7a\",\"sni\":\"www.gitlabip.xyz\",\"version\":\"TLS 1.2\",\"notbefore\":\"2025-07-28T16:21:16\",\"notafter\":\"2025-10-26T16:21:15\",\"ja3\":{\"hash\":\"0faf2a91198d40dbd58b9308f3fca2fd\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-65037,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"fe0146829eef1917ba6c2dd4f5c08905\",\"string\":\"771,49196,65281-0-11-16-23\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":1143,\"bytes_toclient\":2716,\"start\":\"2025-10-11T15:13:10.653781+0000\"}}"}]}],"analyzer":null,"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"www.gitlabip.xyz/Alvin9999/PAC/refs/heads/master/backup/img/1/2/ipp/naiveproxy/1/config.json","fqdn":"www.gitlabip.xyz","domain":"gitlabip.xyz","tld":"xyz"},"ip":{"addr":"62.204.54.193","port":443,"asn":201106,"as":"Spartan Host Ltd","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-10-11T15:13:10.611Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.2","cert":{"subject":{"commonName":"xyt2.cfcdn3.xyz","organization":""},"issuer":{"commonName":"E6","organization":"Let's Encrypt"},"validity":{"start":"Mon, 28 Jul 2025 16:21:16 GMT","end":"Sun, 26 Oct 2025 16:21:15 GMT"},"fingerprint":{"sha1":"4A:F4:BB:C7:70:D3:F7:02:D4:4D:15:97:15:ED:7F:AE:E5:65:C2:7A","sha256":"5A:95:7C:BE:44:D1:62:A4:16:62:52:6B:8A:31:D9:5C:97:E3:A8:F4:26:97:BD:BD:BF:8C:86:0C:EC:68:C1:E3"}}},"request":{"raw":"GET /Alvin9999/PAC/refs/heads/master/backup/img/1/2/ipp/naiveproxy/1/config.json HTTP/1.1\r\nHost: www.gitlabip.xyz\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nDate: Sat, 11 Oct 2025 15:12:45 GMT\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Length: 115\r\nConnection: keep-alive\r\nCache-Control: max-age=300\r\nContent-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox\r\nETag: \"558f0624119aeaf8c5494c8e9a3795400477a51b2486d7d6b108b7339cdbe16c\"\r\nStrict-Transport-Security: max-age=31536000\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: deny\r\nX-XSS-Protection: 1; mode=block\r\nX-GitHub-Request-Id: C55A:385023:8E054:AE78D:68E6BFD2\r\nAccept-Ranges: bytes\r\nVia: 1.1 varnish\r\nX-Served-By: cache-bfi-krnt7300099-BFI\r\nX-Cache: HIT\r\nX-Cache-Hits: 1\r\nX-Timer: S1760195591.199024,VS0,VE1\r\nVary: Authorization,Accept-Encoding\r\nAccess-Control-Allow-Origin: *\r\nCross-Origin-Resource-Policy: cross-origin\r\nX-Fastly-Request-ID: f49d14ecbd3012e26e737aa5b8456ad8e629cff4\r\nExpires: Sat, 11 Oct 2025 15:18:11 GMT\r\nSource-Age: 241\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Fastly","description":"Fastly is a cloud computing services provider. Fastly's cloud platform provides a content delivery network, Internet security services, load balancing, and video \u0026 streaming services.","website":"https://www.fastly.com","common_platform_enumeration":"","icon":"Fastly.svg","categories":["CDN"]},{"name":"Varnish","description":"Varnish is a reverse caching proxy.","website":"https://www.varnish-cache.org","common_platform_enumeration":"cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*","icon":"Varnish.svg","categories":["Caching"]},{"name":"Nginx:1.18.0","description":"Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.","website":"https://nginx.org/en","common_platform_enumeration":"cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*","icon":"Nginx.svg","categories":["Web servers","Reverse proxies"]},{"name":"GitHub Pages","description":"GitHub Pages is a static site hosting service.","website":"https://pages.github.com/","common_platform_enumeration":"","icon":"GitHub.svg","categories":["PaaS"]},{"name":"HSTS","description":"HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.","website":"https://www.rfc-editor.org/rfc/rfc6797#section-6.1","common_platform_enumeration":"","icon":"","categories":["Security"]}],"data":{"size":115,"size_decoded":0,"mime_type":"text/plain; charset=utf-8","magic":"JSON text data","md5":"160c03b61479efbd864f67beb02041f9","sha1":"2eb073cb52259418d3cb14bd8978babd6c35fb81","sha256":"afdcd824b850b3c102c44dd900e61b2e4dc095e1db0cc0aeebbf501955945a6f","sha512":"ea8625c8b6f1b3998527b82169e5fe96536c584c9785124f153de7e79ade75bd88c7fbcd01315ae287c685d4eb54f6688a64949afb3910fb57c882580045814f","ssdeep":"","tlshash":"c7b0126244b80c5203fee290001837d3da03fc087c8ce6a6624376085d1287f433fadb","first_seen":"2025-10-11T15:13:35.389297Z","last_seen":"2025-10-11T15:13:35.389297Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1170,"timings":{"blocked":506,"dns":42,"connect":152,"send":0,"wait":158,"receive":0,"ssl":308},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}