Report - update.systimes.top/upload/x.sh

Report Overview

Visited public
2025-01-03 10:34:57
Tags
Submit Tags
URL
update.systimes.top/upload/x.sh
Finishing URL
154.31.227.42/5.html
IP / ASN
154.31.227.18
#140224 STARCLOUD GLOBAL PTE., LTD.
Title
502-回源请求被中断

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
libs.jshub.com	unknown	2008-08-17	2019-08-15	2024-12-31	1.4 kB	132 kB	206.238.215.9
update.systimes.top	unknown	2024-11-18	2025-01-03	2025-01-03	755 B	727 B	154.31.227.42
154.31.227.42	unknown	unknown	No data	No data	733 B	9.1 kB	154.31.227.42
154.31.227.132	unknown	unknown	No data	No data	271 B	8.8 kB	154.31.227.132
api.ipify.org	3267	2014-01-05	2014-10-06	2025-01-01	423 B	484 B	172.67.74.152

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2025-01-03 10:34:36	medium	Client IP	154.31.227.132	ET INFO HTTP Request to a *.top domain
2025-01-03 10:34:37	low	Client IP	172.67.74.152	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2025-01-03	medium	154.31.227.42	Sinkholed
2025-01-03	medium	154.31.227.132	Sinkholed
2025-01-03	medium	154.31.227.42	Sinkholed

ThreatFox

No alerts detected

JavaScript (1)

	URL	From	Size	First Seen	Last Seen
	154.31.227.42/5.html	ScriptElement	0 B	0001-01-01	2025-07-18
Pretty URL 154.31.227.42/5.html IP 154.31.227.42 ASN #140224 STARCLOUD GLOBAL PTE., LTD. Introduced by scriptElement Embedded in HTML true Observations First Seen0001-01-01 00:00 Last Seen2025-07-18 05:34 Times Seen5450498 Hash d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Loading...

HTTP Transactions (9)

URL IP Response Size

GET update.systimes.top/upload/x.sh

154.31.227.42

302 Moved Temporarily

142 B

URL User Request GET HTTP/1.1
update.systimes.top/upload/x.sh
IP
154.31.227.42:443
ASN
#140224 STARCLOUD GLOBAL PTE., LTD.

Certificate
IssuerLet's Encrypt
Subjectupdate.systimes.top
FingerprintD9:8E:88:46:CC:CC:71:E0:B7:12:8D:B9:83:B6:28:1D:B6:1A:25:21
ValidityWed, 25 Dec 2024 01:04:41 GMT - Tue, 25 Mar 2025 01:04:40 GMT

File type
HTML document, ASCII text, with CRLF line terminators
Size
142 B (142 bytes)
Hash
82c98e8e012b79c922655461171cc2fa
0828d79135573276005b04be42d79a8a3291292b
745173bcc5c57ce9751dd019606e877e0aae13b60372fdb090f3db0470c3a43c

HTTP Headers

GET /upload/x.sh HTTP/1.1
Host: update.systimes.top
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Fri, 03 Jan 2025 10:34:34 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Location: http://154.31.227.42/5.html
Via: cn2-100m-xy-11-14

GET 154.31.227.42/5.html

154.31.227.42

200 OK

8.6 kB

URL User Request GET HTTP/1.1
154.31.227.42/5.html
IP
154.31.227.42:80
ASN
#140224 STARCLOUD GLOBAL PTE., LTD.

File type
HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Size
8.6 kB (8573 bytes)
Hash
a7213700fc81857adadadaa7dee03a2d
604622e218a6aec5a573ca495d300754370d9808
771fac5bff046c37032175dd04e49212f458be78f8c93992bef781890b1a30a8

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /5.html HTTP/1.1
Host: 154.31.227.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 Jan 2025 10:34:35 GMT
Content-Type: text/html
Content-Length: 8573
Last-Modified: Thu, 02 Jan 2025 20:01:54 GMT
Connection: keep-alive
ETag: "6776f0b2-217d"
Accept-Ranges: bytes

update.systimes.top/

154.31.227.132

302 Moved Temporarily

142 B

URL
update.systimes.top/
IP
154.31.227.132:0
ASN
#140224 STARCLOUD GLOBAL PTE., LTD.

Certificate
IssuerLet's Encrypt
Subjectupdate.systimes.top
FingerprintD9:8E:88:46:CC:CC:71:E0:B7:12:8D:B9:83:B6:28:1D:B6:1A:25:21
ValidityWed, 25 Dec 2024 01:04:41 GMT - Tue, 25 Mar 2025 01:04:40 GMT

File type
HTML document, ASCII text, with CRLF line terminators
Size
142 B (142 bytes)
Hash
82c98e8e012b79c922655461171cc2fa
0828d79135573276005b04be42d79a8a3291292b
745173bcc5c57ce9751dd019606e877e0aae13b60372fdb090f3db0470c3a43c

Detections

NIDS	Severity	Alert
suricata	medium	ET INFO HTTP Request to a *.top domain

HTTP Headers

GET / HTTP/1.1
Host: update.systimes.top
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Fri, 03 Jan 2025 10:34:35 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Location: http://154.31.227.132/5.html
Via: cn2-100m-xy-11-14

154.31.227.132/5.html

154.31.227.132

200 OK

8.6 kB

URL
154.31.227.132/5.html
IP
154.31.227.132:0
ASN
#140224 STARCLOUD GLOBAL PTE., LTD.

File type
HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Size
8.6 kB (8573 bytes)
Hash
a7213700fc81857adadadaa7dee03a2d
604622e218a6aec5a573ca495d300754370d9808
771fac5bff046c37032175dd04e49212f458be78f8c93992bef781890b1a30a8

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /5.html HTTP/1.1
Host: 154.31.227.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: openresty
Date: Fri, 03 Jan 2025 10:34:36 GMT
Content-Type: text/html
Content-Length: 8573
Last-Modified: Thu, 02 Jan 2025 20:01:54 GMT
Connection: keep-alive
ETag: "6776f0b2-217d"
Accept-Ranges: bytes

GET api.ipify.org/?format=json

172.67.74.152

200 OK

21 B

URL GET HTTP/2
api.ipify.org/?format=json
IP
172.67.74.152:443
ASN
#13335 CLOUDFLARENET

Requested by
http://154.31.227.42/5.html
Certificate
IssuerGoogle Trust Services
Subjectipify.org
FingerprintD4:6A:1F:31:16:85:D7:9C:B8:93:15:4F:53:86:D8:A7:4D:15:F8:64
ValidityWed, 13 Nov 2024 05:59:28 GMT - Tue, 11 Feb 2025 05:59:27 GMT

File type
JSON text data
Size
21 B (21 bytes)
Hash
7d69c71af0f191e9a72db6153f8018d1
f67c5f2887bc05654b47f76e9621e53a4091aed1
5bac6e06cf0e1ad38c55f9f9d12122272bf4b8157877629fe68cd33fe2133c65

HTTP Headers

GET /?format=json HTTP/1.1
Host: api.ipify.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://154.31.227.42/
Origin: http://154.31.227.42
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Fri, 03 Jan 2025 10:34:37 GMT
content-type: application/json
content-length: 21
access-control-allow-origin: *
vary: Origin
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 8fc2565e99e9b529-OSL
server-timing: cfL4;desc="?proto=TCP&rtt=7582&min_rtt=1430&rtt_var=12278&sent=8&recv=11&lost=0&retrans=0&sent_bytes=3193&recv_bytes=1077&delivery_rate=2981468&cwnd=254&unsent_bytes=0&cid=793a6d2b5daf39aa&ts=138&x=0"
X-Firefox-Spdy: h2

GET 154.31.227.42/favicon.ico

154.31.227.42

404 Not Found

150 B

URL GET HTTP/1.1
154.31.227.42/favicon.ico
IP
154.31.227.42:80
ASN
#140224 STARCLOUD GLOBAL PTE., LTD.

Requested by
http://154.31.227.42/5.html

File type
HTML document, ASCII text, with CRLF line terminators
Size
150 B (150 bytes)
Hash
597ba0d4396e9c906225140ce907092c
28ae2ba65ccdb583d79f85b8cc9509fae697493b
ee1a27178227546d3dcc49e611a6d72e4f1c30080ee4493ae4085b58a49e28e6

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: 154.31.227.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://154.31.227.42/5.html
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: openresty
Date: Fri, 03 Jan 2025 10:34:37 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive

GET libs.jshub.com/font-awesome/5.10.0-12/webfonts/fa-solid-900.woff2

206.238.215.9

200 OK

75 kB

URL GET HTTP/2
libs.jshub.com/font-awesome/5.10.0-12/webfonts/fa-solid-900.woff2
IP
206.238.215.9:443
ASN
#0

Requested by
http://154.31.227.42/5.html
Certificate
IssuerLet's Encrypt
Subjectjshub.com
Fingerprint32:EB:8B:1A:98:99:D7:4D:9A:97:C2:73:A1:BB:25:7D:7F:A5:E5:5E
ValiditySat, 16 Nov 2024 02:49:01 GMT - Fri, 14 Feb 2025 02:49:00 GMT

File type
Web Open Font Format (Version 2), TrueType, length 75388, version 330.15728
Size
75 kB (75388 bytes)
Hash
8c4c207eb242cc9e1812d2b87671d720
94d5d0723d5407fa263d2c9d09a53b619c8fd239
f2949cd5ce820f0cef3fb73e4e500de19bf07d37ba16e3cdead66009758896a1

HTTP Headers

GET /font-awesome/5.10.0-12/webfonts/fa-solid-900.woff2 HTTP/1.1
Host: libs.jshub.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: http://154.31.227.42
DNT: 1
Connection: keep-alive
Referer: https://libs.jshub.com/
Sec-Fetch-Dest: font
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
server: NgxFence
date: Fri, 03 Jan 2025 10:34:37 GMT
content-type: application/octet-stream
content-length: 75388
last-modified: Sat, 08 May 2021 06:52:50 GMT
etag: "60963542-1267c"
expires: Mon, 18 Nov 2024 05:10:06 GMT
cache-control: max-age=604800
access-control-allow-origin: *
timing-allow-origin: *
x-cache: HIT
accept-ranges: bytes
X-Firefox-Spdy: h2

GET libs.jshub.com/font-awesome/5.10.0-12/css/fontawesome.min.css

206.238.215.9

200 OK

55 kB

URL GET HTTP/2
libs.jshub.com/font-awesome/5.10.0-12/css/fontawesome.min.css
IP
206.238.215.9:443
ASN
#0

Requested by
http://154.31.227.42/5.html
Certificate
IssuerLet's Encrypt
Subjectjshub.com
Fingerprint32:EB:8B:1A:98:99:D7:4D:9A:97:C2:73:A1:BB:25:7D:7F:A5:E5:5E
ValiditySat, 16 Nov 2024 02:49:01 GMT - Fri, 14 Feb 2025 02:49:00 GMT

File type
ASCII text, with very long lines (54863)
Size
55 kB (55052 bytes)
Hash
5c045b693ba1a430cf485edb1ed18001
d76ec28f4513960890693c7fb00dd753d4af48cd
30b1069dd2957763248b73c6f2bb82794e1b22a625cd4084537a41c70373042f

HTTP Headers

GET /font-awesome/5.10.0-12/css/fontawesome.min.css HTTP/1.1
Host: libs.jshub.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: http://154.31.227.42/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: NgxFence
date: Fri, 03 Jan 2025 10:34:36 GMT
content-type: text/css
last-modified: Sat, 08 May 2021 06:52:50 GMT
etag: W/"60963542-d70c"
expires: Mon, 18 Nov 2024 04:59:40 GMT
cache-control: max-age=604800
access-control-allow-origin: *
timing-allow-origin: *
x-cache: HIT
content-encoding: br
X-Firefox-Spdy: h2

GET libs.jshub.com/font-awesome/5.10.0-12/css/solid.min.css

206.238.215.9

200 OK

671 B

URL GET HTTP/2
libs.jshub.com/font-awesome/5.10.0-12/css/solid.min.css
IP
206.238.215.9:443
ASN
#0

Requested by
http://154.31.227.42/5.html
Certificate
IssuerLet's Encrypt
Subjectjshub.com
Fingerprint32:EB:8B:1A:98:99:D7:4D:9A:97:C2:73:A1:BB:25:7D:7F:A5:E5:5E
ValiditySat, 16 Nov 2024 02:49:01 GMT - Fri, 14 Feb 2025 02:49:00 GMT

File type
ASCII text, with very long lines (689), with no line terminators
Size
671 B (671 bytes)
Hash
8c61015bad8efc53e686b7836a359ddc
725319cd18a0ac061b6af880aed2d705921152d9
a281f967e4a9f7361ebe8dd09ef0ae530ccd5034ff64b21a510820775a6bed52

HTTP Headers

GET /font-awesome/5.10.0-12/css/solid.min.css HTTP/1.1
Host: libs.jshub.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: http://154.31.227.42/
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
server: NgxFence
date: Fri, 03 Jan 2025 10:34:36 GMT
content-type: text/css
last-modified: Sat, 08 May 2021 06:52:50 GMT
etag: W/"60963542-29f"
expires: Mon, 18 Nov 2024 05:09:19 GMT
cache-control: max-age=604800
access-control-allow-origin: *
timing-allow-origin: *
x-cache: HIT
content-encoding: br
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

Quad9 DNS

ThreatFox

JavaScript (1)

URL

IP

ASN

Introduced by

Embedded in HTML

Observations

Hash

HTTP Transactions (9)

URL User Request GET HTTP/1.1

IP

ASN

Certificate

File type

Size

Hash

HTTP Headers

URL User Request GET HTTP/1.1

IP

ASN

File type

Size

Hash

Detections

HTTP Headers

URL

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers

URL

IP

ASN

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/2

IP

ASN

Requested by

Certificate

File type

Size

Hash

HTTP Headers

URL GET HTTP/1.1

IP

ASN

Requested by

File type

Size

Hash

Detections

HTTP Headers

URL GET HTTP/2

IP

ASN

Requested by

Certificate

File type

Size

Hash

HTTP Headers