{"report_id":"daaac401-3032-42f9-b572-4812c46a426d","version":6,"status":"done","tags":["usps","logistics","phishing","dyndns"],"date":"2023-09-16T05:19:06Z","url":{"schema":"http","addr":"usps-usa.duckdns.org/c146b89dd55f1d398da2966de1a44c2b/?token=37e01b135dee858b9ccf0f288d285afebb23da3bd39166cdb6ef6af33ccac024890d7e566c68aa83e41e5b87dd1ac22a986344055a7cd0f2357638a97ab3f5d8","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"final":{"url":{"schema":"https","addr":"usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"title":"USPS - Offer"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-28T07:17:30Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"usps-usa.duckdns.org","ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"domain_registered":"2013-04-12","domain_rank":0,"first_seen":"2023-09-16 04:04:23","last_seen":"2023-09-16 04:04:23","alert_count":87,"request_count":22,"received_data":47291,"sent_data":10909,"comment":"","tags":null,"fingerprints":null},{"fqdn":"maps.googleapis.com","ip":{"addr":"216.58.211.10","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"domain_registered":"2005-01-25","domain_rank":33876,"first_seen":"2019-10-17 17:56:16","last_seen":"2023-09-15 21:01:49","alert_count":0,"request_count":2,"received_data":84214,"sent_data":892,"comment":"","tags":null,"fingerprints":null},{"fqdn":"devilsms.live","ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"domain_registered":"2021-09-16","domain_rank":0,"first_seen":"2022-06-09 23:23:15","last_seen":"2023-08-23 20:36:16","alert_count":8,"request_count":8,"received_data":40913,"sent_data":4066,"comment":"","tags":null,"fingerprints":null},{"fqdn":"www.siteground.com","ip":{"addr":"34.149.40.93","port":0,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"domain_registered":"2004-03-22","domain_rank":291195,"first_seen":"2017-01-30 08:53:08","last_seen":"2023-09-03 10:20:17","alert_count":0,"request_count":1,"received_data":986,"sent_data":351,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:48Z","timestamp":1694841528,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":45133,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:48.867582+0000\",\"flow_id\":1377676169854206,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":45133,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":19569,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"A\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:48.867582+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:48Z","timestamp":1694841528,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39777,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:48.867745+0000\",\"flow_id\":1358112593821089,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":39777,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":54884,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:48.867745+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:48Z","timestamp":1694841528,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":45133,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:48.867582+0000\",\"flow_id\":1377676169854206,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":45133,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":19569,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"A\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:48.867582+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:48Z","timestamp":1694841528,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39777,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:48.867745+0000\",\"flow_id\":1358112593821089,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":39777,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":54884,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:48.867745+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:48Z","timestamp":1694841528,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":36226,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:48.881346+0000\",\"flow_id\":411843251696322,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":36226,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":34305,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:48.881346+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:48Z","timestamp":1694841528,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":36226,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:48.881346+0000\",\"flow_id\":411843251696322,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":36226,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":34305,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:48.881346+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:49Z","timestamp":1694841529,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":40315,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:49.389451+0000\",\"flow_id\":739935803535691,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":40315,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":43346,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:49.389451+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:49Z","timestamp":1694841529,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":40315,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:49.389451+0000\",\"flow_id\":739935803535691,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":40315,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":43346,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:49.389451+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:51Z","timestamp":1694841531,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51161,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:51.868898+0000\",\"flow_id\":1099845473092130,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51161,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":13991,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:51.868898+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:51Z","timestamp":1694841531,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51161,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:51.868898+0000\",\"flow_id\":1099845473092130,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51161,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":13991,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:51.868898+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:52Z","timestamp":1694841532,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":57594,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:52.373632+0000\",\"flow_id\":540282101478272,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":57594,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":12550,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:52.373632+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:52Z","timestamp":1694841532,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":57594,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:52.373632+0000\",\"flow_id\":540282101478272,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":57594,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":12550,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:52.373632+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:52Z","timestamp":1694841532,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51533,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:52.545199+0000\",\"flow_id\":349576963576239,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51533,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":8684,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:52.545199+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:52Z","timestamp":1694841532,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51533,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:52.545199+0000\",\"flow_id\":349576963576239,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51533,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":8684,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:52.545199+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.522167+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":547,\"bytes_toclient\":770,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":36000,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.526126+0000\",\"flow_id\":697943908484910,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":36000,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":35246,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:53.526126+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":36000,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.526126+0000\",\"flow_id\":697943908484910,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":36000,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":35246,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:53.526126+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51629,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.695303+0000\",\"flow_id\":549411054525447,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51629,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":41577,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:53.695303+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51629,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.695303+0000\",\"flow_id\":549411054525447,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51629,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":41577,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:53.695303+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.695210+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":1564,\"bytes_toclient\":1722,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.864649+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":7,\"pkts_toclient\":7,\"bytes_toserver\":1914,\"bytes_toclient\":2241,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":52697,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.864817+0000\",\"flow_id\":952412130849329,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":52697,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":55609,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:53.864817+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":52697,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.864817+0000\",\"flow_id\":952412130849329,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":52697,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":55609,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:53.864817+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:18:54.029974+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":7,\"pkts_toclient\":8,\"bytes_toserver\":1914,\"bytes_toclient\":2307,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":42883,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:54.508510+0000\",\"flow_id\":1558958149911134,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":42883,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":55583,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:54.508510+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":42883,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:54.508510+0000\",\"flow_id\":1558958149911134,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":42883,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":55583,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:54.508510+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":43450,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:54.509953+0000\",\"flow_id\":600613507221505,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43450,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":44038,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:54.509953+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":43450,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:54.509953+0000\",\"flow_id\":600613507221505,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43450,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":44038,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:54.509953+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39524,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:54.513249+0000\",\"flow_id\":2101401781982433,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":39524,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":43497,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:54.513249+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":39524,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:54.513249+0000\",\"flow_id\":2101401781982433,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":39524,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":43497,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:54.513249+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":53960,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.354634+0000\",\"flow_id\":1633641188780362,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":53960,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":58527,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:55.354634+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":53960,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.354634+0000\",\"flow_id\":1633641188780362,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":53960,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":58527,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:55.354634+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.360857+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":9,\"bytes_toserver\":2422,\"bytes_toclient\":2936,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":35930,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.533063+0000\",\"flow_id\":2201483109933639,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":35930,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":927,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:55.533063+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.532935+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":9,\"pkts_toclient\":11,\"bytes_toserver\":2931,\"bytes_toclient\":3888,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":35930,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.533063+0000\",\"flow_id\":2201483109933639,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":35930,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":927,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:55.533063+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":33253,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.704488+0000\",\"flow_id\":590597643550696,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":33253,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":39194,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:55.704488+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.704481+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":10,\"pkts_toclient\":12,\"bytes_toserver\":3281,\"bytes_toclient\":4341,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":33253,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.704488+0000\",\"flow_id\":590597643550696,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":33253,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":39194,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:55.704488+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:18:55.911623+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":10,\"pkts_toclient\":13,\"bytes_toserver\":3281,\"bytes_toclient\":4407,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:56Z","timestamp":1694841536,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":50400,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:56.017369+0000\",\"flow_id\":111208426390489,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":50400,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":37873,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:56.017369+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:56Z","timestamp":1694841536,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":50400,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:56.017369+0000\",\"flow_id\":111208426390489,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":50400,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":37873,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:56.017369+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":55684,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.170698+0000\",\"flow_id\":1639450132191946,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":55684,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":56933,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:57.170698+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":55684,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.170698+0000\",\"flow_id\":1639450132191946,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":55684,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":56933,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:57.170698+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.171171+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":11,\"pkts_toclient\":14,\"bytes_toserver\":3789,\"bytes_toclient\":5036,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":59848,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.342464+0000\",\"flow_id\":595962057800128,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":59848,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":50630,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:57.342464+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":59848,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.342464+0000\",\"flow_id\":595962057800128,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":59848,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":50630,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:57.342464+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.342549+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":16,\"bytes_toserver\":4298,\"bytes_toclient\":5988,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":35367,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.513940+0000\",\"flow_id\":1822003422156692,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":35367,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":23911,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:57.513940+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":35367,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.513940+0000\",\"flow_id\":1822003422156692,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":35367,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":23911,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:57.513940+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.513952+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":13,\"pkts_toclient\":18,\"bytes_toserver\":4648,\"bytes_toclient\":6507,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:18:57.680488+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":13,\"pkts_toclient\":19,\"bytes_toserver\":4648,\"bytes_toclient\":6573,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51149,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.967717+0000\",\"flow_id\":726155401544741,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51149,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":35211,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:58.967717+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":51149,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.967717+0000\",\"flow_id\":726155401544741,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":51149,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":35211,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:58.967717+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.968735+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":14,\"pkts_toclient\":20,\"bytes_toserver\":5156,\"bytes_toclient\":7202,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:59Z","timestamp":1694841539,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:59.136943+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":10,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":15,\"pkts_toclient\":22,\"bytes_toserver\":5665,\"bytes_toclient\":8154,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:59Z","timestamp":1694841539,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":54638,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:59.137034+0000\",\"flow_id\":2146183258773322,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":54638,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":42840,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:59.137034+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:59Z","timestamp":1694841539,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":54638,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:18:59.137034+0000\",\"flow_id\":2146183258773322,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":54638,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":42840,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:18:59.137034+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:00Z","timestamp":1694841540,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:00.467152+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":11,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":16,\"pkts_toclient\":24,\"bytes_toserver\":6015,\"bytes_toclient\":8673,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:00Z","timestamp":1694841540,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":37180,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:00.467380+0000\",\"flow_id\":2059085617045940,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":37180,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042936,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":28361,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:19:00.467380+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:00Z","timestamp":1694841540,"ip_dst":{"addr":"Internal IP","port":53,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"Client IP","port":37180,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"low","alert":"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain","source":"{\"timestamp\":\"2023-09-16T05:19:00.467380+0000\",\"flow_id\":2059085617045940,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":37180,\"dest_ip\":\"10.70.215.1\",\"dest_port\":53,\"proto\":\"UDP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2022918,\"rev\":4,\"signature\":\"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2016_06_27\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_08_18\"]}},\"dns\":{\"query\":[{\"type\":\"query\",\"id\":28361,\"rrname\":\"usps-usa.duckdns.org\",\"rrtype\":\"AAAA\",\"tx_id\":0}]},\"app_proto\":\"dns\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":91,\"bytes_toclient\":0,\"start\":\"2023-09-16T05:19:00.467380+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:00Z","timestamp":1694841540,"ip_dst":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:19:00.631958+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":11,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":16,\"pkts_toclient\":25,\"bytes_toserver\":6015,\"bytes_toclient\":8739,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:03Z","timestamp":1694841543,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:03.126755+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":12,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"https://www.siteground.com\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":17,\"pkts_toclient\":26,\"bytes_toserver\":6081,\"bytes_toclient\":9206,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]},"javascript":{"script":[{"url":{"schema":"https","addr":"maps.googleapis.com/maps-api-v3/api/js/38/11/intl/nl_ALL/common.js","fqdn":"maps.googleapis.com","domain":"maps.googleapis.com","tld":"googleapis.com"},"ip":{"addr":"216.58.211.10","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":false,"md5":"2005cff13e09393e76f625c7c3e6d0b7","sha1":"47d240c168d611f38c102cf2b6320ea582e69e46","sha256":"50c76b6340f567a536017cdf52bef65fdbbec4d637253e823543059ac68c2fd1","sha512":"b7122caa3f4501f20c507addf63dc80c49f42dc7f3e28180db2a495d8b931ee2acd55517cd7a856402e2330975070a16c5cc49b5e36e1e5b57d58f6d31db5032","ssdeep":"1536:Nj2K0IVivAXiR1TtgigxMPZe0N+A//hMOhWv5iZqkQzV39NEkle8h:DVGAXmWiwo+A//hMOh85QqkQl9N95h","tlshash":"2273c59d725275a69317f0b9123f000ab13a64adf4484dacb24cd9e29ef585d02bbf7c","size":77983,"data":"","first_seen":"2023-03-07T13:02:45Z","last_seen":"2026-02-12T07:32:12.530746Z","times_seen":53,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"maps.googleapis.com/maps-api-v3/api/js/38/11/intl/nl_ALL/util.js","fqdn":"maps.googleapis.com","domain":"maps.googleapis.com","tld":"googleapis.com"},"ip":{"addr":"216.58.211.10","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":false,"md5":"16b73dc0de9683fb153b38cf6b5a6e6d","sha1":"22261377b57577dcd8046a8970ef5c80aefdf5dc","sha256":"d9f2fabff1b5fdcf2833cdcca025f1ec73c4889c41410e8a018cb1a84bb6ac79","sha512":"1a7e0c0b5f44faf69fe8368b24ae68b95d0839a285785cf7b5a805837425da75e2b89e2f3d50624cc6eca540dde0bea983bed5c29581d2c3f1e11d74502bdf05","ssdeep":"3072:lfTnZQ5U/ay5v5b681Czm83dsFkP3T+jq:lfaMayV5b68EfNskP3T+jq","tlshash":"43e32aa8724270a98277f5f6053f104aa53e985af8054c7cb288d9e1ddf8c9d11bbf78","size":146194,"data":"","first_seen":"2023-03-07T13:02:45Z","last_seen":"2026-02-12T07:32:12.522809Z","times_seen":53,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"introduction_type":"scriptElement","is_inline":true,"md5":"bcc09075b1751dac2dd0df99783c78a3","sha1":"4d730f4032ac21b115905910d2853eb7249d563a","sha256":"96c875d292aaab9b960846cc196f292b70f8ee3c8e557470a95e9eccbb76b2bc","sha512":"12cbe195b1efe8c793d0b0d259f644f3ea03fe0e85e47ed849454cf2f02f6e59d8bd2d403e871c93e1ce145826b5dc588d23785a983d3afb232ac63227326ff1","ssdeep":"","tlshash":"2bf05976a1522830476635a96046468ee8b008200a1dd7d1c81c64f22c70b3df077b98","size":478,"data":"","first_seen":"2023-03-07T13:02:45Z","last_seen":"2024-11-07T10:09:02.591779Z","times_seen":46,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"usps-usa.duckdns.org/c146b89dd55f1d398da2966de1a44c2b/?token=37e01b135dee858b9ccf0f288d285afebb23da3bd39166cdb6ef6af33ccac024890d7e566c68aa83e41e5b87dd1ac22a986344055a7cd0f2357638a97ab3f5d8","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:48.882Z","timestamp":1694841528882,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /c146b89dd55f1d398da2966de1a44c2b/?token=37e01b135dee858b9ccf0f288d285afebb23da3bd39166cdb6ef6af33ccac024890d7e566c68aa83e41e5b87dd1ac22a986344055a7cd0f2357638a97ab3f5d8 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:49 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249; path=/\r\nLocation: ../index.php\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":840,"timings":{"blocked":337,"dns":1,"connect":165,"send":0,"wait":165,"receive":0,"ssl":170},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/index.php","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:49.390Z","timestamp":1694841529390,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /index.php HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:49 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nLocation: 81e77f48f75fd1157dc49df034f7f013?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nKeep-Alive: timeout=5, max=99\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":2,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"ASCII text","md5":"d784fa8b6d98d27699781bd9a7cf19f0","sha1":"dd122581c8cd44d0227f9c305581ffcb4b6f1b46","sha256":"e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700","sha512":"f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0","ssdeep":"","tlshash":"c710000000000000000000300000000000000000000000000000003000000000000000","first_seen":"2023-03-07T01:32:15Z","last_seen":"2026-05-11T13:55:44.658179Z","times_seen":2477,"resource_available":true,"data":null}},"time_used":2976,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":2976,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.360857+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":9,\"bytes_toserver\":2422,\"bytes_toclient\":2936,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.171171+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":11,\"pkts_toclient\":14,\"bytes_toserver\":3789,\"bytes_toclient\":5036,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.968735+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":14,\"pkts_toclient\":20,\"bytes_toserver\":5156,\"bytes_toclient\":7202,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:03Z","timestamp":1694841543,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:03.126755+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":12,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"https://www.siteground.com\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":17,\"pkts_toclient\":26,\"bytes_toserver\":6081,\"bytes_toclient\":9206,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:52.374Z","timestamp":1694841532374,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /81e77f48f75fd1157dc49df034f7f013?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Sat, 16 Sep 2023 05:18:52 GMT\r\nServer: Apache\r\nLocation: https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nContent-Length: 405\r\nKeep-Alive: timeout=5, max=98\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"301","status_text":"Moved Permanently","fingerprints":null,"data":{"size":405,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"f2061fe1e0f5827d60f13bcb7b50d545","sha1":"6f2a61fa824d14f92f59adb414b94d0e26983131","sha256":"b9471321b3bf762a93ab39329311772b89d85d2174cf97365860bb844f17ac0c","sha512":"9054aee0c8e0d8a9bf1daaf7ae1ac01bc1bdba07758f0230d829c75e35947799198979e19498cf57decb346fa666c7edef12eec854ab84483ffd9a384addf87b","ssdeep":"","tlshash":"52e0f1ec931130c1f9273b80dcd7f0f2605f0150668d58ea2bea2c85e8261b1ad870d5","first_seen":"2023-09-16T07:19:08Z","last_seen":"2023-09-16T07:19:08Z","times_seen":1,"resource_available":false,"data":null}},"time_used":166,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":166,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:53.526960286Z","timestamp":1694841533526,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:51 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=0ee227cd50b1614b30ee41fb14c555cf; path=/\r\nLocation: d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":2,"size_decoded":0,"mime_type":"text/plain; charset=utf-8","magic":"ASCII text","md5":"d784fa8b6d98d27699781bd9a7cf19f0","sha1":"dd122581c8cd44d0227f9c305581ffcb4b6f1b46","sha256":"e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700","sha512":"f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0","ssdeep":"","tlshash":"c710000000000000000000300000000000000000000000000000003000000000000000","first_seen":"2023-03-07T01:32:15Z","last_seen":"2026-05-11T13:55:44.658179Z","times_seen":2477,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.522167+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":547,\"bytes_toclient\":770,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:53.696217243Z","timestamp":1694841533696,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Sat, 16 Sep 2023 05:18:53 GMT\r\nServer: Apache\r\nLocation: http://usps-usa.duckdns.org/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\r\nContent-Length: 404\r\nKeep-Alive: timeout=5, max=99\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":404,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"c309b948c7115e0374301f8a0bf6e776","sha1":"557d2490d5c2233601cd0e60f9b926cdaf853b7c","sha256":"876423bddd077768f7e5598fc0a13fc61e0b9c6c81a2afd39b0d56f1d0ff84e8","sha512":"c832ac20a72172ef80ed7c2e51abf774939df4e8a754267c49a62d09ae63aff4d5a2bc713ac9644d24e37d76c45c46abeb1b319b3899dc63db64bff8932c208f","ssdeep":"","tlshash":"c6e0f1fcd28621e571233f18dd4100d0a05f04f3a1cd995910d61808983e035c88a0d8","first_seen":"2023-09-16T07:19:08Z","last_seen":"2023-09-16T07:19:08Z","times_seen":1,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.695210+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/d1bf2b4ec4a91e60171a455c0832cbb2?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":1564,\"bytes_toclient\":1722,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:53.862703911Z","timestamp":1694841533862,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:53 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=45aa11468168aeddc41c83db8efa4b33; path=/\r\nLocation: ../index.php\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=98\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:53Z","timestamp":1694841533,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:53.864649+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":7,\"pkts_toclient\":7,\"bytes_toserver\":1914,\"bytes_toclient\":2241,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:54Z","timestamp":1694841534,"ip_dst":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:18:54.029974+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/d1bf2b4ec4a91e60171a455c0832cbb2/?token=ca5ffc4ffdb147edf7162448c932a70c74aa082f0047993588458a341237ac60263efdbb8b7d06c7f3194df9809cfddcbb36601daf81a93a188f90d6f41acd09\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":7,\"pkts_toclient\":8,\"bytes_toserver\":1914,\"bytes_toclient\":2307,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:52.545Z","timestamp":1694841532545,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sat, 16 Sep 2023 05:18:52 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nKeep-Alive: timeout=5, max=97\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":11960,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- assembler source, Unicode text, UTF-8 text, with very long lines (420)","md5":"39220b0c7646a8beaccc3eb12ded39d4","sha1":"50482435b2a7f30422003a90831edb4bba1e9d27","sha256":"fb65bcae7e1a016f4f5292708b14863e9864323cebbedbfb8bce67b64738aa67","sha512":"5d2c8b68757a560d48b2a4f5b95f0d660166046961e7a211c2da421c1e8ee78c53a161774a4a1b475b9fdecb9860fe17b1c3fc1a46b452825d7f71b7ad4cd93c","ssdeep":"96:GquG1GJoC1VW6tdSIDEepFZoC4kmy1WfD4h9HD7hhQY1ABfRnhTIyW8P8PetxDw3:GjU67S+EeoMKD4hrhQCyjG80V","tlshash":"4732969384f14c7a026259b63eebb64e9fa15453c50a2d8075ac33c82fd7e51cd8336e","first_seen":"2023-09-16T07:19:08Z","last_seen":"2023-09-16T07:19:08Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1813,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":1650,"receive":163,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"maps.googleapis.com/maps-api-v3/api/js/38/11/intl/nl_ALL/common.js","fqdn":"maps.googleapis.com","domain":"maps.googleapis.com","tld":"googleapis.com"},"ip":{"addr":"216.58.211.10","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:54.525Z","timestamp":1694841534525,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"upload.video.google.com","organization":""},"issuer":{"commonName":"GTS CA 1C3","organization":"Google Trust Services LLC"},"validity":{"start":"Mon, 14 Aug 2023 08:22:09 GMT","end":"Mon, 06 Nov 2023 08:22:08 GMT"},"fingerprint":{"sha1":"09:AB:BF:F5:D0:04:69:59:E1:EA:AC:DA:8B:68:CF:62:94:2E:50:38","sha256":"51:9F:EC:84:6E:75:1D:8B:F5:23:58:A2:24:2B:C1:8E:91:C4:20:61:49:69:0D:3E:83:47:F0:3C:36:08:DF:BA"}}},"request":{"raw":"GET /maps-api-v3/api/js/38/11/intl/nl_ALL/common.js HTTP/1.1\r\nHost: maps.googleapis.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\naccept-ranges: bytes\r\nvary: Accept-Encoding, Origin\r\ncontent-encoding: gzip\r\ncontent-type: text/javascript\r\ncontent-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/maps-api-js\r\ncross-origin-resource-policy: cross-origin\r\ncross-origin-opener-policy: same-origin; report-to=\"maps-api-js\"\r\nreport-to: {\"group\":\"maps-api-js\",\"max_age\":2592000,\"endpoints\":[{\"url\":\"https://csp.withgoogle.com/csp/report-to/maps-api-js\"}]}\r\ncontent-length: 28568\r\ndate: Sat, 16 Sep 2023 05:18:54 GMT\r\nexpires: Sun, 15 Sep 2024 05:18:54 GMT\r\ncache-control: public, max-age=31536000\r\nlast-modified: Mon, 04 Nov 2019 22:32:04 GMT\r\nx-content-type-options: nosniff\r\nserver: sffe\r\nx-xss-protection: 0\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":28568,"size_decoded":0,"mime_type":"text/javascript","magic":"ASCII text, with very long lines (1601)","md5":"2005cff13e09393e76f625c7c3e6d0b7","sha1":"47d240c168d611f38c102cf2b6320ea582e69e46","sha256":"50c76b6340f567a536017cdf52bef65fdbbec4d637253e823543059ac68c2fd1","sha512":"b7122caa3f4501f20c507addf63dc80c49f42dc7f3e28180db2a495d8b931ee2acd55517cd7a856402e2330975070a16c5cc49b5e36e1e5b57d58f6d31db5032","ssdeep":"1536:Nj2K0IVivAXiR1TtgigxMPZe0N+A//hMOhWv5iZqkQzV39NEkle8h:DVGAXmWiwo+A//hMOh85QqkQl9N95h","tlshash":"2273c59d725275a69317f0b9123f000ab13a64adf4484dacb24cd9e29ef585d02bbf7c","first_seen":"2023-03-07T13:02:45Z","last_seen":"2026-02-12T07:32:12.530746Z","times_seen":53,"resource_available":true,"data":null}},"time_used":105,"timings":{"blocked":24,"dns":1,"connect":8,"send":0,"wait":34,"receive":8,"ssl":26},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"maps.googleapis.com/maps-api-v3/api/js/38/11/intl/nl_ALL/util.js","fqdn":"maps.googleapis.com","domain":"maps.googleapis.com","tld":"googleapis.com"},"ip":{"addr":"216.58.211.10","port":443,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:54.529Z","timestamp":1694841534529,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"upload.video.google.com","organization":""},"issuer":{"commonName":"GTS CA 1C3","organization":"Google Trust Services LLC"},"validity":{"start":"Mon, 14 Aug 2023 08:22:09 GMT","end":"Mon, 06 Nov 2023 08:22:08 GMT"},"fingerprint":{"sha1":"09:AB:BF:F5:D0:04:69:59:E1:EA:AC:DA:8B:68:CF:62:94:2E:50:38","sha256":"51:9F:EC:84:6E:75:1D:8B:F5:23:58:A2:24:2B:C1:8E:91:C4:20:61:49:69:0D:3E:83:47:F0:3C:36:08:DF:BA"}}},"request":{"raw":"GET /maps-api-v3/api/js/38/11/intl/nl_ALL/util.js HTTP/1.1\r\nHost: maps.googleapis.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\naccept-ranges: bytes\r\nvary: Accept-Encoding, Origin\r\ncontent-encoding: gzip\r\ncontent-type: text/javascript\r\ncontent-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/maps-api-js\r\ncross-origin-resource-policy: cross-origin\r\ncross-origin-opener-policy: same-origin; report-to=\"maps-api-js\"\r\nreport-to: {\"group\":\"maps-api-js\",\"max_age\":2592000,\"endpoints\":[{\"url\":\"https://csp.withgoogle.com/csp/report-to/maps-api-js\"}]}\r\ncontent-length: 53998\r\ndate: Sat, 16 Sep 2023 05:18:54 GMT\r\nexpires: Sun, 15 Sep 2024 05:18:54 GMT\r\ncache-control: public, max-age=31536000\r\nlast-modified: Mon, 04 Nov 2019 22:32:04 GMT\r\nx-content-type-options: nosniff\r\nserver: sffe\r\nx-xss-protection: 0\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":53998,"size_decoded":0,"mime_type":"text/javascript","magic":"ASCII text, with very long lines (3412)","md5":"16b73dc0de9683fb153b38cf6b5a6e6d","sha1":"22261377b57577dcd8046a8970ef5c80aefdf5dc","sha256":"d9f2fabff1b5fdcf2833cdcca025f1ec73c4889c41410e8a018cb1a84bb6ac79","sha512":"1a7e0c0b5f44faf69fe8368b24ae68b95d0839a285785cf7b5a805837425da75e2b89e2f3d50624cc6eca540dde0bea983bed5c29581d2c3f1e11d74502bdf05","ssdeep":"3072:lfTnZQ5U/ay5v5b681Czm83dsFkP3T+jq:lfaMayV5b68EfNskP3T+jq","tlshash":"43e32aa8724270a98277f5f6053f104aa53e985af8054c7cb288d9e1ddf8c9d11bbf78","first_seen":"2023-03-07T13:02:45Z","last_seen":"2026-02-12T07:32:12.522809Z","times_seen":53,"resource_available":true,"data":null}},"time_used":122,"timings":{"blocked":22,"dns":6,"connect":8,"send":0,"wait":41,"receive":21,"ssl":20},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/content/marktplaats/client.min.css","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"stylesheet","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:54.522Z","timestamp":1694841534522,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /content/marktplaats/client.min.css HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nSec-Fetch-Dest: style\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 404 Not Found\r\nDate: Sat, 16 Sep 2023 05:18:54 GMT\r\nServer: Apache\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=96\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":315,"size_decoded":0,"mime_type":"text/html; charset=iso-8859-1","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"a34ac19f4afae63adc5d2f7bc970c07f","sha1":"a82190fc530c265aa40a045c21770d967f4767b8","sha256":"d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3","sha512":"42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765","ssdeep":"","tlshash":"b0e0e75f41473347402252907dc110d1d505236b797161fd3d85b4ab501dc3dc99f7dc","first_seen":"2023-03-07T01:02:33Z","last_seen":"2026-05-11T20:12:52.475412Z","times_seen":145299,"resource_available":true,"data":null}},"time_used":163,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":163,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/content/marktplaats/normalize.112272e5.css","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"stylesheet","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:54.524Z","timestamp":1694841534524,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /content/marktplaats/normalize.112272e5.css HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nSec-Fetch-Dest: style\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 404 Not Found\r\nDate: Sat, 16 Sep 2023 05:18:54 GMT\r\nServer: Apache\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=95\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":315,"size_decoded":0,"mime_type":"text/html; charset=iso-8859-1","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"a34ac19f4afae63adc5d2f7bc970c07f","sha1":"a82190fc530c265aa40a045c21770d967f4767b8","sha256":"d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3","sha512":"42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765","ssdeep":"","tlshash":"b0e0e75f41473347402252907dc110d1d505236b797161fd3d85b4ab501dc3dc99f7dc","first_seen":"2023-03-07T01:02:33Z","last_seen":"2026-05-11T20:12:52.475412Z","times_seen":145299,"resource_available":true,"data":null}},"time_used":312,"timings":{"blocked":149,"dns":0,"connect":0,"send":0,"wait":163,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/index.php","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:49.390Z","timestamp":1694841529390,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /index.php HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:53 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=c2a966c1585542c69e323d96ce87c1ff; path=/\r\nLocation: b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\r\nKeep-Alive: timeout=5, max=97\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":2,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"ASCII text","md5":"d784fa8b6d98d27699781bd9a7cf19f0","sha1":"dd122581c8cd44d0227f9c305581ffcb4b6f1b46","sha256":"e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700","sha512":"f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0","ssdeep":"","tlshash":"c710000000000000000000300000000000000000000000000000003000000000000000","first_seen":"2023-03-07T01:32:15Z","last_seen":"2026-05-11T13:55:44.658179Z","times_seen":2477,"resource_available":true,"data":null}},"time_used":2976,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":2976,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.360857+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":9,\"bytes_toserver\":2422,\"bytes_toclient\":2936,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.171171+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":11,\"pkts_toclient\":14,\"bytes_toserver\":3789,\"bytes_toclient\":5036,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.968735+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":14,\"pkts_toclient\":20,\"bytes_toserver\":5156,\"bytes_toclient\":7202,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:03Z","timestamp":1694841543,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:03.126755+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":12,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"https://www.siteground.com\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":17,\"pkts_toclient\":26,\"bytes_toserver\":6081,\"bytes_toclient\":9206,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:55.534214471Z","timestamp":1694841535534,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Sat, 16 Sep 2023 05:18:55 GMT\r\nServer: Apache\r\nLocation: http://usps-usa.duckdns.org/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\r\nContent-Length: 404\r\nKeep-Alive: timeout=5, max=96\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":404,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"7482f5aad01e3cb4919950c600354bd6","sha1":"1db613d4609b1dfc70787c69e6f7cfd08b3b1937","sha256":"d4de89fe15e2dc898327cbad11ce74bb8ef17d872baa4ceae691c3a8e7d7e158","sha512":"e6723f3d2b7c1371a441b7ecc53041351e73b607d0c0aa7b9da81fe1689fb3fb9643c8d36e70af8ef893c6c5d98ae441adbfe8ffeae62f5ffdd4e131acf8dd36","ssdeep":"","tlshash":"80e0f1ec87011084691b3f00eec100f5719a2175abc98da616f62856d8144b1ecc70e7","first_seen":"2023-09-16T07:19:08Z","last_seen":"2023-09-16T07:19:08Z","times_seen":1,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.532935+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":9,\"pkts_toclient\":11,\"bytes_toserver\":2931,\"bytes_toclient\":3888,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/main.css","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"stylesheet","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:54.521Z","timestamp":1694841534521,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/main.css HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/\r\nSec-Fetch-Dest: style\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncache-control: public, max-age=604800\r\nexpires: Sat, 23 Sep 2023 05:18:55 GMT\r\ncontent-type: text/css\r\nlast-modified: Wed, 20 Oct 2021 03:52:19 GMT\r\naccept-ranges: bytes\r\ncontent-encoding: br\r\nvary: Accept-Encoding\r\ncontent-length: 30024\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":30024,"size_decoded":0,"mime_type":"text/css","magic":"assembler source, ASCII text, with very long lines (348), with CRLF line terminators","md5":"36277e4fba035d5002b28b28b3656109","sha1":"244ec24c6b302f36a3a174fc3bf225c3b906603b","sha256":"877c9ecef0ce6e991b965a744c396fb8f8f3968aefa053c966b1a8e806d77c5a","sha512":"1f0a89dffad97d31df67b66b2a79ae776ce03350de44c5c6219913010ca5e48067f8093c4d126031c9bf31289f1cdf9195daf335d8d9b2c59e72518d1e264350","ssdeep":"1536:88OAvNEBXUZ2CZUs2DUV2HOOPrT0qU+d2DPSKSg93zOMwFfIxqNM9wQSDU12Wxr:UOOPrT0sgPlPxqNMuQSY","tlshash":"8134c921d981958e72378c159bb01d44ea7c0047da821abcbf5cb7798fb7d858a62fcc","first_seen":"2023-04-12T09:17:26Z","last_seen":"2023-09-16T07:19:08Z","times_seen":26,"resource_available":false,"data":null}},"time_used":1578,"timings":{"blocked":531,"dns":199,"connect":169,"send":0,"wait":175,"receive":329,"ssl":172},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:55.701157301Z","timestamp":1694841535701,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:55 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=8b849216ba391df0fb5506d4f63835a3; path=/\r\nLocation: ../index.php\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=95\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.704481+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":10,\"pkts_toclient\":12,\"bytes_toserver\":3281,\"bytes_toclient\":4341,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:18:55.911623+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/b0db981ec094cad0212aca67bdd572e1/?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":10,\"pkts_toclient\":13,\"bytes_toserver\":3281,\"bytes_toclient\":4407,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Marktplaats.Sprite.svg","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:55.648Z","timestamp":1694841535648,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Marktplaats.Sprite.svg HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/css/usps/main.css\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Roboto-Regular-webfont.woff2","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"font","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:55.655Z","timestamp":1694841535655,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Roboto-Regular-webfont.woff2 HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nOrigin: https://usps-usa.duckdns.org\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/\r\nSec-Fetch-Dest: font\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Roboto-Light-webfont.woff2","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"font","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:55.657Z","timestamp":1694841535657,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Roboto-Light-webfont.woff2 HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nOrigin: https://usps-usa.duckdns.org\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/\r\nSec-Fetch-Dest: font\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/images/logo-mini-sb.png","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:54.531Z","timestamp":1694841534531,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /81e77f48f75fd1157dc49df034f7f013/images/logo-mini-sb.png HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sat, 16 Sep 2023 05:18:55 GMT\r\nServer: Apache\r\nLast-Modified: Sat, 16 Sep 2023 05:18:51 GMT\r\nAccept-Ranges: bytes\r\nContent-Length: 23625\r\nKeep-Alive: timeout=5, max=94\r\nConnection: Keep-Alive\r\nContent-Type: image/png\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":23625,"size_decoded":0,"mime_type":"image/png","magic":"PNG image data, 135 x 16, 8-bit/color RGBA, non-interlaced\\012- data","md5":"43707dd65a8c8ec7754b7b45fd483488","sha1":"f258a5de57dfa37baf13296da6055e8f8881d742","sha256":"585262db6911000f59795831f9db7bb41477bcafb135c82b51b0473363134fcf","sha512":"4f821dbcb766cfca452c7a1350e36231fbf82d2d62426e7309e56595813138aaec56daa0c28274a73972977e6d2026aba1ba8866cbdace5c6f5ac276e5664921","ssdeep":"","tlshash":"","first_seen":"2023-05-01T22:22:00Z","last_seen":"2025-10-30T01:12:08.805508Z","times_seen":84,"resource_available":false,"data":null}},"time_used":1352,"timings":{"blocked":1025,"dns":0,"connect":0,"send":0,"wait":164,"receive":163,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Roboto-Regular-webfont.woff","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"font","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:55.835Z","timestamp":1694841535835,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Roboto-Regular-webfont.woff HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nOrigin: https://usps-usa.duckdns.org\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/\r\nSec-Fetch-Dest: font\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Roboto-Light-webfont.woff","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"font","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:55.837Z","timestamp":1694841535837,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Roboto-Light-webfont.woff HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nOrigin: https://usps-usa.duckdns.org\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/\r\nSec-Fetch-Dest: font\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Roboto-Regular-webfont.ttf?v1","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"font","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:56.019Z","timestamp":1694841536019,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Roboto-Regular-webfont.ttf?v1 HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://usps-usa.duckdns.org\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/\r\nSec-Fetch-Dest: font\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"devilsms.live/css/usps/Roboto-Light-webfont.ttf?v1","fqdn":"devilsms.live","domain":"devilsms.live","tld":"live"},"ip":{"addr":"199.188.200.254","port":443,"asn":22612,"as":"NAMECHEAP-NET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"font","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:56.021Z","timestamp":1694841536021,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"devilsms.live","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 18 Aug 2022 00:00:00 GMT","end":"Sat, 16 Sep 2023 23:59:59 GMT"},"fingerprint":{"sha1":"72:C0:D3:B1:19:FB:CD:8A:B3:B2:6D:62:78:A9:37:61:9F:B9:AA:6C","sha256":"1C:4F:35:01:63:27:0B:C4:90:DF:FC:74:3F:CE:95:CD:34:A3:1F:11:29:AC:0B:26:23:33:27:CD:B6:9C:50:43"}}},"request":{"raw":"GET /css/usps/Roboto-Light-webfont.ttf?v1 HTTP/1.1\r\nHost: devilsms.live\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nOrigin: https://usps-usa.duckdns.org\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://devilsms.live/\r\nSec-Fetch-Dest: font\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nTE: trailers\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 404 Not Found\r\ncache-control: private, no-cache, no-store, must-revalidate, max-age=0\r\npragma: no-cache\r\ncontent-type: text/html\r\ncontent-length: 1238\r\ndate: Sat, 16 Sep 2023 05:18:55 GMT\r\nserver: LiteSpeed\r\nx-turbo-charged-by: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":1238,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text, with CRLF, LF line terminators","md5":"0bde7d4b3da67537eaf9188e6f8049cf","sha1":"64300fc482d01d38b40ab20e15960b6509665e5a","sha256":"5dc1ae0b875dc0d78dbc5532226f5f31b762b4d1229984f605d27bf895ab6807","sha512":"2d4d27ab5b3dd2a701a944e9b5372b40ee4f8b3267f133be7ad0d4b42528302aaa002b6132722e2ad1fe629fc3e8baf1011c8dad326062e9c0946d6f1b6eafb4","ssdeep":"","tlshash":"8d21423ec1c1150a80271154fb81e2942619825192470fa1379e7167f6cc0f756937c8","first_seen":"2023-03-07T01:03:24Z","last_seen":"2026-05-11T20:57:19.734228Z","times_seen":40583,"resource_available":true,"data":null}},"time_used":169,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":169,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/content/marktplaats/favicon-192x192.png","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:56.195Z","timestamp":1694841536195,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /content/marktplaats/favicon-192x192.png HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 404 Not Found\r\nDate: Sat, 16 Sep 2023 05:18:56 GMT\r\nServer: Apache\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=93\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":315,"size_decoded":0,"mime_type":"text/html; charset=iso-8859-1","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"a34ac19f4afae63adc5d2f7bc970c07f","sha1":"a82190fc530c265aa40a045c21770d967f4767b8","sha256":"d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3","sha512":"42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765","ssdeep":"","tlshash":"b0e0e75f41473347402252907dc110d1d505236b797161fd3d85b4ab501dc3dc99f7dc","first_seen":"2023-03-07T01:02:33Z","last_seen":"2026-05-11T20:12:52.475412Z","times_seen":145299,"resource_available":true,"data":null}},"time_used":163,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":163,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/content/marktplaats/favicon.ico","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff","date":"2023-09-16T05:18:56.198Z","timestamp":1694841536198,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /content/marktplaats/favicon.ico HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://usps-usa.duckdns.org/81e77f48f75fd1157dc49df034f7f013/?token=e3af4f0b0bff355508e4c810cc9dbc41c9f94aec7a0da627d0eacaa7f8300c50ae33a7b2c100f08f758d4ca566e6a59bcf02742dbb2d0a0c5b1d36d81ce982ff\r\nCookie: PHPSESSID=4349d9f6b5a5bd302e3fa97a7aef4249\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 404 Not Found\r\nDate: Sat, 16 Sep 2023 05:18:56 GMT\r\nServer: Apache\r\nContent-Length: 315\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":315,"size_decoded":0,"mime_type":"text/html; charset=iso-8859-1","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"a34ac19f4afae63adc5d2f7bc970c07f","sha1":"a82190fc530c265aa40a045c21770d967f4767b8","sha256":"d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3","sha512":"42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765","ssdeep":"","tlshash":"b0e0e75f41473347402252907dc110d1d505236b797161fd3d85b4ab501dc3dc99f7dc","first_seen":"2023-03-07T01:02:33Z","last_seen":"2026-05-11T20:12:52.475412Z","times_seen":145299,"resource_available":true,"data":null}},"time_used":164,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":164,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/index.php","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:49.390Z","timestamp":1694841529390,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /index.php HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:55 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=6d8dc6a43384def499740a2b327cd1b0; path=/\r\nLocation: 9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\r\nKeep-Alive: timeout=5, max=94\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":2,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"ASCII text","md5":"d784fa8b6d98d27699781bd9a7cf19f0","sha1":"dd122581c8cd44d0227f9c305581ffcb4b6f1b46","sha256":"e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700","sha512":"f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0","ssdeep":"","tlshash":"c710000000000000000000300000000000000000000000000000003000000000000000","first_seen":"2023-03-07T01:32:15Z","last_seen":"2026-05-11T13:55:44.658179Z","times_seen":2477,"resource_available":true,"data":null}},"time_used":2976,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":2976,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.360857+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":9,\"bytes_toserver\":2422,\"bytes_toclient\":2936,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.171171+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":11,\"pkts_toclient\":14,\"bytes_toserver\":3789,\"bytes_toclient\":5036,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.968735+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":14,\"pkts_toclient\":20,\"bytes_toserver\":5156,\"bytes_toclient\":7202,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:03Z","timestamp":1694841543,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:03.126755+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":12,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"https://www.siteground.com\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":17,\"pkts_toclient\":26,\"bytes_toserver\":6081,\"bytes_toclient\":9206,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:57.344543076Z","timestamp":1694841537344,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Sat, 16 Sep 2023 05:18:57 GMT\r\nServer: Apache\r\nLocation: http://usps-usa.duckdns.org/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\r\nContent-Length: 404\r\nKeep-Alive: timeout=5, max=93\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":404,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"d88aaf91f7d09c54b5ddd57aa61ed4dc","sha1":"00d5ab090b58f47b952095c7c8c62d1843d8a204","sha256":"4675db182f7feaabc71465ca0aa5779d77af0f0480de85c5eccf20b8c559a7ef","sha512":"a5762d6329aa487ac900131bd716f50be8ebafa1d72fc4544052ac4dc8eb648ca7c67e0cd92e5b2f828db60105f70a6516576f4973e8e920a9a09ece09187311","ssdeep":"","tlshash":"a9e0f1ec0a8210d9745b3f44a5e134e6605800f00594296f21a678cd88581bfb9863ee","first_seen":"2023-09-16T07:19:08Z","last_seen":"2023-09-16T07:19:08Z","times_seen":1,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.342549+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":16,\"bytes_toserver\":4298,\"bytes_toclient\":5988,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:57.511281932Z","timestamp":1694841537511,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:57 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=a96a59f0304e02c616efe24d58193264; path=/\r\nLocation: ../index.php\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=92\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.513952+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":13,\"pkts_toclient\":18,\"bytes_toserver\":4648,\"bytes_toclient\":6507,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:18:57.680488+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/9b968f12bc64edf305346aa76d6a1690/?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":13,\"pkts_toclient\":19,\"bytes_toserver\":4648,\"bytes_toclient\":6573,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/index.php","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:49.390Z","timestamp":1694841529390,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /index.php HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:57 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=243a8fc9f5c357a589fb2808c2329747; path=/\r\nLocation: e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\r\nKeep-Alive: timeout=5, max=91\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":2,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"ASCII text","md5":"d784fa8b6d98d27699781bd9a7cf19f0","sha1":"dd122581c8cd44d0227f9c305581ffcb4b6f1b46","sha256":"e16f1596201850fd4a63680b27f603cb64e67176159be3d8ed78a4403fdb1700","sha512":"f8aca02e28996a586f535eed5de9f4533b8b2910762f524459f6fae6fb3f8f7540db5f2c809c1c07167a95b33f6f3f85589af99182e2d2bf93f964de169dd4c0","ssdeep":"","tlshash":"c710000000000000000000300000000000000000000000000000003000000000000000","first_seen":"2023-03-07T01:32:15Z","last_seen":"2026-05-11T13:55:44.658179Z","times_seen":2477,"resource_available":true,"data":null}},"time_used":2976,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":2976,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.360857+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":9,\"bytes_toserver\":2422,\"bytes_toclient\":2936,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.171171+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":11,\"pkts_toclient\":14,\"bytes_toserver\":3789,\"bytes_toclient\":5036,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.968735+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":14,\"pkts_toclient\":20,\"bytes_toserver\":5156,\"bytes_toclient\":7202,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:03Z","timestamp":1694841543,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:03.126755+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":12,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"https://www.siteground.com\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":17,\"pkts_toclient\":26,\"bytes_toserver\":6081,\"bytes_toclient\":9206,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Phishing - US Postal Service","verdict":"phishing","severity":"medium","comment":"Asset commenly seen with US Postal Service phishing","tags":["usps","logistics","phishing"],"meta":null},{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:18:59.138547241Z","timestamp":1694841539138,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 301 Moved Permanently\r\nDate: Sat, 16 Sep 2023 05:18:58 GMT\r\nServer: Apache\r\nLocation: http://usps-usa.duckdns.org/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\r\nContent-Length: 404\r\nKeep-Alive: timeout=5, max=90\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":404,"size_decoded":0,"mime_type":"text/html; charset=utf-8","magic":"HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- HTML document text\\012- exported SGML document, ASCII text","md5":"cf29ca76209becdc909f9e949619c6a1","sha1":"0dd0c940d664511eb26fd354cccdea980f67161f","sha256":"8cad4a161135454b89c2efcacc7194c5f97db60e11d43b15a4f27595ffe00bcf","sha512":"a1b4df84a05e91c11c1a123de3b5db29aff67f0473d51b0152cb988fa11235dc5219732c0fa930f30b81390139e49810f602d074e7135c888fc784c9cc975483","ssdeep":"","tlshash":"1de0f1ecc782204076ab7f28ffd254d1459f14922ac688a575e77c8dd574073cd4e0d8","first_seen":"2023-09-16T07:19:08Z","last_seen":"2023-09-16T07:19:08Z","times_seen":1,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:59Z","timestamp":1694841539,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:59.136943+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":10,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":301,\"redirect\":\"http://usps-usa.duckdns.org/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":404},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":15,\"pkts_toclient\":22,\"bytes_toserver\":5665,\"bytes_toclient\":8154,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":0,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:19:00.46482613Z","timestamp":1694841540464,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061 HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:18:59 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=b97c7b8230b8071bb5c6722840696469; path=/\r\nLocation: ../index.php\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=89\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:00Z","timestamp":1694841540,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:00.467152+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":11,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":16,\"pkts_toclient\":24,\"bytes_toserver\":6015,\"bytes_toclient\":8673,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:00Z","timestamp":1694841540,"ip_dst":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"severity":"high","alert":"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing","source":"{\"timestamp\":\"2023-09-16T05:19:00.631958+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"143.110.232.17\",\"src_port\":80,\"dest_ip\":\"10.70.215.10\",\"dest_port\":43338,\"proto\":\"TCP\",\"tx_id\":11,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2820835,\"rev\":4,\"signature\":\"ETPRO HUNTING Suspicious Redirect to Recursive PHP - Possible Phishing\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2016_06_22\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"HUNTING\"],\"mitre_tactic_id\":[\"TA0001\"],\"mitre_tactic_name\":[\"Initial_Access\"],\"mitre_technique_id\":[\"T1566\"],\"mitre_technique_name\":[\"Phishing\"],\"signature_severity\":[\"Critical\"],\"tag\":[\"Phishing\"],\"updated_at\":[\"2020_12_22\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/e00fe48ad337e14753e20981433f22d1/?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"../index.php\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":16,\"pkts_toclient\":25,\"bytes_toserver\":6015,\"bytes_toclient\":8739,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"https","addr":"usps-usa.duckdns.org/index.php","fqdn":"usps-usa.duckdns.org","domain":"usps-usa.duckdns.org","tld":"duckdns.org"},"ip":{"addr":"143.110.232.17","port":443,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-16T05:18:49.390Z","timestamp":1694841529390,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"mail.usps-usa.duckdns.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Sat, 16 Sep 2023 01:03:42 GMT","end":"Fri, 15 Dec 2023 01:03:41 GMT"},"fingerprint":{"sha1":"97:33:1A:35:4A:1D:B1:BF:91:34:2A:82:F9:02:CE:B7:C2:2E:28:DF","sha256":"64:83:84:CD:69:E4:C5:EA:3D:D4:69:5E:A0:74:95:F9:7D:C1:92:62:D5:71:1C:12:25:D1:41:80:C5:44:75:D1"}}},"request":{"raw":"GET /index.php HTTP/1.1\r\nHost: usps-usa.duckdns.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Found\r\nDate: Sat, 16 Sep 2023 05:19:00 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nSet-Cookie: PHPSESSID=e0a63ff675b129bd071031a5b80aaa16; path=/\r\nLocation: https://www.siteground.com\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=88\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"text/html; charset=UTF-8","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":2976,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":2976,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:55Z","timestamp":1694841535,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:55.360857+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"b0db981ec094cad0212aca67bdd572e1?token=1cf8d4f400785e3d55357008321eb302420cf3240700453e30969c1323b4cae1034a33b37f281402ea682115164796e9cb398eb525ddc1eaf76ee985a41633b3\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":9,\"bytes_toserver\":2422,\"bytes_toclient\":2936,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:57Z","timestamp":1694841537,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:57.171171+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"9b968f12bc64edf305346aa76d6a1690?token=4f930c799c7c1a2fe4ac010497acf3354fcc3d6eb56cd00680d3c5976ab18287ff40776316e37eb664cdacc10d621f8e912c9242fcaf1cfd8f5be8645dc7b358\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":11,\"pkts_toclient\":14,\"bytes_toserver\":3789,\"bytes_toclient\":5036,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:18:58Z","timestamp":1694841538,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:18:58.968735+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"e00fe48ad337e14753e20981433f22d1?token=b3b76ac6191f7b94688b7f8ed69ac949412990037c4fb16e61c9399f37e3598298ba08fb93eed228f32a062da629926ce993e3d7eb1f2d6615417a8548fa0061\",\"length\":10},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":14,\"pkts_toclient\":20,\"bytes_toserver\":5156,\"bytes_toclient\":7202,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-09-16T05:19:03Z","timestamp":1694841543,"ip_dst":{"addr":"143.110.232.17","port":80,"asn":14061,"as":"DIGITALOCEAN-ASN","country":"United States","country_code":"US"},"ip_src":{"addr":"10.70.215.10","port":43338,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain","source":"{\"timestamp\":\"2023-09-16T05:19:03.126755+0000\",\"flow_id\":1099980764564002,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.10\",\"src_port\":43338,\"dest_ip\":\"143.110.232.17\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":12,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042937,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_12_15\"]}},\"http\":{\"hostname\":\"usps-usa.duckdns.org\",\"url\":\"/index.php\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":302,\"redirect\":\"https://www.siteground.com\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":17,\"pkts_toclient\":26,\"bytes_toserver\":6081,\"bytes_toclient\":9206,\"start\":\"2023-09-16T05:18:51.870946+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-16","alert":"Sinkholed","trigger":"usps-usa.duckdns.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}},{"url":{"schema":"http","addr":"www.siteground.com/","fqdn":"www.siteground.com","domain":"siteground.com","tld":"com"},"ip":{"addr":"34.149.40.93","port":0,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2023-09-16T05:19:03.41500378Z","timestamp":1694841543415,"http_version":"","security_state":"","security_info":null,"request":{"raw":"GET / HTTP/1.1\r\nHost: www.siteground.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/2 302 Found\r\nserver: nginx\r\ndate: Sat, 16 Sep 2023 05:19:03 GMT\r\ncontent-type: text/html; charset=UTF-8\r\ncontent-length: 0\r\nlocation: https://eu.siteground.com\r\nset-cookie: PHPSESSID=35f6e1546d9890d15ccd68cd8ac07874; path=/; domain=.siteground.com; secure; HttpOnly\r\nexpires: Thu, 19 Nov 1981 08:52:00 GMT\r\ncache-control: no-store, no-cache, must-revalidate\r\npragma: no-cache\r\nx-httpd-modphp: 1\r\nstrict-transport-security: max-age=31536000; preload\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1\r\nx-frame-options: DENY\r\nx-server: 0, 0, 0\r\nhost-header: 192fc2e7e50945beb8231a492d6a8024, 192fc2e7e50945beb8231a492d6a8024, 192fc2e7e50945beb8231a492d6a8024\r\nx-proxy-cache: MISS, MISS, MISS\r\nx-proxy-cache-info: d302 NC:000000 UP:SKIP_CACHE_NO_CACHE, d302 NC:000000 UP:SKIP_CACHE_NO_CACHE, d302 NC:000000 UP:SKIP_CACHE_NO_CACHE\r\nalt-svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000, h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000\r\nage: 0\r\nvia: 1.1 google\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-11T22:03:05.977395Z","times_seen":15027444,"resource_available":true,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}