Tags

Scanning for vulnerable CGI scripts

Reconnaissance probe targeting Cisco ASA firewall and VPN infrastructure. Indicates scanning for Cisco ASA devices, typically preceding exploitation attempts.

CVE-2024-20253 Cisco Unified Communications Manager RCE

HTTP request targeting Citrix ADC or Citrix Gateway (formerly NetScaler ADC/Gateway) specific URL paths, indicating deliberate reconnaissance or scanning for Citrix remote access infrastructure.

Content management system discovery and enumeration

Scanning for exposed configuration files

Active exploitation of the cPanel and WHM pre-authentication bypass vulnerability, targeting the WHM admin interface and cPanel session authentication endpoints.

Reconnaissance probe targeting cPanel and WHM web hosting control panel infrastructure. Detected via cPanel-specific HTTP paths and connections to native cPanel and WHM management ports.

Scanning for database admin interfaces (phpMyAdmin, etc.)

Path traversal attack attempting to access restricted files

Probing for enterprise software (Confluence, Jenkins, etc.)

Probing Microsoft Exchange for ProxyShell/ProxyLogon vulnerabilities

Attempting to upload potentially malicious files

Probing FortiGate/FortiOS SSL VPN and admin interfaces, including path traversal exploit attempts

Probing Palo Alto GlobalProtect VPN login endpoints

Default credential stuffing attempt on telnet

CVE-2026-1281/CVE-2026-1340 Ivanti Endpoint Manager Mobile pre-auth RCE via Bash arithmetic expansion in /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ endpoints

Scanning for exposed Model Context Protocol (MCP) and Server-Sent Events (SSE) endpoints

Mirai-specific IoT default credentials detected in telnet payload

Mirai-style port 23/2323 dual scanning pattern detected

Path traversal via encoded sequences

Scanning for exposed PHPUnit eval-stdin.php endpoint allowing arbitrary PHP code execution

Scanning 5+ ports on target host

Remote Desktop Protocol (RDP) connection attempt detected on port 3389

Redis service connection attempt detected on port 6379 (commonly associated with scanning, brute force, or exploitation attempts)

Attempting router firmware exploits (Netgear, D-Link, etc.)

Active exploitation of SharePoint vulnerabilities

SharePoint toolshell exploitation attempt

Scanning for SharePoint web shells

SIP VoIP registration scanning on port 5060

Host submitted an SMTP AUTH command to a honeypot mail server. Consistent with open-relay scouting or opportunistic credential submission.

Host made repeated SMTP AUTH attempts within a short window, strongly indicative of credential spraying against a mail server.

Probing for SolarWinds Orion endpoints

SQL injection attack detected in request

Multiple SSH authentication attempts detected

SSH connection attempt detected on port 22 or 2222

Multiple telnet authentication attempts detected

Telnet connection attempt on port 23 or 2323

Exploiting ThinkPHP framework invokefunction endpoint for remote code execution

TLS/SSL connection fingerprinting detected via Suricata

Exploiting URI parsing vulnerabilities

VNC remote desktop login attempt on port 5900/5901

Attempting OS command injection via web parameters

HTTP web crawling activity detected on web honeypots

Scanning for web shells (WSO, c99, r57, etc.)

Generic web application vulnerability exploit

WordPress authentication bypass attempt