100PROCENT_IT_KOMMUNIKATION |
https://www.100procent.com/ |
ACTOR_NCSC |
UK National Cyber Security Centre internet scanning. https://www.ncsc.gov.uk/information/ncsc-scanning-information |
ADWARE |
Malware delivered via advertisements |
ADWIND |
Adwind RAT, a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat |
AFP_SCANNER |
AFP (Apple Filing Protocol) Scanner |
AFS_SCANNER |
AFSVersionRequest Scanner |
AMPEREINNOTECH |
Internet wide scanner https://ampereinnotech.com/ |
AMPLIFICATION |
Association with amplification attacks |
AMQP_SCANNER |
Scanning for Advanced Message Queuing Protocol (AMQP) implementations such as RabbitMQ |
ANDROMOUSE_SCANNER |
AndroMouse Scanner - Android Wireless Mouse And Keyboard |
APACHE_AIRFLOW |
Scanning for Apache Airflow |
APACHE_COUCHDB |
Scanning for Apache CouchDB panel |
APACHE_HADOOP |
Scanning for Apache Hadoop Panel |
APACHE_JSERV_SCANNER |
The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server |
APACHE_SOLR |
Scanning for Apache Solr panel |
APPLERD_SCANNER |
Apple Remote Desktop Scanner |
ARUCER_BACKDOOR_SCANNER |
Malware |
ASTERISK_SCANNER |
Scanning for Asterisk/VOIP Technology |
ATLASSIAN_BITBUCKET_SERVER_RCE |
Exploiting Atlassian Bitbucket Server remote code execution vulnerability, CVE-2022-36804 |
ATLASSIAN_JIRA_ISSUE_MANAGEMENT |
Scanning for Atlassian Jira Issue Management Panel |
ATLASSIAN_QUESTIONS_FOR_CONFLUENCE_HARDCODED_PASSWORD |
Scanning for Atlassian Confluence hardcoded password vulnerability (CVE-2022-26138) |
AUTO_GENERATED |
Indicates rules and tags generated by an automated process. |
BACKDOOR |
Scanning for a known backdoor |
BAIDUSPIDER |
http://www.baidu.com/ |
BENIGN |
Known and confirmed actors or actions that we have classified as non-malicious |
BGP_SCANNER |
Scanning for BGP protocol |
BINARYEDGE |
Internet wide scanner https://www.binaryedge.io/ |
BINGBOT |
https://www.bing.com/ |
BITSIGHT |
Internet wide scanner https://www.bitsight.com/ |
BITTORRENT_SCANNER |
Scanning for Bittorrent protocol |
BLUEKEEP_RDPSCAN |
https://github.com/robertdavidgraham/rdpscan |
BLUEKEEP_SCANNER |
Vulnerability affecting RDP protocol (CVE-2019-0708) |
BLUEKEEP_ZEROSUM |
https://github.com/zerosum0x0/CVE-2019-0708 |
BOTNET |
Known botnet traffic |
BUSYBOX_SCANNER |
Scanning for BusyBox |
CASSANDRA_SCANNER |
Scanning for Apache Cassandra |
CENSYS |
Internet wide scanner https://censys.io/ |
CISCO_ASA |
Scanning for Cisco ASA VPN Panel |
CISCO_LINKSYS_SCANNER |
Scanning for vulnerabilities associated with Cisco or Linksys |
CISCO_SMART_INSTALL |
Scanning for Cisco Smart Install |
CITRIX_ADC_GATEWAY |
Scanning for Citrix ADC Gateway Panel |
CITRIX_ADM |
Scanning for Citrix ADM Panel |
CITRIX_SCANNER |
Scanner looking for Citrix instances |
CITRIX_INJECTION |
Citrix NetScaler and CloudBridge devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID or CAKEPHP cookie |
CITRIX_VPN |
Scanning for Citrix VPN Panel |
CITRIX_XENMOBILE_CONSOLE |
Scanning for Citrix Xenmobile Console panel |
COAP_SCANNER |
CoAP GET .well-known/core Scanner |
COCCOC |
Cốc Cốc browser is a freeware web browser focused on the Vietnamese market, developed by Vietnamese company Cốc Cốc and based on Chromium open source code |
CODESYS_SCANNER |
Scanning for Codesys protocol, typically used in SCADA environments |
CONNECTWISE_SCREENCONNECT_AUTH_BYPASS_2024_2 |
Attempting to exploit the authentication bypass vulnerability in ConnectWise ScreenConnect that was publicised February 2024. |
CORBA_SCANNER |
The Common Object Request Broker Architecture is a standard defined by the Object Management Group designed to facilitate the communication of systems that are deployed on diverse platforms |
CRIMINALIP |
Internet wide scanner http://security.criminalip.com/ |
CRLF_INJECTION |
This event is attempting a CRLF injection. |
CROSSMATCH_SERVER |
Crossmatch Biometric server |
CRYPTOCURRENCY_SCANNER |
Scanning for cryptocurrency API or exposed nodes |
CVE-2002-1717 |
Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf. |
CVE-2012-0152 |
The Remote Desktop Protocol service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service via a series of crafted packets |
CVE-2012-0432 |
Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2 |
CVE-2015-4852 |
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic |
CVE-2015-7808 |
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments |
CVE-2015-8562 |
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header |
CVE-2016-2386 |
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. |
CVE-2016-2388 |
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. |
CVE-2017-12615 |
Apache Tomcat 7.0.0 to 7.0.79 has a remote code execution vulnerability |
CVE-2017-12617 |
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. |
CVE-2017-12635 |
Due to differences between the Erlang-based JSON parser and the JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special-case '_admin' role that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour where, if two 'roles' keys are present in the JSON, the second one is used for authorising the document write, but the first 'roles' key is used for subsequent authorization of the newly created user. By design, users cannot assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. |
CVE-2017-16894 |
In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework. |
CVE-2017-17215 |
Huawei HG532 with some customized versions has a remote code execution vulnerability |
CVE-2017-5638 |
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string |
CVE-2017-6316 |
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID. |
CVE-2018-15517 |
The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. |
CVE-2018-2628 |
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. |
CVE-2018-13379 |
Some versions of Fortinet FortiOS allow an unauthenticated attacker to download system files from the SSL VPN web portal via HTTP resource requests |
CVE-2018-15961 |
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. |
CVE-2018-7841 |
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered. |
CVE-2019-0604 |
Microsoft SharePoint Remote Code Execution Vulnerability |
CVE-2019-1003029 |
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. |
CVE-2019-17662 |
ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector. |
CVE-2019-5513 |
Information leaks in VMware Horizon |
CVE-2019-11510 |
File reading vulnerability in Pulse Secure Pulse Connect Secure |
CVE-2019-15107 |
Command injection vulnerability in Webmin through 1.920 |
CVE-2019-19781 |
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal |
CVE-2019-7192 |
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommends updating Photo Station to the latest version. |
CVE-2019-7194 |
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommends updating Photo Station to the latest version. |
CVE-2019-7195 |
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommends updating Photo Station to the latest version. |
CVE-2020-11978 |
A remote code/command injection vulnerability was discovered in Apache Airflow versions 1.10.10 and below. |
CVE-2020-13927 |
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. |
CVE-2020-14882 |
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. |
CVE-2020-5902 |
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. |
CVE-2021-21974 |
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution. |
CVE-2021-22941-EXPLOIT |
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller. |
CVE-2021-22941-RECON |
Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller. |
CVE-2021-22986 |
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. |
CVE-2021-26086 |
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1. |
CVE-2021-39144 |
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host solely by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use. |
CVE-2021-44228 |
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. |
CVE-2021-45046 |
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. |
CVE-2022-1388 |
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. |
CVE-2022-22241 |
An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands. |
CVE-2022-22242 |
A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web. |
CVE-2022-22947 |
In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. |
CVE-2022-22954 |
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. |
CVE-2022-22963 |
Remote code execution in Spring Cloud Function by malicious Spring Expression. |
CVE-2022-22972 |
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. |
CVE-2022-24706 |
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations. |
CVE-2022-27925 |
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. |
CVE-2022-29499 |
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA. |
CVE-2022-31664 |
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'. |
CVE-2022-31674 |
VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure. |
CVE-2022-31675 |
VMware vRealize Operations contains an authentication bypass vulnerability. An unauthenticated malicious actor with network access may be able to create a user with administrative privileges. |
CVE-2022-42122 |
A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title field of a friendly URL. |
CVE-2023-22515 |
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. |
CVE-2023-23752 |
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints. |
CVE-2022-26138 |
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app. |
CVE-2022-26318 |
On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. |
CVE-2022-30525 |
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. |
CVE-2022-31711 |
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication. |
CVE-2022-36804 |
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. |
CVE-2022-39952 |
An external control of file name or path vulnerability in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request. |
CVE-2022-40684 |
Fortinet FortiOS and FortiProxy authentication bypass vulnerability. |
CVE-2023-0669 |
Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2. |
CVE-2023-37474 |
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the .cpr subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit 043e3c7d which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-4966 |
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. |
CVE-2023-20887 |
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution. |
CVE-2023-20198 |
Cisco IOS XE vulnerability in the web UI feature that allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. |
CVE-2023-25157 |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4 or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith and PropertyIsLike misuse, and enable the PostGIS DataStore preparedStatements setting to mitigate the FeatureId misuse. |
CVE-2023-25717 |
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring. |
CVE-2023-27350 |
PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system. |
CVE-2023-27524 |
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. |
CVE-2023-28432 |
MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure. |
CVE-2023-29084 |
Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings. |
CVE-2023-29298 |
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. |
CVE-2023-29300 |
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. |
CVE-2023-34362 |
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this was exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. |
CVE-2023-34723 |
An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, which allows attackers to gain sensitive information via /config/system.conf. |
CVE-2023-35078 |
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available. |
CVE-2023-35708 |
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). |
CVE-2023-36844 |
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain important environment variables. Utilizing a crafted request, an attacker is able to modify certain PHP environment variables, leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S9; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R3-S1; * 22.4 versions prior to 22.4R2-S2, 22.4R3. |
CVE-2023-36845 |
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain important environment variables. Utilizing a crafted request, an attacker is able to modify a certain PHP environment variable, leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2. |
CVE-2023-36846 |
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. |
CVE-2023-36847 |
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. |
CVE-2023-46805 |
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. |
CVE-2024-21887 |
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
CVE-2023-42793 |
In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible |
CVE-2023-49103 |
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure. |
CVE-2024-1708 |
ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. |
CVE-2024-1709 |
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems. |
CVE-2024-27198 |
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible |
CWE-288 |
Authentication Bypass Using an Alternate Path or Channel. A product requires authentication, but the product has an alternate path or channel that does not require authentication. |
CWE-306 |
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
CWE-473 |
A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. |
CWE-502 |
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. |
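The CWE-502 entry above describes the weakness in the abstract. The following is an added example (not code from this tag list or from any product it names) that shows the same weakness and its fix in Python's pickle format: the stream itself names the callable to invoke, so an unchecked loader executes whatever the sender chose, while a loader whose `find_class` is restricted to an allowlist rejects the stream before anything runs. `Record`, `Gadget`, the allowlist and the sample payloads are all constructed for this illustration; the harmless `eval` expression stands in for the `os.system` call a real attacker would embed.

```python
import io
import pickle
from dataclasses import dataclass


@dataclass
class Record:
    """Benign application object the service legitimately exchanges (constructed)."""
    name: str
    count: int


class Gadget:
    """Constructed attacker object for the demo (not taken from any real exploit).

    pickle serialises the tuple returned by __reduce__ as "call this callable
    with these arguments", so the byte stream carries a call to builtins.eval.
    """
    def __reduce__(self):
        return (eval, ("sum(range(10))",))


def unsafe_load(data: bytes):
    """CWE-502: resolves and calls whatever global the stream names, eval included."""
    return pickle.loads(data)


# Allowlist of (module, name) pairs the hardened loader may resolve. Record's
# module is looked up dynamically so this works both as a script and when imported.
ALLOWED_GLOBALS = {
    (Record.__module__, "Record"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global that is not on the allowlist."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    """Hardened loader: same stream format, but sender-chosen callables are rejected."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Returns (result of the unsafe load, safe load of benign data, error for hostile data)."""
    hostile = pickle.dumps(Gadget())
    benign = pickle.dumps(Record("build-42", 7))
    unsafe_result = unsafe_load(hostile)      # eval runs inside the loader
    safe_benign = safe_load(benign)           # benign Record round-trips
    try:
        safe_load(hostile)
        error = None
    except pickle.UnpicklingError as exc:     # eval is not on the allowlist
        error = str(exc)
    return unsafe_result, safe_benign, error


if __name__ == "__main__":
    print(demo())
```

The allowlist is deliberately keyed on (module, name) rather than on a module prefix, because `builtins` itself contains `eval`, `exec` and `getattr`; where the application only needs plain data, a schema-validated JSON document is the simpler fix.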
CYBERGREEN |
The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem |
CYMRU |
http://www.team-cymru.com |
DAHUA_DVR_SCANNER |
Scanning for Dahua DVR devices |
DAHUA_NVR_SCANNER |
Scanning for Dahua NVR devices |
DFIND_SCANNER |
Scanner using ZmEu vulnerability scanner |
DICT_SCANNER |
Scanning for the Dictionary Server Protocol (DICT) |
DIGI_DISCOVERY_SCANNER |
Scanning for Digi Device Discovery |
DIRECTORY_TRAVERSAL |
Scanning for or attempting directory traversal: request paths containing ../ sequences (or their URL-encoded forms) intended to read files outside the web root |
DLINK_SCANNER |
Scanning for DLink vulnerabilities |
DNS_SCANNER |
The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network |
DNS_SD_SCANNER |
Scanning for DNS Service Discovery |
DOMAINTOOLS |
https://www.domaintools.com/ |
DRDA_SCANNER |
DRDA Protocol Scanner |
DRIDEX |
Dridex also known as Bugat and Cridex is a form of malware that specializes in stealing bank credentials |
DRUPAL_SCANNER |
Scanning for Drupal framework vulnerabilities |
DTLS_SCANNER |
Valid DTLS Connections |
DUCKDUCKBOT |
https://duckduckgo.com/ |
DVR_SCANNER |
Scanning for DVR devices |
ECSHOP_SCANNER |
Scanning for eCShop |
ELASTICSEARCH_SCANNER |
Scanning for exposed Elasticsearch databases |
EMAIL_SCANNER |
Scanning for known email protocols |
EMOTET |
The Emotet banking Trojan was first identified by security researchers in 2014 |
ENTTEC_DMX |
Scanning for ENTTEC DMX devices |
EOS_NODE_SCANNER |
Scanning for EOS Blockchain nodes |
EPMD_SCANNER |
Erlang Port Mapper Daemon Scanner |
ETHEREUM_NODE_SCANNER |
Scanning for Ethereum Blockchain nodes |
EXABOT |
Exabot is a web scraper for Exalead https://www.exalead.com |
EXPLOITATION |
Validated exploitation of known vulnerability |
EXPOSURE_MONITORING |
https://www.exposuremonitoring.in/ |
F5_BIG_IP_ICONTROL_REST_BASH |
F5 BIG-IP REST endpoint allows arbitrary bash commands to be executed remotely without authentication |
F5_BIG_IP_ICONTROL_REST_INTERFACE |
F5 BIG-IP REST API authentication endpoint: (IP)/mgmt/shared/authn/login |
FACEBOOKEXTERNALHIT |
https://www.facebook.com/ crawler |
FATPIPE_WARP |
Scanning for FatPipe WARP Login panel |
FINDMALWARE |
http://research.findmalware.org/ |
FINGER_SCANNER |
Scanner for the finger protocol |
FIREBIRD_SCANNER |
Firebird is an open-source SQL relational database management system |
FORTINET_FORTIGATE_SSL_VPN |
Scanning for Fortinet Fortigate SSL VPN panel |
FOX_SCANNER |
Scanner for Tridium Fox scada protocol |
FTP_SCANNER |
Scanner for FTP servers |
GAME_SERVER_STATUS_SCANNER |
Looking for status for freelancer game |
GCP |
Google Cloud Platform |
GENERICLINES |
Normal new line scanner, typically initial probe |
GIT_SCANNER |
Scanner for open git repositories |
GITLAB |
Scanning for GitLab panel |
GITLAB_OMNIAUTH |
Scanning for Gitlab OmniAuth Login panel |
GKRELLM_SCANNER |
GKrellM System Monitor Scanner |
GLPI |
Scanning for GLPI panel |
GOODOR |
Scanner for the goodor backdoor |
GOOGLE |
www.google.com hosted content |
GOOGLEBOT |
https://www.google.com/ crawler |
GOOTKIT |
Trojan.GootKit is a Trojan horse that steals confidential information and also opens a back door and downloads additional files on to the compromised computer |
GOZI |
GOZI is a spyware that monitors network traffic. It also gets login credentials stored in browsers and mail applications |
GPON_ONT_SCANNER |
Scanner for GPON Network terminals |
HADOOP_HDFS_SCANNER |
Scanning for Hadoop HDFS |
HADOOP_YARN_SCANNER |
Scanning for Hadoop Yarn |
HAMLIB_SCANNER |
Hamlib rotctld Scanner |
HISILICON_DVR |
Scanning for a remote code execution vulnerability on HiSilicon DVR devices |
HIVEMANAGER |
Scanning for a HiveManager panel |
HNAP_SCANNER |
Scanning for HNAP routers |
HTTP_CRAWLER |
HTTP Crawler |
HTTP_REFLECTION |
Source of event tried to make one of our sensors access something from 3rd party, potential DDoS |
HTTP_SCANNER |
Scanning for HTTP Services |
HUAWEI_HG532_SCANNER |
Scanning for vulnerabilities associated with the Huawei HG532 Router |
IBM_DB2_SCANNER |
Scanning for IBM DB2 databases |
IBM_MQ_SCANNER |
IBM MQ Scanner |
IBM_NJE_SCANNER |
IBM Network Job Entry Scanner |
IBM_TN3270 |
Scanning for IBM TN3270 terminals |
ICMP_ECHO_REQUEST |
Ping event |
IKE_SCANNER |
Internet Key Exchange protocol scanner |
INFORMIX_SCANNER |
IBM Informix is a product family within IBM's Information Management division that is centered on several relational database management system offerings. |
INTERNET_CENSUS |
Internet wide scanner actor seemingly associated with Bitsight |
INTERNET_TTL |
http://www.internettl.org/ |
INTRINSEC |
https://intrinsecsecurity.com/ |
IPFIRE_EXPLOIT |
Scanning for IPFire router software exploits |
IPIP |
https://en.ipip.net/ |
IPMI_SCANNER |
Scanning for devices using IPMI |
IRC_SCANNER |
Scanning for IRC servers |
IS_ARCHIVER |
The Internet Archive https://archive.org/ |
JABBER_SCANNER |
Scanning for the Jabber protocol |
JANUARY |
January Malware https://bitninja.io/blog/2018/12/28/goodbye-peppa-hello-january?PageSpeed=noscript |
JAVA_SCANNER |
Scanning for Java RMI endpoints |
JBIFROST |
Also called ADWind, the Adwind Remote Access Trojan (RAT) is a popular Java-based backdoor capable of infecting Windows, Linux, Mac OS and Android operating systems |
JBOSS_JMX_MANAGEMENT_CONSOLE |
Scanning for JBoss JMX Management Console Panel |
JBOSS_MALWARE |
Known Malware of JBOSS framework |
JDWP_SCANNER |
Scanning for Java Debug Wire Protocol |
JENKINS_PORTAL |
Scanning for Jenkins Portal |
JENKINS_SCANNER |
Scanning for Jenkins |
JENKINS_SCRIPT_SECURITY_PLUGIN |
Jenkins Script Security Plugin |
JOOMLA_SCANNER |
Scanning for Joomla |
JUNIPER_SCANNER |
Scanning for exposed Juniper network devices |
KERBEROS_SCANNER |
Scanning for Kerberos protocol |
KGUARD_SCANNER |
Scanning for Kguard Cameras |
KUDELSKI-NAGRA |
Internet wide scanner https://www.nagra.com/ |
KUMOFS_SCANNER |
Kumofs is a simple and fast distributed key-value store |
LANDESK_SCANNER |
Scanning for Landesk software |
LDAP_SCANNER |
Scanning for LDAP protocol |
LINUX_BACKDOOR_SCANNER |
Scanning for Linux backdoors |
LINUXSAMPLER_SCANNER |
LinuxSampler Control Protocol Scanner |
LOSEC |
Internet wide scanner lo-sec.online |
LPD_SCANNER |
Line Printer Daemon protocol |
MAIL_RU |
Mail.Ru Group, ООО (commonly referred to as Mail.Ru) is a Russian Internet company |
MALICIOUS |
Known and confirmed malicious actions |
MALIGN |
Known and confirmed malicious actions |
MALWARE |
Known and confirmed malware |
MARBLE_COIN_SCANNER |
Scanning for Marble Coin |
MASSCAN_SCANNER |
Scanner using Masscan |
MEMCACHED_SCANNER |
Scanning for exposed memcached endpoints |
METASPLOIT |
Actor using the Metasploit framework |
MICROSOFT_EXCHANGE |
Scanning for Microsoft Exchange Admin Center panel |
MICROSOFT_SQL_SERVER |
Scanning for exposed Microsoft SQL server |
MIKROTIK_ROUTEROS |
Scanning for a remote shell vulnerability on Mikrotik devices running certain versions of RouterOS |
MINERPOOL |
www.minerpool.net |
MIRAI |
Mirai-family botnet |
MITEL_MIVOICE_CONNECT |
Mitel MiVoice Connect Service Appliance |
MNUBOT |
MnuBot is a banking trojan discovered by IBM X-Force researchers |
MODBUS_SCANNER |
Scanning for the Modbus SCADA protocol |
MONGODB_SCANNER |
Scanning for exposed mongoDB databases |
MQTT_SCANNER |
A lightweight messaging protocol for small sensors and mobile devices |
MSMQ_SCANNER |
Scanning for Microsoft Message Queueing (MSMQ) |
MUMBLE_SCANNER |
Mumble Voice Chat Server Scanner |
NETCRAFT |
Netcraft is an Internet services company based in Bath, Somerset, England. https://www.netcraft.com/ |
NETMOTION_MOBILITY_SCANNER |
NetMotion Mobility VPN Scanner |
NETSYSTEMS |
http://netsystemsresearch.com |
NEUTRINO |
Neutrino malware |
NFS_SCANNER |
NFS version 2 Scanner |
NMAP_SCANNER |
Actor using the NMAP scanner |
NOCTION_IRP |
Scanning for Noction IRP BGP software |
NOMACHINE_SCANNER |
NoMachine Network Server Scanner |
NOMAD_JOBS |
Scanning for Nomad Jobs Panel |
NOVELL_NCP_SCANNER |
Scanning for Novell NetWare Core Protocol |
NTP_SCANNER |
Scanning for NTP servers |
NUCLEI_DEFAULT_CALLBACK |
Default callback domains for Nuclei scans. https://github.com/projectdiscovery/interactsh |
NUUO_NVR_SCANNER |
Scanning for Nuuo CCTV Cameras |
NVMS9000_DVR_SCANNER |
Scanning for NVMS-9000 Digital Video Recorder devices |
ONYPHE |
Internet wide scanner https://www.onyphe.io/ |
OPENPORTSTATS |
Internet wide scanner http://openportstats.com/ |
OPENVPN_SCANNER |
OpenVPN software scanner |
ORACLE_TNS_SCANNER |
Scanning for Oracle Databases exposing the TNS endpoint |
ORACLE_WEBLOGIC |
Scanning for Oracle Weblogic Servers |
ORACLE_WEBLOGIC_UNAUTH_RCE |
Exploiting CVE-2020-14882 |
PALOALTO_NETWORKS_GLOBALPROTECT |
Scanning for Palo Alto Global Protect Panel |
PANEL |
This event is related to a login panel. |
PAN_GLOBALPROTECT_DEFAULT_KEY |
Scanning for Palo Alto Global Protect default master key |
PARALLELS_HTML5 |
Scanning for Parallels HTML5 panel |
PATH_TRAVERSAL_ATTACK |
Attempted path traversal: request paths containing ../ sequences (or their URL-encoded forms) intended to reach files outside the intended directory |
PC_ANYWHERE_SCANNER |
pcAnywhere was a suite of computer programs by Symantec which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host |
PCWORX_SCANNER |
Scanning for PCWorx protocol |
PEPPA |
Peppa malware |
PERVASIVE_SQL_SCANNER |
Pervasive PSQL is an ACID-compliant database management system (DBMS) developed by Pervasive Software |
PHP_FPM |
Scanning for PHP FastCGI Process Manager panels |
PHPMYADMIN |
Scanning for PHPMyAdmin panels |
PLC_SCANNER |
Scanning for Programmable Logic Controllers |
POC |
This event is directly related to a known exploit proof-of-concept. |
POSTGRESQL_SCANNER |
Scanning for PostgreSQL servers |
PRINTER_SCANNER |
Scanning for exposed printers |
PROBETHENET |
Internet wide scanner http://probethenet.com/ |
PROCONOS_SCANNER |
ProConOS SCADA protocol scanner |
PROJECT25499 |
Internet wide scanner http://project25499.com/ |
PROXY_SCANNER |
Scanning for open proxies |
PRTG_TRAFFIC_GRAPHER |
PRTG Traffic Grapher Sensor List |
PUTTY_CLIENT |
SSH Connections using Putty Client |
QNAP_QTS_PHOTO_STATION |
QNAP QTS running Photo Station |
QUADMETRICS |
https://quadmetrics.com/ |
QUAKE_SCANNER |
Scanner for Quake 3 servers |
QUEENS_COLLEGE_UNI_NY |
https://www.qc.cuny.edu Queens College, City University of New York |
QUIC_SCANNER |
Scanning for QUIC protocol |
QWANT |
https://www.qwant.com/ Qwant, the European search engine that respects your privacy |
RABBITMQ_SCANNER |
Scanning for RabbitMQ Protocol |
RADIUS_MANAGER_CONTROL |
Scanning for Radius Manager Control panel |
RADMIN_SCANNER |
Scanning for Radmin software https://www.radmin.com |
RADWARE_SCANNER |
Scanning for Radware software https://www.radware.com/ |
RANSOMWARE |
General ransomware tag, used when we can't classify the family |
RAPID7 |
Internet wide scanner https://www.rapid7.com/ |
RCONFIG_SCANNER |
Scanning for rConfig network management tool |
RDP_SCANNER |
Scanning for the Remote Desktop Protocol (RDP) |
RDS_SCANNER |
Scanning for Microsoft Remote Desktop Services |
REALTEK_MINIIGD_UPNP |
Scanning for Realtek SDK Miniigd UPnP command execution vulnerability |
REDIS_SCANNER |
Scanning for exposed REDIS databases |
RFB_SCANNER |
Scanning for the RFB (VNC) protocol |
RIAK_PBC_SCANNER |
Basho Riak PBC Scanner |
RLOGIN_SCANNER |
Scanning for Rlogin protocol |
ROUTER_SCANNER |
Scanning for exposed routers |
RPC_SCANNER |
Most likely looking for Ethereum Nodes |
RSA_SELF_SERVICE |
Scanning for RSA Self Service panel |
RSYNC_SCANNER |
Scanning for Rsync servers |
RTSP_SCANNER |
Scanning for the Real Time Streaming Protocol (RTSP) |
RUBY |
Actor using a Ruby-based tool |
RWTH_AACHEN_UNIVERSITY |
http://www.rwth-aachen.de RWTH Aachen University or Rheinisch-Westfälische Technische Hochschule Aachen is a research university located in Aachen, North Rhine-Westphalia, Germany |
SAP_NETWEAVER |
This event is related to SAP NetWeaver. |
SAP_SCANNER |
Scanning for SAP Servers |
SCADA_SCANNER |
Scanning for SCADA protocols |
SCANNER_ORACLE_WEBLOGIC |
IP is scanning for Oracle Weblogic. |
SCHNEIDER_ELECTRIC_UMOTION_BUILDER |
Schneider Electric U.motion Builder software |
SERIALNUMBERD |
Scanning for serialnumberd |
SERVICES_HELP |
Services Help Scanner |
SEZNAM |
https://www.seznam.cz/ crawler |
SHADOWSERVER |
https://www.shadowserver.org/wiki/ scanner |
SHAREPOINT_EXPLOIT |
Exploit for Sharepoint |
SHAREPOINT_SCANNER |
Scanning for Sharepoint |
SHODAN |
Internet wide scanner https://www.shodan.io/ |
SIP_SCANNER |
Scanning for SIP/VoIP servers |
SLURP |
Slurp bot for Yahoo |
SMB_SCANNER |
Scanner for SMB Protocol often affiliated with exploitation of Microsoft Windows |
SMTP_SCANNER |
Scanner for SMTP protocol |
SNMP_SCANNER |
Scanner for SNMP protocol |
SOAP_SCANNER |
Scanning for software based on SOAP requests |
SOCKS_SCANNER |
Scanning for SOCKS proxies |
SOGOU |
https://www.sogou.com/ |
SOLARWINDS_ORION_EXPOSED |
Scanning for Solarwinds Orion Network Performance Monitor |
SOLARWINDS_ORION_SCANNER |
Scanner for Solarwinds Orion |
SONARQUBE |
Scanning for SonarQube panel |
SONICWALL_VIRTUAL_OFFICE_PANEL |
Scanning for Sonicwall Virtual Office panel |
SOURCE_ENGINE |
Valve Source Engine - Games |
SPHIDER_ADMIN |
Scanning for Sphider Admin panel |
SPRING_CLOUD_CONNECTOR_EXPLOIT |
Exploit for Spring Cloud Function - see: CVE-2022-22963 |
SQLPING_SCANNER |
Sqlping Scanner |
SQUEEZECENTER_SCANNER |
SqueezeCenter is the media server component of Slim Devices's (now a Logitech company) media playing devices such as Squeezebox |
SSH_SCANNER |
Valid SSH connections |
SSL_SCANNER |
Valid SSL Connections |
STANFORD_UNIVERSITY |
https://www.stanford.edu/ Leland Stanford Junior University is a private research university in Stanford, California |
STRATUM_SCANNER |
Scanning for Stratum software |
STRETCHOID |
http://stretchoid.com/ Stretchoid is a platform that helps identify an organization's online services |
STRUTS_OGNL_SCANNER |
Apache Struts Jakarta Multipart Parser OGNL Injection Scanner |
SYBASE_ASA_DISCOVER |
Scanning for Sybase Anywhere servers on the LAN by sending broadcast discovery messages |
TALAIA |
https://www.talaia.io/ A highly scalable, NetFlow/IPFIX based big-data platform that is designed for network operators taking complex decisions |
TARANTOOL_SCANNER |
Tarantool is an open-source NoSQL database management system and Lua application server |
TCP_SYN |
SYN packet received |
TEAMSPEAK2_SCANNER |
TeamSpeak 2 VoIP communication server |
TECHNOLOGY_3CX_MANAGEMENT_CONSOLE |
This event is related to 3CX Management Console. |
TECHNOLOGY_ADOBE_COLDFUSION |
This event is related to Adobe ColdFusion. |
TECHNOLOGY_ADOBE_EXPERIENCE_MANAGER |
This event is related to Adobe Experience Manager. |
TECHNOLOGY_APACHE_COUCHDB |
This event is related to Apache CouchDB. |
TECHNOLOGY_APACHE_GUACAMOLE |
This event is related to Apache Guacamole. |
TECHNOLOGY_APACHE_SOLR |
This event is related to Apache Solr. |
TECHNOLOGY_APACHE_SUPERSET |
This event is related to Apache Superset. |
TECHNOLOGY_APACHE_TOMCAT |
This event is related to Apache Tomcat. |
TECHNOLOGY_ATLASSIAN_CONFLUENCE_DATA_CENTER |
This event is related to Atlassian Confluence Data Center. |
TECHNOLOGY_ATLASSIAN_CONFLUENCE_SERVER |
This event is related to Atlassian Confluence Server. |
TECHNOLOGY_ATLASSIAN_JIRA |
This event is related to Atlassian Jira. |
TECHNOLOGY_BASIC_B2B |
This event is related to Basic B2b. |
TECHNOLOGY_CISCO_IOS_XE |
This event is related to Cisco IOS XE |
TECHNOLOGY_CITRIX_NETSCALER_ADC |
This event is related to Citrix NetScaler ADC. |
TECHNOLOGY_CITRIX_NETSCALER_GATEWAY |
This event is related to Citrix NetScaler Gateway. |
TECHNOLOGY_CONNECTWISE_R1SOFT |
Scanning for ConnectWise R1Soft Panel |
TECHNOLOGY_CONNECTWISE_SCREENCONNECT |
This event is related to ConnectWise ScreenConnect. |
TECHNOLOGY_CONSUL |
This event is related to Consul. |
TECHNOLOGY_COPYPARTY |
This event is related to Copyparty. |
TECHNOLOGY_DLINK_CENTRAL_WIFIMANAGER |
This event is related to D-Link Central WiFiManager. |
TECHNOLOGY_DLNA |
This event is related to DLNA. |
TECHNOLOGY_DOCKER |
This event is related to Docker. |
TECHNOLOGY_ELASTICSEARCH |
This event is related to Elasticsearch. |
TECHNOLOGY_F5_BIG_IP_TMUI |
This event is related to F5 BIG-IP TMUI. |
TECHNOLOGY_FORTINET_FORTICLIENT_EMS |
This event is related to Fortinet FortiClient EMS. |
TECHNOLOGY_FORTINET_FORTINAC |
This event is related to Fortinet FortiNAC. |
TECHNOLOGY_FORTINET_FORTIOS |
This event is related to Fortinet FortiOS. |
TECHNOLOGY_FORTINET_FORTIPROXY |
This event is related to Fortinet FortiProxy. |
TECHNOLOGY_FORTINET_FORTISWITCHMANAGER |
This event is related to Fortinet FortiSwitchManager. |
TECHNOLOGY_FORTRA_GOANYWHERE_MFT |
This event is related to Fortra GoAnywhere MFT. |
TECHNOLOGY_GEOSERVER |
This event is related to GeoServer. |
TECHNOLOGY_GLPI |
This event is related to GLPI. |
TECHNOLOGY_GRAFANA |
This event is related to Grafana. |
TECHNOLOGY_HTMLAWED |
This event is related to htmLawed. |
TECHNOLOGY_IBM_WEBSPHERE_PORTAL |
This event is related to IBM WebSphere Portal. |
TECHNOLOGY_IVANTI_ENDPOINT_MANAGER_MOBILE |
This event is related to Ivanti Endpoint Manager Mobile (formerly MobileIron Core). |
TECHNOLOGY_IVANTI_CONNECT_SECURE |
This event is related to Ivanti Connect Secure. |
TECHNOLOGY_IVANTI_POLICY_SECURE |
This event is related to Ivanti Policy Secure. |
TECHNOLOGY_IWEB_OFFICE |
This event is related to Iweb Office. |
TECHNOLOGY_JBOSS_JMX_CONSOLE |
This event is related to JBoss JMX Console. |
TECHNOLOGY_JBOSS_MANAGEMENT_CONSOLE |
This event is related to JBoss Management Console. |
TECHNOLOGY_JMX |
This event is related to JMX. |
TECHNOLOGY_JOLOKIA |
This event is related to Jolokia. |
TECHNOLOGY_JOOMLA |
This event is related to Joomla. |
TECHNOLOGY_LARAVEL |
This event is related to Laravel. |
TECHNOLOGY_LETS_ENCRYPT |
This event is related to Let's Encrypt. |
TECHNOLOGY_LIFERAY_PORTAL |
This event is related to Liferay Portal. |
TECHNOLOGY_LUCEE |
This event is related to Lucee. |
TECHNOLOGY_MICROSOFT_IIS |
This event is related to Microsoft IIS. |
TECHNOLOGY_NUXEO |
This event is related to Nuxeo. |
TECHNOLOGY_ORACLE_TALARI_SDWAN |
This event is related to Oracle Talari SD-WAN. |
TECHNOLOGY_ORACLE_WEBLOGIC |
This event is related to Oracle WebLogic. |
TECHNOLOGY_JOOMLA_CMS |
This event is related to Joomla! CMS. |
TECHNOLOGY_JUNIPER_NETWORKS_JUNOS_OS |
This event is related to Juniper Networks Junos OS. |
TECHNOLOGY_JUNIPER_NETWORKS_WEB_DEVICE_MANAGER |
This event is related to Juniper Networks Web Device Manager. |
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2008 |
This event is related to Microsoft Remote Desktop 2008. |
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2012 |
This event is related to Microsoft Remote Desktop 2012. |
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2016 |
This event is related to Microsoft Remote Desktop 2016. |
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2019 |
This event is related to Microsoft Remote Desktop 2019. |
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2022 |
This event is related to Microsoft Remote Desktop 2022. |
TECHNOLOGY_MINIO |
This event is related to MinIO. |
TECHNOLOGY_MOBILEIRON_CORE |
This event is related to MobileIron Core (now Ivanti Endpoint Manager Mobile). |
TECHNOLOGY_MOVEIT_TRANSFER |
This event is related to MOVEit Transfer. |
TECHNOLOGY_MSMQ |
This event is related to Microsoft Message Queuing (MSMQ) |
TECHNOLOGY_OWNCLOUD |
This event is related to ownCloud. |
TECHNOLOGY_PAPERCUT_MF |
This event is related to PaperCut MF |
TECHNOLOGY_PAPERCUT_NG |
This event is related to PaperCut NG |
TECHNOLOGY_PHPMYADMIN |
This event is related to phpMyAdmin. |
TECHNOLOGY_POSTNUKE |
This event is related to PostNuke. |
TECHNOLOGY_PULSE_CONNECT_SECURE |
This event is related to Pulse Connect Secure. |
TECHNOLOGY_RUCKUS_WIRELESS_ADMIN |
This event is related to Ruckus Wireless Admin. |
TECHNOLOGY_SAVVII |
This event is related to Savvii. |
TECHNOLOGY_SSL_PKI_VALIDATION |
This event is related to SSL PKI validation. |
TECHNOLOGY_JETBRAINS_TEAMCITY |
This event is related to TeamCity, a popular Continuous Integration and Continuous Deployment (CI/CD) server from JetBrains. |
TECHNOLOGY_TECHVIEW_LA5570_WIRELESS_GATEWAY |
This event is related to Techview La5570 Wireless Gateway. |
TECHNOLOGY_THINKPHP |
This event is related to ThinkPHP. |
TECHNOLOGY_THINVNC |
This event is related to ThinVNC. |
TECHNOLOGY_UPNP |
This event is related to UPnP. |
TECHNOLOGY_VMWARE_ARIA_OPERATIONS |
This event is related to VMware Aria Operations. |
TECHNOLOGY_VMWARE_ESXI |
This event is related to VMware ESXi. |
TECHNOLOGY_VMWARE_HORIZON |
This event is related to VMware Horizon. |
TECHNOLOGY_VMWARE_NSX_MANAGER |
This event is related to VMware NSX Manager. |
TECHNOLOGY_VMWARE_SPRING_CLOUD_GATEWAY |
This event is related to VMware Spring Cloud Gateway. |
TECHNOLOGY_VMWARE_VREALIZE_LOG_INSIGHT |
This event is related to VMware vRealize Log Insight. |
TECHNOLOGY_VMWARE_VREALIZE_NETWORK_INSIGHT |
This event is related to VMware vRealize Network Insight. |
TECHNOLOGY_WEBADMIN |
This event is related to Webadmin. |
TECHNOLOGY_WEBUPLOADER |
This event is related to Webuploader. |
TECHNOLOGY_WORDPRESS |
This event is related to WordPress. |
TECHNOLOGY_XCHAIN |
This event is related to Xchain. |
TECHNOLOGY_XSTREAM |
This event is related to XStream. |
TECHNOLOGY_ZENTAO |
This event is related to ZenTao. |
TECHNOLOGY_ZK_SPRINGBOOT |
This event is related to ZK Spring Boot. |
TECHNOLOGY_ZOHO_MANAGE_ENGINE_ADMANAGER_PLUS |
This event is related to Zoho ManageEngine ADManager Plus. |
TFTP_SCANNER |
Scanner for TFTP servers |
THINK_PHP |
Exploitation of ThinkPHP vulnerability |
THINKCMF_SCANNER |
ThinkCMF RCE |
TOFSEE |
Backdoor.Tofsee is capable of making changes to the settings on affected systems and stealing information from them. Once executed, it is capable of tracking users online activities, opening affected systems for infiltration to steal personal information and credentials, and changing browser and DNS settings |
TOR |
Tor node |
TOR_SCANNER |
Scanning for the Tor Protocol |
TORRENTLOCKER |
TorrentLocker is a ransomware trojan targeting Microsoft Windows. TorrentLocker scans the system for programs and files, and conceals the contents through AES encryption leaving ransom instructions to the victim on what has to be done, and how to pay the decryption ransom |
TREND_MICRO_OFFICESCAN_SCANNER |
Trendmicro endpoint protection |
TRICKBOT |
Trickbot Malware |
TROJAN |
A trojan horse or trojan is a type of malware that is often disguised as legitimate software |
TROLDESH |
Ransom.Troldesh is a Trojan horse that encrypts files on the compromised computer and asks the user to pay in order to decrypt them. It may also download potentially malicious files |
UBIQUITI_SCANNER |
Scanning for Ubiquiti devices |
UNIFI_SCANNER |
Scanning for Ubiquiti devices - UNIFI family |
UNIVERSITY_BERKELEY |
https://www.berkeley.edu/ The University of California, Berkeley is a public research university in Berkeley, California |
UNIVERSITY_BROWN |
https://www.brown.edu/ Brown University is a private Ivy League research university in Providence, Rhode Island |
UNIVERSITY_MICHIGAN |
https://umich.edu/ The University of Michigan, often simply referred to as Michigan, is a public research university in Ann Arbor, Michigan |
UPNP_SCANNER |
Scanner for UPNP protocol |
VBULLETIN_SCANNER |
Scanner for vBulletin software |
VMWARE_HORIZON |
Scanning for VMware Horizon panel |
VMWARE_IDENTITY_MANAGER |
This event is related to VMware Identity Manager. |
VMWARE_SITE_RECOVERY_MANAGER |
VMware Site Recovery Manager landing page |
VMWARE_SPRING_CLOUD_GATEWAY_INJECTION |
VMware Spring Cloud Gateway allows arbitrary remote code execution when the Gateway Actuator endpoint is enabled, exposed and unsecured |
VMWARE_VREALIZE_AUTOMATION |
This event is related to VMware vRealize Automation. |
VMWARE_VREALIZE_LOG_INSIGHT |
VMware vRealize Log Insight |
VMWARE_VREALIZE_OPERATIONS_MANAGER |
VMware vRealize Operations Manager |
VMWARE_WORKSPACE_ONE |
VMware Workspace ONE authentication endpoint: /catalog-portal/ui/oauth/verify |
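Several tags in this list are defined by a fixed request path: F5_BIG_IP_ICONTROL_REST_INTERFACE by /mgmt/shared/authn/login and VMWARE_WORKSPACE_ONE by /catalog-portal/ui/oauth/verify, while DIRECTORY_TRAVERSAL and PATH_TRAVERSAL_ATTACK are defined by ../ sequences in the path. The following is an added example, not the tag feed's own classification logic, of how a sensor can apply such rules to web server log lines: it parses combined-format lines, URL-decodes the path (repeatedly, so that double-encoded %252e%252e is caught), and returns the matching tag names. The log lines, the regex and the rule table are constructed for this illustration; only the two endpoint paths come from the entries above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real sensor data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 52 "-" "python-requests/2.31"
203.0.113.6 - - [10/Mar/2024:10:00:02 +0000] "GET /catalog-portal/ui/oauth/verify HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /images/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.8 - - [10/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rule table: tag name and a predicate over the normalised request path.
# The two endpoint paths are the ones given in the tag descriptions above;
# the traversal predicate is this example's own assumption.
RULES = [
    ("F5_BIG_IP_ICONTROL_REST_INTERFACE", lambda p: p == "/mgmt/shared/authn/login"),
    ("VMWARE_WORKSPACE_ONE", lambda p: p == "/catalog-portal/ui/oauth/verify"),
    ("DIRECTORY_TRAVERSAL", lambda p: "../" in p or "..\\" in p),
]


def normalize_path(target: str) -> str:
    """Strip the query string and URL-decode until the path stops changing (bounded)."""
    path = target.split("?", 1)[0]
    prev = None
    for _ in range(3):           # enough for double/triple encoding, no unbounded loop
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def tag_line(line: str):
    """Parse one log line and return its tags, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    tags = [name for name, pred in RULES if pred(path)]
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status")), "tags": tags}


def tag_log(text: str):
    """Tag every parseable line of a log; unparseable lines are skipped."""
    return [row for row in (tag_line(l) for l in text.splitlines()) if row]


if __name__ == "__main__":
    for row in tag_log(SAMPLE_LOG):
        print(row["ip"], row["path"], row["tags"])
```

Matching on the decoded path rather than the raw request line is what makes the traversal rule survive encoding tricks; the exact-match endpoint rules are intentionally strict, since a prefix match on /mgmt/ would also fire on ordinary management traffic.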
VMWARE_WORKSPACE_ONE_UEM_AIRWATCH |
Scanning for VMware Workspace ONE Unified Endpoint Management (UEM) AirWatch panel |
VNC_SCANNER |
Scanner for the VNC Protocol |
VOIP_SCANNER |
Scanning for the Voice Over IP protocol. |
VTIGERCRM_SCANNER |
Scanner for the Vtiger CRM |
VULN_CCTV_DVR_RCE |
This indicates an attack attempt to exploit a Remote Code Execution vulnerability in Multiple CCTV DVR products. The vulnerability is due to insufficient sanitization of user supplied inputs in the application. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application, via a crafted request. https://www.fortiguard.com/encyclopedia/ips/43360 |
VXWORKS_DOS |
VxWorks vulnerability that can cause a Denial of Service |
VXWORKS_SCANNER |
Scanning for VxWorks systems |
WATCHGUARD_EXPLOIT |
A vulnerability in WatchGuard Firebox and XTM appliances, classified as critical. |
WEBLOGIC_SCANNER |
Weblogic Scanner - Java Deserialization |
WEBMIN |
Scanning for Webmin |
WMSREQUEST_SCANNER |
Web Map Service request |
WORDPRESS_SCANNER |
Scanning for Wordpress |
WSDISCOVERY_SCANNER |
Scanning for Web Services Dynamic Discovery protocol |
WWWOFFLE_SCANNER |
WWWOFFLE is a proxy server and web caching software |
X11_SCANNER |
Scanning for the X11 protocol |
XMLRPC_JAVA_DESERIALIZATION_EXPLOIT |
Exploitation of XMLRPC Java Deserialization, nonspecific service or application |
YANDEXBOT |
https://yandex.com/ |
ZEND_JAVA_BRIDGE_SCANNER |
Zend Java Bridge Scanner |
ZENNOLAB_SCANNER |
Scanning for Zennolab tools |
ZGRAB_SCANNER |
Scanner using zgrab software - https://github.com/zmap/zgrab2 |
ZIMBRA_COLLABORATION |
Zimbra Collaboration aka ZCS |
ZMAP_SCANNER |
Scanner using zmap software - https://github.com/zmap/zmap |
ZMEU_SCANNER |
Scanner using ZmEu vulnerability scanner |
ZTE_F460_SCANNER |
Scanning for ZTE F460 Routers |
ZTE_F660_SCANNER |
Scanning for ZTE F660 Routers |
ZYXEL_CGI |
Scanning for ZyXEL Common Gateway Interface (CGI) endpoints |