Détails IP 35.189.180.191

Synthèse exécutive

Profil de menace

Score de risque 67/100 Élevé

Première observation 04/06/2026 14:40 UTC

Dernière observation 04/06/2026 14:40 UTC

Événements (période) 302

MITRE ATT&CK principal —

risque 67/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

web_attack

Comparaison ASN / FAI

ASN 396982 · 35.189.160.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 302 événements sur la période pour cette IP.

162.216.149.133 Sonde port 18/06/2026 07:18 UTC
205.210.31.44 Scanner web 18/06/2026 07:18 UTC
205.210.31.163 Scanner web 18/06/2026 07:17 UTC
35.203.210.41 Scanner web 18/06/2026 07:14 UTC
162.216.149.54 Scanner web 18/06/2026 07:13 UTC
147.185.132.13 Sonde port 18/06/2026 07:13 UTC
162.216.150.99 Scanner web 18/06/2026 07:13 UTC
35.203.211.140 Scanner web 18/06/2026 07:11 UTC

Événements (filtres)

302

Première observation

04/06/2026 14:40 UTC

Dernière observation

04/06/2026 14:40 UTC

Dernière activité (filtres)

04/06/2026 14:40 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 151 TLS TCP 151

HTTP

151

TLS

151

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8091 web_attack

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /wp/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (K

Port / service

8091

Recommandation

Investiguer

Confiance

100%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

302 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

302 événement(s) — page 2/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /data/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /data/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /data/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "637ce5322bb77a61de6800d960f9df95080fd8e7", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "e54cfac955f5c42596d11eab4b07481d7b35d55b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.402794569639906, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "db917263c86066afa8d63d3ebbfdd49093415e4e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d14870c6fbb2acb77d15af60a1d43119", "payload_hash": "4adb62377598226ab32dd74e51f008dd", "path_pattern_hash": "24a4726ce7edb9d3428cf8684d193cc9" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like", "event_signature": "efd01c7c62cb801811bf2d7c7fd65eb06788de87", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /uploads/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /uploads/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:31.0) Gecko/20100101 Firefox/31.0 SeaMonkey/2.28 Règles WAF 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /uploads/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:31.0) Gecko/20100101 Firefox/31.0 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e2366cd6340fdaabe73d8948c21341db33fcabe3", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "ce47452b1fa5a36e3e2ab6ad357d27ce11d38e66", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.3084003391024615, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "4f88260dc97b98e5cd209259d581204d5c1e629e", "event_fingerprint": "8e68de5db9473f4e1524f397e264c01400ffd34e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "36d11d9201a94a72d10ce27241e60eb7", "payload_hash": "38a40ca07e53bdbc4b106459f11bd06f", "path_pattern_hash": "12e1063037a0428b03f9617844274d0a" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:31.0) Gecko\/20100101 Firefox\/31.0", "event_signature": "c8ea1aab6296a97bbb6c6508ae19f9df38c59fe7", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_uploads", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /deploy/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /deploy/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.2; es-US ) AppleWebKit/540.0 (KHTML like Gecko) Version/6.0 Safari/8900.00 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /deploy/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.2; es-US ) AppleWebKit/540.0 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e36fbfcddf8f569925ca81cd99bda5386bdf8d8f", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "88f51b1ca7bef99bb6c035fd80f97ade7f3602a8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.3559864674778845, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "e3d5a1cfa9677063b27e7e5750519dfe5638a554", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fee7623d41e5f35678e67384320fdd32", "payload_hash": "579710a642062761030e7a9cc8320569", "path_pattern_hash": "cf92621b9e3f2982786aa63fff3e305e" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.2; es-US ) AppleWebKit\/540.0", "event_signature": "87908fcb70b1ea67e92db3a8614a9ca649803f12", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /var/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /var/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /var/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (K Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "db6deb7ef6a82c1e4be54ac4070c6ce34533a2c9", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "7f1fb2a1c5b72e520b988cd8c8a970a6662732b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.4112067152499135, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "ccdab33d8f011763b14a81988546053c473d995a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "69569121d784b2495a4e49f811f9eceb", "payload_hash": "fd84014abd6debf113a29db8221548e0", "path_pattern_hash": "0d0f9087dce4407a1a8d5052b0a9d1bf" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (K", "event_signature": "8b9f8d9b0bb07e46a3ebfaebe8e43a16313a0225", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /cms/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /cms/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, l Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "101f08546915744f849da0d5b99ff8b8f9b8dcb5", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "83c0a8815eca606b22325f7ae33170918a4904ee", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.432307038229214, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "c4be2bcf02fedbe6e25e58c62168fff52163c302", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "189c5262cf21079a4cb04660fe26305d", "payload_hash": "7c3c466f92ae42ace14ba66b77f37987", "path_pattern_hash": "202848a338e2a8411edbe9c852ffc90f" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "event_signature": "e9d2de2e985121d179570400c597d3aea55bbbdf", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dist/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /dist/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /dist/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "cbad830bdd4b822ffdddb6c2dac7856143406481", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "81857e1267b33a1f581fba5ddd161461d38f8919", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.360604170294796, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "69442ecf562a691ad295e46c860975dccb1c7586", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6563296a7f163a1c1c3d95555ed88fa7", "payload_hash": "e08ee86ddfd42e6b1aa0ed2c59e31632", "path_pattern_hash": "66871996c0444a7924edba6da98b9137" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 ", "event_signature": "2c20fc460999a419fafdc3598dd35772e09b53c4", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /tmp/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /tmp/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko/16.0 Firefox/16.0 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /tmp/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko/16.0 Firefox/ Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "23a822de2ed816c92112ae57dc0233cb940b3215", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "606cb8ac14dde0b6a700154242812cc24d72a39a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 201, "payload_entropy": 5.301442755218296, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "1609fbcbe21948acbfd25aabc38433a40413fe6b", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b5ce20ec335f9cec50b5780e9e056899", "payload_hash": "e605582f6b1c7e3380d2397e9e7750b1", "path_pattern_hash": "4238aa7c586fdde889d3bc23ec72292d" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/", "event_signature": "bf40864d29bd3d013463a4b01381d969eef3190c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dashboard/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /dashboard/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Opera/9.5 (Microsoft Windows; PPC; Opera Mobi; U) SonyEricssonX1i/R2AA Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Opera/9.5 (Microsoft Windows; PPC; Opera Mobi; U) SonyEricssonX Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "243160be25b22eeb27d7478ba8d8c6fbaafd8d90", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "a0df23adcbc250d22f3ea9c43cd45132cd7d119e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 244, "payload_entropy": 5.346867800972617, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e665deec589772a6565198dd656f09edddbade8b", "event_fingerprint": "e371ea83b59da8ade0af163186ff3be238ee1a4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1495b521513e65a405f51b3495f0cf0d", "payload_hash": "da0713022c6bc14dd89fdecbabd7d155", "path_pattern_hash": "90b830636acb1be7da7ed46e94f3bb1d" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Opera\/9.5 (Microsoft Windows; PPC; Opera Mobi; U) SonyEricssonX", "event_signature": "cca0d474eafa1f103816c5ba4217cfc87b7ee0f0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_traefik", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /build/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /build/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; FreeBSD amd64; rv:5.0) Gecko/20100101 Firefox/5.0 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /build/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:5.0) Gecko/20100101 Firefox/5.0 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "1d3a0a57d93be5633b39297ba32708143d80fa01", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "2d5b68c8e6ed1e8f4f16e52e678eb8949566126b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.348826354341041, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "7bbe390be4bafd5e656900d90b689658c1eb30de", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c779fbb0724eaa856a50d61d61a6568d", "payload_hash": "3b8586c86dac379b4cc881fbf59f4873", "path_pattern_hash": "9c0720be539cb7af2988746580f75126" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:5.0) Gecko\/20100101 Firefox\/5.0", "event_signature": "569840349c239f7646e02d7ace9f3dbf54d1d201", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /conf/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /conf/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /conf/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 ( Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "cbb9db1397a33f72cf3f1187f904981b18d81e8c", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "70dc78a46c5fc5ec9a60262c10608bb7fd4c1db2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.421596777067779, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "5eeee7118aab26dc344ba3b2fa108acd088684fc", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c816f7e85e19cb6888eb2725fc09077c", "payload_hash": "6143d33938b41a4af1e82a21e1106a1d", "path_pattern_hash": "f6629ed9025fbf6cf9edb98b9f1072f5" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/conf\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (", "event_signature": "88df6454918e388da2b18bd9dd75c385b93838d5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /config/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /config/.env.production Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /config/.env.production HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trid Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "63de3922903cd2b9b24b1d2bd23e4deb1b136a2e", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "b18d8885bb1938ef9b65748771cc7ca2b2b01916", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.269200493868905, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "40f1aa7cd298e9773a4dea293135e869d11843a4", "event_fingerprint": "2209b26e3be2a4e376405419cc338852f1c85243", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b2a4aaa6e64a823983ffd070c36d1dd5", "payload_hash": "07dde65727f8fa973c225577a02403ef", "path_pattern_hash": "13dc0331670030f34544b2533e91efac" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trid", "event_signature": "ca3b5c3a45ea5ce825fb9a9a2fb17dc10bb4fac1", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /admin/.env.backup Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /admin/.env.backup HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "36404e511934c3f5718d43e8b9255f671c846247", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "32e03e003a51f542f710beeac8e15f008c3f65ad", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.4096880290804865, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "2d79c4a70efc90c77d9b224ddf961b1c01e5e907", "event_fingerprint": "718fc34f8eb5a8e68125350afc5a92e2263fb148", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63744a9cc5fb43be066e30c7cf32e296", "payload_hash": "6cebbfb2a3ac8ba5cf1767a297c15b98", "path_pattern_hash": "9967aebe85bc5150552d43732fce77c0" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537", "event_signature": "a2bd2a9fa79d6f8b87af97cdf0add01ecfe8d412", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /admin/.env.local Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /admin/.env.local HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 F Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "7d2313fa392f5eb512ba0a5a936b92daaa251e8b", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "5104f09772fa402efdc8eb0bc2114ecf6407730d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.3153258236705385, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "2d79c4a70efc90c77d9b224ddf961b1c01e5e907", "event_fingerprint": "8f3622915d5ad180686d849d07af10fdb424c62c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bcb4de9272c041662c2a554016ffd8f1", "payload_hash": "015f3f229573874faf77f89d1032e8bc", "path_pattern_hash": "8b44c48d7af23ff178b0954ed1a8265f" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/admin\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko\/20100101 F", "event_signature": "e98a010fc5b70d0d06343e38a2779ab5455b6a17", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /config/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /config/.env.local Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /config/.env.local HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "75dd158f63f3555441991f55a9b8d3d0ceeddfa2", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "8315d690f50358ceea64bc0cb23314dd9bf855ed", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.410507057599803, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "40f1aa7cd298e9773a4dea293135e869d11843a4", "event_fingerprint": "7ffa62f25554ae95a16ab1a86b9d2815dbac03d2", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c87ecf9ccfd16ff01ad71bb7f657f9c3", "payload_hash": "ef386f233da068d65b90194b1873c639", "path_pattern_hash": "826e0f7bf5d8c36c7953b7184edfe839" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 ", "event_signature": "a3dcd5136dc302a04954ec25fdb420cdf442bf20", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /laravel/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /laravel/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1; A1601) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /laravel/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 5.1; A1601) AppleWebKit/537.36 (KHTML Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "81acb39d44f0a266ab1ef577349890d507edb650", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "8a8ae205bd806a11f7ace50730b7c0a8ef76120d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.3788861408977295, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "f7ec0d548d70622d8444661cc2f20b2af7339b6e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1779dfe6f34faf53f6e1200f3da51e00", "payload_hash": "fc54fa7aef9b91a25e01419720168d23", "path_pattern_hash": "792fa580b048927b1e082634fc8cda9c" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; A1601) AppleWebKit\/537.36 (KHTML", "event_signature": "3e28375f0c73fba433d6b518fd5111565adaea3d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /apps/backend/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G955N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /apps/backend/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G955N) AppleWebKit/537.36 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "42279852616bde4c39316e27c86a00c91c9902db", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "5342af8e96c105cf859dad12eed2c40aaf87d35d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.427918901163415, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "345fd3070e653ca4c1ec574167cd9195bc28a70c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "32ca84273c82fd13be4969f771622016", "payload_hash": "5fccd769bfcd9de8370ba9c2abdba42f", "path_pattern_hash": "cfddbf55f677ac93c8dcc5d08054758b" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 ", "event_signature": "279066cee96a17ee9a7475f4fa4a9065a54fb734", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /apps/api/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit/537.36 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "36404e511934c3f5718d43e8b9255f671c846247", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "e63b41d5687406ee7f40926b7271357b1c46aaae", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.391302312503641, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "a3dfc882ebddb5d957bbe5e97276b01987e765f5", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63744a9cc5fb43be066e30c7cf32e296", "payload_hash": "b287719f6249f084c04000bb765923bc", "path_pattern_hash": "ab70800db05dbfe0190629bc711f2fa2" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-G610M) AppleWebKit\/537.36 ", "event_signature": "8e9f4cba14bfc36e68314964048998453caad83d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /apps/frontend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /apps/frontend/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "d4213e87f50f2b1ff1f423219d60cd9df84a9cee", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "ba0ce57a366071a1ca1afd15a1a01a04ccdd2335", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.399607251025148, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "7246cab7e227a5716bebd142506efd56d9eb195e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f8e440f448c37585e3d439a7ebcaf6f8", "payload_hash": "5b505f0189221292c2ea367810025659", "path_pattern_hash": "a541762358ad3d2463e9e9180528a6a3" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 ", "event_signature": "462cfe757e99ffa46af83f5c722ac5721ebff7ba", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /html/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /html/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /html/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e596f3886a524289afe7da407c4c19cb47348c57", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "d88de32bc9acf1646f12af79ae4f4e612885da98", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.320644709348824, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "8f1abccaadae79af50b4d4ee8fc2eca7e8989a79", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dec4fdf6408be2ff275246ae930c1855", "payload_hash": "1c852ce87cb85baabe474e2495f583d2", "path_pattern_hash": "b731774ad9ccb17484242cab8412851e" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0", "event_signature": "19166c56e27e10587c2de9f827443ec80f5e3c7a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /services/api/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/ Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "4050306420e2698e2dd7e01c617c996a9b5b0977", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "450e32f1680bf647be59805b14bbd52061e00349", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.331740627753292, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "c742a502170c35bc20a79c1984f8b2456dbba99a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "13223214f7be11be3ab8315e5093d630", "payload_hash": "d197a29e1e64f54ca3e6aa9df80b6b1c", "path_pattern_hash": "9a476469205a3b7d9994ebc8d35d13e6" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "event_signature": "3c7decedfcb633f6d0985930f94f165efaced436", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /release/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /release/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit/537.36 (K Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ed26700070f0f27f684508a71a75284a6d67645b", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "3f4c975c51cd1d3df84592564ed06afe4e782992", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.402633347543512, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "cd9e40edf2cd0c2ec7ccaac37cc34b609da04b19", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aa61063fb8b0e3e40baeeaf7a97694d2", "payload_hash": "0a186e41616f5b27f229ce9ed4950420", "path_pattern_hash": "93883cb09f4769a367badfafc907183e" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (K", "event_signature": "97b2afd65ad4ed32fdee3c501f96a932939b9064", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /htdocs/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /htdocs/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /htdocs/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (K Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "504bf1882c89291b3d00121e743980a500faaa94", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "8f48488caec0125a8a05acdcda0c91818dd79982", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.384872414453724, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "2958179b8502bdd541e6b373b246884434cb1f2a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e1bef62fbfaeba10d3d5412ad8263b9a", "payload_hash": "9dd836241da57cfaa3a78ce0707342ec", "path_pattern_hash": "43bb577a72550f9d83432629be23ae6a" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit\/536.26 (K", "event_signature": "2489ea5ba4505e9650f7423a1d2ca548fc07bd6d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /web/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /web/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.35 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (K Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "b391fa6e23a5c73e10a7a338dc08f01a7b3d1fc4", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "47bcdedb3b954688023f733564a003e944c34a32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.435644619982287, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "ca179a4b53d1833e6225dd789b42f1980eb59a2b", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8eac95891b44c1956c0135520836521d", "payload_hash": "c6fe8fd6ed176525f04779991bb99fb6", "path_pattern_hash": "d80a28198e7c3b2ce080248f274b9024" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (K", "event_signature": "c6dded2e829701a90264c3e8338e16a054d6041e", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /storage/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /storage/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/80.0.180 Chrome/74.0.3729.180 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, li Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4cdd8a798554dcb7cb32c818cfdd182cc385b07d", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "b8ca2ea5c794124cded93c100b20da74277adc4e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.433430274209542, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "729684348a37b2fb2a71ee11476ca428a9e93be6", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "69b2af8496cfc7ed3b44a7a36f501409", "payload_hash": "31de11f46ac094cc025dec4a68ea7414", "path_pattern_hash": "450e48008d46f59e9e14143fd8de05b2" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "event_signature": "6bf94d8462e7e584c82966c8958e5af53c4169aa", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 34 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /services/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /services/backend/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN Règles WAF 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "e2f56bb65e99af009a0ca981d5565ee1d59860cc", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "bff52174bd71304ed2bfcd7637238e2def0caff3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 311, "payload_entropy": 5.474835756128031, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "885378e2155a1975efce45dbab7a331f2d78b139", "event_fingerprint": "27383232c057b7e2b6ea52c14a1afa364957b887", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c0cd4eafac05e8c072eadef852bfe438", "payload_hash": "f5a5e60f58d7417624ea92474d14fa52", "path_pattern_hash": "5b9b007f982aa0909ed1fcbe7f087982" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A", "event_signature": "cfd8002a685d9647392a3d39980904a706a8e880", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /wordpress/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /wordpress/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3889.0 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /wordpress/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ceed78b3e9a2ebecf46ba3f2ec390372101a00dc", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "b10966d4f4636bfb328d13cc5ad3eaa190ac10f4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.432522154200139, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "c92c23f522c6c726b388c60f329affb6a5dcacc9", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "50e034175d47a2434211d53de9fcb34e", "payload_hash": "91d11c0f68cfa6700bb5119cac5d8836", "path_pattern_hash": "887cb9244069f23f855e833cc59330df" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "event_signature": "4243c80ee37c8ef2dbf18c4260ca317c3cc1e4dd", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /services/.env.production Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120422 Firefox/12.0 SeaMonkey/2.9 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "62972c4b6e969173d3b40d9b26809dd2c43da40b", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "7ad14949ad0b183b675db2d36d2d5b72ec09f204", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.326871175905393, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "c2bdb747b7b3c526d7923c35d4fac0d711dd3d62", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "21ac16a59755f501be526ca408ba127f", "payload_hash": "96ef8f2d4948f54d58ca4309f3e960f7", "path_pattern_hash": "211e3ccc5c91dea183ab66efa73c6a45" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko\/20", "event_signature": "982823a3a41bec68d8c7eee2bed3452f2c8cf5f8", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /public/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /public/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia5700/3.27; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /public/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia5700/3.27; Profil Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d0e307a99d7004360e9ba55b70f79a5660f52eca", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "bc9ca66c038b10c68f8dffc886361c52fc1ac680", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.48365136060599, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "feeddc73170764cccd305e75d7a81656a104c6e1", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5bd7f4227a02eaa7afee25a96a9efdac", "payload_hash": "34735a98d2a94e24eb629693a6fb97f1", "path_pattern_hash": "6cf746da949d58c839550a31197db646" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia5700\/3.27; Profil", "event_signature": "a4912acf11cc59d09c7d34277200924c19540e16", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /portal/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /portal/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; POT-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; POT-LX1) AppleWebKit/537.36 (KHTML, Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "e6623f48c6205681e2990174a89fc08c5e628133", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "25e9d50bacd292841afcec6b93bcba6a1f6790d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.4329253917119065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "3961b5e75b81ab09b845c05831e128cb8993f16b", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9806245c10ff8d721773296f1ac813d6", "payload_hash": "b8fde612463671c5394384b2769a2e85", "path_pattern_hash": "8432e822d78216a6822b5a443dbf894c" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POT-LX1) AppleWebKit\/537.36 (KHTML,", "event_signature": "851ba32699d24f2ec973eb21dc34049abb9ca9aa", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /temp/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /temp/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/8.0.57838 Mobile/12H321 Safari/600.1.4 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/ Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "5dada22dca7c6f14c97a1a0e2ab97f746d9f239e", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "a617862b9702a5eb0473c44d9afaf4e0da55a075", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.404250531263647, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "5d719784823e300e0aa53dc208e50b798e4a95e4", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4435cdbf790e0e1db69f3b7306b4ff9b", "payload_hash": "f1f999a9a28199937d5ec0dc2bc363cd", "path_pattern_hash": "75ee17153df3d0dbe793fbb0bd486a6b" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/", "event_signature": "394006b387bd2485ef30c120e00a281a9d57dec1", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /docker/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /docker/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /docker/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "358c4581d5122600c44b1b8c923addb54b77329b", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "9af4b895c55b82b27b0181f549c7f29671f851e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.406660439610739, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "9495d511c95bce26b409893cc13f02c33d128d5e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d867f2d8821d8db13c85e66d9e1f65a9", "payload_hash": "7160cf39a817f9c9a1ab9ee55c0b66ca", "path_pattern_hash": "d8c5fc01c634b7a145b1071dcf26d56b" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/534.7 ", "event_signature": "c0d818664986b6bea6e5540e028423ad204c78ed", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /services/auth/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /services/auth/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /services/auth/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "3ccd4eed62472b12534dd91a4e4a3b0ab7d03350", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "09b20d19aa313f464eacd68829b3fab12fccb496", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.452809429264221, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "ba9f310120cfc4c67059efb362cfc61d27cf2ca4", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e0380f369210706b00a6b0e3ede6f7d9", "payload_hash": "9cce6c9344d8aac799f9371979862c2e", "path_pattern_hash": "465b6d455db6ce12c0bb2d49f4cfba7e" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/services\/auth\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, ", "event_signature": "2b82259ecc2f2e85349ffb58babee05c06baf83f", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 33 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /symfony/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /symfony/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; YandexNews/4.0; +http://yandex.com/bots) Règles WAF 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /symfony/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (compatible; YandexNews/4.0; +http://yandex.com/bots) Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "0a0bcefa87413ca5dc0d5c25734336832c15bdf2", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "581b418411856b2c342ec9927095e7782e5723ff", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.3036029619360825, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "3c49364c2af9e372555b34262679719e5f644b7a", "event_fingerprint": "855e052e6053e7f5afa775e7ca50f50ae4b9fe97", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5921f6b1c7926384d75f8f881a2569ee", "payload_hash": "08ea6b19d895fcce05a72d7b6e94f1e8", "path_pattern_hash": "76c104a7314c285b1e250aee04e5396e" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexNews\/4.0; +http:\/\/yandex.com\/bots)", "event_signature": "bdbd7d235bcbafc1fdc9af4622064c5d14032f67", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 49 Recommandation Investiguer Tags 950310:lfi-12 950318:lfi-14 950326:rce-0 950406:ssrf-3 Cible HTTP GET /packages/api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /packages/api/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Gaisbot/3.0 (robot@gais.cs.ccu.edu.tw; http://gais.cs.ccu.edu.tw/robot.php) Règles WAF 950310:lfi-12 950318:lfi-14 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Gaisbot/3.0 (robot@gais.cs.ccu.edu.tw; http://gais.cs.ccu.ed Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "e303cafa16cffb83fe9920e4b803b7bfce58cd74", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "fd8fe30f25c6601a86628e4b53931f0feb977f1a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 212, "payload_entropy": 5.08384750084713, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 9, "anomaly_count": 0, "campaign_key": "533278a017eaae240ea40841667e6b297cc45948", "event_fingerprint": "dab8186691cdc8d53cd2129f99b877809708ea6a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "715818dd0b717f3460b481c0fc9c521d", "payload_hash": "c7b42dbb9eb6985a6801f3a8b3df0064", "path_pattern_hash": "226ad246bf9a22935f1389885ad08c73" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Gaisbot\/3.0 (robot@gais.cs.ccu.edu.tw; http:\/\/gais.cs.ccu.ed", "event_signature": "107d6aecb316fb1b75cbe7cbf9682986788b0095", "ban_policy": "advisory_investigate", "tags_list": [ "950310:lfi-12", "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /admin/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /admin/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Opera/9.80 (Android; Opera Mini/9.0.1829/66.318; U; en) Presto/2.12.423 Version/12.16 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /admin/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Opera/9.80 (Android; Opera Mini/9.0.1829/66.318; U; en) Presto/2.12 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "c1a65ffe09e19b59fe43ff5ca381298a005fa782", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "9bae73d08848be44521e9c4d49360c6e081f0fff", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 215, "payload_entropy": 5.191557351811118, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "2d79c4a70efc90c77d9b224ddf961b1c01e5e907", "event_fingerprint": "f6afd5eeea111cf98e13e9d8aa60170d85a58fee", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "644cb8d3c2c973d5d5f039d26478e1c2", "payload_hash": "7f244dad6056b8a3ce5868f6089803dd", "path_pattern_hash": "36de7f489df887c3e31f5a951469f711" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/9.0.1829\/66.318; U; en) Presto\/2.12", "event_signature": "4b08193aa2cf7eb56e2315d9b5d6568803efdae5", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/backend/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /api/backend/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "ea4fa585ac15d157c47f34ea7de09f788feba735", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "e525470447161ee4034567dbf14d4d4a54f52f46", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.451662897318519, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "195947f1d652578a55503d333c24f8206ab33695", "event_fingerprint": "b3a548f1edc78e12e9a277f013863ddba60bb6bf", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d82cefaf22eda39f47cd4260363c44b1", "payload_hash": "611f74595111573a8b2e40653c983e79", "path_pattern_hash": "ad852d1414999713ac2638aba79c8ff5" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "event_signature": "1860cfc6fda7a0bf701b3ad0833b6de3e634cf59", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /wp/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /wp/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1 Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /wp/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (K Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "41d49640cf6562d0508fdde1291f64abe488d24f", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "ac9f3e6c6c68e068721388888a9710fa61a49772", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.424127807861813, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "6a950e06c7477730f26b0c07c3ad479c3d26d9f3", "event_fingerprint": "8e8b70e94e66e82115d59eb10b9dc633f2a55d34", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f389b8ac4b7dccb1a8cfb683ebf4eeca", "payload_hash": "dd7873585cda8c8b9b3ed5a6f5e8117b", "path_pattern_hash": "0151780c15d45702ae9dc50e582e8700" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (K", "event_signature": "0252d10e587a3301e5e75210d1a1c359f2214808", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_wordpress", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /api/.env.dev Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Iceweasel/19.0.2 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.dev HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/1 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "6f8a4be2f5bfa02780d26b61c52f43530f67a2c4", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "df0da649347f6e8b30ebfd6075798e279a79356e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.306368863274826, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 8, "anomaly_count": 0, "campaign_key": "195947f1d652578a55503d333c24f8206ab33695", "event_fingerprint": "cdcdaa99a3d37f01a2bcce38a8a08b7b98b30deb", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2f6531aee1ed2c00884d9774367987d3", "payload_hash": "bf574135bf206c3bd5d3b6a07fb69784", "path_pattern_hash": "a65c42973e65ed0c7793c8c71a0195da" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:19.0) Gecko\/20100101 Firefox\/1", "event_signature": "ed1a0321ded237e0986da3d487e152c32ecc183a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 28 Recommandation Investiguer Tags 950318:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /development/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /development/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent NokiaN70-1/5.0609.2.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0 Règles WAF 950318:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: NokiaN70-1/5.0609.2.0.1 Series60/2.8 Profile/MIDP-2.0 Configu Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "26ccbd7e7dedfd9062c5f31cbb3975e851746e4b", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "368a782b06d2e3f08e91fcad6aa099df587b3caa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 231, "payload_entropy": 5.239984913478619, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "af879cafb834d63511f4c0db64ae5a5b6da59055", "event_fingerprint": "8f54979ec71e664ad185124054d2666b4892d9dc", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "76bf3224f1bf6605bfa8e88c71a7419f", "payload_hash": "c417d99d161a7fb8c4ca5c908132ddf8", "path_pattern_hash": "5ac5643a22156fcbe040fcd2350884e7" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: NokiaN70-1\/5.0609.2.0.1 Series60\/2.8 Profile\/MIDP-2.0 Configu", "event_signature": "42ad8ba2d105e407541ac7c501fad5cea4694555", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dev/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /dev/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "c28869da8a5580e045c507ea0936555e21c1862e", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "95dbd9173b5580a94a3583c1e8d31bee303be7a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.4447675654198235, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "42c42091e4c8c94f80914907807614f396bc0733", "event_fingerprint": "a630778bbc8653cdf9672c42bf438accde5a1465", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d3273569706da18414462fd254b8f13b", "payload_hash": "3e05f4d6c6253cd3d3b4c3c21eaf9928", "path_pattern_hash": "5776ea19ec2f88a0568ff0bc7de6e909" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "event_signature": "b177bf5be2c722a0e96a9fb928610985c5285efb", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_dev", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /v3/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0.112941 Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 ( Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "f25bb0e0284eba994afae54c7a6576d5ef8e0938", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "8c6c0cf35b21182c44d1fbe7c55901c2e77c5cbc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.426347556275971, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6e9c7268073175810e1d974639ded1cb05f4a865", "event_fingerprint": "ac3ee0acd6f6454cdcc2e61c4bda7e97520a52d1", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e2d12ebef65bb43da52dd27e4e4b72ce", "payload_hash": "3cddd39de3cbb289c6a1e332f2a97e7b", "path_pattern_hash": "b9266b5e3818db8e42f016e0af085277" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit\/528.16 (", "event_signature": "10394690792a9fae4fe6c1f583aec2910a45831b", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /prod/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /prod/.env Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/4.0 (compatible; Dillo 3.0) Règles WAF 950326:rce-0 950468:nosqli-3 950514:leak-1 Payload (extrait) GET /prod/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/4.0 (compatible; Dillo 3.0) Accept-Charset: utf-8 Accept-E Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "b0c5734e3267fae307a43bdf236b1c6b09949444", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "7702579be3ca2d14cb80324c6a749f13cc1e6ce1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 164, "payload_entropy": 5.1895510333202415, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ff1c70bed35a1e1fb3c707c6563ba6838d87dbdf", "event_fingerprint": "78401f79bc73a4f0e85761ae38311d3839c62f49", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4617f7493afe33a1fc0e16514d66b372", "payload_hash": "d70d5a5972fa2419c833c1fcea018a26", "path_pattern_hash": "e986d9a8713d4af4d188b7a61ad378ee" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/4.0 (compatible; Dillo 3.0)\r\nAccept-Charset: utf-8\r\nAccept-E", "event_signature": "b58ff525e59f05bc309a7ca590342aa42b74582d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Moyen · 62
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 20 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950514:leak-1 http_probe_test Cible HTTP GET /test/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /test/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Règles WAF 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /test/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configu Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "5eb0afc57bd11aa7abf9efc5e8e450b72f4e5475", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "8197cec9b1d84f19de1c5b10c28917030b9542e4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 230, "payload_entropy": 5.262858640543462, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 88, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 88, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "1427c0b1ff04dec42d4af4c68d3c71cbac5642a8", "event_fingerprint": "8b54250aef51f8b499fe8f3c70694db9b91ee8c1", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "955f0c754fbeaecfd26cdcc94f2dc21c", "payload_hash": "d51f382020e6fcebc2837d96d599b1bf", "path_pattern_hash": "a0f6f48aed881c23044b32112fcbe5cd" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configu", "event_signature": "084c6b3dae005b98f7d936f250e53f9d99c193bd", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_test", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /v2/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix- Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "f9bfbfd652abfd8c3c1cc17a57bf687728c3787c", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "79d69dbab75f7603ce6f8ff1846eda4ce95a3fd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.394360777965519, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6e9c7268073175810e1d974639ded1cb05f4a865", "event_fingerprint": "cddd4a2bb360f5f2b66cf115d2dcc550cf68a882", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c765fd161bc16448694950e44cb872e3", "payload_hash": "855eba43550ff28063673ff85cd455ef", "path_pattern_hash": "ea63ee477c90ac313ab228a937b8deee" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-", "event_signature": "345fe92a38681aef492ae0e68c83c57f476a4eba", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /app/.env.production Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/53 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "c22b811f6079d1008094695c3038cc31be7f2962", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "9f1a3b476954729097b55b44dc605e9187baaeeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.4013747956218126, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "4871537b1838aa6ad55b6517dd5bcb2434c5d938", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4cd92407b05ac14d5924946547680140", "payload_hash": "0cb3b58f6e03752535bece3293e2f4ee", "path_pattern_hash": "129b91fce99c27e6763c24ece35d5295" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/53", "event_signature": "6cc8f0d41df81483667b7827ae22bb2c04d0da30", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /backend/.env.production Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /backend/.env.production HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Tri Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "ed06f2f1b1802b2bf443a12fa33354de95410b0f", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "f5bb9f02b8945472030d827baea0ca721346631c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.28219227433343, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "da8f44a4ed7c62f4b2317eb4291ce344c394670d", "event_fingerprint": "b1adf704405e3f24a0d9d1932aab6fb884fa3456", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "432b20c082f564bb8f0a327579c69c0e", "payload_hash": "67186b1455e06cab275affd3ef3611bf", "path_pattern_hash": "36d1a8d01ff9d9e501d856bd9686d325" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/backend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Tri", "event_signature": "eb52e4e54e5f8bd897d42106904e527194b869e0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:22 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /staging/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /staging/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /staging/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "fc0a9e3ca04ece3ca27a5c3cbfd44d7a6f49a9d4", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "111415a347404bdd37fcf414f912f654289a0484", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.228169993805333, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f82c53bb42eadf3b66e04a79b66031e0e29fe5df", "event_fingerprint": "3300c640077e0a7fdbb4e62a79f2b1b5e2d13742", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "03de02e52a0aca5f23ae174543f7c920", "payload_hash": "0fbe331b3c8d36657dd30142484cc21b", "path_pattern_hash": "65b91a5bf45b2313cae0e22cf01533dc" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko\/20100", "event_signature": "7503b8acb8d7eed298d4cfab07d71dde0b6ed852", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_staging", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��(��!A�q���D��պN�6��.k �K:�\|�1��X%��P�旻��X[��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.874547754779391, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d8763aa3d959936b839c7d888be4124e", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd(\u001c\ufffd\ufffd!A\u000f\ufffdq\ufffd\ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\ufffd\u0000\u057aN\ufffd6\ufffd\u001a\ufffd.k \ufffdK:\ufffd\u0002\|\ufffd1\ufffd\u0018\ufffdX\u000e%\ufffd\ufffdP\ufffd\u65fb\ufffd\ufffd\ufffdX[\u001c\ufffd\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "0ef896f3b826028e1a652a7aeaf3b15e64442598", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��.MYiO��˺�C��4g\|��Sp��º ��P��v(7�&�QВ��G}�t �^ ��j�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8077487384497495, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "73e20565cc2deed5adda0e57faa5c158", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.MYiO\ufffd\u0013\ufffd\u0004\u02fa\ufffdC\u0015\ufffd\ufffd4g\|\ufffd\ufffd\f\ufffdS\u0003p\ufffd\u0002\ufffd\u00ba \ufffd\ufffdP\ufffd\ufffd\ufffdv(7\ufffd&\ufffdQ\u0412\ufffd\ufffd\ufffd\ufffdG}\ufffdt \ufffd^\n\ufffd\ufffdj\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "6aa7d4cba72cb1307f1746e4d6977254ea244789", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��Q̧��N��C��2�jUd��rI�W �q��s�0ؓ��d�4��b�L�=�-�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.837741346904377, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4185f472051564a903929921dd0bcfde", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007Q\u0327\ufffd\ufffdN\u0005\ufffd\u0007\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffd\u00002\ufffdjUd\ufffd\ufffdrI\ufffdW \ufffdq\ufffd\ufffds\ufffd0\u0613\u0004\ufffd\ufffdd\ufffd4\ufffd\ufffd\ufffd\ufffdb\ufffdL\ufffd=\u000e\ufffd\u0016\u0002\u000e-\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "4664f56b7925e1ba3de51236324c5bf6638fde15", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }

35.189.180.191

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence