Détails IP 35.189.180.191

Synthèse exécutive

Profil de menace

Score de risque 67/100 Élevé

Première observation 04/06/2026 14:40 UTC

Dernière observation 04/06/2026 14:40 UTC

Événements (période) 302

MITRE ATT&CK principal —

risque 67/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

web_attack

Comparaison ASN / FAI

ASN 396982 · 35.189.176.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 302 événements sur la période pour cette IP.

147.185.132.112 Sonde TLS 19/06/2026 00:18 UTC
205.210.31.89 Sonde WinRM 19/06/2026 00:18 UTC
205.210.31.95 Scanner web 19/06/2026 00:17 UTC
147.185.133.88 Sonde PostgreSQL 19/06/2026 00:17 UTC
147.185.133.129 Scanner web 19/06/2026 00:17 UTC
35.203.210.115 Scanner web 19/06/2026 00:16 UTC
198.235.24.143 Sonde SAP ICM HTTP 19/06/2026 00:15 UTC
147.185.132.169 Scanner web 19/06/2026 00:13 UTC

Événements (filtres)

302

Première observation

04/06/2026 14:40 UTC

Dernière observation

04/06/2026 14:40 UTC

Dernière activité (filtres)

04/06/2026 14:40 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 151 HTTP TCP 151

TLS

151

HTTP

151

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8091 web_attack

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /wp/.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (K

Port / service

8091

Recommandation

Investiguer

Confiance

100%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

302 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

302 événement(s) — page 4/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��\n��q��%�`��g(��u٫�=�\|�� ig{T�%@ϗ��H�م��E��{��b&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.829001282947381, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "472d04ed8cff6725b6256d391fa23355", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\n\ufffd\ufffdq\u0002\ufffd\ufffd\ufffd%\ufffd`\ufffd\ufffdg(\ufffd\u0004\ufffdu\u066b\ufffd=\ufffd\|\ufffd\ufffd \u000fig{T\ufffd%@\u03d7\ufffd\u0000\ufffd\u0011\ufffd\u0014\ufffdH\ufffd\u0645\ufffd\ufffdE\ufffd\ufffd{\ufffd\ufffd\ufffdb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "5f127ddecc464e279c0b17fe662888d970aa2a5e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��J +j�b\|��'G?��P��;-�� gr��N�DG{F1�G=�2j[{��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.86714306781292, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d26dce2aef07c7ba1f3c3a6684f165c9", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdJ\r+j\ufffdb\|\ufffd\ufffd\ufffd\u001a'G?\ufffd\ufffd\ufffd\u0010P\u0011\ufffd\ufffd\ufffd;-\u0004\ufffd\u0006\ufffd\ufffd \ufffdgr\ufffd\ufffd\ufffd\ufffdN\ufffdDG{F\u001e1\ufffdG=\ufffd2\u0019j\u001b[{\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "f3bcde2b9ef2f0c261a834d1848c3516def3787b", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��7��PPx��g�x��j��y��!��:�� u'��K�>��m4�S0��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.843244206246515, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4eafebc1b6e603d5f5eb31f34f2eb287", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037\ufffd\ufffdPPx\ufffd\ufffdg\ufffd\u001bx\ufffd\ufffd\ufffdj\ufffd\u0014\u0010\ufffdy\ufffd\ufffd!\ufffd\ufffd:\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdu'\ufffd\ufffdK\ufffd\u001a>\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0013\ufffd\u0014\u0018m4\u001a\ufffdS0\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "22e539594d0e02ea1b4c5469600f1b5590d0af8a", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��QH:��k:H��4D��5X��'�S ��o`S��L��T��z"<D�7��Oޔr&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8396350323229615, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "02f78bf6f0d374c569cbede465573383", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003QH:\ufffd\u0016\ufffdk:H\ufffd\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u00144D\ufffd\ufffd\ufffd\u001e5X\ufffd\ufffd'\ufffdS \ufffd\ufffd\ufffdo`S\u0017\u0014\ufffd\ufffdL\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffdz\"<D\ufffd7\ufffd\ufffd\ufffdO\u0794r\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "0093ca66bf016816f81af9ce783b694d37075e1a", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��9oV��3��H�k��rQ�gkU�c�1�A� ��,0A5_��\�^��:��kP�'KO&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.807658538182684, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "38319d6d680babd38a445386637d0274", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u00049o\u001aV\ufffd\ufffd3\ufffd\ufffdH\ufffdk\ufffd\ufffdrQ\ufffdgkU\ufffdc\ufffd1\ufffdA\ufffd \u000e \ufffd\ufffd\u0004,0A5_\ufffd\ufffd\ufffd\\\ufffd^\ufffd\ufffd\ufffd\ufffd:\u0005\u0017\ufffd\ufffd\ufffdkP\ufffd'KO\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "c7352f2a932e4a157a40e91021d5f03682311c2b", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��g��7��$Zs��o� ��#��V�(� Up`7" �`ʹ�ɒ��/�@o��gP&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.84009096464508, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4950cf984d061aff921098fbc832e0cb", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd7\u0017\ufffd\ufffd\u0014$Zs\ufffd\ufffdo\ufffd\t\u0011\ufffd\ufffd#\ufffd\ufffdV\ufffd(\ufffd \bUp`7\"\t\ufffd`\u02b9\ufffd\u0252\u0016\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd@o\ufffd\ufffdgP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "97061c48c860d5d87630efc740856ff84f236fda", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��,�8tj�4" -.j�-�x��1 U�~�%� ��t�&,��y-��+�7��,�׷&�m�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.789282432542359, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "8e7e8f8d2fa0117cf05a195aefeb724f", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd8tj\ufffd4\b\"\u0017\t-\b.j\ufffd-\ufffdx\ufffd\ufffd1 U\ufffd~\ufffd%\u0012\ufffd\u0016 \ufffd\ufffd\ufffdt\ufffd&,\ufffd\ufffdy\b-\ufffd\ufffd\ufffd+\ufffd7\u0016\u001f\ufffd\ufffd,\ufffd\u05f7&\ufffdm\ufffd\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "1668c8b99a0f18e77e02fae89c1b48ef7ca6aa9c", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��b�F�i��Ԋ��\��b��.k�RH� R��@5}�v��x&"wYCZ��u�]�/��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8347579012048065, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "997a1b1e83f4394b2be6bb31d4fb317a", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\ufffd\u0005\u0018b\b\ufffdF\ufffd\u0017i\ufffd\ufffd\u050a\ufffd\ufffd\\\ufffd\u0005\ufffdb\ufffd\ufffd\ufffd.k\ufffdRH\ufffd R\u0005\u001a\u000f\ufffd\ufffd@5}\ufffdv\u001a\ufffd\u0017\ufffdx&\u001f\"wYCZ\ufffd\ufffdu\ufffd]\ufffd\/\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "055db0bcaf1b267eb3897032143c4f78e4cb682d", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��w&4��hn�w_�F.9ӬF�Y�"�Hs� �� '��>HV��:��q�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.708755634445346, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "937e2d8bf95620f1272325c44e3241ec", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdw&4\ufffd\ufffd\ufffdhn\ufffdw_\ufffd\u0016F.9\u04ecF\ufffdY\ufffd\b\"\ufffd\u0015Hs\ufffd \u0001\u0005\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffd>HV\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffd\u0012\ufffd\ufffd\ufffdq\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "b78f5c50ffbea3bb26f992cd8e5b97a1e0238e2f", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��F��{�im}�!&�Q�6z �67n��o� �%~�s�-�N�&M��ua�+��ԛԭD-�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.823801322579126, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "9484e9bf243df5122f6ed98273135698", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0004\ufffdF\ufffd\ufffd{\ufffdim}\ufffd!&\ufffdQ\ufffd6\u0007z \ufffd67\u0006n\ufffd\ufffd\ufffd\u000eo\ufffd\u001c \ufffd%~\ufffds\ufffd-\ufffdN\ufffd&M\ufffd\ufffd\ufffd\u000e\ufffd\ufffdua\ufffd+\ufffd\u000b\ufffd\u051b\u052dD-\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "f80262351e4a59fb0e0d949bf14b68d6dc6ce052", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��k�$��fpɒ�LI��D�_P��E�� !b�m� BI5� n�Q��6�G�Uz�yp]D�ɱ&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.83345756575882, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "dbf62cee0b4e166c22867fa498502663", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\ufffd$\u0017\ufffd\ufffd\ufffdfp\u000e\u0252\u0014\ufffd\u0018L\u0000I\ufffd\ufffdD\ufffd\u000e_P\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd !b\ufffdm\ufffd\f BI5\ufffd\nn\ufffdQ\ufffd\ufffd6\ufffdG\ufffdUz\ufffdyp]D\ufffd\u0271\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "0b4501ac5638c09ce6896ececd862ba1c3416cf7", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��l��.��M��.��o>~�tk�� l0�6��\�b��o��bڀ� }�^ǖ��V&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.817019631216379, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7181d6ad7bc5a247f8b1db54945abd92", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003l\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0015\ufffd.\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd.\ufffd\u0005\ufffdo>~\ufffd\u0003tk\u0005\ufffd\ufffd l0\ufffd6\ufffd\ufffd\\\ufffdb\ufffd\ufffd\u000f\ufffdo\ufffd\ufffdb\u0004\u0680\ufffd\t}\ufffd^\u01d6\ufffd\u000b\ufffdV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "1079e7484cac2578e0bbd9878e525bc077b2bfae", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��i�1K�M��8+�� jJc�1Y��@�� oӣ��?�r�I@�z�Y��y�kJ-$�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.789729882857882, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ad676d408a11ea00e929bcd95c543770", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd1K\ufffdM\ufffd\ufffd\ufffd8+\ufffd\ufffd\tj\u0018Jc\ufffd1Y\ufffd\ufffd\ufffd@\u001c\u0003\ufffd\ufffd \f\ufffd\ufffdo\u04e3\ufffd\ufffd\ufffd?\ufffdr\ufffdI@\u0013\ufffdz\ufffdY\ufffd\ufffdy\ufffd\u0011kJ-$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "5cae703c71eb0ab8ebaed6b8f5ecea5357284f9e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��ڗ��x�w�F�8dvX>��ZS=U�m'�C-�� ?��Rjp/�~ZQ��F��v��&��T��M^�U&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.931480558953645, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "db50a40f3549f032386934157a0510f2", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0697\ufffd\ufffd\u0002x\ufffdw\ufffdF\ufffd8dvX>\ufffd\ufffd\ufffdZS=U\ufffdm'\ufffdC-\ufffd\ufffd ?\ufffd\ufffdRjp\/\ufffd~ZQ\ufffd\ufffdF\ufffd\ufffd\ufffdv\ufffd\ufffd&\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffdM^\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "72798ed121fab669ef7c7778a3d8f3bacc657dc8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��j[��~m�S�rh��~�9Oچ�=�ig� �r�,�OMh#6]��peA$ރh� {<��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.873563767992362, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6cd96e41f6fd0929974e1d8699e5d904", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003j\u0004[\ufffd\ufffd\u001f\u001a~m\ufffd\u0004S\u0010\ufffdrh\ufffd\ufffd\ufffd~\ufffd\u001c9O\u0686\ufffd=\ufffdig\ufffd \ufffdr\ufffd,\ufffdOMh\u000b#6]\ufffd\ufffd\ufffdp\u001aeA$\u0783h\ufffd {<\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "0711131f5725158205824da92e4a6b0325e00ae8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��^�@jv�})��ş�߆��E�L��=�� V ��[�d\|�W��]��ʕ[��#a��p&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7569170036992166, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d3c43ed2904a67aa07f24e8e8f56cdcc", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003^\ufffd@jv\ufffd})\ufffd\ufffd\u015f\ufffd\u07c6\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffdL\ufffd\u0013\ufffd=\ufffd\u0011\ufffd \u001fV\r\ufffd\ufffd\ufffd\ufffd\ufffd[\u0003\ufffdd\|\ufffdW\ufffd\ufffd]\ufffd\u0007\ufffd\u0295[\ufffd\ufffd#a\ufffd\ufffdp\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "8a4ce07ecec9a62e14e2a1cdb85b1b369cad304b", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��=��y+"A`ݨ�bާ�S�£�[�D X�H�㶈��W0x��1�-�[�0�V��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.909680648518512, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4d69ecac0dc5cc0e3254d9df091b30c1", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003=\ufffd\u001f\b\ufffd\ufffdy+\"A\uf3d9`\u0768\ufffd\u001bb\u0015\u07a7\ufffdS\u0006\ufffd\u00a3\ufffd[\ufffdD X\u0004\ufffdH\ufffd\u3d88\ufffd\ufffdW0x\ufffd\ufffd\ufffd1\ufffd-\u001d\ufffd[\ufffd0\ufffdV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "2ea432492e3c5b2107bc5ec3ce2edc26e8953ae3", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��lB;x��V��Z �5�ƌ�ޟס;� }8e\|S�[E~2xq��_ ��P�i��d&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.821937423106851, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "2691ed3196613a6fee04f31398344591", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u001a\ufffdlB;x\ufffd\ufffdV\ufffd\ufffd\ufffdZ \ufffd5\ufffd\u018c\u0006\ufffd\u079f\u05e1;\ufffd\u0006\u0019 }8e\|S\ufffd\u000f[E~2xq\ufffd\u0017\ufffd\ufffd_\t\ufffd\ufffd\u001d\ufffdP\ufffdi\ufffd\ufffd\u001b\ufffd\u0011d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "a5f00645f3cffd1c446a50d272fe13b17071143f", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��>�d��ņ#K9�7W��F9G�/��v�% !%�ȍNuE��Y�p�ϴ-�uL&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.93762252976687, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bd580daf32f3ac8145ff5072913cb810", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd>\ufffdd\ufffd\ufffd\ufffd\ufffd\u0146#K9\ufffd\u00057W\ufffd\ufffdF9\u001cG\ufffd\/\ufffd\ufffd\ufffdv\ufffd% !%\ufffd\u020d\u001cNuE\f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY\u000e\ufffdp\ufffd\u03f4-\ufffduL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "c25f81dca9d69b23c9cd4712a09b763720e3705c", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��Ʃv��<̟�.0��ȑ�+H��B�8�H`a >n��d� �� . �i��2y�[-�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7823654065730725, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "647c00ae3ae6db20baa975cf318c3b13", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\u01a9v\ufffd\ufffd<\u031f\ufffd.\u00050\ufffd\ufffd\u0211\ufffd+H\ufffd\ufffd\u0001\ufffdB\ufffd8\ufffdH`a >n\ufffd\ufffd\ufffd\ufffd\u001fd\ufffd \ufffd\ufffd \ufffd\u001a.\r\ufffd\u0015i\ufffd\ufffd\ufffd\u00062y\ufffd[-\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "1d799607233e8f4e6dc61be79aac8e4ec17a6d5a", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��!��$��u�b��nXa�0�O��n�� _�e�1��o��}���vv��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.832199281448258, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7e8d84cfd58df5bfb87f5efcc7b9b8c1", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!\ufffd\u0006\ufffd$\ufffd\ufffd\ufffd\ufffdu\ufffdb\ufffd\ufffd\ufffd\ufffd\u0003n\u0017Xa\ufffd0\ufffdO\ufffd\ufffd\ufffdn\ufffd\ufffd \ufffd\ufffd\u0003_\ufffde\ufffd1\ufffd\ufffdo\ufffd\f\ufffd}\u0007\ufffd\ufffd\u0001\ufffd\u0088\ufffdvv\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "f2be73cc6b9a47fc3f666d8a99382a6d9cb76f1e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	tls	Sonde TLS	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��Y�ܪ�;n_(��m��a�K�ˢ~� ��ة��.fÊ�X��,I�S&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.873165117934597, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65", "event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c13055de01eba8dcd0366fd7e3b15329", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8091, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdY\u0010\u0002\ufffd\u072a\ufffd;n_(\u0006\ufffd\ufffdm\ufffd\ufffd\ufffd\u001c\ufffda\ufffdK\u0000\ufffd\u02e2\u0011~\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\u000e\ufffd\u001d\ufffd\ufffd\u001f\u0629\ufffd\ufffd.f\u00ca\ufffdX\u000e\ufffd\ufffd\ufffd,I\ufffdS\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "b2da216416a0702b41714fc13304dacf64630ae8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.prod Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Android 4.2; rv:19.0) Gecko/20121129 Firefox/19.0 Acce Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "prod", "http_ua_hash": "03837aa9b3b44541ce804f6147bda6a239d85e1f", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "dbae5bda5d181ccfbfc6b75e40a8edbe5f27e87d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.221138322049381, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "4b9856329b8fd043f28bf335a314ebf7b7c909d7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "05d9eb0ee0ebe2c4ff803a86f4624e06", "payload_hash": "426f1e0373fbbb3c4eaa771f44d165c8", "path_pattern_hash": "d6acfe32219429bb20e7ee2ee79adb21" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Android 4.2; rv:19.0) Gecko\/20121129 Firefox\/19.0\r\nAcce", "event_signature": "15e04c810b6ec276ca972bf66ad20a6f84f05fcf", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
04/06/2026 14:40:21 UTC	TCP	8091	http	Sonde HTTP	Élevée	Faible · 29
Étape Sonde / probe MITRE TA0007 TA0001 WAF 8 Recommandation Surveiller Tags 950514:leak-1 http_probe_env_local http_sensitive_path Cible HTTP GET /.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.local Confiance classification 74% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent WDG_Validator/1.6.2 Règles WAF 950514:leak-1 Payload (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: WDG_Validator/1.6.2 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "d9e4118625366d32e46baa9fa9f06d4ca05f4e4d", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "1bd3d14a0dcd500ff7a77dd7b961ff8960851334", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 149, "payload_entropy": 5.144997984948825, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 40, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 40, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 29, "tag_count": 3, "anomaly_count": 0, "campaign_key": "66a1ea594f1478ecb6ef9a47809d4c0a9f7128fb", "event_fingerprint": "4e72a302eaa8732676c2200413ae2cb47e3ba478", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7b51e3fad151c31042c711a544a26d12", "payload_hash": "c7b1cba3772e83bc053bd3ed78ba8da9", "path_pattern_hash": "b9c24fc1b97f40588adfd0796c248786" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: WDG_Validator\/1.6.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "event_signature": "06d618c81f8802d84348c18da08c15e19c7c29fe", "ban_policy": "advisory_monitor", "tags_list": [ "950514:leak-1", "http_probe_env_local", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_probe_env Cible HTTP GET /.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "e4861f8679e5155f9842a79480d4310270e3f871", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "9ee0d3f55b39072ba6bec6203d26e470be80afdc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.416884796543453, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6e441ec407748758855c484f52aa104f0aa9fcc2", "event_fingerprint": "e5fa5523516c54493c48a7a00caf1e4ccecb5896", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a6d38f375f05245fc45ae61302800d5", "payload_hash": "3ac19a942ef0f071050ba6789eecb138", "path_pattern_hash": "aef81e7735de8f42b73e111497498c8b" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like ", "event_signature": "74b1377259c360c19d1dffb5f038e794f03291f0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 61
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 20 Recommandation Investiguer Tags 950406:ssrf-3 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.production Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent msnbot/0.11 ( http://search.msn.com/msnbot.htm) Règles WAF 950406:ssrf-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: msnbot/0.11 ( http://search.msn.com/msnbot.htm) Accept-Charse Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "production", "http_ua_hash": "89dd5d41d3d9d67804fa452fc26e0d1854f91e2f", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "9b39fa6529cda07275007291b337879405a04c62", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 182, "payload_entropy": 5.046566374731163, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 88, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 88, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 61, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3876efc891d742ee6dcbf74172d5b437cf6758f4", "event_fingerprint": "573d69b953c64e444855446bb5715b0380ad4b4f", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8f1e26574192b3d2adfdd413095e2a21", "payload_hash": "2d12892edc62c7379a70e8f6b593c553", "path_pattern_hash": "a397c8c79032c8a19624fdccf1ae5680" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charse", "event_signature": "2ebb4ad4cf10886e68e4a08062c9dbd1da6d76fc", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.prod.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.prod.bak Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.82 Safari/537.36 OPR/29.0.1795.41 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Payload (extrait) GET /.env.prod.bak HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537. Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "c4bf57bd739bb02823fb036b11f2278a0396fb9a", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "e79ede117a02a11b4e7051104a60cdf42ee84dde", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.460602801083272, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "670f5a885f2c3aa910a5f1683c4e5da9953040a5", "event_fingerprint": "a3c0999096826241c327c4f183050b47fcd76dff", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2a54b417612f59356c0ee2623b71e6a7", "payload_hash": "a5c22d8a46cbdd5bcfc156e14313a0e8", "path_pattern_hash": "b6f3643e7f32a1b4084c7ae038946cd0" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.", "event_signature": "5c0ffd50074cd04394d91dcfd4fcc28ce4ea5c68", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.backup Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "fdaa4c1e1de66370701fdf4860e77b1c763f15b4", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "0cdfae489c44fe084f54d0d07b1f18ad12bec86e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.434573567042935, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "df30bf9496c68ef91f53f04e7669c37f4134606a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c3bbdc96b5aa6b0b36251a9ea5cdb741", "payload_hash": "527c365ae94ade0aa37c3854cc7c96ed", "path_pattern_hash": "46237bd90c824ac71e080a2ce5957ff9" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36", "event_signature": "f11f8bd81c4aa8ac0dead3fd500eda7ab4fde65d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Élevé · 67
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.old Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3786.0 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, l Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "daa2b923a678ca2f41e25c1c11b3147a54eb1b4e", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "5c6d2af3e13d17105c8f5fb6187fb5c332303b42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.413773118504439, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5a5ee2facd91662665c3c6eb9f7ff2892413a82a", "event_fingerprint": "9015e186000d7dc85a97cb19acb53877aeb40eb4", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "287939626b5425ec6f733377b9e9ebc3", "payload_hash": "f4a243c172cac8bf4702721caab2ad39", "path_pattern_hash": "3807eb1255fb0315f3ffbb94c31e25e0" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "event_signature": "38e15c759e144ea04710597982beaa00872f6e64", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.backup.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.backup.txt Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.backup.txt HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "8ab4544020e32913967bdcf9deb7e30c7875bc73", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "184b58f152ad4847d3c68a03f1b63b5f06475d83", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 196, "payload_entropy": 5.25497855472827, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "1f94d0445a8fa250e81b426af5f551cf540c0fcd", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f2aed531125224df1c33ce8b491c48a3", "payload_hash": "e4fdf3f10498f14b863f63d10318f9a6", "path_pattern_hash": "34c4e8aec1933ec66edde754c405cd53" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko\r", "event_signature": "5710d7b878bb21221e6f835e2ae8e8a327a375fc", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.production.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.production.bak Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607.2.6 (KHTML, like Gecko) Version/12.1.1 Safari/607.2.6 Maxthon/5.1.132 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Payload (extrait) GET /.env.production.bak HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "bd24e915f688b8d66845c302b04a91f5d491f0a5", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "5e60aad91233f8359cb54318aa7e2c8c88640909", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.391676330858726, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "670f5a885f2c3aa910a5f1683c4e5da9953040a5", "event_fingerprint": "b8aed82ff487289c510f27cbc2639ef81cb85c30", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ca71f6b0fbd36aea76c5a73408e425b7", "payload_hash": "d1140f8d48b522735fa1cfdfdf4cf206", "path_pattern_hash": "46a3381311009be4b70c0ebd235fdb59" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.production.bak HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "event_signature": "2e579adc5b78f7654abd1fc45f23bcba15c18d3a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.dist TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.dist Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.dist HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dist", "http_ua_hash": "87ebac2b3cc7ed6ba4ee408a82877492dcfa5d2e", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "a8dbdb551defc236b9cece3e75d9b78bd8bedf29", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.41701119568539, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "bfabed9533343aae0fc4c8ffa206045684bcf6fa", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b05785e0cf1ecbcc64b771618a4d8e5e", "payload_hash": "16c7060b42bd9768976d0cccd53951be", "path_pattern_hash": "dca3f24e2bb7c842c1b47abf4a5e3131" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.dist HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like ", "event_signature": "f6036ea835d6c7b73af0081e0d9b6091beebb7fe", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.dev Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit/537.36 (KHTML Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dev", "http_ua_hash": "71580ff4c2844221f4b1e1e55846a90adfae2040", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "a499321530f3e4ddd283e6792cf6d67b1e7cfe88", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.398034550062202, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "c845535410e0985bf601bfa2e9445141626ba093", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2656e5938eeb9d2a1a4db84d22dac348", "payload_hash": "ff2be98cf67ba1f20fe9a3f3c2771942", "path_pattern_hash": "ceb221ca10f5b573c09ea91320781e08" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit\/537.36 (KHTML", "event_signature": "3622b770784976171d046c10980d01d7c2acb3a0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.development TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.development Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) QupZilla/1.2.0 Safari/534.34 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.34 (KHTML, like Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "development", "http_ua_hash": "c8b415ecf5bbf72593c2b47bb0886bd0e58b16ec", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "8a4e51701d196d7852353e13bcdd4450138c4d04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.408352384860357, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "4d95370ae6f38e734b17ff313a93e95390b46341", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8a1a6ac851cbe873b8db07e91deee700", "payload_hash": "b8b2a67d7baf184050719a3fe8c342f0", "path_pattern_hash": "c0c440edf0616e70222e5cd82887a202" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/534.34 (KHTML, like", "event_signature": "0cfd2c344df564318b68d9ce6cc482a8b4236149", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.qa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.qa Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.qa HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KH Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "qa", "http_ua_hash": "8ab8a68e4cc646859ff84dddfd26ed68c5d9cf52", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "f6ca81fc6b63d491b34b08edc02f7c1a76039985", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.420059365472038, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "c7b767d4b31434ef02b6959760e09ada7ffb8bfd", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "20531fbe975e1391881163714ac60055", "payload_hash": "80887705e13d54dc0d9a35310855bade", "path_pattern_hash": "4ceac2fb8b154c5a9855e0056c339f6c" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KH", "event_signature": "bac94faf5d0052aedf5ba2cb60cb39b072e6f3ea", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	Sonde HTTP	Élevée	Faible · 29
Étape Sonde / probe MITRE TA0007 TA0001 WAF 8 Recommandation Surveiller Tags 950514:leak-1 http_sensitive_path http_ua_suspicious Cible HTTP GET /.env.stage TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.stage Confiance classification 74% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent libwww-perl/5.820 Règles WAF 950514:leak-1 Payload (extrait) GET /.env.stage HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: libwww-perl/5.820 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "stage", "http_ua_hash": "856b1eac93dedf443ca3d70fbeb95608949e2030", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "3b1f09925d833e9c8b11c15969735e676c352e02", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.09752432358082, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 40, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 40, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 29, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ca65ecd7e7948255e106f51184f2246f854c5c2a", "event_fingerprint": "b28bc215b742ab65f3b63cdfbdcd2db6b22bf442", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "05f7bb05bd4aac5c93ecca9e3ddde96e", "payload_hash": "10acca8396ea0da528008dca5b3bdbfa", "path_pattern_hash": "41bc8d05ec3b934057692a81f7d48c57" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.stage HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: libwww-perl\/5.820\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "event_signature": "9c28e403bcfe2ad9d00f3de573f5ee1da30be1f7", "ban_policy": "advisory_monitor", "tags_list": [ "950514:leak-1", "http_sensitive_path", "http_ua_suspicious" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.uat TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.uat Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.uat HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "uat", "http_ua_hash": "13330a7d3aaee1569dd7ceebc04360c8b673fb08", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "66d1899261b7971a064fb81964052eae4ab44ccb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.448473079647627, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "f69fd9a2c6985f8a47dc1a14c950fe2953d38a3b", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8790bcb5c8899608c144ab0e4b52234f", "payload_hash": "13d84f666142107ef0f3cef595b2aba7", "path_pattern_hash": "ae4cb14da8dffdd0fce54bdc9802bc13" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "event_signature": "0a6d44e1bac6268d0611f14a4b587323cf2ea27c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Élevé · 66
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 28 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.copy TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.copy Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN Règles WAF 950086:sqli-21 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "copy", "http_ua_hash": "36a7934bd24dfcf4fa62b9c6e9ecd50cbcc772a6", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "7c2ae66345773d74e41beccb46e084de01a9b535", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 299, "payload_entropy": 5.475560953676331, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "bf2ad86e7cbf4e7eca999ee730cb4f670aff5dfe", "event_fingerprint": "b5d25da6d6117907ac0ea56298fa6b261a8d8536", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c0fd028b63b4bfcfccd993a36fa5c8a0", "payload_hash": "fd38b5c36bd77d19f5d9bf13f30c3e68", "path_pattern_hash": "1582af18ca1ce6e54d4467e471b637e8" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit", "event_signature": "3589355687b4868181970f8e12af777a4c98b067", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	Sonde HTTP	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF 8 Recommandation Surveiller Tags 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.staging Confiance classification 71% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent Microsoft URL Control - 6.00.8862 Règles WAF 950514:leak-1 Payload (extrait) GET /.env.staging HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Microsoft URL Control - 6.00.8862 Accept-Charset: utf-8 Accept- Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "staging", "http_ua_hash": "9bd1bb4d3b5ab0a83c56d799277d91873aeefed0", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "b697ca05984d1bd61ac6a6cd96868703f3417431", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 165, "payload_entropy": 5.070762628574538, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 40, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.7, "risk_breakdown": { "waf": 40, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 28, "tag_count": 2, "anomaly_count": 0, "campaign_key": "027c44180d371ab646696db376c971f7b311e65d", "event_fingerprint": "52f10ab91b3b0454e98c738b7d3963844325dc2e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "464c2d65b77b87b890772e045fb6d740", "payload_hash": "f5fde24fa210b51f19a553f1105d5db9", "path_pattern_hash": "273c68db2803cfd6e1d27200e5969039" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.71, "classification_confidence": 0.71, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Microsoft URL Control - 6.00.8862\r\nAccept-Charset: utf-8\r\nAccept-", "event_signature": "c791ba740c94935e3c5bea99f7fb4b01cc97893a", "ban_policy": "advisory_monitor", "tags_list": [ "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.save TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.save Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KH Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "save", "http_ua_hash": "074dde9236a1f8cf03020371fe0dbb0e8026df12", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "b6acd8fd883f6c293e3cda5fd50434818eb0b3df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.413956933208063, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "27a040c34cf71486d0ccfece14d3dc890dd4d021", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9d5fb344a94baff49f7b4cfde7d3d1aa", "payload_hash": "5a1ff7e235359778211e7dc63bdc5a59", "path_pattern_hash": "f8bd9e65b618d21d6e757070964bc6e1" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit\/537.4 (KH", "event_signature": "231ccf35c4635c4b6993d4c7ab0ed0c88ff984b0", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 22 Recommandation Investiguer Tags 950470:nosqli-3 950514:leak-1 950521:leak-8 http_backup_path Cible HTTP GET /.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.bak Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF 950470:nosqli-3 950514:leak-1 950521:leak-8 Payload (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configur Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "6dd8cca1fd58af323d6778f5eadabff42ba8e97a", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "4a5fcefd2e38e385c845c219c16c9499f238dece", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 211, "payload_entropy": 5.29977586184521, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 96, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 96, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "81556afcd246bcb9bc08afb940257742ed2e7ee4", "event_fingerprint": "660cb577335a88d15d7d145a108c7aa40993c4ed", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c65b499b585d6d68f7a45b41e58a1e0d", "payload_hash": "456551f2b13fdfe7a06949b79ded55c4", "path_pattern_hash": "e884c8b66a9cc0dbcd8816b9898313a2" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configur", "event_signature": "cf63f7f6ddbc1dda4763f184026559a38fd3e431", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.production.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.production.local Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X; da-dk) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.production.local HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "53d871767025f314531d14f8a2ab204a471f711d", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "d3f1365c6401e671ba4f40a870e3ce46645aab05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 291, "payload_entropy": 5.402668885907101, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "bf80c0004a4725a9e543b8f10325e29c580a63fb", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b31f7f23732c6cfc471450978c235067", "payload_hash": "9d7434e32eef662567ea671c95f2e72d", "path_pattern_hash": "a0a342b9319fca95b9114c90facec319" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.production.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS ", "event_signature": "7e3357c2c540fdf55fa0e6679de6887ba2f25cb3", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.default TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.default Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.default HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32. Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "default", "http_ua_hash": "51be3634ba4e4a58df8e12f83430a343c74959ff", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "437476297bcc04ccaf487ff217e9f02a35247fa6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.266541870318177, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "c90aa920a40863c884887e5e3a2a69601768843a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5285b277d72c4ac82f931a2157ac21b8", "payload_hash": "e146cc8915ffd83c9743b0231337b59a", "path_pattern_hash": "ef22944b80bfbabaa71a03775ffca265" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.", "event_signature": "e74ea608aa04c9abad3d34dd61c982935395b317", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.testing TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.testing Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape/7.1 (ax) Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.testing HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape/7.1 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "testing", "http_ua_hash": "04526a14d1a43a1e5b3185b0e9ebf8bdf5cf3a44", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "d6baaf9bbaea83adf628e2291f2046f316df3dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.269317634791371, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "2ad79f15fb6730d87264769443b95e6cbf970af9", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "664168ca14a33a10a2796df70f763256", "payload_hash": "d5fface3c3fc96fed89341c902e0df96", "path_pattern_hash": "93c3c1ea576f84843908e14f1e5f7a72" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape\/7.1", "event_signature": "1a30bd37f90f2686faa9b495bd959d9db4a4d456", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.sample TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.sample Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.sample HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1.180610. Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "sample", "http_ua_hash": "2d6b0b9b28a297504657d046e3196200702e7be3", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "095847d45b64fa9778f5b417101046355c7fb8b4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 300, "payload_entropy": 5.526566760140529, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "d4cf8dfe9e2cf75df5b3529edac20e8083a7beba", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c8eb2bbe42433957c18999e54e9a8783", "payload_hash": "5092cfa2e28119165a3e5f4fe2e3ff26", "path_pattern_hash": "124d2598962516d623c1414e60d74596" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.sample HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.180610.", "event_signature": "08def28149fa9dc08cf077296ac61527b9731ff9", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.pre-production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.pre-production Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.pre-production HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit/537 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pre-production", "http_ua_hash": "22eafb7153480df47271eb853b60fdf154e6a829", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "b0266a8b5f23aa7eb0ba5ad4711f86dc278bff09", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.358001139975496, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "2ba4ca0ae4d64f56dba3781c999df82fdc7fd4b2", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "241a3535664b38e6b9a1bb81bd66c916", "payload_hash": "1adc7cb373325b9c6476ee67db997a64", "path_pattern_hash": "38db8d3279e3019bd5a23c153b1847d3" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.pre-production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537", "event_signature": "798e91cbd54a5869e4ee45cacfa38c706f09c241", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.demo TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.demo Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "demo", "http_ua_hash": "35d3136c872f1aad3a3483c918696798e2b9bfec", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "281117a46ffb6dbe77926884a25652c0da93651c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 210, "payload_entropy": 5.225660489874035, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "3537c5a1290017c23ffdb239d7966bbd8196991c", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4d7250607667b0ddf1ecee4e057260f2", "payload_hash": "f25268a1577ef9d2601619db66f473c8", "path_pattern_hash": "ff56ce56a447b9537c511ab389b44d21" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 ", "event_signature": "2307c03c7eea72f4c46d32502031431def2d0dd6", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 46
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /env.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /env.txt Confiance classification 86% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Règles WAF 950326:rce-0 950470:nosqli-3 Payload (extrait) GET /env.txt HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) Accep Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "ed06f2f1b1802b2bf443a12fa33354de95410b0f", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "43063baf0fda73950dd575fa216e503f70ad04be", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.287109371494265, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.7, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 2, "anomaly_count": 0, "campaign_key": "2d4bad77b9af66303184e37395d5fd0604c3d8fb", "event_fingerprint": "a633682292c8935ccb5bd465ec5785f1c4073a23", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "432b20c082f564bb8f0a327579c69c0e", "payload_hash": "00172a8f99b3383a93ffc221625981cc", "path_pattern_hash": "4ff48f74005d677acf48e527b71c7273" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.86, "classification_confidence": 0.86, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0)\r\nAccep", "event_signature": "895dc6d153708e483d309a51d372e0ec5855b231", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.live TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.live Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.live HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 ( Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "live", "http_ua_hash": "6c68b31e4afe613651be3d49fd3f6f12f40168c0", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "6ac4c96f7567e632cc17c82931a457152d6117b9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.429389523063607, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "1eba4f6b525098d823ac78fced23754e05961d27", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "77c7bee56c3a61cc8dc4c726a4bc15e4", "payload_hash": "6d3ebd697748568ab8990ef7654249e4", "path_pattern_hash": "0bb869934ccc3c32135ba9dd6550d1cf" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (", "event_signature": "59168437ac7963cba5199324e921f8793801f00b", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 14:40:21 UTC	TCP	8091	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_sensitive_path Cible HTTP GET /.env.preprod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8091 Chemin / cible /.env.preprod Confiance classification 92% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Règles WAF 950326:rce-0 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTM Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "preprod", "http_ua_hash": "c8d768376fb642bd5d45dfeaaf05d88be84f9bbc", "http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc", "http_target_hash": "67166fa60459969a35e979b1c3340b3415271d3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.435254164199355, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8091, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834", "event_fingerprint": "e8814151b0a81caf8d03007515447c96c3120f11", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2512e0d99e351736d3452fd09c838f47", "payload_hash": "757e9778b35ada58172a7271db52f351", "path_pattern_hash": "56c2098c6a61c7ac0db82c4db6400ced" }, "target_context": { "dst_port": 8091, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTM", "event_signature": "dadcd62d2861602d946a79cf5d6697b3fed5ea8a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }

35.189.180.191

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence