{"report_id":"aa13ce7f-3062-4ccd-82e4-6302f1f04f83","version":6,"status":"done","tags":[],"date":"2024-03-10T14:14:45Z","url":{"schema":"http","addr":"calink.bio/shell.txt","fqdn":"calink.bio","domain":"calink.bio","tld":"bio"},"ip":{"addr":"104.21.89.95","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"https","addr":"calink.bio/shell.txt","fqdn":"calink.bio","domain":"calink.bio","tld":"bio"},"title":"calink.bio/shell.txt"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T22:04:09Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"calink.bio","ip":{"addr":"172.67.139.185","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"domain_registered":"2023-04-23","domain_rank":0,"first_seen":"2023-04-23 15:09:22","last_seen":"2024-03-10 15:14:06","alert_count":1,"request_count":2,"received_data":139138,"sent_data":898,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-10","alert":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","trigger":"calink.bio/shell.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/02/07","description":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-19","rule":"webshell_php_dynamic_big","score":"50"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"calink.bio/shell.txt","fqdn":"calink.bio","domain":"calink.bio","tld":"bio"},"ip":{"addr":"172.67.139.185","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-03-10T14:14:20.101Z","timestamp":1710080060101,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"calink.bio","organization":""},"issuer":{"commonName":"E1","organization":"Let's Encrypt"},"validity":{"start":"Thu, 15 Feb 2024 00:22:18 GMT","end":"Wed, 15 May 2024 00:22:17 GMT"},"fingerprint":{"sha1":"C5:F1:8B:96:16:62:BC:20:DB:EA:3D:99:C7:BB:8A:34:56:5C:06:A8","sha256":"78:FD:68:B8:34:08:49:31:6A:7A:60:B7:57:EF:4F:8E:03:0C:4A:4A:4E:22:BA:B0:80:06:DE:EC:9A:61:54:BC"}}},"request":{"raw":"GET /shell.txt HTTP/1.1\r\nHost: calink.bio\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Sun, 10 Mar 2024 14:14:20 GMT\r\ncontent-type: text/plain; charset=utf-8\r\nlast-modified: Sat, 30 Sep 2023 04:12:28 GMT\r\netag: W/\"6517a02c-2c0c2\"\r\ncf-cache-status: DYNAMIC\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=gqUUxwXfzn6mOvvK6Pk%2F5Uei%2BUBGbBVs8yF1DrJcaDCzHBYCEl7rH3NzA6XBzk%2FVWklJPAkafzahIZEGiSeQtjtZImqRsHZLJVhVeFBq2c2AtKYp4Zi38P8%2BiRbi\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncf-ray: 8623e917db8d56a9-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":137639,"size_decoded":180418,"mime_type":"text/plain; charset=utf-8","magic":"PHP script, ASCII text, with very long lines (63948)","md5":"663cfc93522ac04493f394baf47a839c","sha1":"cf7b7f10e0876ad9d4c7ceee28afaad9d9b4768d","sha256":"d6da9f9d03d93bf237f6dc5b1e02a64e6a76095f5ee27550f323732cc42ea695","sha512":"d7e69d6e14f163bfe8b91def4eff120584ba56e796b721db9929deecbaa845a3280094689276d94e9f06b29c9d7f5f3219cc7c5ccf15e356c11f388acb5d93cb","ssdeep":"3072:qHcnNvEQnoYYLqUX10OG3aRDZ8IZZqpWxunF9Yzff1ktethFzCUPfWiyhPEilI//:qqo1qM10OGKFZmW4Yzff1zgUnWiyai2X","tlshash":"8004230b695a3286f54d619112a5807d2bc460048b9c91d273fe1fddb88ea1d6f9ffe0","first_seen":"2024-08-20T08:02:31.268182Z","last_seen":"2024-08-20T08:02:31.268182Z","times_seen":1,"resource_available":false,"data":null}},"time_used":505,"timings":{"blocked":40,"dns":0,"connect":1,"send":0,"wait":425,"receive":0,"ssl":35},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-03-10","alert":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","trigger":"calink.bio/shell.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/02/07","description":"PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","modified":"2022-08-19","rule":"webshell_php_dynamic_big","score":"50"}}],"urlquery":null}},{"url":{"schema":"https","addr":"calink.bio/favicon.ico","fqdn":"calink.bio","domain":"calink.bio","tld":"bio"},"ip":{"addr":"172.67.139.185","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://calink.bio/shell.txt","date":"2024-03-10T14:14:21.168Z","timestamp":1710080061168,"http_version":"HTTP/3","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"calink.bio","organization":""},"issuer":{"commonName":"E1","organization":"Let's Encrypt"},"validity":{"start":"Thu, 15 Feb 2024 00:22:18 GMT","end":"Wed, 15 May 2024 00:22:17 GMT"},"fingerprint":{"sha1":"C5:F1:8B:96:16:62:BC:20:DB:EA:3D:99:C7:BB:8A:34:56:5C:06:A8","sha256":"78:FD:68:B8:34:08:49:31:6A:7A:60:B7:57:EF:4F:8E:03:0C:4A:4A:4E:22:BA:B0:80:06:DE:EC:9A:61:54:BC"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: calink.bio\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://calink.bio/shell.txt\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 404 Not Found\r\ndate: Sun, 10 Mar 2024 14:14:21 GMT\r\ncontent-type: text/html; charset=iso-8859-1\r\ncache-control: max-age=14400\r\ncf-cache-status: MISS\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=OJq2Xc5RDJJJ72DLDbKvGjrDRLPiOYhiVy4cTxdOJjNTrEOOwv4%2B6QW62PW3p2k61WLIA8kjlaLxKkVO4bZBuGOILNCpzEQ59JOrSUJq%2BM0GwXsLsCPXSHujfVw5\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nvary: Accept-Encoding\r\nserver: cloudflare\r\ncf-ray: 8623e91e481b568a-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\n\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":272,"size_decoded":272,"mime_type":"text/html; charset=iso-8859-1","magic":"HTML document, ASCII text, with no line terminators","md5":"1ac0e173f70873e9d0d96a67c48d3c33","sha1":"780f83b1f32de44e536be77b64c56867a973ae52","sha256":"ebceb02ea6384989ea3b0eac5d888baa869c61ee6156b0f8f774d6c9c4e8b419","sha512":"d983399abf5aaa421a81dbf336191edd05428ff21e09fb3b8a0b044c2737eb03960f828622f0e6c5960ad6a6a96a30cf9450eaca72a7b33e8e9b29cbfc9f3caa","ssdeep":"","tlshash":"ddd02befd062a386446218e027c62191564d92e5792e06f87d89d54a359c03dcd67dc9","first_seen":"2024-08-20T08:02:31.269366Z","last_seen":"2024-08-20T08:02:31.269366Z","times_seen":1,"resource_available":false,"data":null}},"time_used":399,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":399,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}