This report details a brief, targeted scanning campaign observed on a honeypot, suggesting a low-risk, automated reconnaissance effort by a single host. The observed activity primarily focused on probing for common web application endpoints and administrative interfaces.
🎯 Overview of Activity
A total of 13 requests were captured from a single source IP address, 45.156.129.174, over a period of less than five minutes. The activity is characteristic of an opportunistic scanner or an internet census rather than a sustained, targeted attack by a sophisticated threat actor. The source IP is allocated to an ISP, and its reverse-DNS hostname falls under the internet-census.org domain, which reinforces the assessment that this is automated public internet scanning.
| Metric | Detail |
|---|---|
| Attacker IP | 45.156.129.174 |
| Attacker Country | United States (US) |
| ISP/Organization | INAP-CHI-1 (hostnames link to internet-census.org) |
| Timeframe | October 16, 2025, 14:18:48Z to 14:22:57Z |
| Total Requests | 13 |
| Reputation | Low Risk (Confidence: 25, Reports: 386) |
🚨 Known Vulnerabilities & Targeted Software
The scanner's request paths indicate an automated probe for common web application components, several of which have a history of serious vulnerabilities. This suggests the actor is broadly checking for the presence of these applications, most likely to exploit known vulnerabilities where an installation is found.
| Targeted URL Path Fragment | Potential Targeted Application/Component | Relevant Known Vulnerabilities (Examples) |
|---|---|---|
| /Telerik.Web.UI.WebResource.axd?type=rau | Telerik UI for ASP.NET AJAX | This upload handler endpoint has historically been associated with CVE-2017-11317 and CVE-2019-18935, which cover arbitrary file upload and insecure deserialization in that component. |
| /index.jsp | Generic Java/JSP application, e.g. Apache Tomcat, JBoss, Liferay | Broadly targets Java web apps, potentially for exploits such as Log4Shell (CVE-2021-44228) in applicable environments, or other deserialization issues. |
| /zabbix/favicon.ico | Zabbix monitoring software | Fingerprinting the Zabbix path can precede attempts to exploit authentication bypass or SQL injection vulnerabilities, such as CVE-2020-11800. |
| /sugar_version.json | SugarCRM | Indicates a probe for a SugarCRM installation (and its version), a product with a history of security vulnerabilities. |
| /login.do, /login/login, /admin/, /WebInterface/ | Generic login/administrative interfaces | Mass scanning for default or common login portals; often precedes brute-force attacks or attempts to exploit default credentials. |
🚩 Indicators of Compromise (IoCs)
Based solely on this captured activity, the following are the primary IoCs for defensive monitoring:
- Attacking IP Address: 45.156.129.174
- Targeted URL Paths (13 requests, one path each):
  - /ext-js/app/common/zld_product_spec.js
  - /login.do
  - /login/login
  - /css/images/PTZOptics_powerby.png
  - /identity
  - /Telerik.Web.UI.WebResource.axd?type=rau
  - /index.jsp
  - /zabbix/favicon.ico
  - /progs/homepage
  - /sugar_version.json
  - /WebInterface/
  - /admin/
  - /partymgr/control/main
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 (a common but somewhat dated Chrome user-agent string, likely used to make an automated scanner look like a browser).
🌐 Campaigns and APT Attribution
Campaigns:
This activity is classified as "Opportunistic Mass Scanning for Web Application Assets." The absence of any exploit payloads or sophisticated, sequential activity suggests this is part of a broad reconnaissance campaign aimed at mapping the internet for specific, potentially vulnerable, software installations. The hostname association with internet-census.org points to a large-scale, automated inventory project, although the results of such projects are sometimes later abused by malicious actors.
Advanced Persistent Threats (APTs):
There is no evidence in the provided logs to attribute this low-level scanning activity to any specific Advanced Persistent Threat (APT) group. APTs typically exhibit:
- A higher degree of sophistication.
- A more focused target selection (not broad application paths).
- Use of custom tools and more deliberate, stealthy reconnaissance.
The activity seen here is generic and is used by benign researchers, vulnerability aggregators, and low-level commodity threat actors alike.
🛡️ Defensive Recommendations
To defend against the intent behind this type of scanning, organizations should:
- Block/Monitor IoCs: Block the source IP address (45.156.129.174) and monitor logs for access attempts to the specific targeted paths.
- Patch and Update: Ensure all public-facing applications, especially Telerik UI, Zabbix, SugarCRM, and all Java/JSP applications, are running the latest versions with all known security patches applied.
- Harden Web Servers: Remove or restrict access to unnecessary administration and default pages (e.g. /admin/, default error pages, unnecessary web resources).
- Web Application Firewalls (WAF): Use a WAF to detect and block requests targeting known vulnerable application paths (such as the Telerik WebResource.axd endpoint) and common web application attacks.
