{"ip":"167.71.197.124","total_events":2,"verdict":{"verdict":"probing","label":"Low-level probing","detail":null,"confidence":"low","network_type":"CDN","why":["2 event(s), fewer than 10 distinct ports, no exploit payloads.","Not in any known-scanner range."]},"first_seen":"2026-07-09T23:02:21","last_seen":"2026-07-09T23:02:21","events_24h":2,"events_7d":2,"geo":{"country_code":"SG","country_name":"Singapore","region":"","city":"Singapore","lat":1.314,"lon":103.6839,"asn":14061,"org":"DigitalOcean, LLC"},"source_domain":"rivercityrockfest.com","known_scanners":[],"scanner_tag":{"key":"peeringdb:as14061","label":"DigitalOcean","category":"cdn","url":"https://www.peeringdb.com/asn/14061"},"cve_matches":[{"cve_id":"CVE-2026-41940","title":"cPanel & WHM - Authentication Bypass via Session-File CRLF Injection","severity":"CRITICAL","actively_exploited":true,"match_field":"url_path","matched_pattern":"/login/?login_only=1"}],"malware":[],"top_ports":[{"port":2087,"proto":"tcp","label":"","count":2}],"fingerprints":{"ssh_hassh":[],"tls_ja4":["t13i130900_f57a46bbacb6_e7c285222651"],"tls_ja3":["6639916abfac56b9257ca216677085bc"],"ja4h":["po11nn0600_f8bf768a441b","ge11nn0400_ef4d07580f66"]},"fingerprint_peers":{"t13i130900_f57a46bbacb6_e7c285222651":3277,"ge11nn0400_ef4d07580f66":2831,"po11nn0600_f8bf768a441b":72},"user_agents":["Go-http-client/1.1"],"timeline":[{"date":"2026-07-09","count":2}],"recent_events":[{"timestamp":"2026-07-09T23:02:21","port":2087,"proto":"tcp","app_proto":"tls","app_protocol":"http","host":"<HONEYPOT>","headers":"{\"accept-encoding\":\"gzip\",\"connection\":\"close\",\"content-length\":\"20\",\"content-type\":\"application/x-www-form-urlencoded\",\"host\":\"<HONEYPOT>:2087\",\"user-agent\":\"Go-http-client/1.1\"}","body":"pass=wrong&user=root","sni":"","tls_cipher":"TLS_AES_128_GCM_SHA256","tls_version":"TLSv1.3","alpn":[],"url_path":"/login/?login_only=1","summary":"","payload_hex":"504f5354202f6c6f67696e2f3f6c6f67696e5f6f6e6c793d3120485454502f312e310d0a486f73743a20<HONEYPOT>3a323038370d0a557365722d4167656e743a20476f2d687474702d636c69656e742f312e310d0a436f6e74656e742d4c656e6774683a2032300d0a436f6e6e656374696f6e3a20636c6f73650d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a706173733d77726f6e6726757365723d726f6f74","method":"POST","user_agent":"Go-http-client/1.1","community_id":"1:fUjgqfsl/QIr8MXqeY1dc0ilNVo=","ja3":"6639916abfac56b9257ca216677085bc","session":"8e2f7fda-ff4a-45c5-803a-3319e084a977","seq":1,"duration_ms":102,"bytes_in":227,"bytes_out":79},{"timestamp":"2026-07-09T23:02:21","port":2087,"proto":"tcp","app_proto":"tls","app_protocol":"http","host":"<HONEYPOT>","headers":"{\"accept-encoding\":\"gzip\",\"connection\":\"close\",\"host\":\"<HONEYPOT>:2087\",\"user-agent\":\"Go-http-client/1.1\"}","body":"","sni":"","tls_cipher":"TLS_AES_128_GCM_SHA256","tls_version":"TLSv1.3","alpn":[],"url_path":"/openid_connect/cpanelid","summary":"","payload_hex":"474554202f6f70656e69645f636f6e6e6563742f6370616e656c696420485454502f312e310d0a486f73743a20<HONEYPOT>3a323038370d0a557365722d4167656e743a20476f2d687474702d636c69656e742f312e310d0a436f6e6e656374696f6e3a20636c6f73650d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a","method":"GET","user_agent":"Go-http-client/1.1","community_id":"1:qtR2HnWddUUDQ8NFkSupZ3l8WaA=","ja3":"6639916abfac56b9257ca216677085bc","session":"819d166d-7159-4995-8de7-1f7227cbe739","seq":1,"duration_ms":100,"bytes_in":141,"bytes_out":79}],"http_methods":[{"method":"GET","count":1},{"method":"POST","count":1}],"distinct_ports_total":1,"top_paths":[{"path":"/login/?login_only=1","count":1,"ports":1},{"path":"/openid_connect/cpanelid","count":1,"ports":1}],"distinct_paths_total":2,"top_snis":[],"top_hosts":[],"top_alpns":[],"banners":[],"credentials":[{"username":"root","password":"wrong","count":1}],"header_profile":{"signature":["Accept-Encoding","Connection","Content-Length","Content-Type","Host","User-Agent"],"representative":[{"name":"Accept-Encoding","value":"gzip","notable":false},{"name":"Connection","value":"close","notable":false},{"name":"Content-Length","value":"20","notable":false},{"name":"Content-Type","value":"application/x-www-form-urlencoded","notable":true},{"name":"Host","value":"<HONEYPOT>:2087","notable":false},{"name":"User-Agent","value":"Go-http-client/1.1","notable":false}],"distinct_sets":2,"events_with_headers":2},"tags":[{"tag_id":"CVE-2026-41940","tag_type":"cve","title":"cPanel & WHM - Authentication Bypass via Session-File CRLF Injection","severity":"CRITICAL","actively_exploited":true,"match_field":"url_path","matched_pattern":"/login/?login_only=1","reference_urls":[]}],"data_as_of":"2026-07-10T20:23:02.702844+00:00"}