Last updated Tue, 14 Jul 2026 23:04:25 (Australia/Brisbane)
Below is a list of the top 500 IP addresses with suspicious activity observed by SCARD. Click on an IP address below for more information about its activity.
Note: Due to the overwhelming number of common scan types, this list omits typical scan types in favour of less-seen threat types.
Back to top
Below is a list of the top 200 threat types observed across the network.
| Description | Incidence |
|---|---|
| ET INFO Session Traversal Utilities for NAT (STUN Binding Response) | 74238 |
| ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement | 55869 |
| ET INFO WinRM wsman Access - Possible Lateral Movement | 55567 |
| ET SCAN LeakIX Inbound User-Agent | 26333 |
| SURICATA TCP header length too small | 20694 |
| ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182) | 20064 |
| ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML | 19081 |
| ET HUNTING Javascript Prototype Pollution Attempt via __proto__ in HTTP Body | 18312 |
| SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt | 17892 |
| ET WEB_SERVER WEB-PHP phpinfo access | 13906 |
| ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M2 | 11595 |
| ET WEB_SERVER WebShell Generic - wget http - POST | 10168 |
| ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | 9584 |
| ET HUNTING Suspicious Chmod Usage in URI (Inbound) | 8112 |
| ET INFO External Oracle T3 Requests Inbound | 7999 |
| ET INFO Netlink GPON Login Attempt (GET) | 7686 |
| ET INFO SSH-2.0-Go version string Observed in Network Traffic | 7401 |
| ET HUNTING Javascript Sandbox Escape via Global Object (process) | 6852 |
| ET INFO Python aiohttp User-Agent Observed Inbound | 6422 |
| SURICATA HTTP Host header invalid | 6013 |
| ET SCAN Rapid POP3S Connections - Possible Brute Force Attack | 5527 |
| ET EXPLOIT MVPower DVR Shell UCE | 5497 |
| ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016) | 5463 |
| ET SCAN JAWS Webserver Unauthenticated Shell Command Execution | 5234 |
| SERVER-WEBAPP React Server Components remote code execution attempt | 5175 |
| ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound) | 5057 |
| ET HUNTING Request for Webshell in .well-known directory | 4974 |
| ET VOIP INVITE Message Flood UDP | 4892 |
| ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper | 4720 |
| ET WEB_SPECIFIC_APPS WordPress Plugin Gravity SMTP Unauthenticated REST API (CVE-2026-4020) | 4440 |
| ET SCAN Mirai Variant User-Agent (Inbound) | 4278 |
| SURICATA HTTP URI terminated by non-compliant character | 4241 |
| ET INFO Request for Visual Studio Code sftp.json - Possible Information Leak | 4189 |
| ET EXPLOIT D-Link DSL-2750B - OS Command Injection | 4173 |
| ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) | 4173 |
| SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt | 3756 |
| ET VOIP Modified Sipvicious Asterisk PBX User-Agent | 3729 |
| ET INFO Apache Solr System Information Request | 3635 |
| SURICATA IKE invalid proposal | 3393 |
| ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173) | 3350 |
| SURICATA TCP invalid option length | 3308 |
| ET SCAN SFTP/FTP Password Exposure via sftp-config.json | 3210 |
| ET EXPLOIT GraphQL Introspection Query Attempt | 3139 |
| SERVER-WEBAPP TP-Link Archer Router command injection attempt | 3115 |
| ET WEB_SERVER PHP tags in HTTP POST | 3040 |
| ET INFO Google DNS Over HTTPS Certificate Inbound | 3039 |
| ET EXPLOIT HackingTrio UA (Hello, World) | 2981 |
| ET INFO Spring Boot Actuator Health Check Request | 2941 |
| ET WEB_SERVER WGET Command Specifying Output in HTTP Headers | 2889 |
| ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution | 2880 |
| ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound | 2761 |
| ET EXPLOIT Netgear DGN Remote Command Execution | 2733 |
| ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) | 2610 |
| SURICATA Applayer No TLS after STARTTLS | 2400 |
| SURICATA Applayer Unexpected protocol | 2400 |
| SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt | 2350 |
| ET DNS Query to a *.top domain - Likely Hostile | 2313 |
| SERVER-WEBAPP PHPUnit PHP remote code execution attempt | 2128 |
| SURICATA HTTP METHOD terminated by non-compliant character | 2108 |
| SURICATA HTTP request field missing colon | 1879 |
| ET WEB_SERVER .bash_history Detected in URI | 1713 |
| ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan | 1704 |
| SURICATA ICMPv4 invalid checksum | 1657 |
| ET WEB_SERVER /etc/passwd Detected in URI | 1612 |
| ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394) | 1609 |
| ET SCAN Potential SSH Scan OUTBOUND | 1546 |
| ET WEB_SERVER Wordpress Login Bruteforcing Detected | 1537 |
| SURICATA SMB malformed request dialects | 1497 |
| SURICATA FRAG IPv4 Fragmentation overlap | 1480 |
| ET INFO Observed DNS Query to .nexus TLD | 1456 |
| ET INFO Observed DNS Query to .fit TLD | 1338 |
| SURICATA HTTP invalid request field folding | 1236 |
| ET SCAN NMAP OS Detection Probe | 1235 |
| ET SCAN NETWORK Incoming Masscan detected | 1173 |
| ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack | 1130 |
| SURICATA SMTP duplicate fields | 1113 |
| ET INFO ChatGPT-User Traffic Detected Inbound M1 | 1065 |
| ET INFO ChatGPT-User Traffic Detected Inbound M2 | 1061 |
| SURICATA QUIC error on data | 1045 |
| ET WEB_SPECIFIC_APPS Wordpress LiteSpeed Cache Plugin debug.log Access Attempt (CVE-2024-44000) | 1012 |
| ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection | 992 |
| ET WEB_SPECIFIC_APPS Apache ActiveMQ 6.x Default Unauthenticated API Access (CVE-2024-32114) M1 | 974 |
| SURICATA STREAM ESTABLISHED packet out of window | 864 |
| SURICATA DHCP truncated options | 835 |
| ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request Body | 772 |
| ET SCAN NMAP SIP Version Detection Script Activity | 742 |
| ET INFO Infrastructure as a Service Domain in DNS Lookup (railway .app) | 712 |
| ET WEB_SERVER auto_prepend_file PHP config option in uri | 695 |
| ET SCAN RDP Connection Attempt from Nmap | 686 |
| ET WEB_SERVER allow_url_include PHP config option in uri | 685 |
| ET WEB_SERVER Generic PHP Remote File Include | 667 |
| ET WEB_SERVER PHP.//Input in HTTP POST | 667 |
| ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyphen) (CVE-2024-4577) | 653 |
| ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials | 634 |
| ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability | 612 |
| SERVER-WEBAPP PHP PHP-CGI command execution attempt | 593 |
| ET HUNTING Suspicious PHP Code in HTTP POST (Inbound) | 568 |
| ET INFO POSSIBLE Web Crawl using Curl | 559 |
| ET HUNTING Observed Query to .beauty TLD | 552 |
| ET WEB_SERVER Fake Googlebot UA 2 Inbound | 550 |
| ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771) | 518 |
| ET SCAN Exabot Webcrawler User Agent | 513 |
| ET INFO Observed DNS Query to .cfd TLD | 496 |
| ET SCAN Web Scanner - Fuzz Faster U Fool (Inbound) | 468 |
| ET WEB_SERVER Likely Malicious Request for /proc/self/environ | 429 |
| ET USER_AGENTS Suspcious LeakIX User-Agent (l9explore) | 421 |
| ET HUNTING Suspicious PHP Code in HTTP POST (Outbound) | 405 |
| ET WEB_SPECIFIC_APPS Vite Arbitrary File Read Via raw parameter (CVE-2025-30208) | 396 |
| ET Threatview.io High Confidence Cobalt Strike C2 IP group 3 | 371 |
| ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228) | 369 |
| ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) | 369 |
| ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) | 365 |
| ET DOS Potential CLDAP Amplification Reflection | 361 |
| ET WEB_SERVER ThinkPHP RCE Exploitation Attempt | 351 |
| SURICATA HTTP request buffer too long | 311 |
| SURICATA DNS Invalid opcode | 307 |
| ET SCAN NMAP SIP Version Detect OPTIONS Scan | 283 |
| SURICATA UDP packet too small | 278 |
| ET INFO Inbound Frequent Emails - Possible Spambot Inbound | 273 |
| SERVER-WEBAPP Langflow code validator remote code execution attempt | 272 |
| SURICATA TCP option invalid length | 269 |
| ET SCAN Yandex Webcrawler User-Agent (YandexBot) | 262 |
| SURICATA HTTP request header invalid | 261 |
| ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801) | 238 |
| ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg) | 238 |
| SURICATA SMTP invalid pipelined sequence | 230 |
| ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721) | 230 |
| ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt | 212 |
| ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-114 | 212 |
| ET EXPLOIT Linksys E-Series Device RCE Attempt | 207 |
| ET INFO Peach C++ Library User Agent Inbound | 203 |
| ET VOIP REGISTER Message Flood UDP | 202 |
| MALWARE-BACKDOOR Aspx.Webshell.Agent inbound request for known webshell path attempt | 201 |
| ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt | 200 |
| SERVER-WEBAPP D-Link multiple products HNAP SOAPAction header command injection attempt | 194 |
| ET DNS Query to a *.pw domain - Likely Hostile | 190 |
| SERVER-WEBAPP WordPress get_post authentication bypass attempt | 187 |
| ET WEB_SPECIFIC_APPS Qwik Unauthenticated RCE via server$ Deserialization (CVE-2026-27971) | 176 |
| ET WEB_SERVER Inbound PHP User-Agent | 172 |
| ET INFO DNS Query for Suspicious .icu Domain | 172 |
| SURICATA HTTP Host header ambiguous | 170 |
| ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M1 | 164 |
| ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M2 (CVE-2020-3452) | 163 |
| ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M3 | 163 |
| ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M2 | 163 |
| ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot) | 162 |
| ET SCAN Amap UDP Service Scan Detected | 159 |
| ET SCAN External Host Probing for ChromeCast Devices | 158 |
| ET INFO F5 BIG-IP - Command Execution via util/bash | 156 |
| ET INFO MS Remote Desktop Service User Login Request | 156 |
| ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Attempt (CVE-2022-1388) M3 | 154 |
| ET HUNTING Suspicious Netlify Hosted DNS Request - Possible Phishing Landing | 154 |
| ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source) | 153 |
| ET INFO Proxy TRACE Request - inbound | 142 |
| SURICATA TLS handshake invalid length | 141 |
| SERVER-WEBAPP Vite Vitejs arbitrary file read attempt | 136 |
| ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner | 130 |
| ET INFO PHP Xdebug Extension Query Parameter (XDEBUG_SESSION_START) | 129 |
| SURICATA HTTP Host part of URI is invalid | 127 |
| ET EXPLOIT Possible Vacron NVR Remote Command Execution | 126 |
| ET WEB_SERVER /etc/shadow Detected in URI | 126 |
| SURICATA SMTP invalid reply | 119 |
| ET WEB_SERVER JBoss jmx-console Probe | 116 |
| ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt | 116 |
| ET INFO Java Url Lib User Agent Web Crawl (Inbound) | 116 |
| SERVER-OTHER Apache Log4j logging remote code execution attempt | 115 |
| SURICATA DNS Z flag set | 112 |
| SERVER-APACHE Apache Struts remote code execution attempt | 110 |
| ET WORM TheMoon.linksys.router 2 | 107 |
| SURICATA TLS invalid record version | 106 |
| ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3 | 103 |
| ET INFO DNS Query for Suspicious .ga Domain | 102 |
| SURICATA STREAM 3way handshake SYN/ACK ignored TFO data | 102 |
| SERVER-WEBAPP JBoss JMX console access attempt | 102 |
| ET INFO Anonymous Domain Registrar CnC Domain in DNS Lookup (*. njalla .net) | 100 |
| SURICATA HTTP status 100-Continue already seen | 96 |
| ET WEB_SERVER Possible SQL Injection UNION SELECT in HTTP Request Body | 96 |
| ET MALWARE MS Remote Desktop micros User Login Request | 96 |
| ET WEB_SERVER PHP System Command in HTTP POST | 95 |
| ET WEB_SPECIFIC_APPS Langflow AI Unauthenticated Remote Code Execution via Code Validation Endpoint (CVE-2025-3248) | 92 |
| ET WEB_SERVER SQL Injection Select Sleep Time Delay | 91 |
| ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound) | 91 |
| ET WEB_SERVER Possible SQL Injection (exec) in HTTP URI | 91 |
| ET INFO DNS Query to Online Application Hosting Domain (onrender .com) | 86 |
| ET WEB_SERVER Next.js Middleware Authorization Bypass (CVE-2025-29927) | 82 |
| ET INFO Ask Webcrawler User-Agent | 82 |
| PROTOCOL-DNS Malformed DNS query with HTTP content | 80 |
| ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. | 79 |
| ET HUNTING XML External Entity Injection Inbound M1 | 79 |
| SERVER-WEBAPP Pulse Secure SSL VPN version check attempt | 76 |
| SURICATA ICMPv4 unknown code | 75 |
| SURICATA IKE unknown proposal | 72 |
| ET Threatview.io High Confidence Cobalt Strike C2 IP group 19 | 72 |
| ET INFO Referrer-Policy set to unsafe-url | 72 |
| INDICATOR-SCAN DNS version.bind string information disclosure attempt | 72 |
| SURICATA HTTP gzip decompression failed | 70 |
| ET EXPLOIT Fortigate VPN - Request to /remote/info - Possible CVE-2023-27997 Exploit Attempt | 69 |
| ET INFO Abused Hosting Domain in DNS Lookup (azurewebsites .net) | 68 |
| ET WEB_SERVER ColdFusion componentutils access | 66 |
| POLICY-OTHER Adobe ColdFusion component browser access attempt | 66 |
Back to top