Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
pv.sohu.com | 211.152.133.19 | |
www.ip138.com | CNAME www.ip138.com.lxdns.com -> 61.110.197.11 | |
2022.ip138.com | 61.110.197.11 | |
TCP Requests

GET 200 https://www.ip138.com/
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://www.ip138.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
Host: www.ip138.com
Response:
HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 02:52:57 GMT
Content-Type: text/html
Content-Length: 21114
Connection: keep-alive
Content-Location: http://www.ip138.com/index.htm
Last-Modified: Fri, 18 Nov 2022 11:08:57 GMT
Accept-Ranges: bytes
ETag: "4cfcad273efbd81:28c8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 68812
X-Via: 1.1 in151:7 (Cdn Cache Server V2.0), 1.1 PS-SHE-01tRJ65:10 (Cdn Cache Server V2.0), 1.1 PS-GMP-01swn39:3 (Cdn Cache Server V2.0)
X-Ws-Request-Id: 63857409_PS-GMP-01NjC40_34210-6610

GET 403 http://pv.sohu.com/cityjson
Request:
GET /cityjson HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: pv.sohu.com
Response:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Nov 2022 02:52:57 GMT
Content-Type: text/html
Server: nginx/1.0.15
X-Cache-Lookup: Cache Miss
X-Cache-Lookup: Cache Miss
X-Cache-Lookup: Cache Miss
Content-Length: 571
X-NWS-LOG-UUID: 16420398845980674872
Connection: keep-alive
X-Cache-Lookup: Cache Miss

GET 301 http://www.ip138.com/
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://www.ip138.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
Host: www.ip138.com
Response:
HTTP/1.1 301 Moved Permanently
Date: Tue, 29 Nov 2022 02:52:57 GMT
Content-Length: 0
Connection: keep-alive
Server: Cdn Cache Server V2.0
Location: https://www.ip138.com/
X-Via: 1.0 PS-GMP-01swn39:3 (Cdn Cache Server V2.0)
X-Ws-Request-Id: 63857409_PS-GMP-01NjC40_30476-14540

GET 200 http://2022.ip138.com/
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://2022.ip138.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 2022.ip138.com
Response:
HTTP/1.1 200 OK
Date: Tue, 29 Nov 2022 02:52:57 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 915
Connection: keep-alive
Server: nginx
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-tip: 1
X-Via: 1.1 PS-GMP-01swn39:3 (Cdn Cache Server V2.0)
X-Ws-Request-Id: 63857409_PS-GMP-01NjC40_30476-14577
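
The requests above are worth reading as a set rather than one at a time: every destination is a public "what is my IP / where am I" service (ip138.com, and pv.sohu.com/cityjson, which echoes the caller's IP and city), three different User-Agent strings are sent within one session (Chrome/50, MSIE 9.0 with Trident/5.0, and Mozilla/4.0 MSIE 9.0), the first GET / to www.ip138.com carries a Referer naming the site itself before any page was fetched, and the pv.sohu.com request lists character sets (gbk, GB2312) in Accept-Encoding, which only takes content-codings such as gzip. None of that comes from a browser. The script below is an added example, not part of the sandbox report or its tooling: it re-types the three distinct requests as constructed raw HTTP text and runs those four checks over them. The endpoint list in is_ip_lookup and the finding names are illustrative assumptions, not a maintained feed.

```python
from urllib.parse import urlsplit

# The three distinct requests from the capture above, re-typed here as raw
# HTTP text (constructed input for the checks; header values copied from the report).
SESSION = [
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: zh-cn\r\n"
    "Referer: http://www.ip138.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36\r\n"
    "Host: www.ip138.com\r\n\r\n",
    "GET /cityjson HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\n"
    "Accept-Encoding: gbk, GB2312\r\nAccept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"
    "Host: pv.sohu.com\r\n\r\n",
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: zh-cn\r\n"
    "Referer: http://2022.ip138.com/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    "Host: 2022.ip138.com\r\n\r\n",
]

# Content-codings a browser can legitimately list in Accept-Encoding.
CONTENT_CODINGS = {"gzip", "x-gzip", "deflate", "br", "zstd", "compress", "identity", "*"}


def is_ip_lookup(host, path):
    """Public 'what is my IP / where am I' endpoints seen in this capture.
    Illustrative assumption for the example, not a maintained list."""
    return host.endswith("ip138.com") or (host == "pv.sohu.com" and path.startswith("/cityjson"))


def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers) with lowercase header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def analyze(session):
    """Return (finding, detail) pairs for a list of raw requests sent by one host."""
    parsed = [parse_request(r) for r in session]
    findings = []
    agents = {h.get("user-agent", "") for _, _, h in parsed}
    if len(agents) > 1:              # a real browser keeps one User-Agent for the whole session
        findings.append(("multiple_user_agents", sorted(agents)))
    for _method, target, h in parsed:
        host = h.get("host", "")
        if is_ip_lookup(host, target):
            findings.append(("ip_lookup_service", host + target))
        referer = h.get("referer")
        if referer and target == "/" and urlsplit(referer).hostname == host:
            # Referer names the site itself on its entry page: nothing was navigated from.
            findings.append(("self_referer_on_entry_page", host))
        encodings = [t.strip().split(";")[0].lower()
                     for t in h.get("accept-encoding", "").split(",") if t.strip()]
        bogus = [e for e in encodings if e not in CONTENT_CODINGS]
        if bogus:                    # charsets such as gbk are not content-codings
            findings.append(("invalid_accept_encoding", bogus))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SESSION):
        print(kind, detail)
```

Run stand-alone it prints seven findings for the captured session and nothing for a request with a single User-Agent, a valid Accept-Encoding and an ordinary destination; the checks are deliberately header-only so they can be run over proxy or sandbox logs without payloads.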
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49165 -> 61.110.197.11:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
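
A JA3 alert fingerprints the client's ClientHello (version, cipher list, extension list, supported groups and point formats, GREASE values removed, MD5 of the joined string), not the destination: 61.110.197.11 is the CDN edge serving www.ip138.com, and the certificate in the Suricata TLS table below belongs to default.chinanetcenter.com, so the "Tofsee" label describes the sample's TLS stack, and any client built with the same TLS library and settings yields the same hash. The following Python is an added example, not part of the report or of Suricata, that builds a ClientHello in-script (constructed bytes, not a capture of this sample), computes its JA3, and shows that changing the SNI does not change the hash while reordering the cipher list does. The Tofsee fingerprint value itself is not reproduced because the report does not list it.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are dropped before hashing, as JA3 requires.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_client_hello(version, ciphers, extensions):
    """Serialise a TLS record carrying a minimal ClientHello.
    Constructed input for the demo, not bytes captured from the sample.
    extensions: list of (type, data) in wire order."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        struct.pack("!H", version)          # client_version
        + bytes(32)                         # client_random (zeroed; JA3 ignores it)
        + b"\x00"                           # empty session_id
        + struct.pack("!H", 2 * len(ciphers))
        + b"".join(struct.pack("!H", c) for c in ciphers)
        + b"\x01\x00"                       # one compression method: null
        + struct.pack("!H", len(ext_blob)) + ext_blob
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_ext(name):
    """server_name extension (type 0) with one host_name entry."""
    return 0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name


def groups_ext(groups):
    """supported_groups extension (type 10)."""
    return 10, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)


def point_formats_ext(formats):
    """ec_point_formats extension (type 11)."""
    return 11, bytes([len(formats)]) + bytes(formats)


def ja3(record):
    """Parse a ClientHello record and return (ja3_string, ja3_md5)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS record carrying a ClientHello")
    p = 9                                    # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                              # client_version, client_random
    p += 1 + record[p]                       # session_id
    n = struct.unpack_from("!H", record, p)[0]
    p += 2
    ciphers = [c for c in struct.unpack_from("!%dH" % (n // 2), record, p) if c not in GREASE]
    p += n
    p += 1 + record[p]                       # compression_methods
    exts, groups, formats = [], [], []
    if p + 2 <= len(record):                 # extensions block is optional
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            t, length = struct.unpack_from("!HH", record, p)
            p += 4
            data = record[p:p + length]
            p += length
            if t in GREASE:
                continue
            exts.append(t)
            if t == 10:                      # supported_groups
                count = struct.unpack_from("!H", data, 0)[0] // 2
                groups = [g for g in struct.unpack_from("!%dH" % count, data, 2) if g not in GREASE]
            elif t == 11:                    # ec_point_formats
                formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(map(str, xs)) for xs in (ciphers, exts, groups, formats)]
    ja3_string = ",".join(fields)
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


def sample_hello(sni):
    """Browser-style ClientHello with GREASE in the cipher, extension and group lists (constructed)."""
    return build_client_hello(
        0x0303,
        [0x0A0A, 0x1301, 0xC02B, 0x002F],
        [(0x2A2A, b""), sni_ext(sni), groups_ext([0x2A2A, 0x001D, 0x0017]),
         point_formats_ext([0]), (0xFF01, b"\x00")],
    )


if __name__ == "__main__":
    for host in (b"www.ip138.com", b"pv.sohu.com"):
        print(host.decode(), *ja3(sample_hello(host)))   # same JA3 for both: SNI is not hashed
```

The parser only needs the first record of the client's first flight, which is what Suricata hashes; when triaging an SSLBL hit, compare the hash against the sample's own TLS library (or a clean host running the same software) before treating the destination as hostile.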
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49165 -> 61.110.197.11:443 | C=US, O=DigiCert Inc, CN=DigiCert Basic RSA CN CA G2 | C=CN, ST=福建省, L=厦门市, O=网宿科技股份有限公司厦门分公司, CN=default.chinanetcenter.com | e8:03:33:5c:51:55:27:6a:aa:32:35:20:46:a9:6f:ab:09:cb:c6:c2 |

Subject fields, translated: ST = Fujian Province, L = Xiamen, O = Wangsu Science & Technology Co., Ltd., Xiamen Branch (ChinaNetCenter is Wangsu's CDN brand).
Snort Alerts
No Snort Alerts