Cell Group 2 — Result (Generated)
DB connectivity verified (SELECT 1 succeeded).
Audit window (UTC):
- Run: 2026-01-31 20:25:20.600085+00:00
- Start: 2026-01-09T05:21:39+00:00
- End: 2026-01-11T05:21:39+00:00
- Hours: 48.0
Scope note:
- This notebook performs analysis only.
- It does not modify firewall state, ipsets, services, or configurations.
Cell Group 3 — Result (Generated)
DB connectivity verified (SELECT 1 succeeded).
Cell Group 4 — Result (Generated)
Evidence acquired from Postgres (read-only) and canonical dataset created.
- Source relation: waf.events
- Timestamp column used: ts_utc
- Audit window (UTC): 2026-01-09T05:21:39+00:00 → 2026-01-11T05:21:39+00:00
- Total rows in table: 11532
- Data range: min_ts=2025-12-30 09:32:57-08:00 max_ts=2026-01-10 21:21:39-08:00
- Rows in window: 3748 (rows_in_window=3748)
- df_events shape: rows=3748 cols=9
- Columns (first 20): event_id, ts_utc, ip, verdict, expected_action, source_log, raw_line, raw_hash, ingested_at_utc
Downstream contract:
- All subsequent analysis MUST use df_events as the canonical evidence dataframe for this run.
- All subsequent time filters MUST use AUDIT_WINDOW values (no ad-hoc windows).
Cell Group 5 — Result (Generated)
Canonical evidence dataframe normalized and baseline health metrics computed.
Audit window (UTC): 2026-01-09T05:21:39+00:00 → 2026-01-11T05:21:39+00:00
df_events: rows=3748 cols=9 unique_ips=571
Time coverage within window: 2026-01-09T05:24:26+00:00 → 2026-01-11T05:19:52+00:00
Dropped empty-IP rows: 0
Verdict distribution (top):
- SUSPICIOUS: 2742
- TRACE: 720
- BENIGN: 286
Expected-action distribution (top):
- BLOCK: 2742
- TRACE: 720
- OTHER: 286
Top IPs by event count (top 10):
ip events
4.194.28.132 505
4.218.10.48 400
40.83.95.233 245
104.215.29.182 242
4.214.32.32 236
23.100.94.228 224
74.225.193.147 148
4.197.236.122 130
185.177.72.10 74
4.194.99.179 41
Downstream contract:
- All subsequent analysis MUST use normalized df_events produced by this cell.
- No downstream cell may redefine time windows outside AUDIT_WINDOW.
- Any exclusions (e.g., home IP) must be explicitly declared and quantified when applied.
Rendered cell markdown (for traceability):
## Cell Group 5 — Result (Generated)
Canonical evidence dataframe normalized and baseline health metrics computed.
**Audit window (UTC):**
- Start: `2026-01-09T05:21:39+00:00`
- End: `2026-01-11T05:21:39+00:00`
**Canonical dataframe:** `df_events`
- Rows: **3748**
- Columns: **9**
- Unique IPs: **571**
- Time coverage within window (UTC): `2026-01-09T05:24:26+00:00` → `2026-01-11T05:19:52+00:00`
**Verdict distribution (top):**
- `SUSPICIOUS`: **2742**
- `TRACE`: **720**
- `BENIGN`: **286**
**Expected-action distribution (top):**
- `BLOCK`: **2742**
- `TRACE`: **720**
- `OTHER`: **286**
**Downstream contract**
- All subsequent analysis MUST use the normalized `df_events` produced by this cell.
- No downstream cell may redefine time windows outside `AUDIT_WINDOW`.
- Any exclusions (e.g., home IP) must be explicitly declared and quantified when applied.
Cell Group 6 — Result (Generated)
Explicit exclusions declared and applied using cohort labeling (no evidence deletion).
Totals: total_rows=3748 excluded_rows=4 included_rows=3744
Excluded IPs (with reasons):
- 66.241.78.7: 4 events — Operator home IP (administrative access)
Downstream contract:
- All subsequent analytical cells MUST operate on df_events.
- Any exclusion-sensitive analysis MUST filter using excluded == False explicitly.
- Raw evidence remains fully preserved for audit review.
Rendered cell markdown (for traceability):
## Cell Group 6 — Result (Generated)
Explicit exclusions declared and applied using cohort labeling (no evidence deletion).
- Total events: **3748**
- Excluded events: **4**
- Included events: **3744**
**Excluded IPs:**
- `66.241.78.7`: **4** events — Operator home IP (administrative access)
**Downstream contract**
- All subsequent analytical cells MUST operate on `df_events`.
- Any exclusion-sensitive analysis MUST filter using `excluded == False` explicitly.
- Raw evidence remains fully preserved for audit review.
Cell Group 7 — Result (Generated)
Event pressure and concentration metrics computed for included evidence cohort.
Included cohort: total_events=3744 unique_ips=570
Top 1: 505 events (13.49%)
Top 5: 1628 events (43.48%)
Top 10: 2245 events (59.96%)
Top IPs by event pressure (top 10):
ip events
4.194.28.132 505
4.218.10.48 400
40.83.95.233 245
104.215.29.182 242
4.214.32.32 236
23.100.94.228 224
74.225.193.147 148
4.197.236.122 130
185.177.72.10 74
4.194.99.179 41
Downstream contract:
- df_ip_pressure is the canonical per-IP event count table for this run.
- Subsequent cells may classify burst vs persistent behavior using these metrics.
- No enforcement or labeling is implied at this stage.
Rendered cell markdown (for traceability):
## Cell Group 7 — Result (Generated)
Event pressure and concentration metrics computed for included evidence cohort.
- Total events analyzed: **3744**
- Unique source IPs: **570**
**Concentration ratios:**
- Top 1 IP: **505 events** (13.49% of total)
- Top 5 IPs: **1628 events** (43.48% of total)
- Top 10 IPs: **2245 events** (59.96% of total)
**Interpretation guidance (non-normative):**
- High concentration suggests automation or targeted probing.
- Low concentration suggests distributed or background noise.
**Downstream contract**
- `df_ip_pressure` is the canonical per-IP event count table for this run.
- Subsequent cells may classify burst vs persistent behavior using these metrics.
- No enforcement or labeling is implied at this stage.
Cell Group 8 — Result (Generated)
Temporal behavior metrics computed per source IP.
Total IPs analyzed: 570
Burst-like IPs (≤10 min, ≥20 events): 7
Persistent IPs (≥6 hours activity): 68
Top persistent IPs (top 10 by duration/events sort):
ip events duration_seconds events_per_hour first_seen last_seen
193.142.147.209 35 164069.0 0.767970 2026-01-09 05:27:26+00:00 2026-01-11 03:01:55+00:00
79.124.40.174 9 159973.0 0.202534 2026-01-09 07:28:28+00:00 2026-01-11 03:54:41+00:00
95.214.55.71 16 157336.0 0.366095 2026-01-09 06:31:56+00:00 2026-01-11 02:14:12+00:00
43.131.36.84 3 155799.0 0.069320 2026-01-09 09:33:02+00:00 2026-01-11 04:49:41+00:00
49.233.45.47 4 155051.0 0.092873 2026-01-09 08:27:59+00:00 2026-01-11 03:32:10+00:00
185.12.59.118 2 140054.0 0.051409 2026-01-09 09:40:30+00:00 2026-01-11 00:34:44+00:00
182.42.105.144 5 126088.0 0.142757 2026-01-09 13:47:10+00:00 2026-01-11 00:48:38+00:00
91.232.238.112 4 125589.0 0.114660 2026-01-09 14:26:46+00:00 2026-01-11 01:19:55+00:00
4.194.99.179 41 120338.0 1.226545 2026-01-09 15:05:28+00:00 2026-01-11 00:31:06+00:00
142.44.161.179 10 119774.0 0.300566 2026-01-09 08:02:07+00:00 2026-01-10 17:18:21+00:00
Definitions used (explicit, non-normative):
- Burst-like: short duration, high density
- Persistent: long-lived presence regardless of density
Downstream contract:
- df_ip_temporal is the canonical per-IP temporal behavior table.
- Subsequent cells may combine temporal shape with verdict/action.
- No enforcement or risk scoring is implied at this stage.
Rendered cell markdown (for traceability):
## Cell Group 8 — Result (Generated)
Temporal behavior metrics computed per source IP.
- Total IPs analyzed: **570**
- Burst-like IPs (≤10 min, ≥20 events): **7**
- Persistent IPs (≥6 hours activity): **68**
**Definitions used (explicit, non-normative):**
- *Burst-like*: short duration, high density
- *Persistent*: long-lived presence regardless of density
**Downstream contract**
- `df_ip_temporal` is the canonical per-IP temporal behavior table.
- Subsequent cells may combine temporal shape with verdict/action.
- No enforcement or risk scoring is implied at this stage.
Cell Group 9 — Result (Generated)
Verdict distribution correlated with temporal persistence and event volume.
Total IPs profiled: 570
Persistent IPs with SUSPICIOUS activity: 33
TRACE-heavy IPs (possible scanners/crawlers): 0
Top persistent suspicious IPs (top 10):
ip events duration_seconds SUSPICIOUS TRACE BENIGN suspicious_ratio
4.194.28.132 505 63356.0 503 0 2 0.996040
4.218.10.48 400 119172.0 398 0 2 0.995000
4.214.32.32 236 106372.0 234 0 2 0.991525
23.100.94.228 224 22497.0 224 0 0 1.000000
74.225.193.147 148 111839.0 147 0 1 0.993243
4.197.236.122 130 101963.0 129 0 1 0.992308
185.177.72.10 74 111717.0 62 8 4 0.837838
4.194.99.179 41 120338.0 41 0 0 1.000000
162.243.95.18 15 32266.0 10 5 0 0.666667
204.76.203.18 11 114956.0 9 2 0 0.818182
Downstream contract:
- df_ip_profile is the canonical per-IP convergence table for this run.
- Subsequent cells may perform false-positive review or enforcement gap analysis.
- No automated action is taken based on this cell.
Rendered cell markdown (for traceability):
## Cell Group 9 — Result (Generated)
Verdict distribution correlated with temporal persistence and event volume.
- Total IPs profiled: **570**
- Persistent IPs with SUSPICIOUS activity: **33**
- TRACE-heavy IPs (possible scanners / crawlers): **0**
**Interpretation guidance (non-normative):**
- Persistent + high SUSPICIOUS ratio → strongest candidates for enforcement review
- Persistent + TRACE-dominant → often scanners, crawlers, or misclassified automation
- BENIGN-dominant persistent IPs commonly include admins, services, or trusted sources
**Downstream contract**
- `df_ip_profile` is the canonical per-IP convergence table for this run.
- Subsequent cells may perform false-positive review or enforcement gap analysis.
- No automated action is taken based on this cell.
Cell Group 10A — Result (Generated)
Enforcement gap analysis completed.
Audit window (UTC): 2026-01-09T05:21:39+00:00 → 2026-01-11T05:21:39+00:00
Parameters (auditable):
- PERSISTENCE_SECONDS: 21600
- SUSPICIOUS_RATIO_THRESHOLD: 0.9
Summary metrics:
- Total IPs profiled: 570
- Enforcement-worthy candidates: 19
- Enforcement gaps detected: 19
Top enforcement gap candidates (top 10):
ip events duration_seconds suspicious_ratio expected_block_events first_seen last_seen
4.194.28.132 505 63356.0 0.996040 503 2026-01-10 10:12:05+00:00 2026-01-11 03:48:01+00:00
4.218.10.48 400 119172.0 0.995000 398 2026-01-09 14:34:51+00:00 2026-01-10 23:41:03+00:00
4.214.32.32 236 106372.0 0.991525 234 2026-01-09 22:23:42+00:00 2026-01-11 03:56:34+00:00
23.100.94.228 224 22497.0 1.000000 224 2026-01-10 15:24:02+00:00 2026-01-10 21:38:59+00:00
74.225.193.147 148 111839.0 0.993243 147 2026-01-09 21:14:16+00:00 2026-01-11 04:18:15+00:00
4.197.236.122 130 101963.0 0.992308 129 2026-01-09 09:03:03+00:00 2026-01-10 13:22:26+00:00
4.194.99.179 41 120338.0 1.000000 41 2026-01-09 15:05:28+00:00 2026-01-11 00:31:06+00:00
91.232.238.112 4 125589.0 1.000000 4 2026-01-09 14:26:46+00:00 2026-01-11 01:19:55+00:00
195.178.110.25 4 100986.0 1.000000 4 2026-01-09 19:46:55+00:00 2026-01-10 23:50:01+00:00
172.68.10.215 4 91673.0 1.000000 4 2026-01-09 21:47:53+00:00 2026-01-10 23:15:46+00:00
Downstream contract:
- df_enforcement_gap is the canonical enforcement-review table for this run.
- No enforcement action is taken by this notebook.
Rendered cell markdown (for traceability):
### Cell Group 10A — Result (Generated)
**Enforcement gap analysis completed.**
Audit window (UTC):
- Start: 2026-01-09 05:21:39+00:00
- End: 2026-01-11 05:21:39+00:00
**Parameters (auditable)**
- Persistence threshold (seconds): 21600
- Suspicious ratio threshold: 0.9
**Summary metrics**
- Total IPs profiled: 570
- Enforcement-worthy candidates: 19
- Enforcement gaps detected: 19
**Interpretation (non-normative)**
- Enforcement gaps do **not** imply detection failure.
- Common explanations include TTL expiry, delayed response, or enforcement occurring outside the audit window.
- This cell supports operational review and tuning only.
**Downstream contract**
- `df_enforcement_gap` is the canonical enforcement-review table for this run.
- No enforcement action is taken by this notebook.
Cell Group 10B2 — Result (Generated)
False-positive candidate cohort stratified into explicit categories for analyst workflow.
Audit window (UTC): 2026-01-09T05:21:39+00:00 → 2026-01-11T05:21:39+00:00
Total FP candidates: 537
Category counts:
- TRACE-dominant: 308
- Low-volume: 229
Top stratified examples (top 10):
ip events TRACE SUSPICIOUS BENIGN trace_ratio fp_category fp_rationale
142.44.161.179 10 6 4 0 0.600000 Low-volume Low-volume activity
4.196.80.216 10 0 10 0 0.000000 Low-volume Low-volume activity
79.124.40.174 9 5 4 0 0.555556 Low-volume Low-volume activity
89.42.231.200 9 3 6 0 0.333333 Low-volume Low-volume activity
47.15.11.33 9 1 0 8 0.111111 Low-volume Low-volume activity
167.99.219.122 9 5 4 0 0.555556 Low-volume Low-volume activity
77.75.77.62 8 4 0 4 0.500000 Low-volume Low-volume activity
66.249.74.96 8 0 0 8 0.000000 Low-volume Low-volume activity
66.249.74.97 7 0 0 7 0.000000 Low-volume Low-volume activity
162.240.14.171 7 0 7 0 0.000000 Low-volume Low-volume activity
Downstream contract:
- df_fp_stratified is the canonical stratified FP table for this run.
- Used by CELL 10B3 triage queues.
Rendered cell markdown (for traceability):
### Cell Group 10B2 — Result (Generated)
False-positive candidate cohort stratified into explicit categories for analyst workflow.
Audit window (UTC): 2026-01-09 05:21:39+00:00 → 2026-01-11 05:21:39+00:00
**Category counts:**
- TRACE-dominant: 308
- Low-volume: 229
**Downstream contract**
- `df_fp_stratified` is the canonical stratified FP table for this run.
- Used by CELL 10B3 triage queues.
Cell Group 10B3 — Result (Generated)
FP candidate cohort triaged into explicit analyst queues.
Total FP candidates: 537
SUSPICIOUS_MIN_EVENTS: 3
Queue summary:
queue count percent
TRACE-dominant 308 57.36
Low-volume 229 42.64
Suspicious-low-volume (SUSPICIOUS >= 3) 25 4.66
Top TRACE-dominant examples (top 10):
ip events TRACE SUSPICIOUS BENIGN trace_ratio fp_category
95.214.55.71 16 14 2 0 0.875000 TRACE-dominant
89.42.231.186 4 3 1 0 0.750000 TRACE-dominant
193.142.147.209 35 35 0 0 1.000000 TRACE-dominant
144.76.32.235 21 21 0 0 1.000000 TRACE-dominant
45.142.154.29 9 7 0 2 0.777778 TRACE-dominant
85.11.183.6 8 8 0 0 1.000000 TRACE-dominant
43.135.145.77 7 7 0 0 1.000000 TRACE-dominant
45.135.194.23 6 6 0 0 1.000000 TRACE-dominant
178.22.24.64 6 6 0 0 1.000000 TRACE-dominant
182.42.105.144 5 5 0 0 1.000000 TRACE-dominant
Top Low-volume examples (top 10):
ip events TRACE SUSPICIOUS BENIGN trace_ratio fp_category
4.196.80.216 10 0 10 0 0.000000 Low-volume
162.240.14.171 7 0 7 0 0.000000 Low-volume
89.42.231.200 9 3 6 0 0.333333 Low-volume
87.121.84.125 5 0 5 0 0.000000 Low-volume
87.121.84.105 5 0 5 0 0.000000 Low-volume
74.225.218.73 5 0 5 0 0.000000 Low-volume
142.44.161.179 10 6 4 0 0.600000 Low-volume
79.124.40.174 9 5 4 0 0.555556 Low-volume
167.99.219.122 9 5 4 0 0.555556 Low-volume
157.245.101.73 6 2 4 0 0.333333 Low-volume
Top Suspicious-low-volume examples (top 20):
ip events TRACE SUSPICIOUS BENIGN trace_ratio fp_category
4.196.80.216 10 0 10 0 0.000000 Low-volume
162.240.14.171 7 0 7 0 0.000000 Low-volume
89.42.231.200 9 3 6 0 0.333333 Low-volume
87.121.84.125 5 0 5 0 0.000000 Low-volume
87.121.84.105 5 0 5 0 0.000000 Low-volume
74.225.218.73 5 0 5 0 0.000000 Low-volume
142.44.161.179 10 6 4 0 0.600000 Low-volume
79.124.40.174 9 5 4 0 0.555556 Low-volume
167.99.219.122 9 5 4 0 0.555556 Low-volume
157.245.101.73 6 2 4 0 0.333333 Low-volume
46.161.50.108 6 2 4 0 0.333333 Low-volume
91.232.238.112 4 0 4 0 0.000000 Low-volume
195.178.110.25 4 0 4 0 0.000000 Low-volume
172.68.10.215 4 0 4 0 0.000000 Low-volume
204.76.203.30 4 0 4 0 0.000000 Low-volume
195.178.110.190 4 0 4 0 0.000000 Low-volume
187.228.70.30 4 0 4 0 0.000000 Low-volume
4.230.25.46 4 0 4 0 0.000000 Low-volume
104.23.223.105 3 0 3 0 0.000000 Low-volume
104.23.221.174 3 0 3 0 0.000000 Low-volume
Downstream contract:
- df_fp_queue_trace, df_fp_queue_low, df_fp_queue_susp_low are canonical queue tables for this run.
- df_fp_queue_summary is the canonical triage summary for SOC narrative use.
- No allowlisting/suppression/enforcement changes are performed.
Cell Group 10B.4 — Result (Generated)
Primary evidence excerpts extracted for the Suspicious-low-volume review queue.
suspicious_low_volume_ips=25
MAX_EVENTS_PER_IP=5
evidence_pack_rows=104
evidence_pack_unique_ips=25
Evidence summary (top 50 rows):
ip verdict events_in_pack
162.240.14.171 SUSPICIOUS 5
87.121.84.125 SUSPICIOUS 5
74.225.218.73 SUSPICIOUS 5
87.121.84.105 SUSPICIOUS 5
89.42.231.200 SUSPICIOUS 5
4.196.80.216 SUSPICIOUS 5
195.178.110.25 SUSPICIOUS 4
204.76.203.30 SUSPICIOUS 4
195.178.110.190 SUSPICIOUS 4
142.44.161.179 SUSPICIOUS 4
167.99.219.122 SUSPICIOUS 4
172.68.10.215 SUSPICIOUS 4
157.245.101.73 SUSPICIOUS 4
187.228.70.30 SUSPICIOUS 4
91.232.238.112 SUSPICIOUS 4
79.124.40.174 SUSPICIOUS 4
4.230.25.46 SUSPICIOUS 4
46.161.50.108 SUSPICIOUS 4
104.23.223.105 SUSPICIOUS 3
106.54.176.158 SUSPICIOUS 3
111.230.195.3 SUSPICIOUS 3
113.56.161.85 SUSPICIOUS 3
91.200.220.91 SUSPICIOUS 3
204.76.203.8 SUSPICIOUS 3
104.23.221.174 SUSPICIOUS 3
142.44.161.179 TRACE 1
167.99.219.122 TRACE 1
157.245.101.73 TRACE 1
46.161.50.108 TRACE 1
79.124.40.174 TRACE 1
Evidence pack (top 50 rows; raw_line HTML-escaped):
ip ts_utc verdict expected_action source_log raw_line
104.23.221.174 2026-01-09 18:49:19+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-09 18:49:19] SUSPICIOUS | 104.23.221.174 | GET /wordpress/wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
104.23.221.174 2026-01-10 09:56:58+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_access] [2026-01-10 09:56:58] SUSPICIOUS | 104.23.221.174 | GET /wordpress/wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
104.23.221.174 2026-01-10 09:57:17+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_access] [2026-01-10 09:57:17] SUSPICIOUS | 104.23.221.174 | GET /wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
104.23.223.105 2026-01-09 18:50:56+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_access] [2026-01-09 18:50:56] SUSPICIOUS | 104.23.223.105 | GET /wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
104.23.223.105 2026-01-10 09:57:44+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-10 09:57:44] SUSPICIOUS | 104.23.223.105 | GET /wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
104.23.223.105 2026-01-10 23:12:29+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-10 23:12:29] SUSPICIOUS | 104.23.223.105 | GET /wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
106.54.176.158 2026-01-09 14:02:08+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-09 14:02:08] SUSPICIOUS | 106.54.176.158 | POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 400 | Reason: ml_suspicious | Pattern: /bin/sh | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
106.54.176.158 2026-01-09 14:02:11+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-09 14:02:11] SUSPICIOUS | 106.54.176.158 | POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 400 | Reason: ml_suspicious | Pattern: /bin/sh | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
106.54.176.158 2026-01-09 14:02:12+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-09 14:02:12] SUSPICIOUS | 106.54.176.158 | POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | 301 | Reason: ml_suspicious | Pattern: /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | ML: 1.000 | Path: DNG_MTH→ABS_URI
111.230.195.3 2026-01-10 08:51:35+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-10 08:51:35] SUSPICIOUS | 111.230.195.3 | POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 400 | Reason: ml_suspicious | Pattern: /bin/sh | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
111.230.195.3 2026-01-10 08:51:35+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-10 08:51:35] SUSPICIOUS | 111.230.195.3 | POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 400 | Reason: ml_suspicious | Pattern: /bin/sh | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
111.230.195.3 2026-01-10 08:51:36+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-10 08:51:36] SUSPICIOUS | 111.230.195.3 | POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | 301 | Reason: ml_suspicious | Pattern: /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | ML: 1.000 | Path: DNG_MTH→ABS_URI
113.56.161.85 2026-01-11 03:53:55+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-11 03:53:55] SUSPICIOUS | 113.56.161.85 | POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 400 | Reason: ml_suspicious | Pattern: /bin/sh | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
113.56.161.85 2026-01-11 03:53:55+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-11 03:53:55] SUSPICIOUS | 113.56.161.85 | POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 400 | Reason: ml_suspicious | Pattern: /bin/sh | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
113.56.161.85 2026-01-11 03:53:55+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-11 03:53:55] SUSPICIOUS | 113.56.161.85 | POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | 301 | Reason: ml_suspicious | Pattern: /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | ML: 1.000 | Path: DNG_MTH→ABS_URI
142.44.161.179 2026-01-09 08:02:08+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-09 08:02:08] SUSPICIOUS | 142.44.161.179 | GET /a/pl | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
142.44.161.179 2026-01-09 09:25:41+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-09 09:25:41] SUSPICIOUS | 142.44.161.179 | GET /a/pl | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
142.44.161.179 2026-01-09 16:37:30+00:00 SUSPICIOUS BLOCK detections.log [astropema_ssl_access] [2026-01-09 16:37:30] SUSPICIOUS | 142.44.161.179 | GET /a/pl | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
142.44.161.179 2026-01-10 17:18:21+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-10 17:18:21] SUSPICIOUS | 142.44.161.179 | GET /a/pl | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
142.44.161.179 2026-01-09 08:02:07+00:00 TRACE TRACE detections.log [orneigong.org_ssl_access] [2026-01-09 08:02:07] TRACE | 142.44.161.179 | GET / | 403 | Reason: ml_detect | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
157.245.101.73 2026-01-10 02:55:32+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-10 02:55:32] SUSPICIOUS | 157.245.101.73 | GET /.env | 301 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
157.245.101.73 2026-01-10 02:55:34+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-10 02:55:34] SUSPICIOUS | 157.245.101.73 | GET /.git/config | 301 | Reason: ml_suspicious | Pattern: \.git/ | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
157.245.101.73 2026-01-10 09:15:04+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-10 09:15:04] SUSPICIOUS | 157.245.101.73 | GET /.env | 404 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
157.245.101.73 2026-01-10 09:15:07+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-10 09:15:07] SUSPICIOUS | 157.245.101.73 | GET /.git/config | 200 | Reason: ml_suspicious | Pattern: \.git/ | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
157.245.101.73 2026-01-10 09:15:05+00:00 TRACE TRACE detections.log [astromap-ssl-access] [2026-01-10 09:15:05] TRACE | 157.245.101.73 | GET / | 400 | Reason: ml_detect | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
162.240.14.171 2026-01-11 03:03:56+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-11 03:03:56] SUSPICIOUS | 162.240.14.171 | GET /.env | 404 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
162.240.14.171 2026-01-11 03:03:56+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-11 03:03:56] SUSPICIOUS | 162.240.14.171 | GET /.env.save | 404 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
162.240.14.171 2026-01-11 03:03:56+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-11 03:03:56] SUSPICIOUS | 162.240.14.171 | GET /.env.local | 404 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
162.240.14.171 2026-01-11 03:03:56+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-11 03:03:56] SUSPICIOUS | 162.240.14.171 | GET /app/.env | 404 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
162.240.14.171 2026-01-11 03:03:56+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-11 03:03:56] SUSPICIOUS | 162.240.14.171 | GET /.env.production | 404 | Reason: ml_suspicious | Pattern: /.env | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
167.99.219.122 2026-01-10 14:12:53+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-10 14:12:53] SUSPICIOUS | 167.99.219.122 | GET /ab2g | 404 | Reason: ml_suspicious | Pattern: /ab2g | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
167.99.219.122 2026-01-10 14:12:53+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-10 14:12:53] SUSPICIOUS | 167.99.219.122 | GET /ab2h | 404 | Reason: ml_suspicious | Pattern: /ab2h | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
167.99.219.122 2026-01-10 14:12:54+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-10 14:12:54] SUSPICIOUS | 167.99.219.122 | GET /alive.php | 404 | Reason: ml_suspicious | Pattern: /alive.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
167.99.219.122 2026-01-10 14:13:00+00:00 SUSPICIOUS BLOCK detections.log [astromap-ssl-access] [2026-01-10 14:13:00] SUSPICIOUS | 167.99.219.122 | GET /teorema505?t=1 | 404 | Reason: ml_suspicious | Pattern: /teorema505 | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
167.99.219.122 2026-01-10 14:12:57+00:00 TRACE TRACE detections.log [astromap-ssl-access] [2026-01-10 14:12:57] TRACE | 167.99.219.122 | GET / | 400 | Reason: ml_detect | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
172.68.10.215 2026-01-09 21:47:53+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-09 21:47:53] SUSPICIOUS | 172.68.10.215 | GET /wordpress/wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
172.68.10.215 2026-01-10 19:02:25+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-10 19:02:25] SUSPICIOUS | 172.68.10.215 | GET /wordpress/wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
172.68.10.215 2026-01-10 23:15:28+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_ssl_access] [2026-01-10 23:15:28] SUSPICIOUS | 172.68.10.215 | GET /wordpress/wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
172.68.10.215 2026-01-10 23:15:46+00:00 SUSPICIOUS BLOCK detections.log [orneigong.org_access] [2026-01-10 23:15:46] SUSPICIOUS | 172.68.10.215 | GET /wp-admin/setup-config.php | 404 | Reason: ml_suspicious | Pattern: /wp-admin/setup-config.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
187.228.70.30 2026-01-09 16:13:38+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-09 16:13:38] SUSPICIOUS | 187.228.70.30 | HEAD /invoker/EJBInvokerServlet | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
187.228.70.30 2026-01-09 16:13:42+00:00 SUSPICIOUS BLOCK detections.log [astromap-access] [2026-01-09 16:13:42] SUSPICIOUS | 187.228.70.30 | HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
Downstream contract:
- df_fp_evidence_pack is the canonical evidence excerpt table for this run.
- df_fp_evidence_summary is the canonical per-IP excerpt count summary.
- No enforcement/allowlisting/suppression changes are performed.
Cell Group 10B.5 — Result (Generated)
Evidence pack refined for SOC narrative quality.
dedup_key=raw_hash
rows_before=104
rows_after=104
Top request indicators (method+path) (top 25):
http_method http_path events_in_pack
GET /.git/config 6
GET /SDK/webLanguage 5
GET /bitrix/templates/.default/lang/ru/page_templates/.contents.php 5
GET /bitrix/css/main/themes/0x1.php 5
GET /wordpress/wp-admin/setup-config.php 5
GET /wp-admin/setup-config.php 5
GET / 4
GET /a/pl 4
GET /actuator/gateway/routes 4
GET /dispatch.asp 4
GET /admin/config.php 4
GET /geoserver/wfs?request=ListStoredQueries&service=wfs&version=2.0.0 3
GET /wp-content/plugins/hellopress/wp_filemanager.php 3
GET /.env 3
POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 3
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 3
POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 3
GET /aaa9 2
GET /aab9 2
UNKNOWN UNKNOWN 2
GET http://ip-api.com/json/ 2
GET /.env.local 1
GET /.env.save 1
GET /?XDEBUG_SESSION_START=phpstorm 1
GET /admin.php 1
Per-IP top paths (first 50 rows):
ip http_method http_path events_in_pack
104.23.221.174 GET /wordpress/wp-admin/setup-config.php 2
104.23.221.174 GET /wp-admin/setup-config.php 1
104.23.223.105 GET /wp-admin/setup-config.php 3
106.54.176.158 POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 1
106.54.176.158 POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 1
106.54.176.158 POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 1
111.230.195.3 POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 1
111.230.195.3 POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 1
111.230.195.3 POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 1
113.56.161.85 POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh 1
113.56.161.85 POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh 1
113.56.161.85 POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 1
142.44.161.179 GET /a/pl 4
142.44.161.179 GET / 1
157.245.101.73 GET /.env 2
157.245.101.73 GET /.git/config 2
157.245.101.73 GET / 1
162.240.14.171 GET /.env 1
162.240.14.171 GET /.env.local 1
162.240.14.171 GET /.env.production 1
162.240.14.171 GET /.env.save 1
162.240.14.171 GET /app/.env 1
167.99.219.122 GET / 1
167.99.219.122 GET /ab2g 1
167.99.219.122 GET /ab2h 1
167.99.219.122 GET /alive.php 1
167.99.219.122 GET /teorema505?t=1 1
172.68.10.215 GET /wordpress/wp-admin/setup-config.php 3
172.68.10.215 GET /wp-admin/setup-config.php 1
187.228.70.30 HEAD /invoker/EJBInvokerServlet 1
187.228.70.30 HEAD /invoker/JMXInvokerServlet 1
187.228.70.30 HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo 1
187.228.70.30 HEAD /web-console/ServerInfo.jsp 1
195.178.110.190 GET /.git/config 4
195.178.110.25 GET /dispatch.asp 4
204.76.203.30 GET http://ip-api.com/json/ 2
204.76.203.30 UNKNOWN UNKNOWN 2
204.76.203.8 GET /geoserver/wfs?request=ListStoredQueries&service=wfs&version=2.0.0 3
4.196.80.216 GET /wp-content/plugins/hellopress/wp_filemanager.php 3
4.196.80.216 GET /class-t.api.php 1
4.196.80.216 GET /zwso.php 1
4.230.25.46 GET /admin/ 1
4.230.25.46 GET /admin/controller/extension/extension/ 1
4.230.25.46 GET /admin/uploads/ 1
4.230.25.46 GET /wordpress/wp-admin/maint/ 1
46.161.50.108 GET /aaa9 2
46.161.50.108 GET /aab9 2
46.161.50.108 GET / 1
74.225.218.73 GET /about.php 1
74.225.218.73 GET /admin.php 1
Refined evidence pack (first 50 rows; raw_line HTML-escaped):
ip ts_utc verdict expected_action source_log http_method http_path raw_line
Downstream contract:
- df_fp_evidence_pack_dedup is the canonical refined evidence pack for this run.
- df_fp_path_summary is the canonical global method/path summary for this run.
- df_fp_ip_summary is the canonical per-IP top-path summary for this run.
- No enforcement/allowlisting/suppression changes are performed.
Cell Group 10B.6 — Result (Generated)
Redundancy metrics computed and behavior-level evidence compression produced.
rows_total=104
unique_ips=25
unique_raw_line=104
unique_behavior_method_path=48
unique_raw_hash=104
K_BEHAVIORS_PER_IP=6
Duplication metrics:
rows_total unique_ips unique_raw_hash unique_raw_line unique_behavior_method_path dup_rate_by_raw_line dup_rate_by_behavior
104 25 104 104 48 0.0 0.538462
Top IPs by distinct behaviors (before K cap):
ip distinct_behaviors_detected
162.240.14.171 5
167.99.219.122 5
74.225.218.73 5
187.228.70.30 4
4.230.25.46 4
113.56.161.85 3
157.245.101.73 3
106.54.176.158 3
111.230.195.3 3
46.161.50.108 3
91.200.220.91 3
4.196.80.216 3
104.23.221.174 2
79.124.40.174 2
142.44.161.179 2
204.76.203.30 2
172.68.10.215 2
104.23.223.105 1
204.76.203.8 1
195.178.110.190 1
195.178.110.25 1
87.121.84.105 1
87.121.84.125 1
89.42.231.200 1
91.232.238.112 1
Compressed behavior evidence pack (first rows; raw_line HTML-escaped):
ip ts_utc verdict expected_action source_log http_method http_path raw_line
187.228.70.30 2026-01-09 16:13:55+00:00 SUSPICIOUS BLOCK detections.log HEAD /web-console/ServerInfo.jsp [astromap-access] [2026-01-09 16:13:55] SUSPICIOUS | 187.228.70.30 | HEAD /web-console/ServerInfo.jsp | 301 | Reason: ml_suspicious | Pattern: /server | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
195.178.110.190 2026-01-11 02:05:52+00:00 SUSPICIOUS BLOCK detections.log GET /.git/config [astromap-ssl-access] [2026-01-11 02:05:52] SUSPICIOUS | 195.178.110.190 | GET /.git/config | 200 | Reason: ml_suspicious | Pattern: \.git/ | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
195.178.110.25 2026-01-09 19:46:55+00:00 SUSPICIOUS BLOCK detections.log GET /dispatch.asp [astromap-ssl-access] [2026-01-09 19:46:55] SUSPICIOUS | 195.178.110.25 | GET /dispatch.asp | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
204.76.203.30 2026-01-10 01:58:05+00:00 SUSPICIOUS BLOCK detections.log GET http://ip-api.com/json/ [astromap-access] [2026-01-10 01:58:05] SUSPICIOUS | 204.76.203.30 | GET http://ip-api.com/json/ | 301 | Reason: ml_suspicious | Pattern: http://ip-api.com/json/ | ML: 1.000 | Path: DNG_MTH→ABS_URI
204.76.203.30 2026-01-10 01:58:05+00:00 SUSPICIOUS BLOCK detections.log UNKNOWN UNKNOWN [astromap-access] [2026-01-10 01:58:05] SUSPICIOUS | 204.76.203.30 | CONNECT ip-api.com:443 | 301 | Reason: ml_suspicious | Pattern: CONNECT | ML: 1.000 | Path: DNG_MTH
204.76.203.8 2026-01-09 15:46:08+00:00 SUSPICIOUS BLOCK detections.log GET /geoserver/wfs?request=ListStoredQueries&service=wfs&version=2.0.0 [astromap-access] [2026-01-09 15:46:08] SUSPICIOUS | 204.76.203.8 | GET /geoserver/wfs?request=ListStoredQueries&service=wfs&version=2.0.0 | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.196.80.216 2026-01-09 10:22:33+00:00 SUSPICIOUS BLOCK detections.log GET /wp-content/plugins/hellopress/wp_filemanager.php [astropema_access] [2026-01-09 10:22:33] SUSPICIOUS | 4.196.80.216 | GET /wp-content/plugins/hellopress/wp_filemanager.php | 301 | Reason: ml_suspicious | Pattern: /wp-content/ | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.196.80.216 2026-01-09 10:22:34+00:00 SUSPICIOUS BLOCK detections.log GET /class-t.api.php [astropema_access] [2026-01-09 10:22:34] SUSPICIOUS | 4.196.80.216 | GET /class-t.api.php | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.196.80.216 2026-01-09 10:22:34+00:00 SUSPICIOUS BLOCK detections.log GET /zwso.php [astropema_access] [2026-01-09 10:22:34] SUSPICIOUS | 4.196.80.216 | GET /zwso.php | 301 | Reason: ml_suspicious | Pattern: /zwso.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.230.25.46 2026-01-10 09:42:52+00:00 SUSPICIOUS BLOCK detections.log GET /admin/ [orneigong.org_access] [2026-01-10 09:42:52] SUSPICIOUS | 4.230.25.46 | GET /admin/ | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.230.25.46 2026-01-10 09:42:53+00:00 SUSPICIOUS BLOCK detections.log GET /admin/uploads/ [orneigong.org_access] [2026-01-10 09:42:53] SUSPICIOUS | 4.230.25.46 | GET /admin/uploads/ | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.230.25.46 2026-01-10 09:42:53+00:00 SUSPICIOUS BLOCK detections.log GET /wordpress/wp-admin/maint/ [orneigong.org_access] [2026-01-10 09:42:53] SUSPICIOUS | 4.230.25.46 | GET /wordpress/wp-admin/maint/ | 404 | Reason: ml_suspicious | Pattern: /wp-admin/ | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
4.230.25.46 2026-01-10 09:42:53+00:00 SUSPICIOUS BLOCK detections.log GET /admin/controller/extension/extension/ [orneigong.org_access] [2026-01-10 09:42:53] SUSPICIOUS | 4.230.25.46 | GET /admin/controller/extension/extension/ | 404 | Reason: ml_suspicious | Pattern: /admin/controller/ | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
46.161.50.108 2026-01-09 06:39:33+00:00 SUSPICIOUS BLOCK detections.log GET /aaa9 [astromap-ssl-access] [2026-01-09 06:39:33] SUSPICIOUS | 46.161.50.108 | GET /aaa9 | 404 | Reason: ml_suspicious | Pattern: /aaa9 | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
46.161.50.108 2026-01-09 06:39:34+00:00 SUSPICIOUS BLOCK detections.log GET /aab9 [astromap-ssl-access] [2026-01-09 06:39:34] SUSPICIOUS | 46.161.50.108 | GET /aab9 | 404 | Reason: ml_suspicious | Pattern: /aab9 | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
46.161.50.108 2026-01-09 06:39:34+00:00 TRACE TRACE detections.log GET / [astromap-ssl-access] [2026-01-09 06:39:34] TRACE | 46.161.50.108 | GET / | 400 | Reason: ml_detect | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
74.225.218.73 2026-01-10 19:56:19+00:00 SUSPICIOUS BLOCK detections.log GET /edit.php [orneigong.org_access] [2026-01-10 19:56:19] SUSPICIOUS | 74.225.218.73 | GET /edit.php | 404 | Reason: ml_suspicious | Pattern: /edit.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
74.225.218.73 2026-01-10 19:56:19+00:00 SUSPICIOUS BLOCK detections.log GET /about.php [orneigong.org_access] [2026-01-10 19:56:19] SUSPICIOUS | 74.225.218.73 | GET /about.php | 404 | Reason: ml_suspicious | Pattern: /about.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
74.225.218.73 2026-01-10 19:56:19+00:00 SUSPICIOUS BLOCK detections.log GET /adminfuns.php [orneigong.org_access] [2026-01-10 19:56:19] SUSPICIOUS | 74.225.218.73 | GET /adminfuns.php | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
74.225.218.73 2026-01-10 19:56:19+00:00 SUSPICIOUS BLOCK detections.log GET /admin.php [orneigong.org_access] [2026-01-10 19:56:19] SUSPICIOUS | 74.225.218.73 | GET /admin.php | 404 | Reason: ml_suspicious | Pattern: /admin.php | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
74.225.218.73 2026-01-10 19:56:20+00:00 SUSPICIOUS BLOCK detections.log GET /info.php [orneigong.org_access] [2026-01-10 19:56:20] SUSPICIOUS | 74.225.218.73 | GET /info.php | 404 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
79.124.40.174 2026-01-09 07:28:28+00:00 TRACE TRACE detections.log GET /?XDEBUG_SESSION_START=phpstorm [astromap-ssl-access] [2026-01-09 07:28:28] TRACE | 79.124.40.174 | GET /?XDEBUG_SESSION_START=phpstorm | 200 | Reason: ml_detect | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
79.124.40.174 2026-01-09 09:12:53+00:00 SUSPICIOUS BLOCK detections.log GET /actuator/gateway/routes [astromap-ssl-access] [2026-01-09 09:12:53] SUSPICIOUS | 79.124.40.174 | GET /actuator/gateway/routes | 404 | Reason: ml_suspicious | Pattern: /actuator/gateway/routes | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
87.121.84.105 2026-01-09 20:41:17+00:00 SUSPICIOUS BLOCK detections.log GET /bitrix/css/main/themes/0x1.php [astropema_access] [2026-01-09 20:41:17] SUSPICIOUS | 87.121.84.105 | GET /bitrix/css/main/themes/0x1.php | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
87.121.84.125 2026-01-10 13:55:28+00:00 SUSPICIOUS BLOCK detections.log GET /bitrix/templates/.default/lang/ru/page_templates/.contents.php [astropema_access] [2026-01-10 13:55:28] SUSPICIOUS | 87.121.84.125 | GET /bitrix/templates/.default/lang/ru/page_templates/.contents.php | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
89.42.231.200 2026-01-09 14:26:35+00:00 SUSPICIOUS BLOCK detections.log GET /SDK/webLanguage [astromap-access] [2026-01-09 14:26:35] SUSPICIOUS | 89.42.231.200 | GET /SDK/webLanguage | 301 | Reason: ml_suspicious | Pattern: /sdk | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
91.200.220.91 2026-01-09 22:12:39+00:00 SUSPICIOUS BLOCK detections.log POST /api [astromap-access] [2026-01-09 22:12:39] SUSPICIOUS | 91.200.220.91 | POST /api | 301 | Reason: ml_suspicious | Pattern: /api | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
91.200.220.91 2026-01-09 22:12:51+00:00 SUSPICIOUS BLOCK detections.log POST /app [astromap-access] [2026-01-09 22:12:51] SUSPICIOUS | 91.200.220.91 | POST /app | 301 | Reason: ml_suspicious | ML: 1.000 | Path: DNG_MTH→ABS_URI→CHAL→ACME→ADM_PRB→WEBSHEL→WHTLST→BLKLST
Downstream contract:
- df_fp_dup_metrics is the canonical redundancy metrics table for this run.
- df_fp_behavior_pack is the canonical compressed evidence pack for SOC narrative use.
- df_fp_behavior_counts is the canonical per-IP distinct-behavior count table.
- No enforcement/allowlisting/suppression changes are performed.
Cell Group 10B.7 — Result (Generated)
Audit window (UTC): 2026-01-09T05:21:39+00:00 → 2026-01-11T05:21:39+00:00
behavior_pack_rows=62
behavior_pack_unique_ips=25
Taxonomy summary (events):
taxonomy | events_in_behavior_pack
Other Probing/Recon | 23
CMS Probing (WordPress) | 7
Secrets/Config Exposure (.env) | 6
Admin Surface Probing | 6
Traversal/RCE Probing (cgi-bin traversal) | 6
Java Middleware Probing (JMX/EJB) | 4
RCE Probing (php.ini injection attempt) | 3
CMS/Platform Probing (Bitrix) | 2
Repo/Source Exposure (.git) | 2
Outbound Recon/Callback Indicator (ip-api) | 1
Platform Recon (Spring Actuator) | 1
Unknown/Unparsed | 1
Taxonomy summary (unique IPs):
taxonomy | unique_ips
Other Probing/Recon | 11
CMS Probing (WordPress) | 5
RCE Probing (php.ini injection attempt) | 3
Admin Surface Probing | 3
Traversal/RCE Probing (cgi-bin traversal) | 3
CMS/Platform Probing (Bitrix) | 2
Secrets/Config Exposure (.env) | 2
Repo/Source Exposure (.git) | 2
Java Middleware Probing (JMX/EJB) | 1
Outbound Recon/Callback Indicator (ip-api) | 1
Platform Recon (Spring Actuator) | 1
Unknown/Unparsed | 1
Top indicators (method+path):
taxonomy | behavior_sig | count
Other Probing/Recon | GET / | 4
CMS Probing (WordPress) | GET /wp-admin/setup-config.php | 3
Traversal/RCE Probing (cgi-bin traversal) | POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh | 3
Traversal/RCE Probing (cgi-bin traversal) | POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh | 3
RCE Probing (php.ini injection attempt) | POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input | 3
CMS Probing (WordPress) | GET /wordpress/wp-admin/setup-config.php | 2
Secrets/Config Exposure (.env) | GET /.env | 2
Repo/Source Exposure (.git) | GET /.git/config | 2
CMS Probing (WordPress) | GET /wordpress/wp-admin/maint/ | 1
CMS Probing (WordPress) | GET /wp-content/plugins/hellopress/wp_filemanager.php | 1
Admin Surface Probing | GET /admin/config.php | 1
Admin Surface Probing | GET /admin.php | 1
Admin Surface Probing | GET /admin/controller/extension/extension/ | 1
Admin Surface Probing | GET /admin/uploads/ | 1
Admin Surface Probing | GET /adminfuns.php | 1
Admin Surface Probing | GET /admin/ | 1
Java Middleware Probing (JMX/EJB) | HEAD /web-console/ServerInfo.jsp | 1
Java Middleware Probing (JMX/EJB) | HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo | 1
Java Middleware Probing (JMX/EJB) | HEAD /invoker/JMXInvokerServlet | 1
Java Middleware Probing (JMX/EJB) | HEAD /invoker/EJBInvokerServlet | 1
CMS/Platform Probing (Bitrix) | GET /bitrix/templates/.default/lang/ru/page_templates/.contents.php | 1
CMS/Platform Probing (Bitrix) | GET /bitrix/css/main/themes/0x1.php | 1
Other Probing/Recon | GET /SDK/webLanguage | 1
Other Probing/Recon | GET /?XDEBUG_SESSION_START=phpstorm | 1
Other Probing/Recon | GET /about.php | 1
Other Probing/Recon | GET /alive.php | 1
Other Probing/Recon | GET /class-t.api.php | 1
Other Probing/Recon | GET /a/pl | 1
Other Probing/Recon | GET /aaa9 | 1
Other Probing/Recon | GET /aab9 | 1
Narrative:
SOC Narrative — Suspicious-Low-Volume Queue (Behavior-Level Summary)
Audit window (UTC): 2026-01-09T05:21:39+00:00 → 2026-01-11T05:21:39+00:00
Evidence basis: behavior-compressed excerpt pack (rows=62, unique IPs=25).
What was observed
- A low-volume subset of IPs generated SUSPICIOUS-labeled requests consistent with common exploitation and misconfiguration probes.
- Individual raw events were unique at the record level, while repeated behavior signatures (method+path) occurred across multiple IPs.
Behavior taxonomy (from compressed evidence)
- Other Probing/Recon: 23 behavior events
- CMS Probing (WordPress): 7 behavior events
- Secrets/Config Exposure (.env): 6 behavior events
- Admin Surface Probing: 6 behavior events
- Traversal/RCE Probing (cgi-bin traversal): 6 behavior events
- Java Middleware Probing (JMX/EJB): 4 behavior events
- RCE Probing (php.ini injection attempt): 3 behavior events
- CMS/Platform Probing (Bitrix): 2 behavior events
Representative indicators (method + path)
- [Other Probing/Recon] GET / (count=4)
- [CMS Probing (WordPress)] GET /wp-admin/setup-config.php (count=3)
- [Traversal/RCE Probing (cgi-bin traversal)] POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh (count=3)
- [Traversal/RCE Probing (cgi-bin traversal)] POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh (count=3)
- [RCE Probing (php.ini injection attempt)] POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input (count=3)
- [CMS Probing (WordPress)] GET /wordpress/wp-admin/setup-config.php (count=2)
- [Secrets/Config Exposure (.env)] GET /.env (count=2)
- [Repo/Source Exposure (.git)] GET /.git/config (count=2)
- [CMS Probing (WordPress)] GET /wordpress/wp-admin/maint/ (count=1)
- [CMS Probing (WordPress)] GET /wp-content/plugins/hellopress/wp_filemanager.php (count=1)
Analyst interpretation (non-normative)
- `.env` and `/.git/config` targets align with attempts to retrieve secrets or source metadata.
- WordPress/Bitrix paths align with broad CMS exploitation scanning.
- Encoded traversal and CGI probes align with traversal/RCE attempt patterns.
- JMX/EJB invoker paths align with legacy middleware probing.
Controls note
- This notebook performs read-only analysis and does not modify enforcement state.
Downstream contract:
- df_fp_taxonomy / df_fp_taxonomy_summary / df_fp_taxonomy_ip_counts / df_top_indicators
- SOC_NARRATIVE_10B7
- No enforcement/allowlisting/suppression changes are performed.