
API Additions - IP Location (iplocation.sicehice.com)

To continue extending the service, we recently added API methods that let users retrieve information about their own public IP address or look up data about another IP. The methods are documented at https://sicehice.com/platform/apidocs.

To summarize the available methods:

  • GET https://iplocation.sicehice.com/
    • Returns a JSON response with information about the IP the request came from
  • GET https://iplocation.sicehice.com/plain
    • Returns only the IP the request came from, as plain text
  • GET https://iplocation.sicehice.com/api/?ip=185.117.88.82
    • Returns a JSON response with information about the IP given in the ip parameter
    • Can be used from CLI tools, scripts, etc.
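The following is an added example of calling these endpoints from a script; it is not Sicehice's own client code. It validates the address before it is placed in the query string (so that only well-formed, public addresses reach the API), sets a request timeout, and parses the JSON reply. The field names in the constructed sample response (`ip`, `note`) are an assumption for the offline demonstration; the real response fields are described in the apidocs linked above.

```python
"""Small client for the iplocation.sicehice.com endpoints listed above.

Example code added to this post, not Sicehice's own client. The response
field names used in the sample below are assumed; consult the apidocs.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

BASE_URL = "https://iplocation.sicehice.com"


def validate_ip(value: str) -> str:
    """Return the canonical text form of a public IPv4/IPv6 address.

    Raises ValueError for anything that is not an IP address or that is
    private, loopback, link-local or otherwise reserved. Validating here
    keeps arbitrary strings out of the query string and avoids wasting
    lookups on addresses the service cannot say anything useful about.
    """
    addr = ipaddress.ip_address(value.strip())
    if not addr.is_global:
        raise ValueError(f"{addr} is not a public address")
    return str(addr)


def self_url(plain: bool = False) -> str:
    """URL for looking up the caller's own IP (JSON by default, text with plain=True)."""
    return f"{BASE_URL}/plain" if plain else f"{BASE_URL}/"


def build_lookup_url(ip: str) -> str:
    """Build https://iplocation.sicehice.com/api/?ip=<addr> for a validated address."""
    return f"{BASE_URL}/api/?" + urllib.parse.urlencode({"ip": validate_ip(ip)})


def fetch(url: str, timeout: float = 10.0) -> str:
    """GET the URL over HTTPS with a timeout and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": "iplocation-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status} for {url}")
        return resp.read().decode("utf-8")


def parse_json_response(body: str) -> dict:
    """Parse a JSON reply and insist on an object, not a bare value or array."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object in the response")
    return data


def lookup_ips(ips, getter=fetch) -> dict:
    """Look up several addresses; invalid ones are reported, never sent.

    `getter` is injectable so the function can be exercised offline.
    """
    results = {}
    for ip in ips:
        try:
            url = build_lookup_url(ip)
        except ValueError as exc:
            results[ip] = {"error": str(exc)}
            continue
        results[ip] = parse_json_response(getter(url))
    return results


# Constructed sample reply for the offline run below; the real field names
# are documented at https://sicehice.com/platform/apidocs (assumption).
SAMPLE_RESPONSE = json.dumps({"ip": "185.117.88.82", "note": "constructed sample"})


if __name__ == "__main__":
    # Offline demonstration: a getter that returns the constructed sample
    # instead of contacting the service. Replace with the default `fetch`
    # to perform real lookups.
    offline = lambda url: SAMPLE_RESPONSE  # noqa: E731
    print(lookup_ips(["185.117.88.82", "10.0.0.1", "not-an-ip"], getter=offline))
```

Using `urllib.parse.urlencode` rather than string concatenation means an IPv6 address's colons are percent-encoded correctly, and rejecting non-global addresses up front is a cheap way to stop a script that reads addresses from logs from firing lookups for RFC 1918 space or junk lines.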
