Submitted URL: http://rmtottawa.ca/XZ/ofc
Effective URL: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a6...
Submission Tags: @ipnigh
Submission: On May 15 via api from GB

Summary

This website contacted 4 IPs in 1 country across 3 domains to perform 4 HTTP transactions. The main IP is 209.59.164.201, located in Lansing, United States, and belongs to LIQUIDWEB, US. The main domain is rmtottawa.ca.
This is the only time rmtottawa.ca was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Microsoft (Consumer)

Domain & IP information

      IP Address        AS     Autonomous System
2  4  209.59.164.201    32244  (LIQUIDWEB)
1     2606:4700::68...  13335  (CLOUDFLAR...)
1     2600:3c01::f0...  63949  (LINODE-AP...)
4  4  (total)
   Apex Domain     Subdomains            Transfer
4  rmtottawa.ca    rmtottawa.ca          543 KB
1  jsonip.com      jsonip.com            453 B
1  cloudflare.com  cdnjs.cloudflare.com  73 KB
4  3 (total)
   Domain                Requested by
4  rmtottawa.ca          2 redirects
1  jsonip.com            cdnjs.cloudflare.com
1  cdnjs.cloudflare.com  rmtottawa.ca
4  3 (total)

This site contains no links.

Subject         Issuer                      Validity                 Valid
cloudflare.com  CloudFlare Inc ECC CA-2     2020-01-07 - 2020-10-09  9 months
jsonip.com      Let's Encrypt Authority X3  2020-04-29 - 2020-07-28  3 months

This page contains 1 frame:

Primary Page: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
Frame ID: C11887B7208ED5B049C603A58DD760F3
Requests: 8 HTTP requests in this frame


Detected technologies

Overall confidence: 100%
Detected patterns
  • headers server /(?:Apache(?:$|\/([\d.]+)|[^/-])|(?:^|\b)HTTPD)/i

Page Statistics

Requests: 4
HTTPS: 50 %
IPv6: 67 %
Domains: 3
Subdomains: 3
IPs: 4
Countries: 1
Transfer: 616 kB
Size: 1203 kB
Cookies: 2

Page URL History

This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.

  1. http://rmtottawa.ca/XZ/ofc HTTP 301
    http://rmtottawa.ca/XZ/ofc/ HTTP 303
    http://rmtottawa.ca/XZ/ofc/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0 Page URL
  2. http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0 Page URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 0
  • http://rmtottawa.ca/XZ/ofc HTTP 301
  • http://rmtottawa.ca/XZ/ofc/ HTTP 303
  • http://rmtottawa.ca/XZ/ofc/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0

4 HTTP transactions

Each transaction is listed with its Resource, Path, Size, x-fer, Type and MIME-Type, followed by its General information and its request and response headers.
Resource: r.php
Path: rmtottawa.ca/XZ/ofc/
Redirect Chain:
  • http://rmtottawa.ca/XZ/ofc
  • http://rmtottawa.ca/XZ/ofc/
  • http://rmtottawa.ca/XZ/ofc/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
Size: 222 B
x-fer: 574 B
Type: Document

General
Full URL: http://rmtottawa.ca/XZ/ofc/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
Protocol: HTTP/1.1
Server: 209.59.164.201 Lansing, United States, ASN32244 (LIQUIDWEB, US)
Reverse DNS: cloud.uberip.com
Software: Apache / PHP/5.6.40
Resource Hash:

Request headers

Host: rmtottawa.ca
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: PHPSESSID=5f32f7bcb32309c2560dfe0576ba0d5d

Response headers

Date: Fri, 15 May 2020 01:19:32 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 222
Keep-Alive: timeout=5, max=148
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Redirect headers

Date: Fri, 15 May 2020 01:19:32 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=5f32f7bcb32309c2560dfe0576ba0d5d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
LOCATION: ./r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
Content-Length: 0
Keep-Alive: timeout=5, max=149
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Resource: / (Primary Request)
Path: rmtottawa.ca/XZ/ofc/s/
Size: 542 KB
x-fer: 542 KB
Type: Document

General
Full URL: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
Protocol: HTTP/1.1
Server: 209.59.164.201 Lansing, United States, ASN32244 (LIQUIDWEB, US)
Reverse DNS: cloud.uberip.com
Software: Apache / PHP/5.6.40
Resource Hash: 6147623722fb0271292868e0f39aa5de3807d4dbf455f3d0517254d01b730d87

Request headers

Host: rmtottawa.ca
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://rmtottawa.ca/XZ/ofc/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Cookie: PHPSESSID=5f32f7bcb32309c2560dfe0576ba0d5d

Response headers

Date: Fri, 15 May 2020 01:19:33 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=147
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Resource: jquery.js
Path: cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0/
Size: 257 KB
x-fer: 73 KB
Type: Script

General
Full URL: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0/jquery.js
Requested by: rmtottawa.ca (URL: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0)
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6810:84e5, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS:
Software: cloudflare
Resource Hash: 8eb3cb67ef2f0f1b76167135cef6570a409c79b23f0bc0ede71c9a4018f1408a
Security Headers:
  • Strict-Transport-Security: max-age=15780000; includeSubDomains

Request headers

Referer: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Fri, 15 May 2020 01:19:34 GMT
content-encoding: br
vary: Accept-Encoding
cf-cache-status: HIT
age: 2918568
status: 200
alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
cf-request-id: 02b7835d94000097cc87beb200000001
served-in-seconds: 0.004
timing-allow-origin: *
last-modified: Thu, 17 May 2018 09:21:00 GMT
server: cloudflare
etag: W/"5afd497c-40464"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security: max-age=15780000; includeSubDomains
content-type: application/javascript; charset=utf-8
access-control-allow-origin: *
cache-control: public, max-age=30672000
cf-ray: 5939080f5a7697cc-FRA
expires: Wed, 05 May 2021 01:19:34 GMT
Resource: truncated
Path: /
Size: 383 KB
x-fer: 0
Type: Image

General
Full URL: data:truncated
Protocol: DATA
Server: -
Reverse DNS:
Software:
Resource Hash: 0f6307074eb27dd48ea5fd4fa7223b32b2218ffcef0a6f45bdf0008781392f9a

Request headers

Referer: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Content-Type: image/png
Resource: /
Path: jsonip.com/
Size: 152 B
x-fer: 453 B
Type: Script

General
Full URL: https://jsonip.com/?callback=jQuery30000427313881258371_1589505574348&_=1589505574349
Requested by: cdnjs.cloudflare.com (URL: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.0.0/jquery.js)
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 2600:3c01::f03c:91ff:fe79:43b, United States, ASN63949 (LINODE-AP Linode, LLC, US)
Reverse DNS:
Software: nginx/1.16.1
Resource Hash: 8ee9b2ebc4bedc1378c658d037b02e286c9f9ffbcc17ee120a1976a2cc3d618a
Security Headers:
  • Strict-Transport-Security: max-age=31536000;

Request headers

Referer: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Fri, 15 May 2020 01:19:34 GMT
Server: nginx/1.16.1
Strict-Transport-Security: max-age=31536000;
Access-Control-Allow-Methods: GET
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
Transfer-Encoding: chunked
Connection: keep-alive
Resource: truncated
Path: /
Size: 7 KB
x-fer: 0
Type: Image

General
Full URL: data:truncated
Protocol: DATA
Server: -
Reverse DNS:
Software:
Resource Hash: 4383878a2993e67c930e7003b37f916d229c3b6ecac369e0f260b8108937c25d

Request headers

Referer: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Content-Type: image/png
Resource: truncated
Path: /
Size: 10 KB
x-fer: 0
Type: Image

General
Full URL: data:truncated
Protocol: DATA
Server: -
Reverse DNS:
Software:
Resource Hash: d575a384f0e584908909bb1465a8ec3c2d47da6085c1d72082092771c85d629a

Request headers

Referer: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Content-Type: image/png
Resource: truncated
Path: /
Size: 3 KB
x-fer: 0
Type: Image

General
Full URL: data:truncated
Protocol: DATA
Server: -
Reverse DNS:
Software:
Resource Hash: 412b07a79cdf703396340599af2b0fbb3f67e7c030c793104a739bad6113a9f2

Request headers

Referer: http://rmtottawa.ca/XZ/ofc/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=bc1773c59402466129fda58a7f91c281ed123c1a68fb5a4b04f3f7a69b2bbfe2085c53d0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Content-Type: image/png

Verdicts & Comments

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan: Phishing against: Microsoft (Consumer)

6 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

  • object: onformdata
  • object: onpointerrawupdate
  • function: $
  • function: jQuery
  • function: getIPAddress
  • string: x

2 Cookies

Domain/Path            Name       Value
rmtottawa.ca/          PHPSESSID  5f32f7bcb32309c2560dfe0576ba0d5d
rmtottawa.ca/XZ/ofc/s  ip11       2a01:4f8:192:5414::2