The IP was seen attempting a FTP Command Injection attack, inserting malicious commands into legitimate FTP requests.

Multiple unsuccessful attempts to escalate privileges or access root account.

POST /modules/raptor_file_manager/upload.php: Attempt to use a known flaw in the Raptor file manager for arbitrary file upload.

Numerous requests for non-existent pages, suggesting the attacker is probing for vulnerabilities.

Unusual patterns in session IDs.

Attempted to conduct numerous data harvesting strategies to gather sensitive user data.

FOR YOUR INFORMATIONS and ACTIONS against these Bastards HACKERS USING your servers IP and accounts and mails boxes ! Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, comptes et boites mails ! Recu 3ème mail escroc usurpant la Banque NICKEL avec ENCORE utilisation des serveurs mails website@multigama.ro et adresse IP 92.86.6.214 en ROUMANIE ! avec aussi adresse IP : Received : from EC2AMAZ-6U1VN38 (ec2-18-188-134-128.us-east-2.compute.amazonaws.com [18.188.134.128]) Recu ce Lundi 04 Novembre 2024 après 16h27 ( et mails escrocs toujours envoyés les nuits ou week-ends ) ce 3ème mail ci-dessous usurpant encore la banque NICKEL : venant encore de la boite mail en ROUMANIE: From: "Nickel" website@multigama.ro avec utilisation des serveurs IP mail.multigama.ro et adresse IP 92.86.6.214 en ROUMANIE gérée par registry@orange.com et adresse IP 18.188.134.128 gérée par trustandsafety@support.aws.com Received : from mail.multigama.ro (mail.multigama.ro [92.86.6.214]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0109.laposte.net (SMTP Server) with ESMTPS id 4XhwMP2lvHz1xmH for <@laposte.net>; Mon, 4 Nov 2024 16:27:45 +0100 (CET) Received : from mail.multigama.ro (mail.multigama.ro [127.0.0.1]) by mail.multigama.ro (Postfix) with ESMTP id C9DBB2427C27 for <@laposte.net>; Mon, 4 Nov 2024 17:27:44 +0200 (EET) Authentication-Results : mail.multigama.ro (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=multigama.ro DKIM-Signature : v=1; a=rsa-sha256; c=relaxed/simple; d=multigama.ro; h= in-reply-to:message-id:date:date:mime-version:content-type :content-type:to:subject:subject:from:from; s=dkim; t= 1730734062; x=1731598063; bh=pBiF4/n5W0AEa4FcjhMCtsTOHlOLUotOgXI u2karoQ0=; b=GW0RlXQqWE1A1nRhrs2lVt2xJPq+WUGOFBGFmygVgjhPqMhvqXO 9h911Uap/XTBzEPOOIoTfQ9FZBhDv7Fa6LHZqehkFCbLCXRytkCdo3m5i8Qa+mQC aY8SEstX9v2fp5F4Gaxq4lcNi3vueyMY1wvnxLHlUXWCYUOjrtq7D4l4= X-Virus-Scanned : amavisd-new at mail.multigama.ro X-Spam-Flag : NO X-Spam-Score : -98.908 IP Lookup Details: IP Information - 92.86.6.214 Host name: mail.multigama.ro Country: Romania Country Code: RO Region: 30 City: Ploiesti Latitude: 44.95 Longitude: 26.0167 ********************* Contenu du mail des hackers ***************** Urgent: votre compte a été suspendu • Aujourd'hui, à 16:27 (il y a 4 minutes) 9Ko • • • N De : Nickel • A : Moi • Bonjour, Pour continuer à utiliser notre service bancaire en ligne, veuillez activer le nouveau système de sécurité web. Une fois vos informations mises à jour, l'utilisation de votre carte reviendra à la normale. Pour éviter la suppression de votre compte, validez la mise à jour en cliquant ci-dessous : Vous avez 24 heures à partir de la réception de ce message pour effectuer la mise à jour, sans quoi votre compte sera supprimé. Cordialement, xxxxxxxxxxxxxxxxxxxxxxxxxxx CODES HTML des hackers xxxxxxxxxxxxxxxxxxxx Return-Path : <website@multigama.ro> Received : from mlpnf0109.laposte.net (mlpnf0109.sys.meshcore.net [10.94.128.88]) by mlpnb0108 with LMTPA; Mon, 04 Nov 2024 16:27:45 +0100 X-Cyrus-Session-Id : cyrus-189913-1730734065-1-4309534639260004063 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1730734065; cv=none; b=OqGEXqgqs/N+KwKXjwgXLwUroao2uIEtSDw716JzU8ZJOgNJUMraqjvrNV5QpLj371QqGHVYmxw oRhG4es/8HxEIrDeTz+ghYEL/KOTfvn5wCFeRnaSO/KpD/MuSF4+9O48V9yeIdJtAt72u6gmM9dw EQaVFQRhdeYc70L0f1BzIUqmw14aY9Q2ZKZpQ0L30CtGvSFOrHRHnlDv1AeZo89Y+0rK9pyQmNgP 24RB4dj0WMIeuKvooktSGIycM5p5b3z9kNeb6v8/p9Gv6yEshrTwtkahZlwSzVbg5JG4EejNCrmj W1XXnchMz4VHTLNZJjZY3V7DB5am6+fz7eBYa2Q== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1730734065; h=DKIM-Signature:From:Subject:To:Date:In-Reply-To; bh=pBiF4/n5W0AEa4FcjhMCtsTOHlOLUotOgXIu2karoQ0=; b=isRVMOF9Trh2e6d1aV5ulVAIJL tFKsO68ixPnmmLoi5F25EBTS5p01ZjNwmnCqykhrNoDePSWTgkxF2MhvanvQpMDFU5e576xft25m jTCRmS7B4JjzSMyY18Jkdom+7yzopigzxVz8jDpfg9Tl8Bt9TkQniOKDAIsHpHDjs89/KDyhydpB guWpDU+zVvKSbRuo3rID7bmMPHfxupcmTvZhNSkcKbVkjeIUnU9c8aglqTc2CsIFI2a9pdvLvpsi s4udKsDUZIAt8yqze6btmGHA+IO4NzhoEJ0Ro2r4kxpBnTI4eNFDV+RW3ef9iaMcbqgMEHe0OxhN zsA9p1a3aVaA== ARC-Authentication-Results : i=1; laposte.net; spf=pass smtp.helo=mail.multigama.ro smtp.mailfrom=website@multigama.ro; dkim=pass reason="good signature" header.b=GW0RlX header.d=multigama.ro header.s=dkim; dmarc=none reason="No policy found"; arc=none smtp.remote-ip=92.86.6.214; bimi=skipped reason="non-pass DMARC" X-mail-filterd : {"version":"1.8.0","queueID":"4XhwMP3G7rz1xmm","contextId": "8ee4827d-32d6-4a01-bd0e-4614d4e1a676"} X-ppbforward : {"queueID":"4XhwMP3G7rz1xmm","server":"mlpnf0109"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0109.laposte.net (SMTP Server) with ESMTP id 4XhwMP3G7rz1xmm for <lpn000000000000000018870443@back01-mail02-04.lpn.svc.meshcore.net>; Mon, 4 Nov 2024 16:27:45 +0100 (CET) X-mail-filterd : {"version":"1.8.0","queueID":"4XhwMP2lvHz1xmH","contextId": "b05cc716-6f9a-4457-b3cb-b370aef18ae4"} X-lpn-mailing : LEGIT X-lpn-spamrating : 40 X-lpn-spamlevel : not-spam

We traced a significant increase in the distribution of malicious fake security software to the reported IP.

POST /admin/upload.php?_upl: An attempt to exploit the JQuery File Upload vulnerability.

It attempted to perform a Steam protocol amplification attack on the SSH server.

It continually sought to exploit known vulnerabilities within SSH through crafted packet attempts.

The IP attempted to send emails from the Postfix server to blacklisted email addresses.

It attempted to send emails from the Mail server that violate the server's usage policy.

This IP belongs to Freddie Mac.

By launching ApacheKiller attacks, the IP aimed to cause a Denial of Service by exhausting memory resources.

This IP belongs to PepsiCo.

This IP belongs to Walmart.

It attempted to perform a denial of service attack on the SSH server.

This IP belongs to Walgreens Boots Alliance.

This IP belongs to Prudential Financial.

GET /CFIDE/administrator/enter.cfm: An attempt to get into the ColdFusion admin console.

It made multiple requests with the same If-None-Match header.

It attempted to use the FTP server to distribute SQL injection tools.

The IP attempted to send emails from the Postfix server pretending to be from a different sender.

It made multiple requests with the same X-Wap-Profile header.