It initiated requests to non-existent endpoints.

The IP sent malformed Asterisk requests, potentially indicating an attempt to crash the server.

IP Spoofing: Logs showing HTTP requests with IP ranges that are typically reserved for private networks or an unusual X-Forwarded-For header.

The IP attempted to perform a QOTD amplification attack on the SSH server.

It attempted to perform a SYN flood attack on the SSH server.

The IP attempted Forceful Browsing, trying to discover hidden directories or files which could contain SSH access data.

It attempted to use the FTP server to distribute pirated software.

It attempted to perform a SIP Register Flood on the Asterisk server.

It executed blind command injection, exploiting server inputs to gain unauthorized system control.

This malicious IP was reported for attempting a FTP Bounce attack, exploiting the FTP protocol's proxy command to scan ports and networks.

The IP attempted to use the FTP server to distribute rootkit software.

It attempted to perform a credential stuffing attack on the SSH server.

It attempted to take advantage of misconfigurations in the Apache server.

FOR YOUR INFORMATIONS and ACTIONS against these Bastards HACKERS USING your servers IP, accounts and mails boxes ! Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, comptes et boites mails ! Recu tard hier soir Lundi 09 Decembre après 23h25 ( envoyés toujours les nuits ou les week-ends ) MAILs escrocs via les Google.com usurpant les NOTAIRES de FRANCE et venant de l’adresse Mail bidon: hiteshjoshi900@gmail.com avec adresse IP utilisée: 209.85.128.50 gérée par: network-abuse@google.com Received : from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mlpnf0111.laposte.net (SMTP Server) with ESMTPS id 4Y6bzB5KtLzTgCX for <@laposte.net>; Mon, 9 Dec 2024 23:25:25 +0100 (CET) Received : by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-435005192d1so5909545e9.3 for <ele.lemoine@laposte.net>; Mon, 09 Dec 2024 14:25:25 -0800 (PST) DKIM-Signature : v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733783124; x=1734387924; darn=laposte.net; IP Lookup Details: IP Information - 209.85.128.50 Host name: mail-wm1-f50.google.com Country: United States Country Code: US Region: City: Latitude: 37.751 Longitude: -97.822 ******************* Contenu du mail des hackers *************** Documents importants à votre disposition • lundi 9 Décembre, 23:25 (il y a 9 heures) 15Ko • • • CH De : CH / Hussier • A : Moi • Madame/Monsieur , Nous vous avons transmis des documents sécurisés qui nécessitent votre attention. Ces fichiers contiennent des informations que nous jugeons essentielles. Nous vous prions de les examiner dans les plus brefs délai [Télécharger le fichier sécurisé] Attention Nous vous encourageons vivement à les examiner dans les 24 heures suivant la réception de ce message. Soyez éco-responsable, n'imprimez ce mail que si nécessaire. **************** CODES HTML dess hackers ******************** Return-Path : <hiteshjoshi900@gmail.com> Received : from mlpnf0111.laposte.net (mlpnf0111.sys.meshcore.net [10.94.128.90]) by mlpnb0108 with LMTPA; Mon, 09 Dec 2024 23:25:28 +0100 X-Cyrus-Session-Id : cyrus-156530-1733783128-1-8496647559636748249 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1733783128; cv=none; b=ZqhecqsRvHOXUFB2doa9guT01TyXY1Gsq+3i36U12m/O0h3llqxGK/Z8Q92IKtE+fbCsqzr7RNO IwSc5+xZaV7vt59Cn3lWLVxPRTMbEHmuh0El7p5Q3PUUB7luCluob71lj2ykCfha7e2PswDWuJrf LFGYvLyt65Izs9bLaQXF/BjBa9QChhf1iMuZs/TsFnojKN35etIkpxgnQN2YrByIUW4b4oA1CDRJ lisf6DNWVuXHOVrnvQ1Y5KF/2CgRF+IQ21JmmJ8vSQoDRUMnfRN+BL/wCpshv5MxzNkCQNFJ8Tmc mRJb0spEPQ4uljqN8QHZOV+axrH0CHovXhamFqA== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1733783128; h=DKIM-Signature:Date:From:To:Subject; bh=2Z5twmOSE 909hIbJWC3/b2TJxUftlbv4rZmkbHYDELk=; b=b4NbCo4LnwY6YWpQNiPOAg96i1CoIW0vjG7gl mpOrRGSgtpe7V84VgDvBLZ8xKFnREVbUqa88kGaYsrjV6moIAhun13sdUgS9OrDVKKejKhlJtetk GHwfykt5CC+8DciDOYSplNjGnwrQiCjlnHfIQvnI/Ry1oYtdD3nwHIDquSvrlSyf9CSb6o6/FjM9 4QqDUzxmpYFFofhP2fLIK3ujo5HjCCeaLCfRiZX39V+Rr+BO0QjgSc8OPrDI9kG2ewm5bsMdJJlJ cG3f4Z8cB6ufp6aNUjZ4O1kAOqeOZlyIAMSGSRx6mulV7aUX4u3pgf57bMXECI8uGqaCMfEZOcJI A== ARC-Authentication-Results : i=1; laposte.net; spf=pass smtp.helo=mail-wm1-f50.google.com smtp.mailfrom=hiteshjoshi900@gmail.com; dkim=pass reason="good signature" header.b=PJ3of3 header.d=gmail.com header.s=20230601; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=209.85.128.50; bimi=skipped reason="non-compliant DMARC" X-mail-filterd : {"version":"1.8.0","queueID":"4Y6bzD5rybzTgCF","contextId": "57e39686-3063-4045-b47c-35539fb0ce5f"} X-ppbforward : {"queueID":"4Y6bzD5rybzTgCF","server":"mlpnf0111"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0111.laposte.net (SMTP Server) with ESMTP id 4Y6bzD5rybzTgCF for <lpn000000000000000018870443@back01-mail02-04.lpn.svc.meshcore.net>; Mon, 9

Repeated requests for the same file or page, indicating an attempt to crack a password or exploit a vulnerability.

It attempted to use the IMAP server to relay spam.

A high number of unsuccessful SSH logins, a common target for brute force attacks.

This IP belongs to Mondelez International.

POST //user/register?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax: Drupalgeddon3 exploit, another Drupal remote execution vulnerability.

Multiple login attempts with slight variations in the password, suggesting a dictionary attack, a type of brute force attack.

FOR YOUR INFORMATIONS and ACTIONS against these Bastards HACKERS USING your servers IP, accounts and mails boxes ! Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, comptes et boites mails ! Recu tard hier soir Lundi 09 Decembre 2024 après 23h25 ( envoyés toujours les nuits ou les week-ends ) MAILs escrocs via Google.com usurpant les NOTAIRES de FRANCE et venant de l’adresse Mail bidon: hiteshjoshi900@gmail.com avec adresses IP utilisées: 209.85.128.50 gérée par: network-abuse@google.com et adresse IP originale : 105.68.200.196 Received : from DESKTOP-JEPNEJN [105.68.200.196] au MAROC gérée par abusepoc@afrinic.net Received : from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mlpnf0111.laposte.net (SMTP Server) with ESMTPS id 4Y6bzB5KtLzTgCX for <@laposte.net>; Mon, 9 Dec 2024 23:25:25 +0100 (CET) Received : by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-435005192d1so5909545e9.3 for <ele.lemoine@laposte.net>; Mon, 09 Dec 2024 14:25:25 -0800 (PST) DKIM-Signature : v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733783124; x=1734387924; darn=laposte.net; IP Lookup Details: IP Information - 209.85.128.50 Host name: mail-wm1-f50.google.com Country: United States Country Code: US Region: City: Latitude: 37.751 Longitude: -97.822 IP Lookup Details: IP Information - 105.68.200.196 Host name: 105.68.200.196 Country: Morocco Country Code: MA Region: City: Latitude: 32 Longitude: -5 ******************* Contenu du mail des hackers *************** Documents importants à votre disposition • lundi 9 Décembre, 23:25 (il y a 9 heures) 15Ko • • • CH De : CH / Hussier • A : Moi • Madame/Monsieur , Nous vous avons transmis des documents sécurisés qui nécessitent votre attention. Ces fichiers contiennent des informations que nous jugeons essentielles. Nous vous prions de les examiner dans les plus brefs délai [Télécharger le fichier sécurisé] Attention Nous vous encourageons vivement à les examiner dans les 24 heures suivant la réception de ce message. Soyez éco-responsable, n'imprimez ce mail que si nécessaire. **************** CODES HTML des hackers ******************** Return-Path : <hiteshjoshi900@gmail.com> Received : from mlpnf0111.laposte.net (mlpnf0111.sys.meshcore.net [10.94.128.90]) by mlpnb0108 with LMTPA; Mon, 09 Dec 2024 23:25:28 +0100 X-Cyrus-Session-Id : cyrus-156530-1733783128-1-8496647559636748249 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1733783128; cv=none; b=ZqhecqsRvHOXUFB2doa9guT01TyXY1Gsq+3i36U12m/O0h3llqxGK/Z8Q92IKtE+fbCsqzr7RNO IwSc5+xZaV7vt59Cn3lWLVxPRTMbEHmuh0El7p5Q3PUUB7luCluob71lj2ykCfha7e2PswDWuJrf LFGYvLyt65Izs9bLaQXF/BjBa9QChhf1iMuZs/TsFnojKN35etIkpxgnQN2YrByIUW4b4oA1CDRJ

Path/File Enumeration: Logs show multiple HTTP requests to non-existing pages and incrementing filenames, suggesting file or path enumeration.

Unwanted Web Crawler Activity: Observing unusual frequent requests from a known web crawler not granted to scan your site.

The IP was caught attempting to exploit known vulnerabilities within Postfix to gain unauthorized access.

This IP belongs to KT Corporation.