Multiple failed login attempts from the same IP address.

The IP launched exploitation attacks based on the infamous 'Heartbleed' OpenSSL cryptographic vulnerabilities.

POST /db/images/: Attempt to post or insert a malicious file in the images directory of a database.

This IP belongs to Cloudfare.

It attempted to use the FTP server to distribute zombie network tools.

The IP was detected attempting to skirt our system's detection through spoofing.

This IP belongs to Softbank.

It made multiple requests with the same X-Requested-With header.

FOR YOUR INFORMATIONS and ACTIONS against these Bastards HACKERS USING your servers IP and accounts and mails boxes ! Reçu 12 ème mails usurpant le CREDIT AGRICOLE ! Mardi 13 Mai 2025 reçu après 06h46 (toujours envoyés les nuits, les week-ends, la veille au soir ) 12ème mail d'escroquerie usurpant le CREDIT AGRICOLE utilisant les boites mails GE.com venant de l’adresse mail: onels@ge.com gérée par domainabuse@cscglobal.com et domain.admin@ge.com et adresse IP 67.146.22.139 gérée par arin-abuse@brightspeed.com Bonjour Webmasters de SIGNAL SPAM, de LA POSTE.net, et du CREDIT AGRICOLE, et Ces escroqueries continuent encore en Mai 2025, et ceci depuis au moins +17 années ( 2007 )(emails tous archivés avec tous leurs codes HTML)! Idem Lundi 05 Mai 2025 à 02h44, et Lundi 06 Janvier 2025 après 02h28, et Lundi 04 Septembre 2023 après 09h53 (idem Mercredi 17 Mai 2023 après 17h52, et Mardi 03 Aout 2021 après 17h33, idem Lundi 26 Avril 2021 à 14h56, et Mercredi 20 Janvier 2021 après 12h07, idem Mardi 15 Décembre 2050 à 14h24, et Jeudi 26 Novembre 2020 à 15h04, idem Samedi 28 Novembre 2020 après 20h27, idem Dimanche 06 Décembre 2020 )( souvent les week-ends, et les nuits avant ou après les ouvertures ou fermetures des Bureaux et Administrations en France, méthodes d’escrocs et de faux culs ) j'ai reçu sur ma boite email Laposte.net, ce 11 ème mail ci-dessous d’escroquerie Bancaire usurpant ENCORE le CREDIT AGRICOLE et venant cette fois-ci de l'adresse email escroc: onels@ge.com Les adresses IP du serveur ou PC de ces hackers fous sont cette fois-ci: 67.146.22.139 gérée par gobrightspeed.net Received : from dhcp-67-146-22-139.gobrightspeed.net (dhcp-67-146-22-139.gobrightspeed.net [67.146.22.139]) by mlpnf0110.laposte.net (SMTP Server) with ESMTP id 4ZxP7M5c6Fz1nrw5 for <ele.lemoine@laposte.net>; Tue, 13 May 2025 06:46:06 +0200 (CEST) Content-Type : multipart/mixed; boundary="===============6360824178987976832==" MIME-Version : 1.0 IP Lookup Details: IP Information - 67.146.22.139 Host name: dhcp-67-146-22-139.gobrightspeed.net Country: United States Country Code: US Region: City: Latitude: 37.751 Longitude: -97.822 utilisant des boites mails usurpées des Sociétés gobrightspeed.net Je n’ai rien dans cette Banque. C'est clairement une tentative d’escroquerie ( fautes de Grammaire et de Conjugaisons ) ! Ci-dessous cet email d’escroquerie avec ces en-têtes complets : ******************* Codes HTML des hackers ci-dessous **************** Return-Path : <onels@ge.com> Received : from mlpnf0110.laposte.net (mlpnf0110.sys.meshcore.net [10.94.128.89]) by mlpnb0108 with LMTPA; Tue, 13 May 2025 06:46:09 +0200 X-Cyrus-Session-Id : cyrus-188252-1747111569-1-17556090884771340302 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1747111569; cv=none; b=Rfai5tkQkmNs9A5RRxygz3LBN70v4lkAI2drjSyRpAEClKOBtfVpq0UtKFHyfFLsj7NsNPDD+VO AVzTq2Dp6OihOkpbhZGLQiJsRK7zcsCE9vq6Q6Evc7q+B1Baa+gO9Eaovc68mAvzt4

It made multiple requests with identical POST parameters.

Too Many HTTP GET Requests: An unusually high number of HTTP GET requests from a single IP or a small set of IPs could indicate a DoS attack.

FOR YOUR INFORMATIONS and ACTIONS against these Bastards HACKERS USING your servers IP and accounts and mails boxes ! Pour Services Sécurité FDJ ! Recu Lundi 12 Mai 2025 après 17h10 4ème mail escroc ( pseudo gain EURO DREAMS ) usurpant les LOGOS de la FRANCAISE des JEUX et venant de l’adresse mail escroc,usurpée, des hackers: dmosciatti@threepointoffice.com gérée par abuse@godaddy.com et venant de l’adresse IP 52.102.137.0 gérée par abuse@microsoft.com Received : from BL2PR02CU003.outbound.protection.outlook.com (mail-eastusazhn15010000.outbound.protection.outlook.com [52.102.137.0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mlpnf0113.laposte.net (SMTP Server) with ESMTPS id 4Zx32Q1bQkzYcn5 IP Lookup Details: IP Information - 52.102.137.0 Host name: mail-eastusazhn15010000.outbound.protection.outlook.com Country: United States Country Code: US Region: WA City: Redmond Latitude: 47.6801 Longitude: -122.1206 ************************* Codes HTML des hackers ********************* Return-Path : <dmosciatti@threepointoffice.com> Received : from mlpnf0113.laposte.net (mlpnf0113.sys.meshcore.net [10.94.128.92]) by mlpnb0108 with LMTPA; Mon, 12 May 2025 17:10:39 +0200 X-Cyrus-Session-Id : cyrus-43637-1747062639-1-17123856330239504099 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=2; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1747062639; cv=pass; b=KMxb5CU3Jk67AKCCa58LqbwAqGjVyiJ2y5V2hl18tcf4TeLnk5VmvuQG7OyKIf3z7LhrTqGoyrl iFSSLN9HlSzBwGsqZ6hK6H3Wk7uIbGtGhwTHOm3WyU4B/n+OfrnSIZcEMoH6ftlloRp+IzJqWRGK UdwMPizWcbhmG40tSqY6De48tLwgHDGmzAr2bklPvtmgGAGYArHV01W1rrj39PFKfgTPiFdmRDom ngqeAnbCRMPNqW6qlKMwgO08e1mEQJ7cQEu2nK+HORYIgzVwuI7eZ/JKv4QY0OulaWbf2DCAe+Vk 7H08FfY3YaSyemlWDiD1Pa3/3FZta3iXaJBWlOg== ARC-Message-Signature : i=2; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1747062639; h=From:To:CC:Subject:Date:References:In-Reply-To; bh=HY7cubFLotvEqZvRrml/87CQN1MluSUlbfNXAwaJVLc=; b=RqZoHWFuckyz3K2V6m7W+eg+Sa 8yFFPHRfcxrYKtOhV5AnRq8f9wGj828BCSXHtLdGGU6IzECjQH81SkvD52K+oPK6Hh0D7Iyt2q4u Lo/P1RvRG7sqy7ByVoIwkY08E1yacBHePAxG7zemsf9VQOGyCsqVKywpeSyr9QBRhhFzpi9sQHs8 5dWY9pvmC9xEz8SXMJTVNORHnGDbOjTfewCyQ0nqxcAJGWfo6+eZgbxpemaQDC11v66DrdxG+wLR m4nDVIE160Sg7VwTSdbrRfmIFKiSieFz9y6erljcAthzhJKgJefGtH3OtYjHy5Cp2pXpG2u16UgS 7mew8dnbMKzw== ARC-Authentication-Results : i=2; laposte.net; spf=pass smtp.helo=BL2PR02CU003.outbound.protection.outlook.com smtp.mailfrom=dmosciatti@threepointoffice.com; dkim=none; dmarc=none reason="No policy found";

It attempted to use the FTP server to distribute hacking tools.

GET /vuln.html: Looking for any page vulnerabilities.

The IP address initiated attacks using DDoS, impacting our server response times.

Cross-Site Scripting (XSS): Logs show HTTP requests with string "

Multiple Requests from Different IPs with Same User-Agent: This could be a signal of a coordinated attack originating from compromised machines.

Multiple attempts to access the server using anonymous or generic user accounts.

It was responsible for an unusual increase in server CPU usage.

FOR YOUR INFORMATIONS and ACTIONS against these Bastards HACKERS USING your servers IP and accounts and mails boxes ! Pour Services Sécurité LIDL ! Recu 9 ème mails usurpant LIDL en France (pseudo gain LIDL ) ce Mardi 13 Mai 2025 après 02h53 ( toujours envoyé les nuits ) usurpant le LOGO LIDL et venant de l’adresse mail escroc,usurpée, des hackers: dincoiliev9v@outlook.com gérée par Microsoft et venant de l’adresse IP 77.32.148.21 gérée par abuse@brevo.com Received : from gv.d.sender-sib.com (gv.d.sender-sib.com [77.32.148.21]) by mlpnf0118.laposte.net (SMTP Server) with ESMTP id 4ZxHyP30Y3z12LCV for <@laposte.net>; Tue, 13 May 2025 02:53:01 +0200 (CEST) DKIM-Signature : v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendinblue.com; ET utilisant encore des boites mails sendinblue.com ************************* Codes HTML des hackers ********************* Return-Path : <bounces-324355306-4268519214@gv.d.sender-sib.com> Received : from mlpnf0118.laposte.net (mlpnf0118.sys.meshcore.net [10.94.128.97]) by mlpnb0108 with LMTPA; Tue, 13 May 2025 02:53:01 +0200 X-Cyrus-Session-Id : cyrus-150815-1747097581-1-10991419248668550981 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1747097581; cv=none; b=EHs5kmoNBikSddT+5eYcVTGkv3lTQ9ikaP+2FRoFyrR6RRwO/VeoNAAIHWRD22LVQ3udYxSpYru aVWjvvRBETx4+5ZZyul8jWEioiZ0Rn7+Usi+T+awfnTOT2UgZm/ymGClt8aGd1zbYeEPDCJ8K/4U nIlNNE5WvWKN8QjFyvrqHg25K1+R8TLYJ50+vsJS0ORIe713s6JT78afTqr6nO5mqelTkSMNWmMR 9/xnj0bLYQPY7j4nn0wSs4I5sFE5yVvqSPa7RJTMJthrT8mdhqqNNcs2zVmyQLQWRvjJ9/h5iBsq aA6To5nKAgth7SVl2ZSGfyYomgy9CJ0OiIIkEpg== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1747097581; h=DKIM-Signature:Date:Subject:To:From:List-Unsubscribe;

It was caught injecting malicious code into the SSH session attempting to compromise server integrity.

The IP was discovered trying Server Message Block relay attacks to gain unauthorized SSH access.

The IP made repeated attempts to authenticate with the VOIP server using different usernames.

The IP was involved in a FTP Anonymity attack, exploiting anonymous FTP access to upload or download files without detection.

The reported IP was identified as a BadBot, engaging in harmful activities such as unauthorized web scraping and data mining.