The IP was involved in a RTP Bleeding attack, exploiting vulnerabilities in the VoIP server to listen to ongoing calls.

This IP belongs to Telefonica Spain.

This IP belongs to Cloudfare.

FOR YOUR INFORMATIONS and ACTIONS against these Basterds HACKERS USING your servers IP and accounts and mails boxes ! Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, LOGOS, Comptes et boites mails ! Reçu 12 ème mails usurpant la SOCIETE GENERALE avec serveurs IP et boites mails usurpées gabriel.roulhac1@univ-paris13.fr L’adresse IP du serveur de ces hackers fous est 81.194.43.175 gérée par certsvp@renater.fr Et celà continue toujours Fin Mai 2025, depuis Mars 2017 ! comme toute les années 2016, 2015, 2014, 2013 et 2012 ! Ce Jeudi 29 Mai 2025 après 05h12 (envoyés toujours les nuits, ou tôt les matinées, avant ou après les ouvertures de Bureaux et Administrations en France, méthodes d’escrocs et de faux-culs ) j'ai reçu sur ma boite mails ce 12 ème mail ci-dessous d’escroquerie Bancaire avec faux contenu SOCIETE GENERALE et venant de l'adresse email bidon ou usurpée: gabriel.roulhac1@univ-paris13.fr gérée par sec-dsi@univ-paris13.fr L’adresse IP du serveur de ces hackers fous est 81.194.43.175 gérée par certsvp@renater.fr Received : from smtp1.univ-paris13.fr (smtp1.univ-paris13.fr [81.194.43.175]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by mlpnf0111.laposte.net (SMTP Server) with ESMTPS id 4b7BHm403tzTgCF; Thu, 29 May 2025 05:12:20 +0200 (CEST) Received : from [10.10.4.191] (unknown [84.17.48.131]) (Authenticated sender: gabriel.roulhac1) by smtp1.univ-paris13.fr (Postfix) with ESMTPSA id 110A7F2399F; Thu, 29 May 2025 05:05:44 +0200 (CEST) DKIM-Signature : v=1; a=rsa-sha256; c=relaxed/relaxed; d=univ-paris13.fr; s=dkim; t=1748487946; C'est visiblement et clairement une tentative d’escroquerie ! Je ne suis pas prêt d’avoir un Compte à la SOCIETE GENERALE, ni de gérer mes comptes par Internet ! Ci-dessous cet email de phishing avec ces en-têtes : *********************** Ci-dessous CODES HTML des hackers **************************************** Return-Path : <gabriel.roulhac1@univ-paris13.fr> Received : from mlpnf0111.laposte.net (mlpnf0111.sys.meshcore.net [10.94.128.90]) by mlpnb0108 with LMTPA; Thu, 29 May 2025 05:12:23 +0200 X-Cyrus-Session-Id : cyrus-1748488343-131556-1-8656268281330120828 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1748488343; cv=none; b=eVojphuoh/3YHPZV7JYy0GXKj2CcMBCmlVGpPLDrRv7tphvd7/zvEtsNTyc/WsU6XuyFIzALkY+ 3BoBGJIgpL3pkFeu6GWI1pmPb9k1oY53GpJl+SM1QFeySXbNnflZyVhPSITL0Po37XbRlWYLXbPd Xg4wSXIdG0azhuR6AoM41mW3fZ+P+S9QyKIYXhS+ZygbHjQ82yer/eKhYYaBeKZn/3C95Qz4k+41 AJFRJnJVc3T1gPFPEUsgF/RMUdvxe7H01gjdTzTVrVv8OvIul9sKarmB4eBBBzSgbRalMDpx/+Xe q+uENcVY49QZIMqstjQuLNwxLOA4vCQBfCchzdw== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1748488343; h=DKIM-Signature:Date:From:Subject:To; bh=tKTMUCJlG 4NU68q5RCvk0Pn5GGHXT+SiOFm8bSd5u4U=; b=pozzE+0pBeYYzixJrxbM2NXqctVp7YFXEBala Lkm00d+nL6gFUAYbITgiXfW52uK+ddiehBGQZj/Oszi3Ezqv2REw2zZp7hbJEJVzLJWgpj3GATyD 4vlWlCRao1IdYp/n2C1OP9l7gupUpOs+/7cBpqg8TiVE35ioPmDqQfpjqt4zIb+q1x7q5MhltDXb cVvEGozbjo1QdkLMsmPzfvbetyEZxe9PEyIFqCXo39Pn3xi91WiHBG4vY70jTzquewrBIB40eLZb edA1E1QfHXlv6+9Zb/j2b08wbDM6qqXzHXIOdb7fOTHlD6rp9Al2BjEBgaJ22q4nZ8RmCCUlTrjF g== ARC-Authentication-Results : i=1; laposte.net; spf=pass smtp.helo=smtp1.univ-paris13.fr smtp.mailfrom=gabriel.roulhac1@univ-paris13.fr; dkim=pass reason="good signature" header.b=JwaA5u header.d=univ-paris13.fr header.s=dkim; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=81.194.43.175; bimi=skipped reason="non-compliant DMARC" X-mail-filterd : {"version":"1.9.1","queueID":"4b7BHq4yxRzTgCk","contextId": "ef1ef83c-147a-4fee-9427-5ed94660457e"} X-ppbforward : {"queueID":"4b7BHq4yxRzTgCk","server":"mlpnf0111"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0111.laposte.net (SMTP Server) with ESMTP id 4b7BHq4yxRzTgCk; Thu, 29 May 2025 05:12:23 +0200 (CEST) X-mail-filterd : {"version":"1.9.1","queueID":"4b7BHm403tzTgCF","contextId": "345104a6-aa80-4f13-8018-7ff23a61d119"} X-lpn-mailing : LEGIT X-lpn-spamrating : 49 X-lpn-spamlevel : not-spam Authentication-Results : laposte.net; spf=pass smtp.mailfrom=gabriel.roulhac1@univ-paris13.fr smtp.helo=smtp1.univ-paris13.fr; dkim=pass reason="good signature" header.d=univ-paris13.fr header.s=dkim header.b=JwaA5u; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=81.194.43.175; bimi=skipped reason="non-compliant DMARC" X-lpn-spamcause : OK,

It attempted to exploit known vulnerabilities in the Mail protocol.

It attempted to use the VOIP server to perform a reflection DDoS attack.

POST /ckupload.php,: A threat actor attempting to exploit CKEditor’s file uploader.

It attempted to login to the IMAP server with an invalid password.

This IP belongs to Kraft Heinz.

This IP belongs to Xbox Live.

It's observed that the IP operated a series of attacks exploiting insecure direct object references.

Attempts to use automated scripts or tools for password cracking.

The IP attempted to perform a downgrade attack on the SSH server.

The IP attempted to perform a DNS amplification attack on the SSH server.

This IP belongs to Rogers Cable.

Multiple requests with the same TE (Transfer Encoding) header.

Conducted various IP scans, seeking loopholes in our network's security.

The IP attempted to register with the VOIP server using an invalid username.

The IP attempted to exploit known vulnerabilities in the SIP protocol.

It attempted to use the FTP server to distribute web proxy tools.

The IP made multiple unsuccessful login attempts to the SASL server in a short period of time.

This IP was suspected of running a botnet, a network of compromised computers used for malicious activities like spamming or DDoS attacks.

Multiple failed login attempts from the same IP address.

Attempts to use privileged service accounts outside of their normal usage patterns.

This IP has participated in spreading adware-laden toolbar plugins, turning our workstations into advertising platforms.