The IP attempted to perform Cross-Site Scripting (XSS) attacks through the Apache server.

The detected IP address was responsible for the distribution of botnets aimed at automating data theft.

The IP made multiple requests with the same Warning header.

The IP attempted to use the FTP server to distribute child pornography.

This particular IP displayed behaviour typical of a ransomware-infected system, encrypting several files.

The malicious IP was found trying to exploit the IMAP 'unselect' vulnerability.

Signal of DDoS Attacks: Multiple IP addresses sending a significantly high volume of traffic.

Multiple requests with the same X-Att-Deviceid header.

Usage of Obscure HTTP Verbs: Seeing non-standard HTTP methods like DEBUG, PUT, or CONNECT could imply a web-based attack.

By leveraging the AgeTunnel software, the IP attempted to establish a covert channel across the SSH session.

We flagged down attempts from the IP to leak backdoor viruses into the system.

It attempted to perform XML Entity Expansion attacks on the Apache server.

This malicious IP was reported for attempting a Sniffing attack, capturing and analyzing FTP traffic to glean sensitive information.

Command Injection in Requests: Logs indicate HTTP requests with Unix or Windows command-line instructions.

The IP was seen trying to exploit known vulnerabilities in server software, a common tactic for gaining unauthorized access or control.

The IP was detected while sending out malicious spyware-infected emails.

It attempted to use the Asterisk server to perform a reflection DDoS attack.

Suspicious Http Referrer Field: HTTP requests with external referrer headers that usually originate from internal source.

This IP belongs to Anthem.

FOR YOUR INFORMATIONS and ACTIONS against these basterds HACKERS USING your servers IP and accounts and mails boxes ! Recu Mercredi 04 Juin 2025 après 14h24 11ème mails escroc usurpant encore SNCF CONNECT et venant de l’adresse mail escroc : mcguire@mdwestserve.com Gérée par abuse@wildwestdomains.com Et adresse IP 54.240.8.16 gérée par email-abuse@amazon.com utilisant encore des serveurs mails AMAZONSES.com Received : from a8-16.smtp-out.amazonses.com (a8-16.smtp-out.amazonses.com [54.240.8.16]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mlpnf0104.laposte.net (SMTP Server) with ESMTPS id 4bC6G42fgkzqSHR GROS problèmes de sécurité chez AMAZONSES.com ! ************************* Codes HTML des hackers ********************* Return-Path : <010001973ae6681a-adb5d899-7d3d-412a-a80d-f4849bf19802-000000@amazonses.com> Received : from mlpnf0104.laposte.net (mlpnf0104.sys.meshcore.net [10.94.128.83]) by mlpnb0108 with LMTPA; Wed, 04 Jun 2025 14:24:28 +0200 X-Cyrus-Session-Id : cyrus-1749039868-46527-3-2095229890356004845 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1749039868; cv=none; b=SCxyu1yDuMn9lw6w66+CK/RVd3vTDhA1m1aJDkbZXBxKygPZ3i1t6UWndrRwhaVP5MSP2ZDRiXd zv0ewioh8RT0gH3n5gTn9HP7BuLLeCQQB+pCCAx6owQp02+wSJGa14M8/0+XM8qrD154p4DVWJ5F 8x4PJNE+AL6l5DlwgpRirjWmvo6/TtD5unxGoklbipz77M4thsaZV6vG1m8AyAHxRPUsB775goGb q4H1iBwya+i+NI0yodHoPMXRidGiyQbQRvM3VgsnbbSSA0PmQMaFB8nkXzFkRi9n+YJ7ZRdVLS73 4AiEwJnk+Pq6jScFtCSGlpBa7D4en3MDG4Mwqiw== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1749039868; h=DKIM-Signature:DKIM-Signature:From:To:Subject:Date; bh=rGqA8bROTUee5CHnblJ+vjyotqhzfEWqKhwmJoHXSLU=; b=In471EnOTpYAN2h907s2rvuLU6 iBnVJDynBPbDQQznyM4tPSGWEjxJfEEoNsOHUcWAp20ZXarAfl76qcwS0SeOkQ8jdLPpaeSzjAwP Itzrg20B6yU5DOoIzgodkgqHRg9yw/tTINHamro9MTKgDdPcFqFGyawMqrCcCjBTqB627pv5PM+u 5eo+FWKTjQCsbuqrszBSSrQyOhMzFOjh6tyZKdbeLviWoBFguDWZWwmb9O3C/XOHxgch8HB5t9qC n4eYW1CF4LdNzVNYEe9xjlrBw+dR+s/D0ZRraKgzqXZ7c2Z7MO++xiZyhU6pFIlq4PALIUF4g2jb cRU5zCXHgQ+Q== ARC-Authentication-Results : i=1; laposte.net; spf=pass smtp.helo=a8-16.smtp-out.amazonses.com smtp.mailfrom=010001973ae6681a-adb5d899-7d3d-412a-a80d-f4849bf19802-000000@amazonses.com; dkim=pass reason="good signature" header.b=JTn353 header.d=mdwestserve.com header.s=oxehg327czssnsio2iam2nqhxtevnded; dkim=pass reason="good signature" header.b=Krz0W8 header.d=amazonses.com header.s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; dmarc=none reason="No policy found"; arc=none smtp.remote-ip=54.240.8.16; bimi=skipped reason="non-pass DMARC"

The IP attempted to send emails from the Mail server that violate the server's email sending limits.

Executed numerous SQL injection attacks in an attempt to manipulate the server's databases.

A majority of our user base received phishing emails originated from this particular IP address.

The IP made multiple unsuccessful login attempts to the Postfix server in a short period of time.

A majority of our user base received phishing emails originated from this particular IP address.