Signs of CSRF Attacks: Logs demonstrating HTTP GET requests with sensitive actions that should ideally require POST requests.

POST /db/images/: Attempt to post or insert a malicious file in the images directory of a database.

We linked the IP to numerous attacks using RM adware, causing regular system interruptions.

This IP belongs to AT&T.

This IP belongs to Marathon Petroleum.

Arbitrarily Long GET Requests: Very long GET requests may suggest an attacker is attempting a GET Flood DDoS attack.

Our system flagged this IP as conducting fraudulent transactions activities.

Pour Services Sécurité FDJ et mails du CNRS usurpés ! Recu Mercredi 22 Mai 2024 après h (toujours les nuits, ou les week-ends) 3ème mail escroc ( pseudo gain EURO DREAMS ) usurpant les LOGOS et usurpant la FRANCAISE des JEUX et MICROSOFT et venant de l’adresse mail escroc, usurpée du CNRS, des hackers: anne-pascale.botonnet@cnrs.fr Mais vrai mail dans le mail, pour échanger avec les hackers: Bureau.me.descontem@zohomail.eu venant de l’adresse IP mails: 185.116.133.240 Mais vraie Adresse IP: x-Originating-IP: 10.78.4.15 Received : from smtp01.mhg.thalesgroup.com (smtp01.mhg.thalesgroup.com [185.116.133.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0114.laposte.net (SMTP Server) with ESMTPS id 4VkfGY1YDRzjWvq; Wed, 22 May 2024 06:59:01 +0200 (CEST) From : BOTONNET Anne-Pascale <anne-pascale.botonnet@cnrs.fr> Subject : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Topic : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Index : AQHaq/l3jPlB5lvuUE2gN0ok/AzhSrGiqOOD Date : Wed, 22 May 2024 04:28:24 +0000 gérée par abuse@ripe.net et hostmaster@ripe.net et abuse-rie@pm.gouv.fr et venant des adresses IP 185.116.133.240 Mais vraie Adresse IP: x-Originating-IP: 10.78.4.15 gérée par : abuse@iana.org et abuse@zohocorp.com ************************* Codes HTML des hackers ********************* Return-Path : <anne-pascale.botonnet@cnrs.fr> Received : from mlpnf0114.laposte.net (mlpnf0114.sys.meshcore.net [10.94.128.93]) by mlpnb0108 with LMTPA; Wed, 22 May 2024 06:59:05 +0200 X-Cyrus-Session-Id : cyrus-62303-1716353945-2-14427840875409706543 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1716353945; cv=none; b=a/5P8ONk1eQGwExqc5Ndz0U+H1P2m4OjBVc7+UZ4fAoPZTwO5iPMI5f578eLCqHQ3drgnfqOXa4 HTjyp7HCfFMXAY/ZdCPovaKn++LUaWGotYXKpduVutQ/0TAX48XLr6hRRInbF9SXBkZ2Ka3fBV6m 77S6oC8sgF1GGeMXcG3dwkh3B+iHy/zCzuJDWjOV8a3SHzI162XisGhniNYZLYm/eMeQOLYJaY31 x7+5P2gd1sX5r9uU9+7t7+GIujRYfalarp4DxWtrRmHkeepR2EyPliDeNU7VDSDXI4TVseLWnhM9 NHvNfhbjZiml0aYNUxSCrflFijqqdO7pCp6gO7Q== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1716353945; h=From:Subject:Date:References:In-Reply-To:DKIM-Signature; bh=FIT5Ig4F6a8OVUrE/Pf4rM49FsmZztRo3+a6hKD/x44=; b=SbIWEdHDTw4KaK032pN8vz37se mRnpv1pPbbwHKiwpHuKST+TA4H+K+6ISZSgfJSXAl2Ta7j19FWQRozAodqdJVKHyU9FjnoJ1Nhxd d0cCPAqHwmCs5qxFHNvl7o2sKL/66W3PTLyo+oGf/+RzWtAXvGLLHl2PmasqRzbu9A7FUIM6vGXU IlUpj4F2IhYTRLJrEmm4C5na66p2GMY+qnC+9Lw1dibX68JIiXXvaJw1WufJC7s7uMYWnhm3u1Ut 9SP7VdNmuR64eOzl7rnXaaxvjRqptRB1jq/JqK5SbprlRyrZYqrQTxURKEjsBHhuFicWqmG6OXXY 63YmWFI49vzA== ARC-Authentication-Results : i=1; laposte.net; spf=pass smtp.helo=smtp01.mhg.thalesgroup.com smtp.mailfrom=anne-pascale.botonnet@cnrs.fr; dkim=pass reason="good signature" header.b=xjQc8E header.d=cnrs.fr header.s=bbhg20240201; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=185.116.133.240; bimi=skipped reason="non-compliant DMARC" X-mail-filterd : {"version":"1.7.5","queueID":"4VkfGd4z8qzjWwJ","contextId": "90315c4a-c989-4008-ba9b-613b265c6dae"} X-ppbforward : {"queueID":"4VkfGd4z8qzjWwJ","server":"mlpnf0114"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0114.laposte.net (SMTP Server) with ESMTP id 4VkfGd4z8qzjWwJ; Wed, 22 May 2024 06:59:05 +0200 (CEST) X-mail-filterd : {"version":"1.7.5","queueID":"4VkfGY1YDRzjWvq","contextId": "37068b51-291b-4e5e-9893-9872fcfdd0f7"} X-lpn-mailing : LEGIT X-lpn-spamrating : 46 X-lpn-spamlevel : not-spam Authentication-Results : laposte.net; spf=pass smtp.mailfrom=anne-pascale.botonnet@cnrs.fr smtp.helo=smtp01.mhg.thalesgroup.com; dkim=pass reason="good signature" header.d=cnrs.fr header.s=bbhg20240201 header.b=xjQc8E; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=185.116.133.240; bimi=skipped reason="non-compliant DMARC" X-lpn-spamcause : OK, (30)(0000)gggruggvucftvghtrhhoucdtuddrgedvledrvdeifedgkeekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecunfetrffquffvgfdpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenuchmihhsshhinhhgucfvqfcufhhivghlugculdeftddmnecujfgurhephffuthffkfhfjghitgggsehrtdhjredttddunecuhfhrohhmpeeuqffvqffppffgvfcutehnnhgvqdfrrghstggrlhgvuceorghnnhgvqdhprghstggrlhgvrdgsohhtohhnnhgvthestghnrhhsrdhfrheqnecuggftrfgrthhtvghrnhepgedugfefheefhefgjeeugeduffeffedtueelhfejkeffueetgffhhfdujeejueegnecukfhppedukeehrdduudeirddufeefrddvgedtpddutddrjeekrdegrdduheenucevlhhushhtvghrufhiiigvpeegnecurfgrrhgrmhepihhnvghtpedukeehrdduudeirddufeefrddvgedtpdhhvghlohepshhmthhptddurdhmhhhgrdhthhgrlhgvshhgrhhouhhprdgtohhmpdhmrghilhhfrhhomheprghnnhgvqdhprghstggrlhgvrdgsohhtohhnnhgvthestghnrhhsrdhfrhdpnhgspghrtghpthhtohepuddtpdhrtghpthhtohepvghlrghinhgvrdguihgsoheslhgrphhoshhtvgdrnhgvthdprhgtphhtthhopegvlhgtrghuvghtsehlrghpohhsthgvrdhnvghtpdhrtghpthhtohepvghlvgdrlhgvmhhoihhnvgeslhgrphhoshhtvgdrnhgvthdprhgtphh tthhopegvlhgvrgdruggvlhgrnhhouhgvsehlrghpohhsthgvrdhnvghtpdhrtghpthhtohepvghlvggrrdhfihhnohhtsehlrghpohhsthgvrdhnvghtpdhrtghpthhtohepvghlvghnrgdrphhrihhmohhvrgeslhgrphhoshhtvgdrnhgvth Received : from smtp01.mhg.thalesgroup.com (smtp01.mhg.thalesgroup.com [185.116.133.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0114.laposte.net (SMTP Server) with ESMTPS id 4VkfGY1YDRzjWvq; Wed, 22 May 2024 06:59:01 +0200 (CEST) From : BOTONNET Anne-Pascale <anne-pascale.botonnet@cnrs.fr> Subject : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Topic : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Index : AQHaq/l3jPlB5lvuUE2gN0ok/AzhSrGiqOOD Date : Wed, 22 May 2024 04:28:24 +0000 Message-ID : <e796dba32ab9433b826e44ac8a41ba36@cnrs.fr> References : <d241f19ff9bc4f729d8c2029dcb6c71f@cnrs.fr> In-Reply-To : <d241f19ff9bc4f729d8c2029dcb6c71f@cnrs.fr> Accept-Language : fr-FR, en-US Content-Language : fr-FR X-MS-Has-Attach : yes X-MS-TNEF-Correlator : x-originating-ip : [10.78.4.15] x-tm-as-product-ver : SMEX-14.0.0.3197-9.1.2019-28402.005 x-tm-as-result : No-10--22.262900-5.000000 x-tmase-matchedrid : 9PtD9a7Wh4ygjbggvgu2k3QQY0HhVbhbQmS1M8+xzOXxYCD/41+S5yrw jK51Wln3i+ZjWETZUNTt5BztBdeUp/Wfh2c5LdkZkgmSFEJ80NGJC0yZ/aK3eNTSGjubFor4Mrw I14SW1VGcJqMonMlJOKsI9mq7U+4DHgBijq9CTD1T7PQhFbK2udx01X750uFESIWxwjSbWagFRs Mdm/DMtjl0WpHNZhLm0r2lXyfdRhrGl7o00EMBCA39+vtasoFW8CsHqdsq1hddWGOk0uc0xhE4I TRN2KZjSLifVRrid2ls/+mGW5S82+J8/L1VA2XuA6AU3VQOG2sOB8k9pejBR8cDgJYa5+It6HLi u/iQZSSqt1h+dMJDBLj5M1EjhyY3elSlUm0Vtt5hKudaJOR1Vxv36q+KU0pT x-tm-as-user-approved-sender : No x-tm-as-user-blocked-sender : No x-tmase-result : 10--22.262900-5.000000 x-tmase-version : SMEX-14.0.0.3197-9.1.2019-28402.005 x-tm-snts-smtp : EC6E149DCEB3BC75C4E5CE8EBD5FA6ABDA1024948013F610188AC1C0942A03712002:9 Content-Type : multipart/related; boundary="_004_e796dba32ab9433b826e44ac8a41ba36cnrsfr_"; type="multipart/alternative" MIME-Version : 1.0 X-FE-Attachment-Name : PROSPETUCE.jpg X-FEAS-Client-IP : 100.64.3.11 X-FE-Last-Public-Client-IP : 100.64.3.11 X-FE-Policy-ID : 12:4:2:cnrs.fr DKIM-Signature : v=1; a=rsa-sha256; q=dns/txt; d=cnrs.fr; s=bbhg20240201; c=relaxed/relaxed; h=from:subject:date:message-id:references:content-type:mime-version; bh=FIT5Ig4F6a8OVUrE/Pf4rM49FsmZztRo3+a6hKD/x44=; b=xjQc8EpiPYAyiEM/blbDiQfPDzDp8PA/3SF+2RVGTIZR82T0VL3WsmEie0Tv12TFhS6gaKqN1ZqG JSmgdw3lpyPHaR/FZTfkqdZZNZDkavdeq9o61SuhepMxq7+tJvc9by2SRrYuDHpt3Fn5Olaldb9n dP2D28ba9P5O4X7aK6fksFeidk2S+6Eg25EICAp32HrmqDfRSkWfpSnGOruwEwCiw5q3z20EPb73 jgp1GOn747niv6Sw3Qf6xwtKOLFOm0q2o0u44iUN4TFTzdeaHL+QLOfdksqXPwMcNYkcpU/ybEYR

Pour Services Sécurité FDJ et mails du CNRS usurpés ! Recu Mercredi 22 Mai 2024 après h (toujours les nuits, ou les week-ends) 3ème mail escroc ( pseudo gain EURO DREAMS ) usurpant les LOGOS et usurpant la FRANCAISE des JEUX et MICROSOFT et venant de l’adresse mail escroc, usurpée du CNRS, des hackers: anne-pascale.botonnet@cnrs.fr Mais vrai mail dans le mail, pour échanger avec les hackers: Bureau.me.descontem@zohomail.eu venant de l’adresse IP mails: 185.116.133.240 Mais vraie Adresse IP: x-Originating-IP: 10.78.4.15 Received : from smtp01.mhg.thalesgroup.com (smtp01.mhg.thalesgroup.com [185.116.133.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0114.laposte.net (SMTP Server) with ESMTPS id 4VkfGY1YDRzjWvq; Wed, 22 May 2024 06:59:01 +0200 (CEST) From : BOTONNET Anne-Pascale <anne-pascale.botonnet@cnrs.fr> Subject : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Topic : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Index : AQHaq/l3jPlB5lvuUE2gN0ok/AzhSrGiqOOD Date : Wed, 22 May 2024 04:28:24 +0000 gérée par abuse@ripe.net et hostmaster@ripe.net et abuse-rie@pm.gouv.fr et venant des adresses IP 185.116.133.240 Mais vraie Adresse IP: x-Originating-IP: 10.78.4.15 gérées par : abuse@iana.org et abuse@ripe.net et hostmaster@ripe.net IP Lookup Details: IP Information - 185.116.133.240 Host name: smtp01.mhg.thalesgroup.com Country: France Country Code: FR Region: City: Latitude: 48.8582 Longitude: 2.3387 et abuse@zohocorp.com ************************* Codes HTML des hackers ********************* Return-Path : <anne-pascale.botonnet@cnrs.fr> Received : from mlpnf0114.laposte.net (mlpnf0114.sys.meshcore.net [10.94.128.93]) by mlpnb0108 with LMTPA; Wed, 22 May 2024 06:59:05 +0200 X-Cyrus-Session-Id : cyrus-62303-1716353945-2-14427840875409706543 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1716353945; cv=none; b=a/5P8ONk1eQGwExqc5Ndz0U+H1P2m4OjBVc7+UZ4fAoPZTwO5iPMI5f578eLCqHQ3drgnfqOXa4 HTjyp7HCfFMXAY/ZdCPovaKn++LUaWGotYXKpduVutQ/0TAX48XLr6hRRInbF9SXBkZ2Ka3fBV6m 77S6oC8sgF1GGeMXcG3dwkh3B+iHy/zCzuJDWjOV8a3SHzI162XisGhniNYZLYm/eMeQOLYJaY31 x7+5P2gd1sX5r9uU9+7t7+GIujRYfalarp4DxWtrRmHkeepR2EyPliDeNU7VDSDXI4TVseLWnhM9 NHvNfhbjZiml0aYNUxSCrflFijqqdO7pCp6gO7Q== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1716353945; h=From:Subject:Date:References:In-Reply-To:DKIM-Signature; bh=FIT5Ig4F6a8OVUrE/Pf4rM49FsmZztRo3+a6hKD/x44=; b=SbIWEdHDTw4KaK032pN8vz37se mRnpv1pPbbwHKiwpHuKST+TA4H+K+6ISZSgfJSXAl2Ta7j19FWQRozAodqdJVKHyU9FjnoJ1Nhxd d0cCPAqHwmCs5qxFHNvl7o2sKL/66W3PTLyo+oGf/+RzWtAXvGLLHl2PmasqRzbu9A7FUIM6vGXU IlUpj4F2IhYTRLJrEmm4C5na66p2GMY+qnC+9Lw1dibX68JIiXXvaJw1WufJC7s7uMYWnhm3u1Ut 9SP7VdNmuR64eOzl7rnXaaxvjRqptRB1jq/JqK5SbprlRyrZYqrQTxURKEjsBHhuFicWqmG6OXXY 63YmWFI49vzA== ARC-Authentication-Results : i=1; laposte.net; spf=pass smtp.helo=smtp01.mhg.thalesgroup.com smtp.mailfrom=anne-pascale.botonnet@cnrs.fr; dkim=pass reason="good signature" header.b=xjQc8E header.d=cnrs.fr header.s=bbhg20240201; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=185.116.133.240; bimi=skipped reason="non-compliant DMARC" X-mail-filterd : {"version":"1.7.5","queueID":"4VkfGd4z8qzjWwJ","contextId": "90315c4a-c989-4008-ba9b-613b265c6dae"} X-ppbforward : {"queueID":"4VkfGd4z8qzjWwJ","server":"mlpnf0114"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0114.laposte.net (SMTP Server) with ESMTP id 4VkfGd4z8qzjWwJ; Wed, 22 May 2024 06:59:05 +0200 (CEST) X-mail-filterd : {"version":"1.7.5","queueID":"4VkfGY1YDRzjWvq","contextId": "37068b51-291b-4e5e-9893-9872fcfdd0f7"} X-lpn-mailing : LEGIT X-lpn-spamrating : 46 X-lpn-spamlevel : not-spam Authentication-Results : laposte.net; spf=pass smtp.mailfrom=anne-pascale.botonnet@cnrs.fr smtp.helo=smtp01.mhg.thalesgroup.com; dkim=pass reason="good signature" header.d=cnrs.fr header.s=bbhg20240201 header.b=xjQc8E; dmarc=pass reason="SPF is aligned, DKIM is aligned"; arc=none smtp.remote-ip=185.116.133.240; bimi=skipped reason="non-compliant DMARC" X-lpn-spamcause : OK, (30)(0000)gggruggvucftvghtrhhoucdtuddrgedvledrvdeifedgkeekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecunfetrffquffvgfdpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenuchmihhsshhinhhgucfvqfcufhhivghlugculdeftddmnecujfgurhephffuthffkfhfjghitgggsehrtdhjredttddunecuhfhrohhmpeeuqffvqffppffgvfcutehnnhgvqdfrrghstggrlhgvuceorghnnhgvqdhprghstggrlhgvrdgsohhtohhnnhgvthestghnrhhsrdhfrheqnecuggftrfgrthhtvghrnhepgedugfefheefhefgjeeugeduffeffedtueelhfejkeffueetgffhhfdujeejueegnecukfhppedukeehrdduudeirddufeefrddvgedtpddutddrjeekrdegrdduheenucevlhhushhtvghrufhiiigvpeegnecurfgrrhgrmhepihhnvghtpedukeehrdduudeirddufeefrddvgedtpdhhvghlohepshhmthhptddurdhmhhhgrdhthhgrlhgvshhgrhhouhhprdgtohhmpdhmrghilhhfrhhomheprghnnhgvqdhprghstggrlhgvrdgsohhtohhnnhgvthestghnrhhsrdhfrhdpnhgspghrtghpthhtohepuddtpdhrtghpthhtohepvghlrghinhgvrdguihgsoheslhgrphhoshhtvgdrnhgvthdprhgtphhtthhopegvlhgtrghuvghtsehlrghpohhsthgvrdhnvghtpdhrtghpthhtohepvghlvgdrlhgvmhhoihhnvgeslhgrphhoshhtvgdrnhgvthdprhgtphh tthhopegvlhgvrgdruggvlhgrnhhouhgvsehlrghpohhsthgvrdhnvghtpdhrtghpthhtohepvghlvggrrdhfihhnohhtsehlrghpohhsthgvrdhnvghtpdhrtghpthhtohepvghlvghnrgdrphhrihhmohhvrgeslhgrphhoshhtvgdrnhgvth Received : from smtp01.mhg.thalesgroup.com (smtp01.mhg.thalesgroup.com [185.116.133.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0114.laposte.net (SMTP Server) with ESMTPS id 4VkfGY1YDRzjWvq; Wed, 22 May 2024 06:59:01 +0200 (CEST) From : BOTONNET Anne-Pascale <anne-pascale.botonnet@cnrs.fr> Subject : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Topic : PACTOLE N° 124 -15 /659-Euro-Dreams Thread-Index : AQHaq/l3jPlB5lvuUE2gN0ok/AzhSrGiqOOD Date : Wed, 22 May 2024 04:28:24 +0000 Message-ID : <e796dba32ab9433b826e44ac8a41ba36@cnrs.fr> References : <d241f19ff9bc4f729d8c2029dcb6c71f@cnrs.fr> In-Reply-To : <d241f19ff9bc4f729d8c2029dcb6c71f@cnrs.fr> Accept-Language : fr-FR, en-US Content-Language : fr-FR X-MS-Has-Attach : yes X-MS-TNEF-Correlator : x-originating-ip : [10.78.4.15] x-tm-as-product-ver : SMEX-14.0.0.3197-9.1.2019-28402.005 x-tm-as-result : No-10--22.262900-5.000000 x-tmase-matchedrid : 9PtD9a7Wh4ygjbggvgu2k3QQY0HhVbhbQmS1M8+xzOXxYCD/41+S5yrw jK51Wln3i+ZjWETZUNTt5BztBdeUp/Wfh2c5LdkZkgmSFEJ80NGJC0yZ/aK3eNTSGjubFor4Mrw I14SW1VGcJqMonMlJOKsI9mq7U+4DHgBijq9CTD1T7PQhFbK2udx01X750uFESIWxwjSbWagFRs Mdm/DMtjl0WpHNZhLm0r2lXyfdRhrGl7o00EMBCA39+vtasoFW8CsHqdsq1hddWGOk0uc0xhE4I TRN2KZjSLifVRrid2ls/+mGW5S82+J8/L1VA2XuA6AU3VQOG2sOB8k9pejBR8cDgJYa5+It6HLi u/iQZSSqt1h+dMJDBLj5M1EjhyY3elSlUm0Vtt5hKudaJOR1Vxv36q+KU0pT x-tm-as-user-approved-sender : No x-tm-as-user-blocked-sender : No x-tmase-result : 10--22.262900-5.000000 x-tmase-version : SMEX-14.0.0.3197-9.1.2019-28402.005 x-tm-snts-smtp : EC6E149DCEB3BC75C4E5CE8EBD5FA6ABDA1024948013F610188AC1C0942A03712002:9 Content-Type : multipart/related; boundary="_004_e796dba32ab9433b826e44ac8a41ba36cnrsfr_"; type="multipart/alternative" MIME-Version : 1.0 X-FE-Attachment-Name : PROSPETUCE.jpg X-FEAS-Client-IP : 100.64.3.11 X-FE-Last-Public-Client-IP : 100.64.3.11 X-FE-Policy-ID : 12:4:2:cnrs.fr

Path/File Enumeration: Logs show multiple HTTP requests to non-existing pages and incrementing filenames, suggesting file or path enumeration.

The IP continually initiated a SYN-ACK flood aimed at slowing down SSH services.

It attempted to perform a phishing attack using the IMAP server.

The malicious IP was involved in a SPIT (Spam over IP Telephony) attack, sending unsolicited messages over the VoIP server.

The malicious IP was reported for engaging in port scanning, probing the server for open ports to discover potential vulnerabilities for exploitation.

It attempted to perform a dictionary attack on the SASL server.

Unexpected or unusual patterns in the server logs, such as repeated patterns of failed logins followed by successful logins.

Multiple requests with the same Proxy-Authorization header.

Repeated failed attempts to access application interfaces or ports that are typically not open to the public.

Multiple requests with the same If-Range header.

The IP conducted exhaustive dictionary attacks, trying to guess password and username combinations.

Multiple attempts to access the server using credentials that were previously compromised in a data breach.

Server Misconfiguration Exploitation: Logs illustrating attempts at exploiting known server misconfigurations.

This IP belongs to Tech Data.

The IP continually initiated a SYN-ACK flood aimed at slowing down SSH services.

This IP was tracked while attempting to distribute secretive and malicious keyloggers.