This IP belongs to BT Central Plus.

A multitude of spyware-infected download wrappers were linked to the spotted IP address.

FOR YOUR INFORMATIONS and ACTIONS against these HACKERS USING your servers IP and accounts and mails boxes ! Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, comptes et boites mails ! Recu mail escroc au faux loyer impayé et titré : Facture Loyer Lundi 10 Juin 2024 après 10h52 j’ai reçu ce mail escroc usurpant en pièce jointe .PDF le LOGO et un RIB de la Banque Française Mutualiste ( BFM ) et venant l’adresse mail bidon ou usurpée : escaner@oceanica.ws Mais vraie adresse mail trouvée dans le code HTML pour répondre aux hackers : Reply-To: Mme Helene BARAYRE <bureaugestionetcomptabilite@outlook.fr> Boites mails Outlook gérées par Microsoft Et utilisant les adresses IP MS Outlook : 40.107.244.120 Received : from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2120.outbound.protection.outlook.com [40.107.244.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0106.laposte.net (SMTP Server) with ESMTPS id 4VyQY35rSPz5vLY for <@laposte.net>; Mon, 10 Jun 2024 10:52:23 +0200 (CEST) ARC-Seal : i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; IP Lookup Details: IP Information - 40.107.244.120 Host name: mail-mw2nam12on2120.outbound.protection.outlook.com Country: United States Country Code: US Region: City: Latitude: 37.751 Longitude: -97.822 ********************** Code HTML des hackers ************************ Return-Path : <escaner@oceanica.ws> Received : from mlpnf0106.laposte.net (mlpnf0106.sys.meshcore.net [10.94.128.85]) by mlpnb0108 with LMTPA; Mon, 10 Jun 2024 10:52:24 +0200 X-Cyrus-Session-Id : cyrus-151332-1718009544-2-16759083769934272232 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=2; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1718009544; cv=pass; b=Tb8+wvAurMjFyEyUV1TQd+z1aPhmcIyytd/35LNpq4HWJm1QJTIB8hoEDOGwC0m2ZmBV0hwzDUK c0s6QhqM5F69jBxJho2hbtyTE6ppBaCI2xdF8a6u+QDtYmo7vtQPqbCxehP5TjyK2qmMeCQELArb 6ZFgzM8efbphCh5SzJeoXJdUt7QUELZuzwmmgOluIonWdu3TdV1xjzX3s4eouW3Lp347jQZOpRbf eJwBVRkDV21MGNmdY+2wiN1s0DE6YANTvdNiJJVxOeHt5gmzhbVUOS8On5a6NkuptMdb5VQNQLae gBQVe05l0Gl1/gTDo3VkeUebqV3Wo9CviXTHciw== ARC-Message-Signature : i=2; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1718009544; h=DKIM-Signature:FROM:TO:REPLY-TO:SUBJECT:DATE; bh= i2agMjv7aXrKDQtrCFdTR/k4F2BFDNpoHrmNPC6nNyo=; b=oIxoRICDoY6yQUZua0/3mMUuFUXg ekAG61lDoPD19AtSBw5K7DV/36X8CRHVS/07mQGSvJ2owBbg6kRTvo8rWM9Ehxv/5tAuej00KCLQ 92MM8RQBvba27ASpXEzxysDyZWQbfcEk2uzA9U6oyhCwtIFfrkHbHOpy/8K0owEqsqDyV0AKKycf 7TcQ7idmKptT5Du2HbJsdVy7SEkN6iyTnu5TebYAS3LJaFRugpNK8RsYKQUuTYonRudR7Q/zqzTD sHq8eWoZMCQHNfe8v8EIDuqb1jW78bPv4ggz+zXC0gGGVR0pTCb8iizMkW9DUPWHJpAueOvx9k0L NzenUZXytg== ARC-Authentication-Results : i=2; laposte.net; spf=pass smtp.helo=NAM12-MW2-obe.outbound.protection.outlook.com smtp.mailfrom=escaner@oceanica.ws; dkim=pass reason="good signature" header.b=Qh0wg/ header.d=oceanicaws.onmicrosoft.com header.s=selector2-oceanicaws-onmicrosoft-com; dmarc=none reason="No policy found"; arc=pass header.oldest-pass=0 smtp.remote-ip=40.107.244.120; bimi=skipped reason="non-pass DMARC" X-mail-filterd : {"version":"1.7.5","queueID":"4VyQY44J4mz5vLW","contextId": "e4648f1d-3f72-46f4-ad4e-1868f427278f"} X-ppbforward : {"queueID":"4VyQY44J4mz5vLW","server":"mlpnf0106"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0106.laposte.net (SMTP Server) with ESMTP id 4VyQY44J4mz5vLW for <lpn000000000000000018870443@back01-mail02-04.lpn.svc.meshcore.net>; Mon, 10 Jun 2024 10:52:24 +0200 (CEST) X-mail-filterd : {"version":"1.7.5","queueID":"4VyQY35rSPz5vLY","contextId": "502c3f68-c99c-4655-a8a0-c743a9cee4f4"} X-lpn-mailing : LEGIT X-lpn-spamrating : 42 X-lpn-spamlevel : not-spam Authentication-Results : laposte.net; spf=pass smtp.mailfrom=escaner@oceanica.ws smtp.helo=NAM12-MW2-obe.outbound.protection.outlook.com; dkim=pass reason="good signature" header.d=oceanicaws.onmicrosoft.com header.s=selector2-oceanicaws-onmicrosoft-com header.b=Qh0wg/; dmarc=none reason="No policy found"; arc=pass smtp.remote-ip=40.107.244.120 header.oldest-pass=0; bimi=skipped reason="non-pass DMARC" X-lpn-spamcause : OK, (13)(0000)gggruggvucftvghtrhhoucdtuddrgedvledrfedutddgtdelucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecunfetrffquffvgfdpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenucgfrhhlucfvnfffucdludefmdenucfjughrpegthffvrhfukfffggesmhdtreertddtjeenucfhrhhomhepvehomhhpthgrsghlvgcukfhmmhhosghilhhivghruceovghstggrnhgvrhesohgtvggrnhhitggrrdifsheqnecuggftrfgrthhtvghrnhepvddtueelgefftddvtddufeeuheffvedtvedvvddtvdevtdeghfeiieffueevfefgnecukfhppeegtddruddtjedrvdeggedruddvtddpvdeitdefmedutdgsieemrgdtfeemgegtvdemmeduieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeegtddruddtjedrvdeggedruddvtddphhgvlhhopefptefouddvqdfohgdvqdhosggvrdhouhhtsghouhhnugdrphhrohhtvggtthhiohhnrdhouhhtlhhoohhkrdgtohhmpdhmrghilhhfrhhomhepvghstggrnhgvrhesohgtvggrnhhitggrrdifshdpnhgspghrtghpthhtohepuddprhgtphhtthhopegvlhgvrdhlvghmohhinhgvsehlrghpohhsthgvrdhnvghtpdhsphhfpehprghsshdpughkihhmpehnohhnvgdpughmrghrtgepnhhonhgvpdhrvghvkffrpehmrghilhdqmhifvdhnrghmuddvohhnvdduvddtrdhouhhtsghouhhnugdrphh rohhtvggtthhiohhnrdhouhhtlhhoohhkrdgtohhmpdhgvghokffrpegfuf Received : from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2120.outbound.protection.outlook.com [40.107.244.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mlpnf0106.laposte.net (SMTP Server) with ESMTPS id 4VyQY35rSPz5vLY

It tried to create buffer overflows by sending large amounts of data at once to overwhelm server resources.

The IP attempted to perform a Multicast DNS amplification attack on the SSH server.

The malicious IP tried to brute force its way into the SASL authentication process.

GET //web-console/Invoker: Might be an attempt to access JBoss server's web console for exploitation.

Login attempts from foreign IP addresses.

The IP attempted to perform a Kad network amplification attack on the SSH server.

This malicious IP was reported for trying to perform a FTP Zombie Scan, using the FTP server to mask its true location and identity.

It attempted to delete directories on the FTP server.

This IP belongs to Telstra.

The IP attempted to perform a password spraying attack on the SASL server.

This IP belongs to McKesson.

The IP tried to launch 'Dark Tequila' malware that steals banking information and login credentials from the server.

The IP attempted to perform Symlink attacks on the Apache server.

Unusual system or application errors related to authentication or access controls.

Repeated attempts to access the server using insecure or deprecated methods.

The IP tried to perform a cross-site request forgery attack on the IMAP service.

Purposefully tried to clog our mail server's resources by creating a mail loop configuration.

GET /CFIDE/administrator/enter.cfm: An attempt to get into the ColdFusion admin console.

The IP was found trying to maliciously clone the SSH certificates for privileged access.

Multiple requests with identical POST parameters.

It attempted to perform a SIP Register Flood on the SIP server.

Multiple requests with the same Origin header.