[committee] abuse report - 130.95.13.140 - mpw.ucc.gu.uwa.edu.au

Owen Que owen.que at uwa.edu.au
Mon Feb 10 09:38:09 AWST 2020


Hi UCC,

We've received numerous alerts and reports from Abusix regarding login-attack abuse originating from IP 130.95.13.140.
I need to get in touch with an admin looking after the system. Are you able to contact me ASAP?

----------------------------------------------
Reported-From: admin at hostingru.net
Report-ID: 1581246427 at s7.hostingru.net
Category: abuse
Report-Type: login-attack
Service: sshd
User-Agent: csf v14.01
Date: 2020-02-09T14:07:07+0300
Source: 130.95.13.140
Source-Type: ipv4
Attachment: text/plain
Schema-URL: https://download.configserver.com/abuse_login-attack_0.2.json
----------------------------------------------
Feb  9 14:03:20 s7 sshd[210605]: Invalid user cay from 130.95.13.140
Feb  9 14:03:20 s7 sshd[210605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
Feb  9 14:03:23 s7 sshd[210605]: Failed password for invalid user cay from 130.95.13.140 port 48399 ssh2
Feb  9 14:07:05 s7 sshd[215548]: Invalid user nzp from 130.95.13.140
Feb  9 14:07:05 s7 sshd[215548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
----------------------------------------------

An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected. Attached are the host who attacks and time / date of activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.



Host of attacker: 130.95.13.140 => mpw.ucc.gu.uwa.edu.au => mpw.ucc.gu.uwa.edu.au
Responsible email contacts: abuse at uwa.edu.au
Attacked hosts in our Network: 77.75.250.74, 178.250.15.156, 37.228.154.132, 77.75.249.212, 77.75.253.74, 37.228.154.97, 178.250.12.36, 178.250.12.154, 37.228.155.59, 37.228.156.7, 37.228.154.45, 85.158.183.120, 85.158.183.205, 178.250.15.80, 178.250.10.54, 37.228.156.61



Logfile entries (time is MET / GMT+1):

Sun Feb  9 01:07:19 2020: user: fiz service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 01:04:19 2020: user: pfs service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 01:01:29 2020: user: php service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:58:39 2020: user: zvr service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:55:49 2020: user: wz service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:53:09 2020: user: yna service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:50:19 2020: user: bzj service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:47:29 2020: user: huz service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:44:39 2020: user: nwt service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:41:49 2020: user: mdj service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:39:09 2020: user: czb service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:36:19 2020: user: soe service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:33:29 2020: user: lg service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:30:39 2020: user: uhj service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:27:59 2020: user: qpv service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:25:19 2020: user: guu service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:22:29 2020: user: eqe service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:19:39 2020: user: vzw service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:16:59 2020: user: iij service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:14:29 2020: user: tsm service: ssh target: 37.228.154.97 source: 130.95.13.140
Sun Feb  9 00:12:09 2020: user: uxm service: ssh target: 37.228.154.97 source: 130.95.13.140
Sat Feb  8 23:55:29 2020: user: jhw service: ssh target: 37.228.154.97 source: 130.95.13.140
Sat Feb  8 23:46:37 2020: user: ung service: ssh target: 37.228.156.61 source: 130.95.13.140
Sat Feb  8 23:46:00 2020: user: ung service: ssh target: 178.250.12.154 source: 130.95.13.140
Sat Feb  8 23:45:23 2020: user: ung service: ssh target: 85.158.183.205 source: 130.95.13.140
Sat Feb  8 23:39:03 2020: user: ung service: ssh target: 77.75.253.74 source: 130.95.13.140
Sat Feb  8 23:37:34 2020: user: ung service: ssh target: 37.228.155.59 source: 130.95.13.140
Sat Feb  8 23:36:28 2020: user: ung service: ssh target: 77.75.249.212 source: 130.95.13.140
Sat Feb  8 23:34:46 2020: user: ung service: ssh target: 178.250.10.54 source: 130.95.13.140
Sat Feb  8 23:31:46 2020: user: ung service: ssh target: 85.158.183.120 source: 130.95.13.140
Sat Feb  8 23:22:12 2020: user: bvt service: ssh target: 178.250.15.156 source: 130.95.13.140
Sat Feb  8 23:20:50 2020: user: bvt service: ssh target: 178.250.12.36 source: 130.95.13.140
Sat Feb  8 23:13:45 2020: user: uni service: ssh target: 37.228.156.7 source: 130.95.13.140
Sat Feb  8 17:30:19 2020: user: eqj service: ssh target: 77.75.250.74 source: 130.95.13.140
Sat Feb  8 17:25:04 2020: user: eqj service: ssh target: 178.250.15.80 source: 130.95.13.140
Sat Feb  8 17:24:38 2020: user: eqj service: ssh target: 37.228.154.132 source: 130.95.13.140
Sat Feb  8 17:18:13 2020: user: eqj service: ssh target: 37.228.154.45 source: 130.95.13.140
----------------------------------------------


Thanks.

Owen Que
Cyber Security Analyst, Cyber Security Technology Risk

University IT  *  M463, 35 Stirling Hwy, Perth WA 6009
T +61 8 6488 2092 *  E owen.que at uwa.edu.au

For guidance on how to stay safe online visit: http://cybersecurity.it.uwa.edu.au
