[committee] [wheel] abuse report - 130.95.13.140 - mpw.ucc.gu.uwa.edu.au

James Andrewartha trs80 at ucc.gu.uwa.edu.au
Mon Feb 10 09:56:59 AWST 2020


Hi Owen,

I've firewalled the IP and shut down the VM. Our records indicate user 
elliotnunn (cc:ed) is responsible for it.

Thanks

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

On Mon, 10 Feb 2020, Owen Que wrote:

> Hi UCC,
> 
> We’ve received numerous alerts and reports from abusix regarding login-attack abuse originating from IP 130.95.13.140
> 
> I need to get in touch with an admin looking after the system. Are you able to contact me ASAP?
> 
> ----------------------------------------------
> Reported-From: admin at hostingru.net
> Report-ID: 1581246427 at s7.hostingru.net
> Category: abuse
> Report-Type: login-attack
> Service: sshd
> User-Agent: csf v14.01
> Date: 2020-02-09T14:07:07+0300
> Source: 130.95.13.140
> Source-Type: ipv4
> Attachment: text/plain
> Schema-URL: https://download.configserver.com/abuse_login-attack_0.2.json
> ----------------------------------------------
> 
> Feb  9 14:03:20 s7 sshd[210605]: Invalid user cay from 130.95.13.140
> Feb  9 14:03:20 s7 sshd[210605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
> Feb  9 14:03:23 s7 sshd[210605]: Failed password for invalid user cay from 130.95.13.140 port 48399 ssh2
> Feb  9 14:07:05 s7 sshd[215548]: Invalid user nzp from 130.95.13.140
> Feb  9 14:07:05 s7 sshd[215548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
> 
> ----------------------------------------------
> 
> An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected.
> Attached are the attacking host and the time/date of activity. Please take the necessary action(s) to stop this activity
> immediately. If you have any questions please reply to this email.
> 
> Host of attacker: 130.95.13.140 => mpw.ucc.gu.uwa.edu.au => mpw.ucc.gu.uwa.edu.au
> Responsible email contacts: abuse at uwa.edu.au
> Attacked hosts in our Network: 77.75.250.74, 178.250.15.156, 37.228.154.132, 77.75.249.212, 77.75.253.74, 37.228.154.97,
> 178.250.12.36, 178.250.12.154, 37.228.155.59, 37.228.156.7, 37.228.154.45, 85.158.183.120, 85.158.183.205, 178.250.15.80,
> 178.250.10.54, 37.228.156.61
> 
> Logfile entries (time is MET / GMT+1):
> 
> Sun Feb  9 01:07:19 2020: user: fiz service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 01:04:19 2020: user: pfs service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 01:01:29 2020: user: php service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:58:39 2020: user: zvr service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:55:49 2020: user: wz service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:53:09 2020: user: yna service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:50:19 2020: user: bzj service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:47:29 2020: user: huz service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:44:39 2020: user: nwt service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:41:49 2020: user: mdj service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:39:09 2020: user: czb service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:36:19 2020: user: soe service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:33:29 2020: user: lg service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:30:39 2020: user: uhj service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:27:59 2020: user: qpv service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:25:19 2020: user: guu service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:22:29 2020: user: eqe service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:19:39 2020: user: vzw service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:16:59 2020: user: iij service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:14:29 2020: user: tsm service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sun Feb  9 00:12:09 2020: user: uxm service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sat Feb  8 23:55:29 2020: user: jhw service: ssh target: 37.228.154.97 source: 130.95.13.140
> Sat Feb  8 23:46:37 2020: user: ung service: ssh target: 37.228.156.61 source: 130.95.13.140
> Sat Feb  8 23:46:00 2020: user: ung service: ssh target: 178.250.12.154 source: 130.95.13.140
> Sat Feb  8 23:45:23 2020: user: ung service: ssh target: 85.158.183.205 source: 130.95.13.140
> Sat Feb  8 23:39:03 2020: user: ung service: ssh target: 77.75.253.74 source: 130.95.13.140
> Sat Feb  8 23:37:34 2020: user: ung service: ssh target: 37.228.155.59 source: 130.95.13.140
> Sat Feb  8 23:36:28 2020: user: ung service: ssh target: 77.75.249.212 source: 130.95.13.140
> Sat Feb  8 23:34:46 2020: user: ung service: ssh target: 178.250.10.54 source: 130.95.13.140
> Sat Feb  8 23:31:46 2020: user: ung service: ssh target: 85.158.183.120 source: 130.95.13.140
> Sat Feb  8 23:22:12 2020: user: bvt service: ssh target: 178.250.15.156 source: 130.95.13.140
> Sat Feb  8 23:20:50 2020: user: bvt service: ssh target: 178.250.12.36 source: 130.95.13.140
> Sat Feb  8 23:13:45 2020: user: uni service: ssh target: 37.228.156.7 source: 130.95.13.140
> Sat Feb  8 17:30:19 2020: user: eqj service: ssh target: 77.75.250.74 source: 130.95.13.140
> Sat Feb  8 17:25:04 2020: user: eqj service: ssh target: 178.250.15.80 source: 130.95.13.140
> Sat Feb  8 17:24:38 2020: user: eqj service: ssh target: 37.228.154.132 source: 130.95.13.140
> Sat Feb  8 17:18:13 2020: user: eqj service: ssh target: 37.228.154.45 source: 130.95.13.140
> 
> ----------------------------------------------
> 
> Thanks.
> 
> Owen Que
> 
> Cyber Security Analyst, Cyber Security Technology Risk
> University IT  •  M463, 35 Stirling Hwy, Perth WA 6009
> T +61 8 6488 2092 •  E owen.que at uwa.edu.au
> 
> For guidance on how to stay safe online visit: http://cybersecurity.it.uwa.edu.au
> 
> The University of Western Australia
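The report quoted above carries three machine-readable pieces: a key: value header block describing the report, raw sshd/PAM syslog lines, and a per-target "Logfile entries" list that arrives run together on one line. The following Python script is an added example written for this thread, not code from the thread, from UCC or from csf; it parses all three forms, aggregates the failures per source address, and flags sources whose pattern looks like password guessing, which is the triage a recipient of such a report wants to do before firewalling a host. Every sample value in it is constructed (RFC 5737 documentation addresses, example.net names), and the flagging thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed samples: RFC 5737 documentation addresses and example.net names,
# not the hosts from the report.
SAMPLE_HEADER = """\
Reported-From: abuse@example.net
Report-ID: 1581246427@s7.example.net
Category: abuse
Report-Type: login-attack
Service: sshd
User-Agent: csf v14.01
Date: 2020-02-09T14:07:07+0300
Source: 192.0.2.10
Source-Type: ipv4
"""

SAMPLE_SYSLOG = """\
Feb  9 14:03:20 s7 sshd[210605]: Invalid user cay from 192.0.2.10
Feb  9 14:03:20 s7 sshd[210605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Feb  9 14:03:23 s7 sshd[210605]: Failed password for invalid user cay from 192.0.2.10 port 48399 ssh2
Feb  9 14:07:05 s7 sshd[215548]: Invalid user nzp from 192.0.2.10
Feb  9 14:07:05 s7 sshd[215548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Feb  9 14:09:40 s7 sshd[215600]: Failed password for alice from 198.51.100.7 port 51000 ssh2
"""

# The per-target "Logfile entries" form, run together on one line as it arrives in the mail.
SAMPLE_ENTRIES = (
    "Sun Feb  9 01:07:19 2020: user: fiz service: ssh target: 203.0.113.5 source: 192.0.2.10 "
    "Sun Feb  9 01:04:19 2020: user: pfs service: ssh target: 203.0.113.5 source: 192.0.2.10 "
    "Sat Feb  8 23:46:37 2020: user: ung service: ssh target: 203.0.113.9 source: 192.0.2.10"
)

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MSG_RES = {  # the three sshd/PAM lines a failed login produces
    "invalid_user": re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    "failed_password": re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "pam_failure": re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>\S+)"),
}
ENTRY_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"user: (?P<user>\S+) service: (?P<service>\S+) target: (?P<target>\S+) source: (?P<source>\S+)")


def parse_header(text):
    """Parse the 'Key: value' block at the top of the report into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_syslog(text, year):
    """Return one event per recognised sshd failure line. Syslog lines carry no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for kind, rx in MSG_RES.items():
            mm = rx.match(m.group("msg"))
            if mm:
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
                events.append({"ts": ts, "kind": kind, "pid": m.group("pid"), "ip": mm.group("ip"),
                               "user": mm.groupdict().get("user"), "target": None})
                break
    return events


def parse_entries(text):
    """Parse the 'Logfile entries' list; finditer copes with it whether or not it has line breaks."""
    return [{"ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), "kind": "failed_password",
             "pid": None, "ip": m.group("source"), "user": m.group("user"), "target": m.group("target")}
            for m in ENTRY_RE.finditer(text)]


def summarize(events):
    """Aggregate failures per source address: attempts, distinct usernames, targets and time span."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["ip"], {"sessions": set(), "users": set(), "targets": set(),
                                        "first": ev["ts"], "last": ev["ts"]})
        # sshd forks one process per connection, so the pid identifies an attempt even when it
        # logged three lines; the per-target entries have no pid, so each entry is one attempt.
        s["sessions"].add(ev["pid"] or (ev["ts"], ev["user"], ev["target"]))
        if ev["user"]:
            s["users"].add(ev["user"])
        if ev["target"]:
            s["targets"].add(ev["target"])
        s["first"], s["last"] = min(s["first"], ev["ts"]), max(s["last"], ev["ts"])
    for s in stats.values():
        s["attempts"] = len(s["sessions"])
    return stats


def flag_bruteforce(stats, min_attempts=5, min_users=3):
    """Sources with many attempts, or many distinct usernames (spraying). Thresholds are assumptions."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts or len(s["users"]) >= min_users)


if __name__ == "__main__":
    hdr = parse_header(SAMPLE_HEADER)
    stats = summarize(parse_syslog(SAMPLE_SYSLOG, 2020) + parse_entries(SAMPLE_ENTRIES))
    print(f"report {hdr['Report-ID']} ({hdr['Report-Type']}/{hdr['Service']}) names source {hdr['Source']}")
    for ip, s in stats.items():
        print(f"{ip}: {s['attempts']} attempts, {len(s['users'])} usernames, {len(s['targets'])} targets,"
              f" {s['first']:%Y-%m-%d %H:%M:%S} .. {s['last']:%Y-%m-%d %H:%M:%S}")
    print("flagged:", flag_bruteforce(stats))
```

Counting attempts by sshd pid rather than by line matters: one failed login emits up to three syslog lines (Invalid user, pam_unix failure, Failed password), so a per-line count triples the figure. The distinct-username test catches the pattern visible in the report, where a single source cycles through short random usernames against one target, and the timestamps from the per-target entries show the cadence (here roughly one attempt every two to three minutes) that a rate-only rule with a short window would miss.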