[committee] [wheel] abuse report - 130.95.13.140 - mpw.ucc.gu.uwa.edu.au

Owen Que owen.que at uwa.edu.au
Mon Feb 10 10:06:44 AWST 2020


Thanks for your reply.

Can you give me more information about what is really happening here?
Has user "elliotnunn" been compromised? Has the computer been compromised?

Is Elliot able to contact me?

Thanks.


Owen Que
Cyber Security Analyst, Cyber Security Technology Risk

University IT  •  M463, 35 Stirling Hwy, Perth WA 6009
T +61 8 6488 2092 •  E owen.que at uwa.edu.au

For guidance on how to stay safe online visit: http://cybersecurity.it.uwa.edu.au 




-----Original Message-----
From: James Andrewartha <trs80 at ucc.gu.uwa.edu.au> 
Sent: Monday, 10 February 2020 9:57 AM
To: Owen Que <owen.que at uwa.edu.au>; Elliot Nunn <elliotnunn at ucc.gu.uwa.edu.au>
Cc: wheel at ucc.asn.au; committee at ucc.asn.au
Subject: Re: [wheel] abuse report - 130.95.13.140 - mpw.ucc.gu.uwa.edu.au

Hi Owen,

I've firewalled the IP and shut down the VM. Our records indicate user elliotnunn (cc:ed) is responsible for it.

Thanks

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

On Mon, 10 Feb 2020, Owen Que wrote:

> 
> Hi UCC,
> 
>  
> 
> We’ve received numerous alerts and reports from abusix regarding login-attack abuse originating from IP 130.95.13.140.
> 
> I need to get in touch with an admin looking after the system. Are you able to contact me ASAP?
> 
>  
> 
> ----------------------------------------------
> 
> Reported-From: admin at hostingru.net
> 
> Report-ID: 1581246427 at s7.hostingru.net
> 
> Category: abuse
> 
> Report-Type: login-attack
> 
> Service: sshd
> 
> User-Agent: csf v14.01
> 
> Date: 2020-02-09T14:07:07+0300
> 
> Source: 130.95.13.140
> 
> Source-Type: ipv4
> 
> Attachment: text/plain
> 
> Schema-URL: https://download.configserver.com/abuse_login-attack_0.2.json
> 
> ----------------------------------------------
> 
> Feb  9 14:03:20 s7 sshd[210605]: Invalid user cay from 130.95.13.140
> Feb  9 14:03:20 s7 sshd[210605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
> Feb  9 14:03:23 s7 sshd[210605]: Failed password for invalid user cay from 130.95.13.140 port 48399 ssh2
> Feb  9 14:07:05 s7 sshd[215548]: Invalid user nzp from 130.95.13.140
> Feb  9 14:07:05 s7 sshd[215548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
> 
> ----------------------------------------------
> 
> An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected.
> Attached are the attacking host and the time/date of the activity. Please
> take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.
> 
>  
> 
> Host of attacker: 130.95.13.140 => mpw.ucc.gu.uwa.edu.au => mpw.ucc.gu.uwa.edu.au
> Responsible email contacts: abuse at uwa.edu.au
> Attacked hosts in our Network:
> 
>  
> 
> Logfile entries (time is MET / GMT+1):
> 
> 
> ----------------------------------------------
> 
>  
> 
>  
> 
> Thanks.
> 
>  
> 
> Owen Que
> 
> Cyber Security Analyst, Cyber Security Technology Risk
> 
>  
> 
> University IT  •  M463, 35 Stirling Hwy, Perth WA 6009
> 
> T +61 8 6488 2092 •  E owen.que at uwa.edu.au
> 
>  
> 
> For guidance on how to stay safe online visit: http://cybersecurity.it.uwa.edu.au
> 
>  
> 
> The University of Western Australia
> 
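An added example, not part of the thread, of the triage check the recipient of such a report would run before firewalling anything: parse the csf login-attack header and the attached sshd lines, and confirm that the attached evidence actually names the reported Source. The sample report is constructed from the lines quoted above; the field names and regexes are assumptions about the report layout, not a csf API.

```python
import re
from collections import Counter
# Constructed sample, modelled on the csf "login-attack" report quoted above.
REPORT = """Reported-From: admin at hostingru.net
Report-ID: 1581246427 at s7.hostingru.net
Category: abuse
Report-Type: login-attack
Service: sshd
User-Agent: csf v14.01
Date: 2020-02-09T14:07:07+0300
Source: 130.95.13.140
Source-Type: ipv4

Feb  9 14:03:20 s7 sshd[210605]: Invalid user cay from 130.95.13.140
Feb  9 14:03:20 s7 sshd[210605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
Feb  9 14:03:23 s7 sshd[210605]: Failed password for invalid user cay from 130.95.13.140 port 48399 ssh2
Feb  9 14:07:05 s7 sshd[215548]: Invalid user nzp from 130.95.13.140
Feb  9 14:07:05 s7 sshd[215548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
"""
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
RHOST_RE = re.compile(r"authentication failure;.*\brhost=(\S+)")

def parse_report(text):
    """Split the report into its key/value header and the attached sshd log lines."""
    header_part, _, log_part = text.partition("\n\n")
    header = {}
    for line in header_part.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
    return header, [l for l in log_part.splitlines() if l.strip()]

def triage(text):
    """Summarise the evidence and check it is consistent with the reported Source."""
    header, lines = parse_report(text)
    claimed = header.get("Source")
    users, per_ip = [], Counter()
    for line in lines:
        if m := INVALID_RE.search(line):        # guess for a username that does not exist
            users.append(m.group(1)); per_ip[m.group(2)] += 1
        elif m := FAILED_RE.search(line):       # failed password attempt
            per_ip[m.group(1)] += 1
        elif m := RHOST_RE.search(line):        # PAM failure record
            per_ip[m.group(1)] += 1
    return {"source": claimed, "service": header.get("Service"),
            "consistent": set(per_ip) == {claimed},   # every log line names the claimed IP
            "invalid_users": users, "events": sum(per_ip.values())}
```

If `consistent` comes back False the attachment does not support the claimed Source and the report needs a closer look before any block is applied.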

