[committee] [wheel] abuse report - 130.95.13.140 - mpw.ucc.gu.uwa.edu.au
Owen Que
owen.que at uwa.edu.au
Tue Feb 11 09:19:32 AWST 2020
Good Morning,
It is in our (UWA Cyber Security) interest and responsibility to report any network abuse and suspicious activities within UWA's network.
Yesterday we blocked inbound and outbound connections for 130.95.13.140, and we are closely monitoring the 130.95.13.x IP range.
This IP range is plugged directly into the UWA network.
UWA Cyber Security has seen many unauthorised connections, especially from host devices that are open to the internet.
We will continue blocking any malicious activity to/from the 130.95.13.x IP range; this aligns with the UWA acceptable use policy/standard.
https://cybersecurity.it.uwa.edu.au/#policies_standards
Thanks.
Owen Que
Cyber Security Analyst, Cyber Security Technology Risk
University IT • M463, 35 Stirling Hwy, Perth WA 6009
T +61 8 6488 2092 • E owen.que at uwa.edu.au
For guidance on how to stay safe online visit: http://cybersecurity.it.uwa.edu.au
-----Original Message-----
From: Elliot Nunn <elliotnunn at fastmail.com>
Sent: Monday, 10 February 2020 5:40 PM
To: Matt Johnston <matt at ucc.asn.au>
Cc: Owen Que <owen.que at uwa.edu.au>
Subject: Re: [wheel] abuse report - 130.95.13.140 - mpw.ucc.gu.uwa.edu.au
Oh dear! The machine formerly known as mpw.ucc.gu.uwa.edu.au is a Power Mac running Mac OS 9, and is currently unplugged in my cupboard. Not sure what happened here.
> On 10 Feb 2020, at 10:09 am, Matt Johnston <matt at ucc.asn.au> wrote:
>
> Wonder if it'd be hard to set up outbound ssh-scan monitoring at ucc? Don't reckon there would be many false positives.
>
> Matt
>
> On 10 February 2020 9:38:09 am AWST, Owen Que <owen.que at uwa.edu.au> wrote:
> Hi UCC,
>
> We've received numerous alerts and reports from abusix regarding login-attack abuse originating from IP 130.95.13.140. I need to get in touch with an admin looking after the system. Are you able to contact me ASAP?
>
> ----------------------------------------------
> Reported-From: admin at hostingru.net
> Report-ID: 1581246427 at s7.hostingru.net
> Category: abuse
> Report-Type: login-attack
> Service: sshd
> User-Agent: csf v14.01
> Date: 2020-02-09T14:07:07+0300
> Source: 130.95.13.140
> Source-Type: ipv4
> Attachment: text/plain
> Schema-URL: https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdownload.configserver.com%2Fabuse_login-attack_0.2.json&data=02%7C01%7Cowen.que%40uwa.edu.au%7C3ecc43b0c22c4e5f0e3308d7ae0d0f64%7C05894af0cb2846d8871674cdb46e2226%7C1%7C0%7C637169243429378572&sdata=L7UNcu0qOtdVOBQpot%2FoKslSGqe3Ey7Do7Hcbu%2Biltg%3D&reserved=0
> ----------------------------------------------
> Feb 9 14:03:20 s7 sshd[210605]: Invalid user cay from 130.95.13.140
> Feb 9 14:03:20 s7 sshd[210605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
> Feb 9 14:03:23 s7 sshd[210605]: Failed password for invalid user cay from 130.95.13.140 port 48399 ssh2
> Feb 9 14:07:05 s7 sshd[215548]: Invalid user nzp from 130.95.13.140
> Feb 9 14:07:05 s7 sshd[215548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.95.13.140
> ----------------------------------------------
> An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected. Attached are the attacking host and the time/date of activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.
>
> Host of attacker: 130.95.13.140 => mpw.ucc.gu.uwa.edu.au => mpw.ucc.gu.uwa.edu.au
> Responsible email contacts: abuse at uwa.edu.au
> Attacked hosts in our Network: 77.75.250.74, 178.250.15.156,
> 37.228.154.132, 77.75.249.212, 77.75.253.74, 37.228.154.97,
> 178.250.12.36, 178.250.12.154, 37.228.155.59, 37.228.156.7,
> 37.228.154.45, 85.158.183.120, 85.158.183.205, 178.250.15.80,
> 178.250.10.54, 37.228.156.61
>
> Logfile entries (time is MET / GMT+1):
> ----------------------------------------------
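Matt's suggestion above of outbound ssh-scan monitoring, worked through as an added example that is not code from the thread or from UCC: a sliding-window detector that flags a host in the monitored 130.95.13.0/24 range when it opens outbound port-22 connections to many distinct destinations within an hour. The flow-record format, the sample records, the one-hour window and the threshold of five destinations are all assumptions; the destination addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records (not from the abuse report): "timestamp src -> dst:dport"
SAMPLE_FLOWS = """\
2020-02-08T23:13:45 130.95.13.140 -> 192.0.2.7:22
2020-02-08T23:20:50 130.95.13.140 -> 192.0.2.36:22
2020-02-08T23:22:12 130.95.13.140 -> 192.0.2.156:22
2020-02-08T23:31:46 130.95.13.140 -> 198.51.100.120:22
2020-02-08T23:34:46 130.95.13.140 -> 198.51.100.54:22
2020-02-08T23:36:28 130.95.13.140 -> 198.51.100.212:22
2020-02-08T23:40:00 130.95.13.140 -> 203.0.113.9:443
2020-02-08T23:41:00 130.95.13.9 -> 192.0.2.7:22
2020-02-08T23:42:00 130.95.13.9 -> 192.0.2.7:22
2020-02-08T23:43:00 130.95.13.9 -> 192.0.2.8:22
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
MONITORED = ip_network("130.95.13.0/24")  # the range named in the thread (assumed /24)

def parse_flow(line):
    """Parse one assumed-format flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)

def outbound_ssh_scanners(text, window=timedelta(hours=1), threshold=5):
    """Return {src: max distinct port-22 destinations seen inside `window`} for monitored
    hosts that reach `threshold`. Repeated logins to one host do not count as a scan."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != 22 or src not in MONITORED:
            continue  # only outbound SSH from the watched range is of interest
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop records that fell out of the window
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(distinct, flagged.get(src, 0))
    return {str(s): n for s, n in flagged.items()}
```

Records must be fed in time order, as a real flow exporter would emit them; the destination count per source is what separates a scan from repeated legitimate logins to a single host.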