- We have received information about spam or abuse from esp@blockbuster.com . Please take all necessary measures to avoid this in the future.
- Furthermore we request that you send a short response within 24 hours to us and to the complainant. This response should contain information about how this could have happened and what you intend to do about it.
- How to proceed:
- - Solve the problem
- - Send a response to us: Use the following link: http://abuse.hetzner.de/statements/?token=93f2a1cdea7d209ca50608e324527297
- - Send a response by email to the complainant
- A technician will check the data and coordinate further proceeding. If we have received many complaints, the situation can lead to a server blocking.
- Important note:
- When you reply to us, please leave the abuse ID [AbuseID:078848:1A] unchanged in the subject line.
- Best Regards,
- Sandra Kreidl
- Hetzner Online AG
- Stuttgarter Str. 1
- 91710 Gunzenhausen
- Tel: +49 [0] 9831 610061
- Fax: +49 [0] 9831 61006-2
- abuse@hetzner.de
- www.hetzner.de
- Register Court: Registergericht Ansbach, HRB 3204
- Management Board: Dipl. Ing. (FH) Martin Hetzner
- Chairwoman of the Supervisory Board: Diana Rothhan
- ----- attachment -----
- Return-path: < esp@blockbuster.com >
- Envelope-to: abuse@hetzner.de
- Delivery-date: Fri, 25 May 2012 16:40:36 +0200
- Received: from [64.18.1.191] (helo=exprod6og106.obsmtp.com)
- by lms.your-server.de with smtps (TLSv1:AES256-SHA:256)
- (Exim 4.74)
- (envelope-from < esp@blockbuster.com >)
- id 1SXvga-0004G9-NG
- for abuse@hetzner.de ; Fri, 25 May 2012 16:40:35 +0200
- Received: from MER2-BBCASHUB2.usa.Blockbuster.com ([204.76.128.15]) by exprod6ob106.postini.com ([64.18.5.12]) with SMTP
- ID DSNKT7+ZwgTNXt1OgXw8hkuXFFRhh2/fh9om@postini.com ; Fri, 25 May 2012 07:40:07 PDT
- Received: from MCU.localdomain (10.194.222.70) by
- MER2-BBCASHUB2.usa.Blockbuster.com (10.50.106.51) with Microsoft SMTP Server
- id 14.1.323.3; Fri, 25 May 2012 08:40:01 -0600
- Received: from localhost.localdomain (fe80023048fffe93a9b2 [127.0.0.1]) by
- MCU.localdomain (8.12.11/8.12.11) with ESMTP id q4PEe0Db029859; Fri, 25 May
- 2012 09:40:01 -0500
- Message-ID: < 201205251440.q4PEe0Db029859@MCU.localdomain >
- Content-Type: multipart/related; boundary="_----------=_1337956800298360"
- MIME-Version: 1.0
- X-Mailer: MIME::Lite 3.01 (F2.73; B3.08; Q3.08)
- Date: Fri, 25 May 2012 14:40:00 +0000
- From: < esp@blockbuster.com >
- To: < abuse@hetzner.de >
- Subject: Abuse report:
- CC: < scc@globaldataguard.com >
- Reply-To: < scc@globaldataguard.com >
- X-Virus-Scanned: Clear (ClamAV 0.97.3/14962/Fri May 25 09:19:04 2012)
- X-Spam-Score: -1.0 (-)
- Delivered-To: he1-abuse@hetzner.de
- --_----------=_1337956800298360
- Content-Disposition: inline
- Content-Length: 1329
- Content-Transfer-Encoding: quoted-printable
- Content-Type: text/plain
- To Whom it May Concern,
- You have a system on your network that is actively scanning and/or attacking external sites on the Internet. This can come from many sources and because it is often difficult to detect this activity, we are sending this E-mail in an attempt to help you solve the problem.
- We have detected your system with an IP of, 78.46.45.179, scanning a client we monitor. This was not a short attack but a prolonged scan and/or probe that was designed to find and intrude into the target network.
- This may be someone on your network who is actively trying to hack others. This person may be a legitimate user on your network or it may be that this system has been compromised and is being used by someone to hack others. It is also likely that the system is running automated tools that have been installed to perform these actions without any human intervention.
- Below is the information about the attack. Keep in mind that the source IP of our client has been sanitized for anonymity.
- Date: 2012-05-25
- Time: 09:23:39
- Time Zone: America/Chicago
- Source(s): 78.46.45.179
- Type of Attack/Scan: Generic
- Hosts: 10.10.10.173
- Log:
- 78.46.45.179:65361 > 10.10.10.173:5900
- Possible Cause:
- Infected Computer.
- Malicious User.
- Thank you for your attention to this matter,
- Global DataGuard
- email: esp@blockbuster.com
- The information transmitted is intended only for the person or entity to
- which it is addressed and may contain confidential and/or privileged
- material. If the reader of this message is not the intended recipient,
- you are hereby notified that your access is unauthorized, and any review,
- dissemination, distribution or copying of this message including any
- attachments is strictly prohibited. If you are not the intended
- recipient, please contact the sender and delete the material from any
- computer.
- --_----------=_1337956800298360--
- Dear Mr Boris Umitbaev,
- We have received information about spam or abuse from no-auto-reponses@hopone.net . Please take all necessary measures to avoid this in the future.
- Furthermore we request that you send a short response within 24 hours to us and to the complainant. This response should contain information about how this could have happened and what you intend to do about it.
- How to proceed:
- - Solve the problem
- - Send a response to us: Use the following link: http://abuse.hetzner.de/statements/?token=ba34a7683538efaced61d11600943e1a
- - Send a response by email to the complainant
- A technician will check the data and coordinate further proceeding. If we have received many complaints, the situation can lead to a server blocking.
- Important note:
- When you reply to us, please leave the abuse ID [AbuseID:078844:1F] unchanged in the subject line.
- Best Regards,
- Sandra Kreidl
- Hetzner Online AG
- Stuttgarter Str. 1
- 91710 Gunzenhausen
- Tel: +49 [0] 9831 610061
- Fax: +49 [0] 9831 61006-2
- abuse@hetzner.de
- www.hetzner.de
- Register Court: Registergericht Ansbach, HRB 3204
- Management Board: Dipl. Ing. (FH) Martin Hetzner
- Chairwoman of the Supervisory Board: Diana Rothhan
- ----- attachment -----
- Return-path: < no-auto-reponses@hopone.net >
- Envelope-to: abuse@hetzner.de
- Delivery-date: Sat, 26 May 2012 00:28:07 +0200
- Received: from [66.36.226.55] (helo=loghost.dca2.superb.net)
- by lms.your-server.de with esmtps (TLSv1:AES256-SHA:256)
- (Exim 4.74)
- (envelope-from < no-auto-reponses@hopone.net >)
- id 1SY2zE-00081A-67
- for abuse@hetzner.de ; Sat, 26 May 2012 00:28:07 +0200
- Received: from loghost.dca2.superb.net ( loghost.dca2.superb.net [127.0.0.1])
- by loghost.dca2.superb.net (8.13.8/8.13.8) with ESMTP id q4PMRj85002406;
- Fri, 25 May 2012 18:27:45 -0400
- Received: (from root@localhost)
- by loghost.dca2.superb.net (8.13.8/8.13.8/Submit) id q4PMRj1j002403;
- Fri, 25 May 2012 18:27:45 -0400
- Date: Fri, 25 May 2012 18:27:45 -0400
- Message-Id: < 201205252227.q4PMRj1j002403@loghost.dca2.superb.net >
- From: no-auto-reponses@hopone.net
- To: abuse@hetzner.de
- Subject: Abuse from your IP address - 78.46.45.179
- X-Virus-Scanned: Clear (ClamAV 0.97.3/14965/Fri May 25 22:19:14 2012)
- X-Spam-Score: 1.3 (+)
- Delivered-To: he1-abuse@hetzner.de
- Hello Networking/Systems Admin,
- We have detected abuse from the IP address 78.46.45.179 which, according to a whois lookup, is on your network. We would appreciate if you would investigate and take action as appropriate.
- ** THIS IP ADDRESS IS NULL ROUTED on our entire network, including peering and transit, for a period of time not exceeding 24 hours from the date and time of this email. YOU ARE NOT REQUIRED to reply to this email unless you need more information.
- You can see more information on this incident by reviewing the data at http://darknet.superb.net/ip/78.46.45.179 and log lines are given below. Please ask if you require any further information.
- You may contact us at sec_reply@hopone.net
- (If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
- Note: Local timezone is -0400 (EDT)
- /var/log/messages:May 25 10:27:26 darknet.superb.net Darknet: 78.46.45.179 exceeded connection attempt threshold to tcp:5900 11 times in a 30 minute period
- /var/log/messages:May 25 18:27:27 darknet.superb.net Darknet: 78.46.45.179 exceeded connection attempt threshold to tcp:5900 12 times in a 30 minute period
- ---------------------------------------------
- Dear Mr Boris Umitbaev,
- We have received information about spam or abuse from DL-SecHaMASAC@att.com . Please take all necessary measures to avoid this in the future.
- Furthermore we request that you send a short response within 24 hours to us and to the complainant. This response should contain information about how this could have happened and what you intend to do about it.
- How to proceed:
- - Solve the problem
- - Send a response to us: Use the following link: http://abuse.hetzner.de/statements/?token=76e88f9d851771468e2f61800bebfcae
- - Send a response by email to the complainant
- A technician will check the data and coordinate further proceeding. If we have received many complaints, the situation can lead to a server blocking.
- Important note:
- When you reply to us, please leave the abuse ID [AbuseID:07881D:25] unchanged in the subject line.
- Best Regards,
- Sandra Kreidl
- Hetzner Online AG
- Stuttgarter Str. 1
- 91710 Gunzenhausen
- Tel: +49 [0] 9831 610061
- Fax: +49 [0] 9831 61006-2
- abuse@hetzner.de
- www.hetzner.de
- Register Court: Registergericht Ansbach, HRB 3204
- Management Board: Dipl. Ing. (FH) Martin Hetzner
- Chairwoman of the Supervisory Board: Diana Rothhan
- ----- attachment -----
- Return-path: < root@msuiaids3.usi.net >
- Envelope-to: abuse@your-server.de
- Delivery-date: Fri, 25 May 2012 21:49:26 +0200
- Received: from [209.135.36.206] (helo=mdsxaes01.usi.net)
- by lms.your-server.de with esmtps (TLSv1:AES256-SHA:256)
- (Exim 4.74)
- (envelope-from < root@msuiaids3.usi.net >)
- id 1SY0Vg-0001UE-0d; Fri, 25 May 2012 21:49:26 +0200
- Received: from msuiaids3.usi.net ( msuiaids3.usi.net [209.135.51.108])
- by mdsxaes01.usi.net (Postfix) with ESMTP id C01DD4C1C4B;
- Fri, 25 May 2012 15:49:06 -0400 (EDT)
- Received: (from root@localhost)
- by msuiaids3.usi.net (8.12.11.20060308/8.12.11/Submit) id q4PJn65C009422;
- Fri, 25 May 2012 15:49:06 -0400
- Date: Fri, 25 May 2012 15:49:06 -0400
- Message-Id: < 201205251949.q4PJn65C009422@msuiaids3.usi.net >
- From: DL-SecHaMASAC@att.com
- To: abuse@hetzner.de , abuse@your-server.de , postmaster@your-server.de
- CC: DL-SecHaMASAC@att.com
- Subject: Security incident originating from your network - 78.46.45.179 (ID#120525-3T63)
- X-Virus-Scanned: Clear (ClamAV 0.97.3/14964/Fri May 25 20:19:31 2012)
- X-Spam-Score: -1.0 (-)
- Delivered-To: he1-abuse@your-server.de
- To the hetzner.de/your-server.de security or network administrators,
- Hello from AT&T Hosting and Applications Services. I am a Security Engineer here trying to track down a security incident that appears to have originated from your network on May 25, 2012. Please investigate a TCP sweep of port 5900 from the IP 78.46.45.179 (static.179.45.46.78.clients.your-server.de) and inform me of the results (account cancelled, user warned, etc). I will require this information in order to close the ticket on this activity. I have attached a portion of the log details as evidence. All times are EDT (GMT -4).
- (NOTE: This is an automated email response to the incoming scan/attack.)
- 15:45:07 78.46.45.179 0.0.0.0 [TCP-SWEEP] (total=64,dp=5900,min=209.135.33.1,max=209.135.50.251,May25-15:45:03,May25-15:45:03) (USI-neids1)
- AT&T Hosting and Application Services Information Assurance Group
- DL-SecHaMASAC@att.com