
Untitled

a guest
May 29th, 2012
  1. We have received information about spam or abuse from esp@blockbuster.com . Please take all necessary measures to avoid this in the future.
  2.  
  3. Furthermore we request that you send a short response within 24 hours to us and to the complainant. This response should contain information about how this could have happened and what you intend to do about it.
  4.  
  5. How to proceed:
  6. - Solve the problem
  7. - Send a response to us: Use the following link: http://abuse.hetzner.de/statements/?token=93f2a1cdea7d209ca50608e324527297
  8. - Send a response by email to the complainant
  9.  
  10. A technician will check the data and coordinate further proceeding. If we have received many complaints the situation can lead to a server blocking.
  11.  
  12. Important note:
  13. When you reply to us, please leave the abuse ID [AbuseID:078848:1A] unchanged in the subject line.
  14.  
  15.  
  16. Best Regards,
  17.  
  18. Sandra Kreidl
  19.  
  20. Hetzner Online AG
  21. Stuttgarter Str. 1
  22. 91710 Gunzenhausen
  23. Tel: +49 [0] 9831 610061
  24. Fax: +49 [0] 9831 61006-2
  25. abuse@hetzner.de
  26. www.hetzner.de
  27.  
  28. Register Court: Registergericht Ansbach, HRB 3204
  29. Management Board: Dipl. Ing. (FH) Martin Hetzner
  30. Chairwoman of the Supervisory Board: Diana Rothhan
  31.  
  32. ----- attachment -----
  33.  
  34. Return-path: < esp@blockbuster.com >
  35. Envelope-to: abuse@hetzner.de
  36. Delivery-date: Fri, 25 May 2012 16:40:36 +0200
  37. Received: from [64.18.1.191] (helo=exprod6og106.obsmtp.com)
  38. by lms.your-server.de with smtps (TLSv1:AES256-SHA:256)
  39. (Exim 4.74)
  40. (envelope-from < esp@blockbuster.com >)
  41. id 1SXvga-0004G9-NG
  42. for abuse@hetzner.de ; Fri, 25 May 2012 16:40:35 +0200
  43. Received: from MER2-BBCASHUB2.usa.Blockbuster.com ([204.76.128.15]) by exprod6ob106.postini.com ([64.18.5.12]) with SMTP
  44. ID DSNKT7+ZwgTNXt1OgXw8hkuXFFRhh2/fh9om@postini.com ; Fri, 25 May 2012 07:40:07 PDT
  45. Received: from MCU.localdomain (10.194.222.70) by
  46. MER2-BBCASHUB2.usa.Blockbuster.com (10.50.106.51) with Microsoft SMTP Server
  47. id 14.1.323.3; Fri, 25 May 2012 08:40:01 -0600
  48. Received: from localhost.localdomain (fe80023048fffe93a9b2 [127.0.0.1]) by
  49. MCU.localdomain (8.12.11/8.12.11) with ESMTP id q4PEe0Db029859; Fri, 25 May
  50. 2012 09:40:01 -0500
  51. Message-ID: < 201205251440.q4PEe0Db029859@MCU.localdomain >
  52. Content-Type: multipart/related; boundary="_----------=_1337956800298360"
  53. MIME-Version: 1.0
  54. X-Mailer: MIME::Lite 3.01 (F2.73; B3.08; Q3.08)
  55. Date: Fri, 25 May 2012 14:40:00 +0000
  56. From: < esp@blockbuster.com >
  57. To: < abuse@hetzner.de >
  58. Subject: Abuse report:
  59. CC: < scc@globaldataguard.com >
  60. Reply-To: < scc@globaldataguard.com >
  61. X-Virus-Scanned: Clear (ClamAV 0.97.3/14962/Fri May 25 09:19:04 2012)
  62. X-Spam-Score: -1.0 (-)
  63. Delivered-To: he1-abuse@hetzner.de
  64.  
  65. --_----------=_1337956800298360
  66. Content-Disposition: inline
  67. Content-Length: 1329
  68. Content-Transfer-Encoding: quoted-printable
  69. Content-Type: text/plain
  70.  
  71. To Whom it May Concern,
  72.  
  73. You have a system on your network that is actively scanning and/or attackin=
  74. g external sites on the Internet. This can come from many sources and beca=
  75. use it is often difficult to detect this activity, we are sending this E-ma=
  76. il in an attempt to help you solve the problem.
  77.  
  78. We have detected your system with an IP of, 78.46.45.179, scanning a client=
  79. we monitor. This was not a short attack but a prolonged scan and/or probe=
  80. that was designed to find and intrude into the target network.
  81.  
  82. This may be someone on your network who is actively trying to hack others. =
  83. This person may be a legitimate user on your network or it may be that this=
  84. system has been compromised and is being used by someone to hack others. I=
  85. t is also likely that the system is running automated tools that have been =
  86. installed to perform these actions without any human intervention.
  87.  
  88. Below is the information about the attack. Keep in mind that the source IP=
  89. of our client has been sanitized for anonymity.
  90.  
  91. Date: 2012-05-25
  92. Time: 09:23:39
  93. Time Zone: America/Chicago
  94. Source(s): 78.46.45.179
  95. Type of Attack/Scan: Generic
  96. Hosts: 10.10.10.173
  97.  
  98. Log:
  99. 78.46.45.179:65361 > 10.10.10.173:5900
  100.  
  101. Possible Cause:
  102. Infected Computer.
  103. Malicious User.=20
  104.  
  105. Thank you for your attention to this matter,
  106. Global DataGuard
  107. email: esp@blockbuster.com =20
  108.  
  109.  
  110.  
  111. The information transmitted is intended only for the person or entity to
  112. which it is addressed and may contain confidential and/or privileged
  113. material. If the reader of this message is not the intended recipient,
  114. you are hereby notified that your access is unauthorized, and any review,=
  115.  
  116. dissemination, distribution or copying of this message including any
  117. attachments is strictly prohibited. If you are not the intended
  118. recipient, please contact the sender and delete the material from any
  119. computer.
  120. =0D
  121. --_----------=_1337956800298360--
  122.  
  123. Dear Mr Boris Umitbaev,
  124.  
  125. We have received information about spam or abuse from no-auto-reponses@hopone.net . Please take all necessary measures to avoid this in the future.
  126.  
  127. Furthermore we request that you send a short response within 24 hours to us and to the complainant. This response should contain information about how this could have happened and what you intend to do about it.
  128.  
  129. How to proceed:
  130. - Solve the problem
  131. - Send a response to us: Use the following link: http://abuse.hetzner.de/statements/?token=ba34a7683538efaced61d11600943e1a
  132. - Send a response by email to the complainant
  133.  
  134. A technician will check the data and coordinate further proceeding. If we have received many complaints the situation can lead to a server blocking.
  135.  
  136. Important note:
  137. When you reply to us, please leave the abuse ID [AbuseID:078844:1F] unchanged in the subject line.
  138.  
  139.  
  140. Best Regards,
  141.  
  142. Sandra Kreidl
  143.  
  144. Hetzner Online AG
  145. Stuttgarter Str. 1
  146. 91710 Gunzenhausen
  147. Tel: +49 [0] 9831 610061
  148. Fax: +49 [0] 9831 61006-2
  149. abuse@hetzner.de
  150. www.hetzner.de
  151.  
  152. Register Court: Registergericht Ansbach, HRB 3204
  153. Management Board: Dipl. Ing. (FH) Martin Hetzner
  154. Chairwoman of the Supervisory Board: Diana Rothhan
  155.  
  156. ----- attachment -----
  157.  
  158. Return-path: < no-auto-reponses@hopone.net >
  159. Envelope-to: abuse@hetzner.de
  160. Delivery-date: Sat, 26 May 2012 00:28:07 +0200
  161. Received: from [66.36.226.55] (helo=loghost.dca2.superb.net)
  162. by lms.your-server.de with esmtps (TLSv1:AES256-SHA:256)
  163. (Exim 4.74)
  164. (envelope-from < no-auto-reponses@hopone.net >)
  165. id 1SY2zE-00081A-67
  166. for abuse@hetzner.de ; Sat, 26 May 2012 00:28:07 +0200
  167. Received: from loghost.dca2.superb.net ( loghost.dca2.superb.net [127.0.0.1])
  168. by loghost.dca2.superb.net (8.13.8/8.13.8) with ESMTP id q4PMRj85002406;
  169. Fri, 25 May 2012 18:27:45 -0400
  170. Received: (from root@localhost)
  171. by loghost.dca2.superb.net (8.13.8/8.13.8/Submit) id q4PMRj1j002403;
  172. Fri, 25 May 2012 18:27:45 -0400
  173. Date: Fri, 25 May 2012 18:27:45 -0400
  174. Message-Id: < 201205252227.q4PMRj1j002403@loghost.dca2.superb.net >
  175. From: no-auto-reponses@hopone.net
  176. To: abuse@hetzner.de
  177. Subject: Abuse from your IP address - 78.46.45.179
  178. X-Virus-Scanned: Clear (ClamAV 0.97.3/14965/Fri May 25 22:19:14 2012)
  179. X-Spam-Score: 1.3 (+)
  180. Delivered-To: he1-abuse@hetzner.de
  181.  
  182. Hello Networking/Systems Admin,
  183.  
  184. We have detected abuse from the IP address 78.46.45.179 which, according to a whois lookup, is on your network. We would appreciate if you would investigate and take action as appropriate.
  185.  
  186. ** THIS IP ADDRESS IS NULL ROUTED on our entire network, including peering and transit, for a period of time not exceeding 24 hours from the date and time of this email. YOU ARE NOT REQUIRED to reply to this email unless you need more information.
  187.  
  188. You can see more information on this incident by reviewing the data at http://darknet.superb.net/ip/78.46.45.179 and log lines are given below. Please ask if you require any further information.
  189.  
  190. You may contact us at sec_reply@hopone.net
  191.  
  192. (If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
  193.  
  194. Note: Local timezone is -0400 (EDT)
  195. /var/log/messages:May 25 10:27:26 darknet.superb.net Darknet: 78.46.45.179 exceeded connection attempt threshold to tcp:5900 11 times in a 30 minute period
  196. /var/log/messages:May 25 18:27:27 darknet.superb.net Darknet: 78.46.45.179 exceeded connection attempt threshold to tcp:5900 12 times in a 30 minute period
  197.  
  198.  
  199. ---------------------------------------------
  200.  
  201.  
  202. Dear Mr Boris Umitbaev,
  203.  
  204. We have received information about spam or abuse from DL-SecHaMASAC@att.com . Please take all necessary measures to avoid this in the future.
  205.  
  206. Furthermore we request that you send a short response within 24 hours to us and to the complainant. This response should contain information about how this could have happened and what you intend to do about it.
  207.  
  208. How to proceed:
  209. - Solve the problem
  210. - Send a response to us: Use the following link: http://abuse.hetzner.de/statements/?token=76e88f9d851771468e2f61800bebfcae
  211. - Send a response by email to the complainant
  212.  
  213. A technician will check the data and coordinate further proceeding. If we have received many complaints the situation can lead to a server blocking.
  214.  
  215. Important note:
  216. When you reply to us, please leave the abuse ID [AbuseID:07881D:25] unchanged in the subject line.
  217.  
  218.  
  219. Best Regards,
  220.  
  221. Sandra Kreidl
  222.  
  223. Hetzner Online AG
  224. Stuttgarter Str. 1
  225. 91710 Gunzenhausen
  226. Tel: +49 [0] 9831 610061
  227. Fax: +49 [0] 9831 61006-2
  228. abuse@hetzner.de
  229. www.hetzner.de
  230.  
  231. Register Court: Registergericht Ansbach, HRB 3204
  232. Management Board: Dipl. Ing. (FH) Martin Hetzner
  233. Chairwoman of the Supervisory Board: Diana Rothhan
  234.  
  235. ----- attachment -----
  236.  
  237. Return-path: < root@msuiaids3.usi.net >
  238. Envelope-to: abuse@your-server.de
  239. Delivery-date: Fri, 25 May 2012 21:49:26 +0200
  240. Received: from [209.135.36.206] (helo=mdsxaes01.usi.net)
  241. by lms.your-server.de with esmtps (TLSv1:AES256-SHA:256)
  242. (Exim 4.74)
  243. (envelope-from < root@msuiaids3.usi.net >)
  244. id 1SY0Vg-0001UE-0d; Fri, 25 May 2012 21:49:26 +0200
  245. Received: from msuiaids3.usi.net ( msuiaids3.usi.net [209.135.51.108])
  246. by mdsxaes01.usi.net (Postfix) with ESMTP id C01DD4C1C4B;
  247. Fri, 25 May 2012 15:49:06 -0400 (EDT)
  248. Received: (from root@localhost)
  249. by msuiaids3.usi.net (8.12.11.20060308/8.12.11/Submit) id q4PJn65C009422;
  250. Fri, 25 May 2012 15:49:06 -0400
  251. Date: Fri, 25 May 2012 15:49:06 -0400
  252. Message-Id: < 201205251949.q4PJn65C009422@msuiaids3.usi.net >
  253. From: DL-SecHaMASAC@att.com
  254. To: abuse@hetzner.de , abuse@your-server.de , postmaster@your-server.de
  255. CC: DL-SecHaMASAC@att.com
  256. Subject: Security incident originating from your network - 78.46.45.179 (ID#120525-3T63)
  257. X-Virus-Scanned: Clear (ClamAV 0.97.3/14964/Fri May 25 20:19:31 2012)
  258. X-Spam-Score: -1.0 (-)
  259. Delivered-To: he1-abuse@your-server.de
  260.  
  261. To the hetzner.de/your-server.de security or network administrators,
  262.  
  263. Hello from AT&T Hosting and Applications Services. I am a Security Engineer here trying to track down a security incident that appears to have originated from your network on May 25, 2012. Please investigate a TCP sweep of port 5900 from the IP 78.46.45.179 (static.179.45.46.78.clients.your-server.de) and inform me of the results (account cancelled, user warned, etc). I will require this information in order to close the ticket on this activity. I have attached a portion of the log details as evidence. All times are EDT (GMT -4).
  264.  
  265. (NOTE: This is an automated email response to the incoming scan/attack.)
  266.  
  267. 15:45:07 78.46.45.179 0.0.0.0 [TCP-SWEEP] (total=64,dp=5900,min=209.135.33.1,max=209.135.50.251,May25-15:45:03,May25-15:45:03) (USI-neids1)
  268.  
  269.  
  270. AT&T Hosting and Application Services Information Assurance Group
  271. DL-SecHaMASAC@att.com