a guest
Jun 18th, 2018
Fwd: [6.18.2018 41838585] Suspicious Activity Originating from Your Cox.net IP Address

---------- Forwarded message ---------
From: Cox Customer Safety <abuse@cox.net>
Date: Mon, Jun 18, 2018, 7:36 AM
Subject: [6.18.2018 41838585] Suspicious Activity Originating from Your Cox.net IP Address
To: <REDACTED@cox.net>, <REDACTED@gmail.com>

Dear Subscriber,

We have received data or complaints showing a possible attack, probe or trojan-generated spam activity originating from your Cox.net IP address. Details of this activity are included below.

If you are unaware of how this occurred, we suggest that you speak with any other persons with whom you may share your Cox Internet Service. If you are operating a wireless network, we recommend enabling encryption to prevent unauthorized parties from using your service. You should also update your anti-virus software and run a full scan on your systems.

You might also try scanning your systems with these free trojan removal tools:

Malware Bytes
http://www.malwarebytes.org/

Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/

Thank you for your prompt attention to this matter.

- Cox Customer Safety

* Periodically Cox sends emails about changes in our service that affect you. Please note that if you unsubscribe from promotional emails, we will continue to send you important or time-sensitive email messages about your service such as this. Cox will never send you an email asking for your personal information, such as passwords.

--- The following material was provided to us as evidence ---

[Part 0:0 (plain text)]

Dear Provider,

I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to inform you that we have detected malicious requests from the IP 72.195.209.215 directed at our clients’ servers.

As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers.

Servers are increasingly exposed as the targets of botnet attacks and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet.

I've collected the 3 earliest logs below, and you can find the freshest 100, which may help you disinfect your server, under the link:
http://bitninja.io/incidentReport.php?details=a224f06adb808375e5?utm_source=incident&utm_content=publicpage
The timezone is UTC +1:00.
  52.  
{
"PORT HIT": "72.195.209.215:47300->X.X.X.X:23",
"MESSAGES": "Array
(
[09:56:08] => enable
system
shell
sh

[09:56:08+1] => cat /proc/mounts; /bin/busybox ANTCU

)
"
}

{
"PORT HIT": "72.195.209.215:39173->X.X.X.X:23",
"MESSAGES": "Array
(
[17:04:52] => enable
system
shell
sh

[17:04:52+1] => cat /proc/mounts; /bin/busybox UYUNA

)
"
}

{
"PORT HIT": "72.195.209.215:55960->X.X.X.X:23",
"MESSAGES": "Array
(
[12:03:38] => enable
system
shell
sh

[12:03:38+1] => cat /proc/mounts; /bin/busybox EBGBL

)
"
}
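
The three evidence records above share one command sequence: a router-CLI escape (enable, system, shell, sh) followed by cat /proc/mounts and /bin/busybox with a random upper-case token, which is how Mirai-family telnet scanners confirm they have reached a BusyBox shell (the token comes back as "<TOKEN>: applet not found"). The parser below is an added example for defenders triaging such reports, not part of the forwarded message or of BitNinja's tooling; it assumes the record layout shown above, uses a constructed single-record sample, and treats ports 23 and 2323 as telnet.

```python
import re

# Constructed sample in the format of the BitNinja "PORT HIT" records quoted above
# (one record; X.X.X.X is the report's own masking of the victim address).
SAMPLE = '''{
"PORT HIT": "72.195.209.215:47300->X.X.X.X:23",
"MESSAGES": "Array
(
[09:56:08] => enable
system
shell
sh

[09:56:08+1] => cat /proc/mounts; /bin/busybox ANTCU

)
"
}'''

PORT_HIT = re.compile(
    r'"PORT HIT":\s*"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:"]+):(?P<dport>\d+)"')
# Mirai-family telnet scanners confirm a BusyBox shell by running
# "/bin/busybox <RANDOM UPPERCASE TOKEN>" and waiting for "<TOKEN>: applet not found".
BUSYBOX_PROBE = re.compile(r'/bin/busybox\s+([A-Z]{4,8})\b')
SHELL_ESCAPE = ['enable', 'system', 'shell', 'sh']  # router CLI -> raw shell sequence

def split_records(text):
    """Split concatenated records (the report glues them as '}{') into one string each."""
    return re.findall(r'\{.*?\n\}', text, re.S)

def parse_record(text):
    """Return endpoints and the list of individual commands sent in one record."""
    m = PORT_HIT.search(text)
    if not m:
        return None
    body = text.split('"MESSAGES": "Array', 1)[1]
    cmds = []
    for line in body.splitlines():
        line = re.sub(r'^\[[^\]]+\]\s*=>\s*', '', line.strip())  # drop "[HH:MM:SS] =>"
        if line and line not in ('(', ')', '"', '}'):
            cmds.extend(c.strip() for c in line.split(';') if c.strip())
    return {'src': m['src'], 'sport': int(m['sport']), 'dport': int(m['dport']), 'cmds': cmds}

def classify(rec):
    """Label a record that carries the telnet shell-escape + BusyBox-probe fingerprint."""
    tokens = [t for c in rec['cmds'] for t in BUSYBOX_PROBE.findall(c)]
    if rec['dport'] in (23, 2323) and tokens and all(s in rec['cmds'] for s in SHELL_ESCAPE):
        return 'iot-botnet-telnet-probe', tokens
    return 'unclassified', tokens
```

Run over a full report, the classifier separates the probe records from the benign traffic BitNinja keeps logging while the address sits on the greylist; the source port and token differ per record, the command sequence does not.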
  93.  
Please keep in mind that after the first intrusion we log all traffic between your server and the BitNinja-protected servers until the IP is removed from the greylist. This means you may see valid logs beside the malicious actions in the link above. If you need help finding the malicious logs, please don’t hesitate to contact our incident experts by replying to this e-mail.

For more information on analyzing and understanding outbound traffic, check out this:
https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?utm_source=incident&utm_campaign=investigation&utm_content=image

We’ve also dedicated an entire site to help people prevent their server from sending malicious attacks:
https://doc.bitninja.io/investigations.html?utm_source=incident&utm_campaign=investigation&utm_content=documentation

Thank you for helping us make the Internet a safer place!

Regards,

George Egri
CEO at BitNinja.io

BitNinja.io @ BusinessInsider UK
BitNinja.io hits the WHIR.com
BitNinja @ CodeMash conference