Dear Vova Kuchkovskiy,
We have received information regarding spam and/or abuse from botnet.tracker@gmail.com.
This is an information email only and does not require any further action on your part.
It is your choice whether or not to investigate the complaint.
We do not expect any response.
Information:
Hello,
This is a notification of unauthorized uses of systems or networks.
Some IP addresses from your networks probed my servers for TCP
open ports. Due to their dubious behavior, they are suspected to be
compromised botnet computers.
The log of TCP port scans is included below for your reference
(time zone is UTC). To prevent this mail from getting too big in size,
at most 5 attempts from each attacker IP are included. Those connection
attempts have all passed TCP’s 3-way handshake, so you can trust the source
IP addresses to be correct.
If you regularly collect IP traffic information of your network, you will see
the IPs listed connected to various TCP ports of my server at the time logged,
and I suspect that they also connected to TCP ports of many other IPs.
If a Linux system was at the attacker’s IP, you might want to use the
command «netstat -ntp» to list its active network connections. If there
is still some suspicious connection, find out what PID/program/user ID they
belong to. You might find something to help you solve this problem.
Please notify the victims (owners of those botnet computers) so that they
can take appropriate action to clean their computers, before even
more severe incidents, like data leakage, DDoS, and the rumored NSA spying
through hijacked botnets, arise. This also helps prevent botnets from
taking up your network bandwidth.
Chih-Cherng Chin
Daily Botnet Statistics
—- log of TCP port scans (time zone is UTC; sent to abuse@hetzner.com) —-
——————————————————————————-
(time in UTC)=2020-12-26T11:45:35 (attacker’s IP)=135.181.77.57 (IP being scanned)=140^238^215^81 (TCP port being scanned)=3389
(time in UTC)=2020-12-26T12:34:15 (attacker’s IP)=135.181.77.57 (IP being scanned)=140^238^172^100 (TCP port being scanned)=3389
(time in UTC)=2020-12-26T16:50:29 (attacker’s IP)=135.181.77.57 (IP being scanned)=185^219^132^53 (TCP port being scanned)=3389
(time in UTC)=2020-12-25T14:38:41 (attacker’s IP)=135.181.77.57 (IP being scanned)=23^95^215^146 (TCP port being scanned)=3389
(time in UTC)=2020-12-25T16:39:10 (attacker’s IP)=135.181.77.57 (IP being scanned)=66^23^246^124 (TCP port being scanned)=3389
(time in UTC)=2020-12-23T15:24:26 (attacker’s IP)=135.181.77.57 (IP being scanned)=185^164^137^31 (TCP port being scanned)=3389
Important note:
When replying to us, please leave the abuse ID [AbuseID:7D9AB1:15] unchanged in the subject line.
