We have received an abuse report regarding network attacks for your IP address 65.21.34.188.
Please check the report for details and fix any (potential) problems:
——
Description:
————————————
We have detected unauthorized access to our services from the IP address: 65.21.34.188. This IP address accessed multiple servers via SFTP. To access our services they used credentials previously stolen from one of our users in an incident that occurred during the week of October 13-17.
So we believe that the IP address may also be compromised.
————————————
Log extract:
————————————
Nov 29 11:52:51 slucia sshd[7028]: Did not receive identification string from 65.21.34.188 port 57882
Nov 29 11:52:51 slucia sshd[7031]: Accepted password for santalucia from 65.21.34.188 port 58216 ssh2
Nov 29 11:52:51 slucia sshd[7031]: pam_unix(sshd:session): session opened for user santalucia by (uid=0)
Nov 29 11:52:51 slucia systemd-logind[598]: New session 129971 of user santalucia.
Nov 29 11:52:51 slucia systemd: pam_unix(systemd-user:session): session opened for user santalucia by (uid=0)
——
LOG IS TRUNCATED
——
Nov 29 11:57:56 hserver01 sshd[21844]: Did not receive identification string from 65.21.34.188 port 58275
Nov 29 11:57:56 hserver01 sshd[21846]: Accepted password for sodexo from 65.21.34.188 port 58582 ssh2
Nov 29 11:57:56 hserver01 sshd[21846]: pam_unix(sshd:session): session opened for user sodexo by (uid=0)
Nov 29 11:57:56 hserver01 systemd-logind[601]: New session 1709024 of user sodexo.
Nov 29 11:57:57 hserver01 sftp-server[21853]: session opened for local user sodexo from [65.21.34.188]
Nov 29 11:57:57 hserver01 sftp-server[21853]: received client version 3
Nov 29 11:57:57 hserver01 sftp-server[21853]: stat name «/var/www»
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «/var/www»
Nov 29 11:57:57 hserver01 sftp-server[21853]: closedir «/var/www»
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «/var/www/html»
Nov 29 11:57:57 hserver01 sftp-server[21853]: closedir «/var/www/html»
Nov 29 11:57:57 hserver01 sftp-server[21853]: remove name «/var/www/html/index.html»
Nov 29 11:57:57 hserver01 sftp-server[21853]: sent status Permission denied
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «/»
Nov 29 11:57:57 hserver01 sftp-server[21853]: closedir «/»
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «//initrd.img.old»
Nov 29 11:57:57 hserver01 sftp-server[21853]: sent status No such file
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «//vmlinuz.old»
Nov 29 11:57:57 hserver01 sftp-server[21853]: sent status No such file
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «//initrd.img»
Nov 29 11:57:57 hserver01 sftp-server[21853]: sent status No such file
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «//www»
Nov 29 11:57:57 hserver01 sftp-server[21853]: closedir «//www»
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net»
Nov 29 11:57:57 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net»
Nov 29 11:57:57 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/logs»
Nov 29 11:57:57 hserver01 sftp-server[21853]: sent status Permission denied
Nov 29 11:57:58 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs»
Nov 29 11:57:58 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs»
Nov 29 11:57:58 hserver01 sftp-server[21853]: remove name «//www/sodexo.altabox.net/htdocs/index.html»
Nov 29 11:57:58 hserver01 sftp-server[21853]: remove name «//www/sodexo.altabox.net/htdocs/index.html»
Nov 29 11:57:58 hserver01 sftp-server[21853]: sent status No such file
Nov 29 11:57:58 hserver01 sftp-server[21853]: open «//www/sodexo.altabox.net/htdocs/index.html» flags WRITE,CREATE,TRUNCATE mode 0666
Nov 29 11:57:58 hserver01 sftp-server[21853]: close «//www/sodexo.altabox.net/htdocs/index.html» bytes read 0 written 177
Nov 29 11:57:58 hserver01 sftp-server[21853]: stat name «//www/sodexo.altabox.net/htdocs/index.html»
Nov 29 11:57:58 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/video»
Nov 29 11:57:58 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/video»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa»
Nov 29 11:57:59 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/lacaixa»
Nov 29 11:57:59 hserver01 sftp-server[21853]: remove name «//www/sodexo.altabox.net/htdocs/lacaixa/index.html»
Nov 29 11:57:59 hserver01 sftp-server[21853]: remove name «//www/sodexo.altabox.net/htdocs/lacaixa/index.html»
Nov 29 11:57:59 hserver01 sftp-server[21853]: sent status No such file
Nov 29 11:57:59 hserver01 sftp-server[21853]: open «//www/sodexo.altabox.net/htdocs/lacaixa/index.html» flags WRITE,CREATE,TRUNCATE mode 0666
Nov 29 11:57:59 hserver01 sftp-server[21853]: close «//www/sodexo.altabox.net/htdocs/lacaixa/index.html» bytes read 0 written 177
Nov 29 11:57:59 hserver01 sftp-server[21853]: stat name «//www/sodexo.altabox.net/htdocs/lacaixa/index.html»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa/video»
Nov 29 11:57:59 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/lacaixa/video»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa/js»
Nov 29 11:57:59 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/lacaixa/js»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa/images»
Nov 29 11:57:59 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/lacaixa/images»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa/fonts»
Nov 29 11:57:59 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/lacaixa/fonts»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa/css»
Nov 29 11:57:59 hserver01 sftp-server[21853]: closedir «//www/sodexo.altabox.net/htdocs/lacaixa/css»
Nov 29 11:57:59 hserver01 sftp-server[21853]: opendir «//www/sodexo.altabox.net/htdocs/lacaixa/apk»
————————————
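The sftp-server lines above have a recognisable shape: a password login, a directory walk, and then `remove name` / `open … WRITE,CREATE,TRUNCATE` / `close … written N` on one `index.html` after another, each with the same byte count. Whoever receives a report like this (the hosting provider of the reported IP, or the owner of the targeted servers) wants to pull that pattern out of their own logs quickly. The script below is an added example, not part of the report or written by its sender; it parses OpenSSH sftp-server log lines in the format shown, groups them by process id, and flags sessions that replaced two or more default documents. The sample log is constructed for the example (documentation IP 192.0.2.10, invented host, user and paths) and follows the same format as the report's extract; the report's paths appear in « », which is most likely a copy artifact since sftp-server itself logs them in double quotes, so the parser accepts both.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the sshd / sftp-server format of the report (hostname, user,
# paths and the documentation IPs 192.0.2.10 / 192.0.2.77 are invented for this example).
SAMPLE_LOG = """\
Nov 29 11:57:56 webhost sshd[21846]: Accepted password for webuser from 192.0.2.10 port 58582 ssh2
Nov 29 11:57:57 webhost sftp-server[21853]: session opened for local user webuser from [192.0.2.10]
Nov 29 11:57:57 webhost sftp-server[21853]: received client version 3
Nov 29 11:57:57 webhost sftp-server[21853]: opendir "/www/example.test/htdocs"
Nov 29 11:57:57 webhost sftp-server[21853]: closedir "/www/example.test/htdocs"
Nov 29 11:57:58 webhost sftp-server[21853]: remove name "/www/example.test/htdocs/index.html"
Nov 29 11:57:58 webhost sftp-server[21853]: open "/www/example.test/htdocs/index.html" flags WRITE,CREATE,TRUNCATE mode 0666
Nov 29 11:57:58 webhost sftp-server[21853]: close "/www/example.test/htdocs/index.html" bytes read 0 written 177
Nov 29 11:57:59 webhost sftp-server[21853]: open "/www/example.test/htdocs/shop/index.html" flags WRITE,CREATE,TRUNCATE mode 0666
Nov 29 11:57:59 webhost sftp-server[21853]: close "/www/example.test/htdocs/shop/index.html" bytes read 0 written 177
Nov 29 12:10:03 webhost sftp-server[22010]: session opened for local user deploy from [192.0.2.77]
Nov 29 12:10:04 webhost sftp-server[22010]: open "/www/example.test/htdocs/assets/app.css" flags WRITE,CREATE,TRUNCATE mode 0644
Nov 29 12:10:04 webhost sftp-server[22010]: close "/www/example.test/htdocs/assets/app.css" bytes read 0 written 4096
"""

# Paths are accepted in double quotes (what sftp-server writes) or in « » (as in the report).
_PATH = r'[«"](?P<path>[^»"]+)[»"]'
SESSION_RE = re.compile(r'sftp-server\[(?P<pid>\d+)\]: session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
OPEN_RE = re.compile(r'sftp-server\[(?P<pid>\d+)\]: open ' + _PATH + r' flags (?P<flags>\S+)')
CLOSE_RE = re.compile(r'sftp-server\[(?P<pid>\d+)\]: close ' + _PATH + r' bytes read (?P<read>\d+) written (?P<written>\d+)')
REMOVE_RE = re.compile(r'sftp-server\[(?P<pid>\d+)\]: remove name ' + _PATH)

# Files a web server serves as a directory's default document. Replacing several of
# them in one short session is the defacement pattern visible in the report's log.
DEFAULT_DOCS = ("index.html", "index.htm", "index.php")


@dataclass
class SftpSession:
    pid: str
    user: str = "?"
    ip: str = "?"
    removed: list = field(default_factory=list)      # paths passed to "remove name"
    overwritten: list = field(default_factory=list)  # (path, bytes written) for truncating writes
    pending: dict = field(default_factory=dict)      # path -> flags of an open not yet closed

    def default_doc_writes(self):
        return [(p, n) for p, n in self.overwritten if p.rsplit("/", 1)[-1] in DEFAULT_DOCS]

    def same_payload_size(self):
        # Identical byte counts across files point at one templated page being dropped
        # everywhere (177 bytes in every close line of the report above).
        sizes = {n for _, n in self.default_doc_writes()}
        return len(self.default_doc_writes()) > 1 and len(sizes) == 1


def parse_sessions(log_text):
    """Group sftp-server events by process id, pairing each open with its close."""
    sessions = {}
    for line in log_text.splitlines():
        for rx in (SESSION_RE, OPEN_RE, CLOSE_RE, REMOVE_RE):
            m = rx.search(line)
            if not m:
                continue
            s = sessions.setdefault(m["pid"], SftpSession(m["pid"]))
            if rx is SESSION_RE:
                s.user, s.ip = m["user"], m["ip"]
            elif rx is OPEN_RE:
                s.pending[m["path"]] = set(m["flags"].split(","))
            elif rx is CLOSE_RE:
                flags = s.pending.pop(m["path"], set())
                if {"WRITE", "TRUNCATE"} <= flags:   # only content replacement, not reads
                    s.overwritten.append((m["path"], int(m["written"])))
            else:
                s.removed.append(m["path"])
            break
    return sessions


def flag_defacements(log_text, min_files=2):
    """Return {pid: summary} for sessions that replaced at least min_files default documents."""
    flagged = {}
    for pid, s in parse_sessions(log_text).items():
        docs = s.default_doc_writes()
        if len(docs) >= min_files:
            flagged[pid] = {
                "user": s.user,
                "source_ip": s.ip,
                "files": [p for p, _ in docs],
                "removed_first": sum(1 for p, _ in docs if p in s.removed),
                "same_payload_size": s.same_payload_size(),
            }
    return flagged


if __name__ == "__main__":
    for pid, info in flag_defacements(SAMPLE_LOG).items():
        print(f"sftp-server[{pid}] user={info['user']} from {info['source_ip']}: "
              f"{len(info['files'])} default documents replaced, "
              f"same size={info['same_payload_size']}")
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) on the affected hosts to list every session that fits the pattern, then cross-check the source IP and user against the `Accepted password` lines to see which stolen credentials were used. The deploy session in the sample is deliberately not flagged: a truncating write to a stylesheet is normal deployment traffic, and the threshold on default documents keeps the check quiet for that.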