The malicious IP was found to be running an Internet Relay Chat (IRC) bot, potentially spreading malware or launching Distributed Denial-of-Service (DDoS) attacks.

This IP belongs to CHS.

This IP is linked to the distribution of commercial keyloggers designed to capture users' keystrokes.

The IP attempted to mark emails as read on the POP3 server without authorization.

The IP attempted to flood the Apache server with requests, in a Denial of Service (DoS) attack.

Multiple requests with the same If-Range header.

The IP made repeated attempts to authenticate with the SIP server using different usernames.

Multiple requests with the same Origin header.

The IP was caught distributing VoIP crackers to exploit our communication channels.

The IP made multiple requests with the same If-Match header.

This IP belongs to American Express.

This malicious IP was reported for attempting a FTP Bounce attack, exploiting the FTP protocol's proxy command to scan ports and networks.

User-mode rootkits, originating from the particular IP, were causing system instability and crashes.

A dangerous data surveillance spyware was tied back to this IP.

The IP was involved in a SIP Message Tampering attack, altering SIP messages in transit to disrupt communication or gain unauthorized access.

Recu Samedi 07 Sept 2024 après 01h36 ( toujours les nuits ) nouveau mail usurpant la SOCIETE GENERALE avec boites mails DAKA.com: Venant de l’adresse mail bidon : From: Groupe <pops@face.com> Mais vraie adresse mail pour répondre aux hackers: Reply-To : cama@daka.com Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, les LOGOS BNP SOCIETE GENERALE, comptes et boites mails ! FOR YOUR INFORMATIONS and ACTIONS against these HACKERS USING your servers IP and accounts and mails boxes ! Pour votre Information et Actions contre ces hackers utilisant vos serveurs IP, les LOGOS BNP SOCIETE GENERALE, comptes et boites mails ! Utilisant encore les serveurs VIRGIN Medias et adresse IP 86.28.131.130 : Received : from [139.64.247.136] (cpc143858-cosh20-2-0-cust897.6-1.cable.virginm.net [86.28.131.130]) by mlpnf0115.laposte.net (SMTP Server) with ESMTP id 4X0t0n0Wk0zvPr6 for <@laposte.net>; Sat, 7 Sep 2024 01:36:40 +0200 (CEST) ************Contenu du mail des hackers ******************** DSP1Société Générale • Aujourd'hui, à 01:36 (il y a 7 heures) 5Ko • • • G De : Groupe • A : Moi • Bonjour, La nouvelles mises à jour ont été effectuées pour renforcer la sécurité lors de l'utilisation de votre compte. Votre compte est à présent à un statut dépassé. Vous devez dès lors procéder à la mise à jour de vos informations pour renforcer voire la sécurité. --Cliquez ici. Nous vous remercions de votre confiance. *********************** Ci-dessous Codes HTML des hackers ************************** Return-Path : <pops@face.com> Received : from mlpnf0115.laposte.net (mlpnf0115.sys.meshcore.net [10.94.128.94]) by mlpnb0108 with LMTPA; Sat, 07 Sep 2024 01:36:41 +0200 X-Cyrus-Session-Id : cyrus-65930-1725665801-2-10270358516806369974 X-Sieve : CMU Sieve 3.0 ARC-Seal : i=1; a=rsa-sha256; d=laposte.net; s=lpn-wlmd; t=1725665801; cv=none; b=XnKYvBybICVgaZk21JOBZfe0qbjb3vTUZ0V/14snw8HncPtRxGXpLuHV5qljsN8TDA1WDDzdblO Ttci+G0uXs0I7r7v4UiooJ7RyxWOzQA/Flgzn7iGcKjLHtkZNIayna+XpL1X0DSYi9li+g4AyAgf DbIM7I52DH5BJ2TSen2aHcn75X3CJ+x7CzqHRYbjsvlOMzoQ5f+GxQZjjQovikXEApLIL50y3O3z mDEv3UgL28UQmYDsgDWYAZK9u/uFywcl/MdQrJ6xNbYvBaxl0QdmCWOyTTQpi2xjtUqwj4uN28pG mo85IBqZdQWgsQF5TLM/8o/Ae91akcfBNUaiUvw== ARC-Message-Signature : i=1; a=rsa-sha256; c=relaxed/relaxed; d=laposte.net; s=lpn-wlmd; t=1725665801; h=Subject:To:From:Date:Reply-To; bh=OMJ47ckL+cChjjC 3XFEUYz4wE0ztwvwzwgODV52KyX0=; b=hKNlxqD6XRICBx53Bo+a0cssCBCewX0MAIdTpVTLGA1 +/fsabql1Vl4NHGdwacGsHcmKafPOWoMmkN4G2b/nRLlRv66Qy9opJHuFA+hEgk0kTOGxFq1lU0U 0kBc+5bWW7F/to3l2CNyS9hLlVSz1k1Xjd9fUI7YXJXA3jn6PQyXhbeDjrKllodz1OLEfS07hBrM H8CGfxxI7KP7iN+BXRE0C8zZ+Nj7NpaCaC66pqK6aQx5+/oTjV65+tagkWw8rUjjJxMgGn16Zqdk ttTHda+0teNnn9fzI2PcGEEPeNaV7E837nopkSFv6GmJ19F30sL+zg7Dg8l062vjUMpbUaQ== ARC-Authentication-Results : i=1; laposte.net; spf=none smtp.helo=[139.64.247.136] smtp.mailfrom=pops@face.com; dkim=none; dmarc=none reason="No policy found"; arc=none smtp.remote-ip=86.28.131.130; bimi=skipped reason="non-pass DMARC" X-mail-filterd : {"version":"1.8.0","queueID":"4X0t0n63d3zvPrS","contextId": "54cdf13b-6a75-4020-a926-9c9d0c850358"} X-ppbforward : {"queueID":"4X0t0n63d3zvPrS","server":"mlpnf0115"} Received : from outgoing-mail.laposte.net (localhost.localdomain [127.0.0.1]) by mlpnf0115.laposte.net (SMTP Server) with ESMTP id 4X0t0n63d3zvPrS for <lpn000000000000000018870443@back01-mail02-04.lpn.svc.meshcore.net>; Sat, 7 Sep 2024 01:36:41 +0200 (CEST) X-mail-filterd : {"version":"1.8.0","queueID":"4X0t0n0Wk0zvPr6","contextId": "c41c9ad7-d93e-4159-852a-846c9e05a1c3"} X-lpn-mailing : LEGIT X-lpn-spamrating : 57 X-lpn-spamlevel : not-spam Authentication-Results : laposte.net; spf=none smtp.mailfrom=pops@face.com smtp.helo=[139.64.247.136]; dkim=none; dmarc=none reason="No policy found"; arc=none smtp.remote-ip=86.28.131.130; bimi=skipped reason="non-pass DMARC" X-lpn-spamcause : OK, (10)(0000)gggruggvucftvghtrhhoucdtuddrgeeftddrudeivddgvdegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecunfetrffquffvgfdpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenucgopfhokfffucdluddtmdenucfjughrpegtggfguffvhfffrhfoiffpsehhqhdttdfitddunecuhfhrohhmpefirhhouhhpvgcuuceophhophhssehfrggtvgdrtghomheqnecuggftrfgrthhtvghrnhepffffhfegheeuteetfeeiheelvdevieelhfehgffhhfetjeekhefffeehtdetgedvnecuffhomhgrihhnpehshhhrihhmrghhrghvihhrshgthhhoohhlrdgtohhmnecukfhppeekiedrvdekrddufedurddufedtnecuvehluhhsthgvrhfuihiivgepudefnecurfgrrhgrmhepihhnvghtpeekiedrvdekrddufedurddufedtpdhhvghloheplgdufeelrdeigedrvdegjedrudefiegnpdhmrghilhhfrhhomhepphhophhssehfrggtvgdrtghomhdpnhgspghrtghpthhtohepuddprhgtphhtthhopegvlhgvrdhlvghmohhinhgvsehlrghpohhsthgvrdhnvghtpdhsphhfpehnohhnvgdpughkihhmpehnohhnvgdpughmrghrtgepnhhonhgvpdhrvghvkffrpegtphgtudegfeekheekqdgtohhshhdvtddqvddqtddqtghushhtkeeljedriedquddrtggrsghlvgdrvhhirhhgihhnmhdrnhgvthdpghgvohfkrfepifeu Received : from [139.64.247.136] (cpc143858-cosh20-2-0-cust897.6-1.cable.virginm.net [86.28.131.130]) by mlpnf0115.laposte.net (SMTP Server) with ESMTP id 4X0t0n0Wk0zvPr6

The IP made multiple requests with the same If-Range header.

The IP made numerous attempts at SMTP Relay abuse by trying to send emails not meant for or from local users.

The IP attempted code injection attacks, injecting malicious codes in HTTP headers.

The IP attempted to exploit known vulnerabilities in the SIP protocol.

This IP belongs to Cigna.

This IP was reported for attempting a Teardrop attack, sending mangled IP fragments with overlapping and oversized payloads to crash the target network device.

It attempted phishing scams by sending malicious mails through compromised accounts.

Unusual activity in the server's error logs.

The IP exhibited unusual patterns in the Accept-Language header.