Abuse Message [AbuseID:C8D60A:22]: AbuseInfo: [CSIRT-MU #1291096] Útoky na autentizaci SSH z IP adresy 65.108.143.81 / SSH brute force attacks from IP address 65.108.143.81

Security incident report

Greetings,

the security team CSIRT-MU has detected involvement of the IP address
65.108.143.81 into the following incident:

  • Incident type: SSH brute force attacks
  • Time of detection: 2023-05-29 13:11:10 +0200
  • IP address: 65.108.143.81
  • Domain name: indefinity.shiza.server

Details of the incident
Detailed information about this incident can be found on our security portal.

Because of the severity of the incident, the IP address 65.108.143.81 was
blocked for 24 hours. The block was performed to protect the network and can
be lifted earlier only after the security issue that led to it is resolved.

Description of the incident
Computer with the aforementioned IP address engaged in a dictionary attack
against the SSH service. This attack is used to find an access password for
the service to gain unauthorized access to a system. This activity most often
means that the computer is infected by a virus or other malicious code.

Incident solution
We strongly recommend to check the computer with up-to-date antivirus software
and eventually check the configuration of network services.

How to communicate with the CSIRT-MU team?

Please review the source of the incident and fix the issue. Inform us about
the result within 5 business days.

Best regards,

CSIRT-MU
The security team of Masaryk University
https://csirt.muni.cz





  
  
  <title>CSIRT-MU Hlášení bezpečnostního incidentu</title>
  
  
  
<p style="margin-left:20px;">Please scroll down for the English version of this report</p>
<p>---------------------------------------------------------------------</p>

<div class="infobox">
    <h1>Hlášení bezpečnostního incidentu</h1>
</div>

<div class="content">

<p>Dobrý den,</p>


bezpečnostní tým CSIRT-MU detekoval zapojení <strong>IP adresy 65.108.143.81</strong> do následujícího incidentu:
<ul style="list-style-type:none">
<li><span style="width: 150px;display: inline-block;"><strong>Typ incidentu:</strong></span> <span>Útoky na autentizaci SSH</span></li>
<li><span style="width: 150px;display: inline-block;"><strong>Čas detekce:</strong></span> <span>2023-05-29 13:11:10 +0200</span></li>
<li><span style="width: 150px;display: inline-block;"><strong>IP adresa:</strong></span> <span>65.108.143.81</span></li><li><span style="width: 150px;display: inline-block;"><strong>Doménové jméno:</strong></span> <span>indefinity.shiza.server</span></li>
</ul>
<p style="text-align: justify;"><strong style="margin-top:7px;margin-bottom: 5px;">Detaily incidentu</strong><br>Podrobné informace o incidentu jsou dostupné na našem <u><a href="https://reports.csirt.muni.cz/getReport.php?uuid=A6689C1E-FE11-11ED-B952-3415B176C285">bezpečnostním portálu.</a></u></p><div style="text-align: justify;">Z důvodu závažnosti tohoto incidentu došlo k zablokování IP adresy 65.108.143.81 na dobu 24 hodin. Blokování bylo provedeno za účelem ochrany sítě a podmínkou pro předčasné odblokování je vyřešení bezpečnostního problému, který k zablokování vedl.</div><p style="\&quot;text-align:" justify;\"><strong style="\&quot;margin-top:7px;margin-bottom:" 5px;\">Popis incidentu</strong><br>Počítač s výše uvedenou IP adresou prováděl tzv. slovníkový útok proti službě SSH. Touto metodou se útočník snaží prolomit vstupní heslo služby a získat tak neoprávněně přístup do systému. Tato aktivita v drtivé většině případů znamená, že je daný počítač nakažen virem či jiným škodlivým kódem.</p><p style="text-align: justify;"><strong style="margin-top:7px;margin-bottom: 5px;">Řešení incidentu</strong><br>Důrazně doporučujeme zkontrolovat počítač pomocí aktualizovaného antivirového software, případně zkontrolovat nastavení síťových služeb.</p>
<u><a href="https://reports.csirt.muni.cz/help/rt_instructions.html"> Jak nejlépe komunikovat s bezpečnostním týmem CSIRT-MU?</a></u>
<p>Prověřte prosím zdroj incidentu a postarejte se o nápravu. O výsledku nás do 5 pracovních dnů informujte.</p>
<p>
S pozdravem<br><br>
CSIRT-MU<br>
Bezpečnostní tým Masarykovy univerzity<br>
<a href="https://csirt.muni.cz/">https://csirt.muni.cz</a>
</p>
</div>
<div class="infobox">
  <h1>Security incident report</h1>
</div>

    <div class="content">

<p>Greetings,</p>


the security team CSIRT-MU has detected involvement of <strong>the IP address 65.108.143.81</strong> into the following incident:
<ul style="list-style-type:none">
<li><span style="width: 150px;display: inline-block;"><strong>Incident type:</strong></span> <span>SSH brute force attacks</span></li>
<li><span style="width: 150px;display: inline-block;"><strong>Time of detection:</strong></span> <span>2023-05-29 13:11:10 +0200</span></li>
<li><span style="width: 150px;display: inline-block;"><strong>IP address:</strong></span> <span>65.108.143.81</span></li><li><span style="width: 150px;display: inline-block;"><strong>Domain name:</strong></span> <span>indefinity.shiza.server</span></li>
</ul>
<p style="text-align: justify;"><strong style="margin-top:7px;margin-bottom: 5px;">Details of the incident</strong><br>Detailed information about this incident can be found on our <u><a href="https://reports.csirt.muni.cz/getReport.php?uuid=A6689C1E-FE11-11ED-B952-3415B176C285&amp;lang=EN">security portal.</a></u></p><div style="text-align: justify;">Because of the severity of the incident, the IP address 65.108.143.81 was blocked for 24 hours. The block was performed to protect the network and can be lifted earlier only after the security issue that led to it is resolved.</div><p style="\&quot;text-align:" justify;\"><strong style="\&quot;margin-top:7px;margin-bottom:" 5px;\">Description of the incident</strong><br>Computer with the aforementioned IP address engaged in a dictionary attack against the SSH service. This attack is used to find an access password for the service to gain unauthorized access to a system. This activity most often means that the computer is infected by a virus or other malicious code.</p><p style="text-align: justify;"><strong style="margin-top:7px;margin-bottom: 5px;">Incident solution</strong><br>We strongly recommend to check the computer with up-to-date antivirus software and eventually check the configuration of network services.</p>
<u><a href="https://reports.csirt.muni.cz/help/rt_instructions.html?lang=EN"> How to communicate with the CSIRT-MU team?</a></u>
<p>Please review the source of the incident and fix the issue. Inform us about the result within 5 business days.</p>
<p>
Best regards,<br><br>
CSIRT-MU<br>
The security team of Masaryk University<br>
<a href="https://csirt.muni.cz/">https://csirt.muni.cz</a>
</p>
</div>