Abuse Report: Active portscan/attack detected from 89.125.33.78

Incident details are attached below. Please note that due to some automated
abuse complaint processing systems parsing destination IP addresses as ones
involved in this report, we are redacting destination IP addresses by replacing
all "." and ":" characters with "x".

```
Timestamp SrcIP SrcPort DstIP DstPort
2026-06-02T23:16:58.287Z 89.125.33.78 35546 144x79x58x203 22
2026-06-02T23:24:19.296Z 89.125.33.78 43012 45x154x199x210 22
2026-06-03T01:35:25.706Z 89.125.33.78 39058 45x154x199x46 1919
2026-06-03T14:58:47.265Z 89.125.33.78 60124 88x218x206x63 22
```
----------------------------------------------------------------------

Greetings,

the security team CSIRT-MU has detected involvement of the IP address
89.125.33.78 in the following incident:

SSH brute force attacks

Incident type: SSH brute force attacks
Detection time window: 2026-06-03T04:50:00+02:00 - 2026-06-03T04:55:00+02:00
Protocol: TCP
Source IP address: 89.125.33.78
Source domain name: ---
Target IP address: 78.128.235.41

SSH brute force attacks

Incident type: SSH brute force attacks
Detection time window: 2026-06-03T02:45:00+02:00 – 2026-06-03T02:50:00+02:00
Protocol: TCP
Source IP address: 89.125.33.78
Source domain name:
Target IP address: 195.113.167.79
Description of the incident: Computer with the aforementioned IP address engaged in a dictionary attack against the SSH service. This attack is used to find an access password for the service to gain unauthorized access to a system. This activity most often means that the computer is infected by a virus or other malicious code.
Incident solution: We strongly recommend checking the computer with up-to-date antivirus software and eventually checking the configuration of network services.

SSH brute force attacks

Incident type: SSH brute force attacks
Detection time window: 2026-06-03T02:20:00+02:00 – 2026-06-03T02:25:00+02:00
Protocol: TCP
Source IP address: 89.125.33.78
Source domain name:
Target IP address: 195.113.167.79
Description of the incident: Computer with the aforementioned IP address engaged in a dictionary attack against the SSH service. This attack is used to find an access password for the service to gain unauthorized access to a system. This activity most often means that the computer is infected by a virus or other malicious code.
Incident solution: We strongly recommend checking the computer with up-to-date antivirus software and eventually checking the configuration of network services.

89.125.33.78:

2026-06-03 00:52. Categories: SSH.
Comment:
    2026-06-03T02:51:47.711703 pclab24.pl sshd[1116040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.125.33.78 user=root
    2026-06-03T02:51:49.867576 pclab24.pl sshd[1116040]: Failed password for root from 89.125.33.78 port 51312 ssh2
    2026-06-03T02:51:53.679151 pclab24.pl sshd[1116565]: Connection from 89.125.33.78 port 34612 on 10.10.0.5 port 22
    2026-06-03T02:52:05.288507 pclab24.pl sshd[1116565]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.125.33.78 user=root
    2026-06-03T02:52:07.580909 pclab24.pl sshd[1116565]: Failed password for root from 89.125.33.78 port 34612 ssh2
    …

2026-06-03 00:19. Categories: Brute-Force, SSH.
Comment: SSH Brute force: 3 attempts were recorded from 89.125.33.78
    2026-06-03T02:11:35+02:00 User root from 89.125.33.78 not allowed because none of user’s groups are listed in AllowGroups
    2026-06-03T02:11:51+02:00 User root from 89.125.33.78 not allowed because none of user’s groups are listed in AllowGroups
    2026-06-03T02:12:03+02:00 User root from 89.125.33.78 not allowed because none of user’s groups are listed in AllowGroups

2026-06-02 23:15. Categories: Port Scan, Hacking, Exploited Host.
Comment: Unauthorized connection attempt