========== X-ARF Style Summary ==========
Date: 2025-01-14T23:32:14+01:00
Source: 80.71.227.138
Type of Abuse: Portscan/Malware/Intrusion Attempts
Logs: 23:32:05.788783 rule 0/0(match): block in on vtnet0: 80.71.227.138.64044 > 91.190.98.95.3389: Flags [S], seq 3404332753, win 0, options [mss 1460], length 0
——————————————
To whom it may concern,
80.71.227.138 is reported to you for performing unwanted activities toward our server(s).
=============================================================================
Current records of unwanted activities toward our server(s) on file;
the second field designates our server that received the unwanted connection;
if this is a webserver log, the [VirtualHost] designates the visited website.
——————————————————————————
Source IP / Targeted host / Issue processed @ / Log entry
——————————————————————————
* 80.71.227.138 tpc-005.mach3builders.nl 2025-01-14T23:32:14+01:00 23:32:05.788783 rule 0/0(match): block in on vtnet0: 80.71.227.138.64044 > 91.190.98.95.3389: Flags [S], seq 3404332753, win 0, options [mss 1460], length 0
* 80.71.227.138 tpc-031.mach3builders.nl 2025-01-14T23:31:15+01:00 23:31:11.659886 rule 0/0(match): block in on vtnet0: 80.71.227.138.56121 > 91.190.98.135.3389: Flags [S], seq 3757822848, win 0, options [mss 1460], length 0
* 80.71.227.138 tpc-031.mach3builders.nl 2025-01-14T23:31:14+01:00 23:31:11.441373 rule 0/0(match): block in on vtnet0: 80.71.227.138.56121 > 91.190.98.135.3389: Flags [S], seq 3757822848, win 0, options [mss 1460], length 0
* 80.71.227.138 tpc-031.mach3builders.nl 2025-01-14T23:31:13+01:00 23:31:11.108952 rule 0/0(match): block in on vtnet0: 80.71.227.138.56121 > 91.190.98.135.3389: Flags [S], seq 3757822848, win 0, options [mss 1460], length 0
* 80.71.227.138 tpc-015.mach3builders.nl 2025-01-14T23:28:29+01:00 23:28:26.446200 rule 0/0(match): block in on vtnet0: 80.71.227.138.52873 > 91.190.98.186.3389: Flags [S], seq 1177941842, win 0, options [mss 1460], length 0
* 80.71.227.138 offshore.bengrimm.net 2025-01-14T22:42:05+01:00 22:41:03.229106 rule 2/0(match): block in on vtnet0: 80.71.227.138.50637 > 84.22.108.242.3389: Flags [S], seq 1504544942, win 1024, length 0
=============================================================================
Notes:
——————————————————————————
* Unsolicited connections to well-known ports (e.g. FTP, SSH, Telnet, and others), and attempted database queries/injections/extractions are considered especially toxic; associated IP addresses are blocklisted on sight.
* Connections must have completed the three-way handshake before being logged and processed; spoofed connection attempts are not logged and not blocklisted.
* Any line containing a «GET» or a «POST» request refers to an attempt to access, exploit, or test for, a vulnerability or an attack vector on one of our webservers.
* The most prevalent attempts are ‘wp-login’ and ‘wp-admin’, and Joomla/Drupal equivalents. We host zero WordPress/Joomla/Drupal installations. This is usually a sign of a computer that is itself infected with a trojan or other malware, and is looking to infect other machines. Scan the server at the reported IP address for outdated WordPress installations, trojans, and other malware.
* Please do not ask us which «outbound domain» an attack came from, or which «website» instigated the attack: we cannot know this. We can only give you the connecting IP address, the connected IP address, extremely accurate timestamps, and source/destination port numbers. If this is not enough information for you, YOU will have to increase or improve your tracing and logging to mitigate future attacks.
* A NOTE TO RESEARCH AND SECURITY SCANNERS: https://cloudblock.espresso-gridpoint.net/scanners.html