195.200.76.142 [port-scan] Abuse originating from IP you are using

This is an automated abuse complaint regarding an active TCP port scan
(establishing multiple connections). All these connections are to dynamically
located tarpit-type honeypots and thus provide sufficiently reliable evidence
to claim ongoing port scan activity.

This means the host behind IP address 195.200.76.142 is either:

- serving a public proxy/VPN;
- participating in a botnet operation or another kind of malware;
- a VPS used by an illicit actor to find vulnerable publicly exposed services
(Telnet at 23/tcp, Samba at 445/tcp, FTP at 21/tcp, SSH at 22/tcp and so on).

We insist that you and/or your end-user take all necessary actions to
resolve the current issue. If you are an established VPN provider with a zero-log
policy, please let us know about that, so we will be able to whitelist you.

**We are the hosting provider Skhron; please DO NOT block any of our single IP
addresses or entire blocks!**

Wish to stop receiving such messages (are you a security researcher)? Please
reply to this message - all replies are processed manually.

Incident details are attached below:

Timestamp SrcIP SrcPort DstIP DstPort
2024-08-02T23:44:26.376Z 195.200.76.142 34874 88.218.206.12 21
2024-08-03T00:14:55.311Z 195.200.76.142 55252 88.218.206.58 21
2024-08-03T00:15:51.363Z 195.200.76.142 34448 88.218.206.4 21
2024-08-03T01:03:44.416Z 195.200.76.142 60984 88.218.206.122 21
----------------------------------------------------------------------

This table contains established TCP connections (ones confirmed using 3WHS -
three-way handshake, which makes our data not vulnerable to an IP spoofing
attack). These events cannot be forged and can be reliably verified even if you
use sampled network monitoring, for example, with sFlow.

Please do not hesitate to reply to this letter if you have any questions or
concerns regarding the current case.

We also provide an hourly feed of all detected malicious IP addresses here:
https://otx.alienvault.com/pulse/66794486bda6c3cf8823c604

Kind regards,
Network department
Skhron.COM.UA