26/06/2014 [DMCA] @ United Kingdom 1 (80)

Hello Abuse-Team,
>
> your Server/Customer with the IP: *46.17.63.182* has attacked one of our servers/partners.
> The attackers used the method/service: *regbot* on: *Tue, 24 Jun 2014 21:46:32 +0100*.
> The time listed is from the server-time of the Blocklist-user who submitted the report.
> The attack was reported to the Blocklist.de-System on: *Tue, 24 Jun 2014 21:46:46 +0200*
>
> The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
> to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
> triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
> The Server-Owner configures the number of failed attempts, and the time period they have
> to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
> He has registered automatically on a honeypot Wiki/Forum/Blog-System....
> At the site there is a notice that all postings and registrations will be reported.
> He used xrumer or other tools, or had a misconfigured mod_rewrite/mod_proxy that is being abused:
> http://blog.blocklist.de/2011/03/14/erlauterung-der-einzelnen-dienste-badbots-apacheddos-postfix/#regbots
>
> If the IP is a Tor-Server: http://blog.blocklist.de/tor-server-owner/
>
> Please check the machine behind the IP 46.17.63.182 (relay.lusovps.com) and fix the problem.
> This is the 2nd attack (reported: 2) from this IP; see:
> http://www.blocklist.de/en/view.html?ip=46.17.63.182
>
> If you need the logs in another format (rather than an attachment), please let us know.
> You can see the Logfiles online again: https://www.blocklist.de/en/logs.html?rid=521610877&ip=46.17.63.182
>
>
> You can parse this abuse report mail with X-ARF-Tools from http://www.x-arf.org/tools.html e.g. validatexarf-php.tar.gz.
> You can find more information about X-Arf V0.2 at http://www.x-arf.org/specification.html
>
> This message will be sent again in one day if more attacks are reported to Blocklist.
> In the attachment of this message you can find the original logs from the attacked system.
>
> To pause this message for one week, you can use our "Stop Reports" feature on Blocklist.de to submit
> the IP you want to stop receiving emails about, and the email you want to stop receiving them on.
> If more attacks from your network are recognized after the seven day grace period, the reports will start
> being sent again.
>
> To pause these reports for one week:
> http://www.blocklist.de/en/insert.html?ip=46.17.63.182&email=abuse@goscomb.net
>
>
> We found this abuse email address in the Whois-Data from the IP under the SearchString "abuse-mailbox (own-db)"
> Reply to this message to let us know if you want us to send future reports to a different email. (e.g. to abuse-quiet or a special address)
>
>
> ------------------------------
> blocklist.de Abuse-Team
> This message was sent automatically. For questions please use our Contact-Form (autogenerated@ is not monitored!):
> https://www.blocklist.de/en/contact.html?RID=521610877
> Logfiles: https://www.blocklist.de/en/logs.html?rid=521610877&ip=46.17.63.182
> ------------------------------
>
> ---
> Reported-From: abuse-team@blocklist.de
> Category: abuse
> Report-Type: regbot
> Service: regbot
> Version: 0.2
> User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
> Date: Tue, 24 Jun 2014 21:46:32 +0100
> Source-Type: ip-address
> Source: 46.17.63.182
> Port: 80
> Report-ID: 521610877@blocklist.de
> Schema-URL: http://www.blocklist.de/downloads/schema/info_0.1.1.json
> Attachment: text/plain
>
> 46.17.63.182 - - [24/Jun/2014:21:46:32 +0100] "POST /profile.php HTTP/1.0" 200 790 "-" "-"
>
> Username: juiceart29
> User Email: Gladisbwzgmj@outlook.com
> User ICQ:
> User AIM:
> User MSN:
> User Yahoo:
> Website:
> Location: Washington
> Occupation:
> Interests:
> User Signature:
>
>
>


Kind regards,

Luis Gigante

Action that has been taken by Proxy.sh: Because the server is located in a jurisdiction with precise intellectual property laws, we have reset the accounts that forwarded port 80 (nothing may identify a single account) and we have blocked port 80 via the firewall.
