IP Abuse , how to check

Discussion in 'ISPConfig 3 Priority Support' started by illuder, Jul 17, 2021 at 10:37 PM.

  1. illuder

    illuder Member HowtoForge Supporter

    Hi guys,
    My server host says there's an IP abuse. I looked through all the settings and reports, and I cannot see how to trace the IP which is causing this havoc. Could you assist in suggesting where I can check? Please see the report below:
    Thank you in advance..
    =====================

    The abuse was reported on the IP(s) listed below, which is/are related to your service in Database Mart. Please read the report carefully, fix the abuse issue, answer our questions and reply to us as soon as possible.
    1. Why are you having IP abuse?
    2. What measures have you taken to stop the abuse?
    3. What measures will you take to prevent this from happening again?
    If we do not receive any updates within the next 12 hours, your service will be suspended. Thanks.


    163.123.183.223/32 (root IP: 163.123.183.223) (PTR: -) was added to the EGP Cloudblock RBL for the following reason:

    "Caught scanning for web/mail exploits / compromised hosts"

    ===========================================================================
    A T T E N T I O N ! T H I S I S A C O M P R O M I S E D H O S T !
    ---------------------------------------------------------------------------
    163.123.183.223 is listed in Spamhaus XBL / Abuseat CBL:
    - https://check.spamhaus.org/listed/?searchterm=163.123.183.223

    Check for other issues with 163.123.183.223:
    - http://multirbl.valli.org/dnsbl-lookup/163.123.183.223.html
    - https://blocklist.info?163.123.183.223
    - https://www.abuseipdb.com/check/163.123.183.223

    =============================================================
    BEWARE: AUTOMATIC DELISTING POLICY - DO NOT REQUEST DELISTING
    -------------------------------------------------------------
    The EGP Cloudblock RBL has an automated removal policy. The MINIMUM amount of days that 163.123.183.223 will be listed depends on the amount of times 163.123.183.223 was listed by us before. The current list status for 163.123.183.223 is:

    [ strike 1: 1 day minimum ]

    The countdown to automatic delisting starts at the timestamp of this notification. Listings will ONLY be removed after the minimum listing period (see 'strike') has lapsed. Delistings will be retried once every hour.

    The current automatic delisting periods for single IP addresses (/32) are:

    * strike 1: after a minimum of 1 day
    * strike 2: after a minimum of 3 days
    * strike 3: after a minimum of 7 days
    * strike 4: after a minimum of 30 days
    * strike 5: after a minimum of 60 days
    * strike > 5: after a minimum of 90 days

    Expanded listings occur automatically when at least 50% of a CIDR block is listed:

    CIDR /29: 4/8 blocked IP's -> the entire /29 is listed
    CIDR /28: 8/16 blocked IP's -> the entire /28 is listed
    CIDR /27: 16/32 blocked IP's -> the entire /27 is listed
    CIDR /26: 32/64 blocked IP's -> the entire /26 is listed
    CIDR /25: 64/128 blocked IP's -> the entire /25 is listed
    CIDR /24: 128/256 blocked IP's -> the entire /24 is listed

    Expanded listings (listings greater than a single IP address (/29, /26, /24, etc.)) are always listed for a minimum of 90 days.

    ==============
    ABOUT THIS RBL
    --------------
    * The EGP Cloudblock RBL is a semi-private RBL; its listings are not made public, and cannot be queried from the outside. They are, however, shared in real-time within our networks and our partners' and subscribers' networks, and they are used for firewalling, greylisting, tarpitting, and other types of blocking (mail, web, DNS, and others).
    * The purpose of this email (and a separate email, containing details about the abusive traffic) is to perform a basic, civic Internet duty: to make you aware of abuse coming from an IP address or network under your supervision.
    * How you decide to handle these reports (if at all) is entirely up to you. We do not require a reply, a ticket, an acknowledgment, or even any action from you. Just note that repeated abuse from your IP space will lead to an increasingly longer, and increasingly broader, refusal to accept any traffic from you to any of our networks, or our partners' networks.
    * We invite you to look at this information and to take action to prevent it from reoccurring or spreading. This may be a private list; public lists are even harder to get out of. It may not be too late to salvage your IP space's reputation. Consider this an early warning.
    * If you need to get in touch with us, the only point of contact is <[email protected]>. Requests for delisting (or exemption) will not be taken into consideration; the process is fully automated.
    * We offer as much information in our reports as we possibly can. Additional information will only be given to you if it is in our own interest to do so. We do not respond to demands, threats, or protests.
    * A NOTE TO RESEARCH AND SECURITY SCANNERS: https://cloudblock.espresso-gridpoint.net/scanners.txt

    ==============================
    Why did *YOU* get this e-mail?
    ------------------------------
    * We like to operate in a transparent and predictable fashion and think you should be made aware of abuse emanating from your IP space; so we will inform you about listing. Your e-mail address <[email protected]> was retrieved (best-guessed) automatically from public WHOIS/RDAP data (e.g. https://www.whois.com/whois/163.123.183.223 and https://client.rdap.org/?type=ip&object=163.123.183.223/32) and other public IP/domain-related information. If <[email protected]> is not the correct e-mail address to report abuse and security issues inside your network(s), please update your public WHOIS/RDAP data or ask your ISP or IP owner to do so.
    * Check http://multirbl.valli.org/dnsbl-lookup/163.123.183.223.html, https://blocklist.info?163.123.183.223, and https://www.abuseipdb.com/check/163.123.183.223 for possible other issues with 163.123.183.223/32.
    * Note that we also list (and expand listings) based on traffic flow analysis and DNS/BGP/AS/RIR/LIR data without actual evidence of abuse on record; i.e. we take broader network hygiene and reputation into account.
    * Warning: the continued presence of either an 'SBL' or an 'XBL' listing at https://check.spamhaus.org/listed/?searchterm=163.123.183.223 will lead to automatic (re)listing when 163.123.183.223 contacts any of our servers, and it will prevent automatic delisting from the EGP Cloudblock RBL.

    Is 163.123.183.223/32 listed in the Spamhaus CSS / Spamhaus SBL? No.
    Is 163.123.183.223/32 listed in the Spamhaus XBL / Abuseat CBL? --> YES. <--


    ----------------------------------------------------------------------------------------------------
    Below is an overview of recently recorded abusive activity from 163.123.183.223/32 (time zone: CEST)

    ----------------------------------------------------------------------------------------------------
    Fields: IP / Contacted host / Local time / Log line (see notes below)
    ----------------------------------------------------------------------------------------------------
    163.123.183.223 tpc-004.mach3builders.nl 20210716/19:07:25 163.123.183.223 - - [16/Jul/2021:19:07:17 +0200] "GET /wp-login.php HTTP/1.1" 301 515 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.slide-skirt.nl]

    =============================================
    Notes:
    ---------------------------------------------
    * Any line containing a 'GET' or a 'POST' request refers to an attempt to access, exploit, or test for, a vulnerability or an attack vector on a webserver. The most prevalent attempts are 'wp-login' and 'wp-admin', and Joomla/Drupal equivalents. We host zero WordPress/Joomla/Drupal installations. This is usually a sign of a computer that is itself infected with a trojan or other malware, and is looking to infect other machines.
    * Connections must have completed the three-way handshake before being logged and processed; spoofed connection attempts are not logged and not listed.
    * We will not help you solve your problem. Please talk to a professional systems administrator, and/or scan your system using up-to-date antivirus software, and/or talk to your ISP or hoster.

    ----------------------------------------------------------------------------------------------------
    Current EGP Cloudblock RBL listings in 163.123.183.223/32:
    ----------------------------------------------------------------------------------------------------
    163.123.183.223/32 Caught scanning for web/mail exploits / compromised hosts [strike 1: 1 day minimum] @@1626455247

    ========== X-ARF Style Summary ==========
    Date: 2021-07-16 17:07:25 GMT
    Source: 163.123.183.223
    Type of Abuse: Portscan/Malware/Intrusion Attempts
    Logs: 163.123.183.223 - - [16/Jul/2021:19:07:17 +0200] "GET /wp-login.php HTTP/1.1" 301 515 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.slide-skirt.nl]
    -----------------------------------------

    To whom it may concern,

    163.123.183.223 is reported to you for performing unwanted activities toward our server(s).

    =============================================================================
    Current records of unwanted activities toward our server(s) on file;
    the second field designates our server that received the unwanted connection;
    if this is a webserver log, the [VirtualHost] designates the visited website.
    -----------------------------------------------------------------------------
    * 163.123.183.223 tpc-004.mach3builders.nl 20210716/19:07:25 163.123.183.223 - - [16/Jul/2021:19:07:17 +0200] "GET /wp-login.php HTTP/1.1" 301 515 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" [VirtualHost: www.slide-skirt.nl]

    =============================================================================
    Notes:
    -----------------------------------------------------------------------------
    * Unsolicited connections to well-known ports (e.g. FTP, SSH, Telnet, and others), and attempted database queries/injections/extractions are considered especially toxic; associated IP addresses are blacklisted on sight.
    * Connections must have completed the three-way handshake before being logged and processed; spoofed connection attempts are not logged and not blacklisted.
    * Any line containing a "GET" or a "POST" request refers to an attempt to access, exploit, or test for, a vulnerability or an attack vector on one of our webservers. The most prevalent attempts are 'wp-login' and 'wp-admin', and Joomla/Drupal equivalents. We host zero WordPress/Joomla/Drupal installations. This is usually a sign of a computer that is itself infected with a trojan or other malware, and is looking to infect other machines. Note that these are attempted URLs on OUR webservers, not on a webserver at the reported IP address. Scan the server at the reported IP address for outdated WordPress installations, trojans, and other malware.
    * Please do not ask us which "outbound domain" an attack came from, or which "website" instigated the attack: we cannot know this. We can only give you the connecting IP address, the connected IP address, extremely accurate timestamps, and source/destination port numbers. If this is not enough information for you, YOU will have to increase or improve your tracing and logging to mitigate future attacks.
    * A NOTE TO RESEARCH AND SECURITY SCANNERS: https://cloudblock.espresso-gridpoint.net/scanners.txt

    ===========================================================================
    ATTENTION! THIS IS A COMPROMISED HOST!
    ---------------------------------------------------------------------------
    163.123.183.223 is blacklisted in Spamhaus XBL / Abuseat CBL:
    - https://check.spamhaus.org/listed/?searchterm=163.123.183.223

    Check for other issues with 163.123.183.223:
    - http://multirbl.valli.org/dnsbl-lookup/163.123.183.223.html
    - https://blocklist.info?163.123.183.223
    - https://www.abuseipdb.com/check/163.123.183.223


    =============================================================================
    Number of hosts in this network (/24) making recent unwanted connections: 1
    -----------------------------------------------------------------------------
    Host Last logged attempt (Netherlands time zone)
    -----------------------------------------------------------------------------
    .223 20210716/19:07:25

    =============================================================================
    Remarks:
    -----------------------------------------------------------------------------
    * Your e-mail address <[email protected]> was retrieved (best-guessed) automatically from public WHOIS/RDAP data (e.g. https://www.whois.com/whois/163.123.183.223 and https://client.rdap.org/?type=ip&object=163.123.183.223) and other IP/domain-related information. If <[email protected]> is not the correct e-mail address to report spam and security issues inside your network(s), please update your public WHOIS/RDAP data or ask your ISP or IP owner to do so.
    * Please accept ALL email sent to your abuse address; we will never use a web form or any other reporting medium for this automated process.
    * We also blacklist (and expand blacklistings) based on mail flow analysis, netblock hygiene (the more hosts in a network are already blacklisted, the faster additional hosts in that network will be blacklisted), DNS/BGP/AS/RIR/LIR data, and third-party sources and reports.
    * We will send you no more than one report per week per IP address; this does not mean that the attacks do not continue during that week. The only exception to this is when we make the blacklisting permanent, because the attacks are too wide-spread and persistent.
    * We will not help you solve your problem. Please talk to a professional systems administrator, and/or scan your system using up-to-date antivirus software, and/or talk to your ISP or hoster.
    * The fully automated nature of this reporting process, and the fact that this type of activity takes place 24/7, means that there will be the occasional false positive. We apologize in advance. When we find those, we will report them to you and take measures to prevent them from reoccurring.
    * You cannot reply to this e-mail directly. If you need to get in touch with us, the only point of contact is <[email protected]>.

    =============================================================================
    If 163.123.183.223 is a (CG)NAT gateway, use the following packet data.
    Time stamps are in NTP-synced Unix seconds, time zone UTC (GMT, +0000);
    convert to regular date and your time zone at https://www.epochconverter.com/
    -----------------------------------------------------------------------------
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Check first the e-mail you got really comes from your service provider and is not some hoax or blackmail.
    Is the IP address involved yours, that is used on a host you administer?
    Did you read the very long message you posted? It seems to tell what this is about and what to do about it.
    For example, the spamhaus web page shows
    So start with scanning for malware. For example: https://ispprotect.com/
    You can monitor network traffic on your host to see what it is sending, Internet Search Engines with
    Code:
    monitor network traffic linux
    help finding tools.
    Read mail log to see what is being sent and received. SPAM may be easy to spot.
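One way to do the network monitoring suggested above is to snapshot outbound connections with their owning process, so the Unix-second timestamps in the report's packet data can later be matched to a process on the server. This is an added example, not code from the thread or from ISPConfig; it assumes Linux with iproute2 `ss` and awk, and `LOGFILE` is a hypothetical path.

```shell
#!/bin/sh
# Added example (not from the forum thread). Records which local process held
# each outbound TCP connection to ports of interest, stamped with the current
# Unix time, so a report timestamp such as 1626455237 can be looked up later.
# Assumes Linux, iproute2 'ss', awk. LOGFILE is a hypothetical path.
LOGFILE="${LOGFILE:-/var/log/outbound-snapshot.log}"

# parse_ss: read 'ss -tnpH' style lines on stdin and print one record per
# connection whose remote port is in $2 (space separated), stamped with $1:
#   <epoch> <local addr:port> <peer addr:port> <process,pid=N | unknown>
parse_ss() {
    awk -v now="$1" -v ports="$2" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        peer = $5; port = peer; sub(/.*:/, "", port)    # keep only the port
        if (!(port in want)) next
        proc = "unknown"                                # no -p data (not root)
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 9)  # name",pid=N
            gsub(/"/, "", proc)                         # name,pid=N
        }
        print now, $4, peer, proc
    }'
}

# snapshot: append the current picture to LOGFILE. Run it every few seconds
# (cron or a loop) as root, otherwise ss cannot report the owning process.
snapshot() {
    ss -tnpH | parse_ss "$(date +%s)" "80 443 25 587" >> "$LOGFILE"
}

# lookup: print records within +/- $2 seconds (default 5) of report epoch $1.
lookup() {
    awk -v t="$1" -v w="${2:-5}" '$1 >= t - w && $1 <= t + w' "$LOGFILE"
}

# Constructed sample of ss output (not a real capture) to demonstrate parse_ss.
SAMPLE='ESTAB 0 0 163.123.183.223:44662 91.190.98.87:80 users:(("php-fpm7.4",pid=2345,fd=12))
ESTAB 0 0 163.123.183.223:51000 10.0.0.9:3306 users:(("php-fpm7.4",pid=2345,fd=13))
ESTAB 0 0 163.123.183.223:44680 91.190.98.87:443'

demo() { printf '%s\n' "$SAMPLE" | parse_ss 1626455237 "80 443"; }
demo
```

Once `snapshot` has been running, `lookup 1626455237` prints what held connections to web or mail ports at the moment the report names.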
     
  3. illuder

    illuder Member HowtoForge Supporter

    Hi, thank you for your response.
    1. yes, the warning is genuine, I have a ticket opened with the hosting co.
    2. yes, it's the IP address of my server
    3. yes, I've read the message, which says that there's spam from my server, but I don't know how to check which email account it's sending from.
    4. I'll read the mail log, but I was hoping there's a report in ISPConfig which shows unusual email activity, or high email usage, or data usage etc., some sort of report.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Check website statistics for unusual activity. The spam may use other ways for sending, though, so it does not show in these statistics.
    You can install tools to show such reports. I do not know what OS you are using, so can not give advice. On my Debian system I have installed pflogsumm and logwatch.
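As a smaller alternative to pflogsumm for the "which account is it sending from?" question, this added example (not from the thread, pflogsumm or ISPConfig) summarises a Postfix mail log per sender identity: an smtpd line with `sasl_username=` (an authenticated mailbox) or a pickup line with `uid=` (a local script, e.g. PHP mail()) is tied by queue id to the later qmgr line that carries `nrcpt=`. It assumes the classic syslog line format; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread). Summarises Postfix log lines by
# sender identity: recipients and messages per SASL user or local uid.
# Assumes classic syslog timestamps ("Jul 16 19:07:01 host postfix/...").
LOGFILE="${LOGFILE:-/var/log/mail.log}"

# mail_senders: read Postfix log lines on stdin and print, per identity,
# "<recipients> <messages> <identity>", busiest first.
mail_senders() {
    awk '
    function qid() {                 # queue id between "]: " and ": "
        if (match($0, /\]: [0-9A-Za-z]+: /)) return substr($0, RSTART + 3, RLENGTH - 5)
        return ""
    }
    /postfix\/smtpd/ && match($0, /sasl_username=[^ ,]+/) {
        u = substr($0, RSTART + 14, RLENGTH - 14); who[qid()] = u
    }
    /postfix\/pickup/ && match($0, /uid=[0-9]+ from=<[^>]*>/) {
        u = "local:" substr($0, RSTART, RLENGTH); who[qid()] = u
    }
    /postfix\/qmgr/ && match($0, /nrcpt=[0-9]+/) {
        n = substr($0, RSTART + 6, RLENGTH - 6); q = qid()
        if (q in who) { msgs[who[q]]++; rcpts[who[q]] += n }
    }
    END { for (u in msgs) print rcpts[u], msgs[u], u }' | sort -rn
}

# Constructed sample log (not a real capture): one mailbox sending to many
# recipients, one normal user, and one message injected by a local web script.
SAMPLE='Jul 16 19:07:01 srv postfix/smtpd[1234]: 3A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.org
Jul 16 19:07:02 srv postfix/qmgr[999]: 3A1B2C3D4E: from=<info@example.org>, size=2048, nrcpt=50 (queue active)
Jul 16 19:08:10 srv postfix/smtpd[1235]: 4B2C3D4E5F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.org
Jul 16 19:08:11 srv postfix/qmgr[999]: 4B2C3D4E5F: from=<info@example.org>, size=2100, nrcpt=45 (queue active)
Jul 16 19:09:00 srv postfix/smtpd[1236]: 5C3D4E5F60: client=mail.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Jul 16 19:09:01 srv postfix/qmgr[999]: 5C3D4E5F60: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Jul 16 19:10:00 srv postfix/pickup[777]: 6D4E5F6071: uid=33 from=<www-data>
Jul 16 19:10:01 srv postfix/qmgr[999]: 6D4E5F6071: from=<www-data@srv.example.org>, size=700, nrcpt=3 (queue active)'

demo() { printf '%s\n' "$SAMPLE" | mail_senders; }
demo
```

On a live server run `mail_senders < "$LOGFILE"`; an identity with far more recipients than its normal traffic is the account (or script) to lock down first.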
     
  5. illuder

    illuder Member HowtoForge Supporter
