• 92.51.2.78/24 (AS209588) from Russia with love ... for SQL injection at

    From Randolf Richardson 張文道@21:1/5 to All on Thu Jul 11 11:04:23 2024
    While only a few failed SMTP AUTH attempts came from
    95.51.2.78/24, there are thousands of SQL Injection
    attempts being submitted on web-based contact forms
    on various web sites, which are all failing due to
    sanitization or direct Postfix SMTP queue injection.

    95.51.2.78 is in our block-and-forget list now.

    I'm wondering, has anyone encountered attacks from
    any other IP addresses in this /24? I'm not finding
    anything aside from 95.51.2.78 in our logs.

    Thanks.

    WHOIS output for 95.51.2.78...

    % Abuse contact for '92.51.2.0 - 92.51.2.255' is
    'abuse@digi-cloud.net'

    inetnum: 92.51.2.0 - 92.51.2.255
    netname: DIGICLOUD-NET
    org: ORG-AHL11-RIPE
    country: EU
    admin-c: IG2940-RIPE
    admin-c: DCN26-RIPE
    tech-c: DCN26-RIPE
    status: ASSIGNED PA
    mnt-routes: DIGI
    mnt-domains: DIGI
    mnt-by: ru-permtelecom-1-mnt
    created: 2023-05-12T12:01:35Z
    last-modified: 2023-05-29T12:27:39Z
    source: RIPE

    organisation: ORG-AHL11-RIPE
    org-name: Alviva Holding Limited
    country: SC
    org-type: OTHER
    address: Suite 1, Second Floor,
    Sound & Vision House,
    Francis Rachel Str.,
    Victoria, Mahe, Seychelles
    abuse-c: DCN26-RIPE
    mnt-ref: IVC-MNT
    admin-c: DCN26-RIPE
    tech-c: DCN26-RIPE
    mnt-ref: mnt-ru-am-1
    mnt-ref: ru-permtelecom-2-mnt
    mnt-ref: DIGI
    mnt-by: DIGI
    created: 2019-02-20T20:32:02Z
    last-modified: 2024-06-12T13:57:15Z
    source: RIPE # Filtered

    role: DIGI CLOUD NOC
    abuse-mailbox: abuse@digi-cloud.net
    address: Suite 1, Second Floor,
    Sound & Vision House,
    Francis Rachel Str.,
    Victoria, Mahe, Seychelles
    nic-hdl: DCN26-RIPE
    mnt-by: DIGI
    created: 2019-02-20T20:29:47Z
    last-modified: 2019-05-22T08:55:01Z
    source: RIPE # Filtered

    person: Igor Gilmutdinov
    address: Malkova, 12
    address: 614087
    address: Perm
    address: RUSSIAN FEDERATION
    phone: +73422000289
    nic-hdl: IG2940-RIPE
    mnt-by: ru-permtelecom-1-mnt
    created: 2016-04-01T13:54:40Z
    last-modified: 2016-04-01T13:54:40Z
    source: RIPE

    % Information related to '92.51.2.0/24AS209588'

    route: 92.51.2.0/24
    origin: AS209588
    mnt-by: ru-permtelecom-1-mnt
    created: 2023-05-12T12:04:13Z
    last-modified: 2023-05-12T12:04:13Z
    source: RIPE

    % This query was served by the RIPE Database Query
    Service version 1.113.2 (ABERDEEN)

    --
    Randolf Richardson 張文道, CNA - noc@inter-corporate.com
    Inter-Corporate Computer & Network Services, Inc.
    Beautiful British Columbia, Canada
    https://www.inter-corporate.com/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From tjoen@21:1/5 to All on Fri Jul 12 05:35:57 2024
    On 7/11/24 20:04, Randolf Richardson 張文道 wrote:
    > ...
    > person: Igor Gilmutdinov
    > address: Malkova, 12
    > address: 614087
    > address: Perm
    > address: RUSSIAN FEDERATION
    > phone: +73422000289
    > nic-hdl: IG2940-RIPE
    > mnt-by: ru-permtelecom-1-mnt
    > created: 2016-04-01T13:54:40Z
    > last-modified: 2016-04-01T13:54:40Z
    > source: RIPE
    >
    > % Information related to '92.51.2.0/24AS209588'
    >
    > route: 92.51.2.0/24
    > origin: AS209588
    > mnt-by: ru-permtelecom-1-mnt
    > created: 2023-05-12T12:04:13Z
    > last-modified: 2023-05-12T12:04:13Z
    > source: RIPE

    Reporting to NATO?

  • From Sirius@21:1/5 to tjoen on Fri Jul 12 09:00:51 2024
    On fre, 2024/07/12 at 05:35:57 +0200, tjoen wrote:
    > On 7/11/24 20:04, Randolf Richardson 張文道 wrote:
    > > ...
    > > person: Igor Gilmutdinov
    > > address: Malkova, 12
    > > address: 614087
    > > address: Perm
    > > address: RUSSIAN FEDERATION
    > > phone: +73422000289
    > > nic-hdl: IG2940-RIPE
    > > mnt-by: ru-permtelecom-1-mnt
    > > created: 2016-04-01T13:54:40Z
    > > last-modified: 2016-04-01T13:54:40Z
    > > source: RIPE
    > >
    > > % Information related to '92.51.2.0/24AS209588'
    > >
    > > route: 92.51.2.0/24
    > > origin: AS209588
    > > mnt-by: ru-permtelecom-1-mnt
    > > created: 2023-05-12T12:04:13Z
    > > last-modified: 2023-05-12T12:04:13Z
    > > source: RIPE
    >
    > Reporting to NATO?


    I am sure NATO is well aware. This is part of Russia's "Hybrid Warfare".
    Do what you can to stay patched and secure. Aside from that, not a whole
    lot we can do. Until their leadership changes, this will be happening with increasing intensity.

    --
    Kind regards,

    /S

  • From Marco Moock@21:1/5 to All on Fri Jul 12 10:08:34 2024
    On 12.07.2024 um 05:35 Uhr tjoen wrote:

    > On 7/11/24 20:04, Randolf Richardson 張文道 wrote:
    > > ...
    > > person: Igor Gilmutdinov
    > > address: Malkova, 12
    > > address: 614087
    > > address: Perm
    > > address: RUSSIAN FEDERATION
    > > phone: +73422000289
    > > nic-hdl: IG2940-RIPE
    > > mnt-by: ru-permtelecom-1-mnt
    > > created: 2016-04-01T13:54:40Z
    > > last-modified: 2016-04-01T13:54:40Z
    > > source: RIPE
    > >
    > > % Information related to '92.51.2.0/24AS209588'
    > >
    > > route: 92.51.2.0/24
    > > origin: AS209588
    > > mnt-by: ru-permtelecom-1-mnt
    > > created: 2023-05-12T12:04:13Z
    > > last-modified: 2023-05-12T12:04:13Z
    > > source: RIPE
    >
    > Reporting to NATO?

    Feel free to do so, but computer operators know that attacks happen all
    the time (it is normal internet noise) and the real origin can be
    hidden rather easily to make evidence much harder, especially if ISPs
    don't cooperate.


    --
    kind regards
    Marco

    Send spam to 1720755357muell@cartoonies.org

  • From Marco Moock@21:1/5 to All on Fri Jul 12 09:53:10 2024
    On 11.07.2024 um 11:04 Uhr Randolf Richardson 張文道 wrote:

    > I'm wondering, has anyone encountered attacks from
    > any other IP addresses in this /24? I'm not finding
    > anything aside from 95.51.2.78 in our logs.

    I assume this is just a hacked machine that is being part of a botnet.
    It isn't even listed on uceprotect, spamhaus nor blocklist, so the
    amount of attacks to a wide range of addresses isn't that much.

    fail2ban should handle that.

    --
    kind regards
    Marco

    Send spam to 1720688663muell@cartoonies.org

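    The two things this thread turns on are a log search for the source block (the opening post's question about other addresses in the /24) and a threshold ban of the kind fail2ban applies. The script below is an added example and is not code from anyone in this thread; it is a Python model of that workflow, not fail2ban itself or its shipped filters. Every log line in it is a constructed sample, and the SQLI_RE heuristic, the maxretry/findtime values and the assumed 2024 year for the syslog lines are this example's own choices.

```python
"""
Added example, not code from anyone in this thread: scan constructed web
and Postfix log lines for SQL-injection-shaped contact-form submissions and
SMTP AUTH failures, tally hits per source /24, and apply a fail2ban-style
maxretry/findtime ban decision.

Every log line below is a constructed sample. The SQLI_RE heuristic and the
maxretry/findtime values are this example's own choices, not fail2ban's
shipped filters or defaults.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Constructed sample lines: combined-log format from the web server, and
# Postfix/SASL warnings from the mail server. Timestamps are invented.
ACCESS_LOG = """\
92.51.2.78 - - [11/Jul/2024:10:01:02 +0000] "POST /contact.php?name=a%27%20OR%201%3D1--&email=x HTTP/1.1" 400 12
92.51.2.78 - - [11/Jul/2024:10:01:05 +0000] "POST /contact.php?name=%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users-- HTTP/1.1" 400 12
92.51.2.78 - - [11/Jul/2024:10:01:09 +0000] "POST /contact.php?msg=1%3B%20DROP%20TABLE%20contacts%3B HTTP/1.1" 400 12
92.51.2.78 - - [11/Jul/2024:10:01:12 +0000] "POST /contact.php?name=x%27%20AND%20SLEEP%285%29-- HTTP/1.1" 400 12
198.51.100.7 - - [11/Jul/2024:10:02:00 +0000] "POST /contact.php?name=Alice&email=alice%40example.org HTTP/1.1" 200 512
92.51.2.200 - - [11/Jul/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
MAIL_LOG = """\
Jul 11 10:05:01 mx postfix/smtpd[1234]: warning: unknown[92.51.2.78]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 11 10:05:03 mx postfix/smtpd[1234]: warning: unknown[92.51.2.78]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MAIL_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)
# Heuristic for the classic injection shapes: quoted tautology, UNION SELECT,
# a stacked DDL/DML statement, and a time-based probe. It is run on the
# URL-decoded request target so %27/%20 encoding does not hide the payload.
SQLI_RE = re.compile(
    r"('\s*(or|and)\s+\d+\s*=\s*\d+)|(\bunion\b.+\bselect\b)"
    r"|(;\s*(drop|insert|update|delete)\b)|(\b(sleep|benchmark)\s*\()",
    re.IGNORECASE,
)


def scan(access_log, mail_log):
    """Return sorted (timestamp, ip, kind) events for SQLi-shaped requests and SMTP AUTH failures."""
    events = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and SQLI_RE.search(unquote_plus(m["target"])):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"], "sqli"))
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m:
            # syslog lines carry no year; the constructed sample is from 2024 (UTC assumed)
            ts = datetime.strptime(f"2024 {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((ts.replace(tzinfo=timezone.utc), m["ip"], "smtp-auth"))
    return sorted(events)


def hits_by_netblock(events, prefix=24):
    """Tally events per source address, keyed by the enclosing /prefix network."""
    out = defaultdict(lambda: defaultdict(int))
    for _, ip, _ in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        out[str(net)][ip] += 1
    return {net: dict(ips) for net, ips in out.items()}


def other_sources_in_block(events, known_ip, prefix=24):
    """Addresses in known_ip's /prefix that also produced events, excluding known_ip itself."""
    net = ipaddress.ip_network(f"{known_ip}/{prefix}", strict=False)
    return sorted({ip for _, ip, _ in events if ip != known_ip and ipaddress.ip_address(ip) in net})


def ban_decisions(events, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban semantics: ban an address the moment it reaches maxretry events inside any findtime window."""
    per_ip = defaultdict(list)
    for ts, ip, _ in events:
        per_ip[ip].append(ts)
    banned = {}
    for ip, times in per_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = t
                break
    return banned


if __name__ == "__main__":
    ev = scan(ACCESS_LOG, MAIL_LOG)
    print(hits_by_netblock(ev))
    print("other sources in /24:", other_sources_in_block(ev, "92.51.2.78"))
    for ip, when in ban_decisions(ev).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

    On the sample data only 92.51.2.78 produces events; 92.51.2.200 sits in the same /24 but only fetched a page, so the netblock check reports no other sources, which matches the observation in the opening post. The ban logic is the same sliding-window rule fail2ban's jail settings express; in production the regexes would live in a fail2ban filter and the ban in a firewall action rather than in a script.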
  • From D@21:1/5 to Sirius on Fri Jul 12 14:47:22 2024
    On Fri, 12 Jul 2024 09:00:51 +0200, Sirius <sirius@trudheim.com> wrote:
    > On fre, 2024/07/12 at 05:35:57 +0200, tjoen wrote:
    > > On 7/11/24 20:04, Randolf Richardson 張文道 wrote:
    > > > ...
    >
    > I am sure NATO is well aware. This is part of Russia's "Hybrid Warfare".
    > Do what you can to stay patched and secure. Aside from that, not a whole
    > lot we can do. Until their leadership changes, this will be happening with
    > increasing intensity.

    (using Tor Browser 13.5.1)
    https://www.site24x7.com/tools/whois-lookup.html
    Domain trudheim.com
    Registrar Ascio Technologies, Inc
    Registered On 2003-02-04T00:00:00Z
    Expires On 2027-02-04T16:57:21Z
    Updated On 2024-05-26T09:58:22Z
    Status OK https://icann.org/epp#ok
    Name Servers ds723.trudheim.com
    ns1.loopia.se
    ns2.loopia.se
    # Copyright (c) 1997- The Swedish Internet Foundation.
    [end quoted excerpt]

    (using Tor Browser 13.5.1) https://duckduckgo.com/?q=stand+for+the+flag+kneel+for+the+cross+meme (substitute the American flag with any other national flag and voilà!)

  • From Randolf Richardson 張文道@21:1/5 to Marco Moock on Fri Jul 12 11:00:34 2024
    On Fri, 12 Jul 2024 09:53:10 +0200
    Marco Moock <mm+usenet-es@dorfdsl.de> wrote:
    > On 11.07.2024 um 11:04 Uhr Randolf Richardson 張文道 wrote:
    >
    > > I'm wondering, has anyone encountered attacks from
    > > any other IP addresses in this /24? I'm not finding
    > > anything aside from 95.51.2.78 in our logs.
    >
    > I assume this is just a hacked machine that is being part of a botnet.
    > It isn't even listed on uceprotect, spamhaus nor blocklist, so the
    > amount of attacks to a wide range of addresses isn't that much.

    This fits with what I suspected. Thanks for taking a
    look into it.

    > fail2ban should handle that.

    Indeed. :)

    --
    Randolf Richardson 張文道, CNA - noc@inter-corporate.com
    Inter-Corporate Computer & Network Services, Inc.
    Beautiful British Columbia, Canada
    https://www.inter-corporate.com/
