Your contract number: 86501125
Your customer ID: 718080425
Your reference number: AB125893220

Dear Noble Becker,

A security risk has been detected on your IONOS server. We have been informed that your server is the source of outgoing attacks against third parties.

Host / IP of your server: 74.208.93.221

Details about this incident can be found at the end of this e-mail.

The following measures will be necessary in order to restore security to your IONOS contract:

1. Remove the affected files and services
Please analyze which services, software and files have been saved or modified by third parties on your server. Please remove the malicious content or configuration within 48 hours.

2. Protect yourself from future attacks
Keep the operating system of your server and the software up to date. Change all passwords saved on your server (e.g. for mail servers, external services, databases). It is highly likely that attackers stole them.

3. Inform us about the measures you have taken
Please give us short feedback after cleaning the server. Please reference [Ticket AB125893220] in your message.

Give Us a Call: 24 Hours a Day, 7 Days a Week
(+1) 877 206 4253 (toll-free within the US and CA).

Note: If the security incident is not resolved within 48 hours, we will disconnect your server from the network.

Tip: If it is not possible to clean up the server, please reinitialize it. We recommend checking any backups you have for malicious content before restoring them.

Thank you for cooperating with us to ensure the security of your server and the security of others on the web.
Details about the incident:

74.208.93.221 is blacklisted in Spamhaus XBL / Abuseat CBL:
- https://www.spamhaus.org/query/ip/74.208.93.221
- http://www.abuseat.org/lookup.cgi?ip=74.208.93.221

Check for other issues with 74.208.93.221:
- http://multirbl.valli.org/dnsbl-lookup/74.208.93.221.html
- https://blocklist.info?74.208.93.221
- https://www.abuseipdb.com/check/74.208.93.221

=============================================================
BEWARE: AUTOMATIC DELISTING POLICY - DO NOT REQUEST DELISTING
-------------------------------------------------------------
The EGP Cloudblock RBL has an automated removal policy. The MINIMUM number of days that 74.208.93.221 will be blacklisted depends on the number of times 74.208.93.221 was blacklisted by us before.

The current blacklist status for 74.208.93.221 is: [ strike 1: 1 day minimum ]

The countdown to automatic delisting starts at the timestamp of this notification. Listings will ONLY be removed after the minimum blacklisting period (see 'strike') has lapsed. Delistings will be retried once every hour.

The current automatic delisting periods for single IP addresses (/32) are:
* strike 1: after a minimum of 1 day
* strike 2: after a minimum of 3 days
* strike 3: after a minimum of 7 days
* strike 4: after a minimum of 30 days
* strike 5: after a minimum of 60 days
* strike > 5: after a minimum of 90 days

Expanded listings occur automatically when at least 50% of a CIDR block is blacklisted:
CIDR /29: 4/8 blocked IPs -> the entire /29 is blacklisted
CIDR /28: 8/16 blocked IPs -> the entire /28 is blacklisted
CIDR /27: 16/32 blocked IPs -> the entire /27 is blacklisted
CIDR /26: 32/64 blocked IPs -> the entire /26 is blacklisted
CIDR /25: 64/128 blocked IPs -> the entire /25 is blacklisted
CIDR /24: 128/256 blocked IPs -> the entire /24 is blacklisted

Expanded listings (listings greater than a single IP address: /29, /26, /24, etc.) are always blacklisted for a minimum of 90 days.
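The strike table and the 50% expansion rule above determine how much of an address range a single compromised host can take down with it, which is the collateral a hoster or network owner most wants to estimate. The following Python is an added worked example (not code from IONOS or the EGP Cloudblock RBL) that applies those two rules to a set of listed addresses. It assumes that only individually listed /32 addresses count towards the 50% threshold of a larger block (the report does not say whether already-expanded blocks themselves count towards wider ones), and the sample addresses are constructed from the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Policy values as stated in the report: minimum listing days per strike
# for a single /32; anything beyond strike 5 is 90 days.
SINGLE_IP_MIN_DAYS = {1: 1, 2: 3, 3: 7, 4: 30, 5: 60}
DEFAULT_MIN_DAYS = 90
# Expanded listings (/29 and wider) are always listed for at least 90 days.
EXPANDED_MIN_DAYS = 90
# Block sizes the report expands to, from /29 up to /24.
EXPANSION_PREFIXES = range(29, 23, -1)
EXPANSION_RATIO = 0.5


def min_listing_days(strike: int) -> int:
    """Minimum listing period for a single /32 at the given strike count."""
    if strike < 1:
        raise ValueError("strike counts start at 1")
    return SINGLE_IP_MIN_DAYS.get(strike, DEFAULT_MIN_DAYS)


def expanded_listings(listed_ips):
    """Return the CIDR blocks (/29 .. /24) that the 50% rule expands to.

    Assumption (not stated in the report): only directly listed /32
    addresses are counted; blocks that were themselves expanded are not
    re-counted when evaluating a wider block.
    """
    ips = {ipaddress.ip_address(s) for s in listed_ips}
    expanded = set()
    for prefix in EXPANSION_PREFIXES:
        counts = {}
        for ip in ips:
            # enclosing block of this prefix length for each listed address
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[net] = counts.get(net, 0) + 1
        for net, n in counts.items():
            if n >= EXPANSION_RATIO * net.num_addresses:
                expanded.add(net)
    return expanded


def listing_for(ip, listed_ips, strike=1):
    """Describe how `ip` is affected: (broadest block containing it, minimum days).

    An address inside an expanded block is blocked even if it was never
    listed on its own; that is the collateral effect the report warns about.
    """
    addr = ipaddress.ip_address(ip)
    blocks = [n for n in expanded_listings(listed_ips) if addr in n]
    if blocks:
        widest = min(blocks, key=lambda n: n.prefixlen)
        return str(widest), EXPANDED_MIN_DAYS
    if addr in {ipaddress.ip_address(s) for s in listed_ips}:
        return f"{addr}/32", min_listing_days(strike)
    return None, 0


if __name__ == "__main__":
    # Constructed sample: four listed hosts in one /29 of the documentation range.
    listed = ["203.0.113.0", "203.0.113.1", "203.0.113.2", "203.0.113.3"]
    for block in sorted(expanded_listings(listed), key=lambda n: n.prefixlen):
        print("expanded listing:", block)
    # A neighbour that was never listed itself is still caught by the /29.
    print(listing_for("203.0.113.5", listed))
```

Running the script shows that four listings in one /29 are enough to block all eight addresses of that /29 for at least 90 days, while the same four addresses are still below the 8/16 threshold of the enclosing /28; a fifth address in the block, 203.0.113.5, is reported as blocked through the /29 although it never appeared on the list.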
==============
ABOUT THIS RBL
--------------
* The EGP Cloudblock RBL is a semi-private RBL; its listings are not made public, and cannot be queried from the outside. They are, however, shared in real time within our networks and our partners' and subscribers' networks, and they are used for firewalling, greylisting, tarpitting, and other types of blocking (mail, web, DNS, and others).
* The purpose of this email (and a separate email, containing details about the abusive traffic) is to perform a basic, civic Internet duty: to make you aware of abuse coming from an IP address or network under your supervision.
* How you decide to handle these reports (if at all) is entirely up to you. We do not require a reply, a ticket, an acknowledgment, or even any action from you. Just note that repeated abuse from your IP space will lead to an increasingly longer, and increasingly broader, refusal to accept any traffic from you to any of our networks, or our partners' networks.
* We invite you to look at this information and to take action to prevent it from reoccurring or spreading. This may be a private blacklist; public blacklists are even harder to get out of. It may not be too late to salvage your IP space's reputation. Consider this an early warning.
* If you need to get in touch with us, the only point of contact is . Requests for delisting (or exemption) will not be taken into consideration; the process is fully automated.
* We offer as much information in our reports as we possibly can. Additional information will only be given to you if it is in our own interest to do so. We do not respond to demands, threats, or protests.
* A NOTE TO RESEARCH AND SECURITY SCANNERS: https://cloudblock.espresso-gridpoint.net/scanners.txt

==============================
Why did *YOU* get this e-mail?
------------------------------
* We like to operate in a transparent and predictable fashion and think you should be made aware of abuse emanating from your IP space, so we will inform you about blacklisting. Your e-mail address was retrieved (best-guessed) automatically from public WHOIS/RDAP data (e.g. https://www.whois.com/whois/74.208.93.221 and https://client.rdap.org/?type=ip&object=74.208.93.221/32) and other public IP/domain-related information. If is not the correct e-mail address to report abuse and security issues inside your network(s), please update your public WHOIS/RDAP data or ask your ISP or IP owner to do so.
* Check http://multirbl.valli.org/dnsbl-lookup/74.208.93.221.html, https://blocklist.info?74.208.93.221, and https://www.abuseipdb.com/check/74.208.93.221 for possible other issues with 74.208.93.221/32.
* Note that we also blacklist (and expand blacklistings) based on traffic flow analysis and DNS/BGP/AS/RIR/LIR data without actual evidence of abuse on record; i.e. we take broader network hygiene and reputation into account.
* Warning: the continued presence of either an 'SBL' or an 'XBL' listing at https://www.spamhaus.org/query/ip/74.208.93.221 will lead to automatic (re)listing when 74.208.93.221 contacts any of our servers, and it will prevent automatic delisting from the EGP Cloudblock RBL.

Is 74.208.93.221/32 listed in the Spamhaus CSS / Spamhaus SBL? --> YES.
91.190.x.x.587: Flags [S], seq 283690021, win 0, options [mss 1460], length 0
74.208.93.221 tpc-033.mach3builders.nl 20210220/23:00:15 23:00:07.581809 rule 0/0(match): block in on vmx0: 74.208.93.221.53749 > 91.190.x.x.587: Flags [S], seq 643779339, win 0, options [mss 1460], length 0
74.208.93.221 tpc-033.mach3builders.nl 20210220/23:00:18 23:00:07.805797 rule 0/0(match): block in on vmx0: 74.208.93.221.52497 > 91.190.x.x.587: Flags [S], seq 3997631172, win 0, options [mss 1460], length 0
74.208.93.221 tpc-033.mach3builders.nl 20210221/00:01:05 00:01:02.282286 rule 0/0(match): block in on vmx0: 74.208.93.221.60229 > 91.190.x.x.587: Flags [S], seq 660175137, win 0, options [mss 1460], length 0
74.208.93.221 tpc-033.mach3builders.nl 20210221/01:02:15 01:02:00.588427 rule 0/0(match): block in on vmx0: 74.208.93.221.55452 > 91.190.x.x.587: Flags [S], seq 268310055, win 0, options [mss 1460], length 0
74.208.93.221 tpc-003.mach3builders.nl 20210306/06:36:32 06:36:26.362393 rule 0/0(match): block in on vmx0: 74.208.93.221.57593 > 91.190.x.x.587: Flags [S], seq 1766365061, win 0, options [mss 1460], length 0
74.208.93.221 tpc-003.mach3builders.nl 20210306/07:37:06 07:37:01.784312 rule 0/0(match): block in on vmx0: 74.208.93.221.58977 > 91.190.x.x.587: Flags [S], seq 2229417757, win 0, options [mss 1460], length 0
74.208.93.221 tpc-003.mach3builders.nl 20210306/08:38:22 08:38:00.887052 rule 0/0(match): block in on vmx0: 74.208.93.221.59648 > 91.190.x.x.587: Flags [S], seq 2935335936, win 0, options [mss 1460], length 0

=============================================
Notes:
---------------------------------------------
* Any line containing a 'GET' or a 'POST' request refers to an attempt to access, exploit, or test for, a vulnerability or an attack vector on a webserver. The most prevalent attempts are 'wp-login' and 'wp-admin', and Joomla/Drupal equivalents. We host zero WordPress/Joomla/Drupal installations. This is usually a sign of a computer that is itself infected with a trojan or other malware, and is looking to infect other machines.
* Connections must have completed the three-way handshake before being logged and processed; spoofed connection attempts are not logged and not blacklisted.
* We will not help you solve your problem. Please talk to a professional systems administrator, and/or scan your system using up-to-date antivirus software, and/or talk to your ISP or hoster.

----------------------------------------------------------------------------------------------------
Current EGP Cloudblock RBL listings in 74.208.93.221/32:
------------------------------------------------------------------------------------------...

Sincerely,
Hosting Security
--
1&1 IONOS Inc.