[sudo-sys] Fwd: [omni-accounts] [LMi.net #82139] [ABUSE] Your server 142.254.26.9 has been registered as an attack source

Somebody's infected windows laptop? Or spoofed user agent? I'm not sure the best way to filter out stuff like this. ---------- Forwarded message ---------- From: Support &lt;support(a)lmi.net&gt; Date: Mon, Aug 28, 2017 at 4:14 PM Subject: Re: [omni-accounts] [LMi.net #82139] [ABUSE] Your server 142.254.26.9 has been registered as an attack source To: accounts(a)omnicommons.org Hello, We have received a report that your IP address has participated in sending known spam/a large-scale attack against another network/detected malicious requests from the IP listed below. The reported IP address is: 142.254.26.9 ================== 16/Aug/2017:08:46:34 - 142.254.26.9 - - [ +0300] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" 16/Aug/2017:08:46:35 - 142.254.26.9 - - [ +0300] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" ] Url: [www1.edis.at:60412/verify.php] Remote connection [142.254.26.9:65325] Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1] Url: [noranoritastudiosandros.gr/xmlrpc.php] Remote connection [142.254.26.9:53884] Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1] Post data: [Array ( [<?xml version] => "1.0" encoding ) ] It is likely that your network was compromised and needs to be secured. Please check your network to ensure this does not repeat. Best, -- LMi.net Technical Support 510-843-6389 Ext. 4 lmi.net/support