Somebody's infected Windows laptop? Or spoofed user agent? I'm not
sure the best way to filter out stuff like this.
---------- Forwarded message ----------
From: Support <support(a)lmi.net>
Date: Mon, Aug 28, 2017 at 4:14 PM
Subject: Re: [omni-accounts] [LMi.net #82139] [ABUSE] Your server 142.254.26.9 has been registered as an attack source
To: accounts(a)omnicommons.org
Hello,
We have received a report that your IP address has participated in
sending known spam/a large-scale attack against another
network/detected malicious requests from the IP listed below.
The reported IP address is: 142.254.26.9
==================
16/Aug/2017:08:46:34 - 142.254.26.9 - - [ +0300] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
16/Aug/2017:08:46:35 - 142.254.26.9 - - [ +0300] "POST /xmlrpc.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
]
Url: [www1.edis.at:60412/verify.php]
Remote connection [142.254.26.9:65325]
Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1]
Url: [noranoritastudiosandros.gr/xmlrpc.php]
Remote connection [142.254.26.9:53884]
Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1]
Post data: [Array
(
[<?xml version] => "1.0" encoding
)
]
It is likely that your network was compromised and needs to be
secured. Please check your network to ensure this does not repeat.
Best,
--
LMi.net Technical Support
510-843-6389 Ext. 4
lmi.net/support