[sudo-sys] Fwd: [omni-accounts] [LMi.net #82139] [ABUSE] Your server 142.254.26.9 has been registered as an attack source

Yardena Cohen yardenack at gmail.com
Mon Aug 28 17:56:04 PDT 2017


Somebody's infected Windows laptop? Or spoofed user agent? I'm not
sure the best way to filter out stuff like this.

---------- Forwarded message ----------
From: Support <support at lmi.net>
Date: Mon, Aug 28, 2017 at 4:14 PM
Subject: Re: [omni-accounts] [LMi.net #82139] [ABUSE] Your server
142.254.26.9 has been registered as an attack source
To: accounts at omnicommons.org


Hello,

We have received a report that your IP address has participated in
sending known spam/a large-scale attack against another
network/detected malicious requests from the IP listed below.

The reported IP address is: 142.254.26.9
==================
16/Aug/2017:08:46:34 - 142.254.26.9 - - [  +0300] "POST /xmlrpc.php HTTP/1.0"
302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101
Firefox/40.1"
16/Aug/2017:08:46:35 - 142.254.26.9 - - [  +0300] "POST /xmlrpc.php HTTP/1.0"
302 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101
Firefox/40.1"
]
Url: [www1.edis.at:60412/verify.php]
Remote connection  [142.254.26.9:65325]
Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101
Firefox/40.1]
Url: [noranoritastudiosandros.gr/xmlrpc.php]
Remote connection  [142.254.26.9:53884]
Agent: [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101
Firefox/40.1]
Post data: [Array
(
    [<?xml version] => "1.0" encoding
)
]

It is likely that your network was compromised and needs to be
secured. Please check your network to ensure this does not repeat.

Best,

--
LMi.net Technical Support
510-843-6389 Ext. 4
lmi.net/support
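
The report above gives the source port of each offending connection, which is the detail that can single out one machine behind a shared public address. The Python below is an added example, not part of the original message or the LMi.net report: it pulls those ports out of the report and looks them up in a NAT translation log. That 142.254.26.9 is a NAT address, the log format, the 10.0.0.x addresses and the function names are all assumptions.

```python
import re

# Excerpt of the abuse report quoted above (Agent lines omitted).
REPORT = """\
Url: [www1.edis.at:60412/verify.php]
Remote connection  [142.254.26.9:65325]
Url: [noranoritastudiosandros.gr/xmlrpc.php]
Remote connection  [142.254.26.9:53884]
"""

# Constructed NAT translation log. The format and the internal addresses are
# hypothetical: "<internal_ip>:<internal_port> -> <public_ip>:<public_port>"
NAT_LOG = """\
10.0.0.23:49152 -> 142.254.26.9:65325
10.0.0.57:50211 -> 142.254.26.9:40000
10.0.0.23:49153 -> 142.254.26.9:53884
"""

# A "Url:" line followed directly by its "Remote connection" line.
PAIR_RE = re.compile(
    r"Url:\s*\[(?P<url>[^\]]+)\]\s*\n"
    r"Remote connection\s*\[(?P<ip>[\d.]+):(?P<port>\d+)\]"
)
NAT_RE = re.compile(
    r"^(?P<inner>[\d.]+):\d+ -> (?P<ip>[\d.]+):(?P<port>\d+)$", re.M
)


def reported_connections(report):
    """Return (url, public_ip, source_port) for each entry in the report."""
    return [(m["url"], m["ip"], int(m["port"])) for m in PAIR_RE.finditer(report)]


def internal_hosts(report, nat_log):
    """Map each reported URL to the internal host that owned the source port.

    The value is None when the NAT log has no entry for that public ip:port.
    """
    table = {(m["ip"], int(m["port"])): m["inner"] for m in NAT_RE.finditer(nat_log)}
    return {url: table.get((ip, port)) for url, ip, port in reported_connections(report)}


if __name__ == "__main__":
    for url, host in internal_hosts(REPORT, NAT_LOG).items():
        print(f"{url:45} <- {host or 'no NAT entry'}")
```

Source ports are reused over time, so a lookup against real logs also has to match on the connection time, not on the port alone.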
