I received an email like this from email@example.com:
What is our action item? I checked and I do not have any of the following hosts. I even contacted their help but did not get a good response. I got a response that is something I do not understand. Also, this is probably the 4th or 5th email from them.
Recently we have received a notice that an IP address originating from your Sonic account was flagged for sending malicious requests to another party. I have included the original report below.
The IP in question is: XXXXXXXXXXXXXX
It is likely that your account was compromised and needs to be secured. Please take the necessary action to check your devices for malware or viruses, and then change your passwords.
If you have any questions, you can respond to this email or contact our customer support department.
It is possible that this host is one of the following, from the responses that others have sent us:
- A compromised router, such as a D-Link that is running with WAN access enabled; a China Telecom which still allows a default admin username and password; a Netis, with a built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-se ... -backdoor/); or one running an old AirOS version with a vulnerable and exposed administrative interface
- An IPTV device that is vulnerable to compromise (such as HTV), either directly through the default firmware or through a trojan-downloaded app
- A compromised webhost, such as one running a vulnerable version of Drupal (for instance, using the vulnerability discussed at https://groups.drupal.org/security/faq-2018-002), WordPress, phpMyAdmin, or zPanel
- A compromised DVR, such as a "Hikvision" brand device (ref: https://www.hikvision.com/en/support/cy ... -products/)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06 ... ory-warns/)
- A compromised Xerox-branded device
- Some other compromised standalone device
- A server with an insecure password that was brute-forced, such as through SSH or RDP
- A server running an improperly secured Hadoop installation
- A server running a pre-13.10.3 GitLab instance that is vulnerable to CVE-2021-22205
- A compromised Microsoft DNS server (through the July 2020 critical vulnerability)
The overall botnet attack was Nx10Gbps in size (with traffic from your host as well as some others) and caused significant packet loss for our clients due to external link saturation. It required an emergency null-route operation on our side to mitigate.
Attacks like this are usually made very short, intentionally, so that they are not as noticeable and slip past certain automatic mitigation systems. From your side, you would be able to observe the attack as a burst of traffic that likely saturated the network adapter of the source device for perhaps 30 seconds. Since the source device is a member of a botnet that is being used for many attacks, you will see many other mysterious bursts of outbound traffic, as well.
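As an added example (not part of the original post or of the quoted email), here is a small Python burst detector for the pattern the notice describes: short runs of outbound traffic far above a host's normal level, sometimes saturating the uplink for about 30 seconds. The per-second byte counts, link speed and thresholds below are constructed assumptions; on a real host you would feed it interface counters or flow records.

```python
"""Flag short outbound-traffic bursts like the ones in the abuse notice.

Input: per-second outbound byte counts for one interface (constructed here).
A burst is a run of consecutive seconds well above the host's baseline;
the notice says such bursts last about 30 seconds and recur over time.
"""
from statistics import median

MBIT = 125_000  # bytes per second in one megabit per second


def detect_bursts(samples, link_bps, ratio=20.0, min_seconds=5, saturation=0.8):
    """Return a list of (start_s, end_s, peak_bytes, saturated) per burst.

    samples:  outbound bytes in each one-second interval.
    link_bps: link capacity in bytes/s, used only for the 'saturated' flag.
    A second is 'hot' when it exceeds ratio x the median of all samples
    (the median is robust to the bursts themselves); a run of at least
    min_seconds consecutive hot seconds is reported as one burst.
    """
    baseline = max(median(samples), 1)
    threshold = baseline * ratio
    bursts = []
    start = None
    for i, b in enumerate(samples + [0]):  # sentinel closes a trailing burst
        if b > threshold:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_seconds:
                peak = max(samples[start:i])
                bursts.append((start, i - 1, peak, peak >= saturation * link_bps))
            start = None
    return bursts


# Constructed sample: 120 s on a quiet host behind a 100 Mbit uplink, with one
# 30-second burst at t=40 that saturates the link, plus a 2-second spike at
# t=100 (a legitimate upload, shorter than min_seconds, so not reported).
LINK = 100 * MBIT
SAMPLES = [20_000] * 120
for t in range(40, 70):
    SAMPLES[t] = int(0.95 * LINK)
SAMPLES[100] = SAMPLES[101] = 5 * MBIT

if __name__ == "__main__":
    for s, e, peak, sat in detect_bursts(SAMPLES, LINK):
        print(f"burst {s}-{e}s ({e - s + 1}s), peak {peak / MBIT:.1f} Mbit/s, "
              f"saturated={sat}")
```

Repeated hits from the same host over days, rather than a single burst, are the stronger sign that it is a botnet member and should be taken off the network and rebuilt.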