Email from Abuse@sonic

General discussions and other topics.
3 posts Page 1 of 1
by saggidarren » Sun Jan 29, 2023 5:02 pm
Hello,
I received an email like this from abuse@sonic.net:

What is our action item? I checked and I do not have any of the following hosts. I even contacted their help but did not get a good response. I got a response that is something I do not understand. Also, this is probably the 4th or 5th email from them.

>>>>>>>>>>>>>

Recently we have received a notice that an IP address originating from your Sonic account was flagged for sending malicious requests to another party. I have included the original report below.
The IP in question is: XXXXXXXXXXXXXX
It is likely that your account was compromised and needs to be secured. Please take the necessary action to check your devices for malware or viruses, and then change your passwords.
If you have any questions, you can respond to this email or contact our customer support department.

It is possible that this host is one of the following, from the responses that others have sent us:

- A compromised router, such as a D-Link that is running with WAN access enabled; a China Telecom which still allows a default admin username and password; a Netis, with a built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-se ... -backdoor/); or one running an old AirOS version with a vulnerable and exposed administrative interface
- An IPTV device that is vulnerable to compromise (such as HTV), either directly through the default firmware or through a trojan-downloaded app
- A compromised webhost, such as one running a vulnerable version of Drupal (for instance, using the vulnerability discussed at https://groups.drupal.org/security/faq-2018-002), WordPress, phpMyAdmin, or zPanel
- A compromised DVR, such as a "Hikvision" brand device (ref: https://www.hikvision.com/en/support/cy ... -products/)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06 ... ory-warns/)
- A compromised Xerox-branded device
- Some other compromised standalone device
- A server with an insecure password that was brute-forced, such as through SSH or RDP
- A server running an improperly secured Hadoop installation
- A server running a pre-13.10.3 GitLab instance that is vulnerable to CVE-2021-22205
- A compromised Microsoft DNS server (through the July 2020 critical vulnerability)

The overall botnet attack was Nx10Gbps in size (with traffic from your host as well as some others) and caused significant packet loss for our clients due to external link saturation. It required an emergency null-route operation on our side to mitigate.

Attacks like this are usually made very short, intentionally, so that they are not as noticeable and slip past certain automatic mitigation systems. From your side, you would be able to observe the attack as a burst of traffic that likely saturated the network adapter of the source device for perhaps 30 seconds. Since the source device is a member of a botnet that is being used for many attacks, you will see many other mysterious bursts of outbound traffic, as well.
<<<<<<<<<<<<<<<<
by brandonc » Fri Mar 03, 2023 10:00 am
Hello,

This is an email from Sonic notifying you that a device/IP address on your network acted in a malicious way with another Sonic customer. In this case, it's reported that there was a DDoS attack (essentially data flooding someone's connection, so it freezes their connection for long periods of time) that originated from a device on your network, most likely a compromised computer.

You need to identify which device on your network has the IP address we listed in the emails sent by abuse@sonic.com, then disconnect it from the internet connection until you can disinfect the device.

I hope this helps!

Kind regards,
Brandon C.
Community and Escalations
Sonic
by rus » Thu Mar 09, 2023 4:11 pm
Check the mail headers on that message. I got one of those messages about the same time and it was spam, sent from someone outside of Sonic according to the headers (that phishing-friendly ISP aruba.it). I get monthly spams these days misrepresenting themselves as official sonic.net communications. Sometimes they have mostly real sonic.net URLs, but often there's one that's there to phish for your personal and account info. And yes, they are familiar with Sonic message contents, style, formatting and fonts, so be careful. Support doesn't seem to want to hear about them.

rus
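As an added example (not part of the thread, and not Sonic's tooling), the header check rus recommends, done with Python's standard email parser: it reads the From domain, the topmost Received hop (the one your own mail server recorded, the only hop the sender cannot forge) and the Authentication-Results verdicts, and flags the message when they disagree. The sample message, host names, IP address and results are constructed.

```python
import re
from email import message_from_string, policy

# Constructed sample, not a real Sonic notice; hosts, IP and results are made up.
SAMPLE_RAW = """\
Received: from mail.example-host.aruba.it (mail.example-host.aruba.it [203.0.113.10])
\tby mx.example.net with ESMTP id abc123
\tfor <user@example.net>; Thu, 09 Mar 2023 10:00:00 -0800
Authentication-Results: mx.example.net;
\tspf=fail smtp.mailfrom=example-host.aruba.it;
\tdkim=none; dmarc=fail header.from=sonic.net
From: Sonic Abuse <abuse@sonic.net>

Recently we have received a notice that an IP address ...
"""

def _flat(value):
    # Collapse header folding so one regex sees the whole value.
    return re.sub(r"\s+", " ", str(value or ""))

def from_domain(msg):
    m = re.search(r"@([\w.-]+)", _flat(msg["From"]))
    return m.group(1).lower() if m else ""

def first_hop(msg):
    # Topmost Received header = the hop your own MX recorded. Only that hop is
    # trustworthy; any Received lines below it were written by the sender.
    top = _flat((msg.get_all("Received") or [""])[0])
    host = re.search(r"\bfrom\s+(\S+)", top)
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", top)
    return (host.group(1).lower() if host else ""), (ip.group(1) if ip else "")

def auth_results(msg):
    # spf/dkim/dmarc verdicts as stamped by the receiving MX.
    ar = _flat(msg["Authentication-Results"]).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))

def assess(raw):
    msg = message_from_string(raw, policy=policy.default)
    dom, (host, ip), auth = from_domain(msg), first_hop(msg), auth_results(msg)
    reasons = []
    for check in ("spf", "dmarc"):
        if auth.get(check) != "pass":
            reasons.append(f"{check}={auth.get(check, 'none')}")
    if not (host == dom or host.endswith("." + dom)):
        reasons.append(f"first hop {host!r} is not under {dom!r}")
    return {"from_domain": dom, "first_hop": host, "ip": ip, "auth": auth,
            "suspicious": bool(reasons), "reasons": reasons}
```

Run `assess()` on the raw source of the message ("show original" in most mail clients); a genuine notice should pass DMARC and arrive from a host under the From domain.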