Thursday, August 25, 2016

Representative Wagner, Pennsylvania - Just a quick note

So we started seeing some references to Representative Wagner in PA in dumps today. It was his username and an obvious password. We tried to contact them to let them know and were greeted with this:

<dwagner@state.pa.us>: host mx1.pa.iphmx.com[68.232.140.80] said: 550 #5.1.0
    Address rejected. (in reply to RCPT TO command)
 
Now what if I was trying to email my state representative? I guess I would be out of luck because Cisco decided that I can't email them, right?

Well, you can thank Cisco IronPort. Apparently Cisco has us on their blocklist and hasn't removed us. Maybe because we make them look stupid by posting their passwords, such as this one...
 
August 24th 2016, 20:00:00.000
nhg@cisco.com|Gold*****
9988
 
 
Don't you just love it when these companies rely on a useless piece of technology like the IronPort devices?

Monday, June 20, 2016

Deep Diving xDedic Marketplace

First off I would like to thank Securelist for posting the full unredacted IP address information on the servers posted to Pastebin in their recent article. Upon seeing the file I decided to have our analyst take a look and see what servers were affected and figure out who owns those servers (the companies affected).

Using our Intelligence Platform to process the 70,000+ entries and to perform analytic modeling on the data, we came up with the following.

Ingest Time: 35 seconds
Total Records Ingested: 176,076
DNS Enrichment: 5 minutes 25 seconds

So now we have the data in our big data platform and we want to see exactly what the IPs resolve to. Our goal is to figure out which companies are affected by this and were breached without being aware of it, and to notify them.
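The enrichment step described above, as an added example that is not the blog's platform code: take the "ip:port" lines of a leaked server list, reverse-resolve each address, and bucket the hosts by the registrable domain of the PTR name so notifications can be grouped per owner. The sample entries and the PTR answers are constructed (RFC 5737 documentation addresses) so the block runs offline; passing resolver=None switches to live DNS. The short suffix set is a stand-in for the Public Suffix List.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample in the "ip:port" layout of the leaked server list; these are
# RFC 5737 documentation addresses, not entries from the real dump.
SAMPLE_ENTRIES = """
203.0.113.10:3389
203.0.113.11:3389
198.51.100.7:3389
198.51.100.7:3390
192.0.2.44:3389
not an address
"""

# Constructed PTR answers so the example runs offline; resolver=None uses live DNS instead.
FAKE_PTR = {
    "203.0.113.10": "rdp1.corp.example.com",
    "203.0.113.11": "mail.corp.example.com",
    "198.51.100.7": "web.example-hospital.org",
    # 192.0.2.44 deliberately has no PTR record
}

# A handful of multi-label public suffixes; a production pipeline should load the
# full Public Suffix List instead of this short stand-in.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "gov.uk", "com.au", "edu.au", "co.ke", "ac.ke"}


def parse_entries(text):
    """Return unique IP addresses from 'ip:port' lines, skipping anything that is not an address."""
    seen = []
    for line in text.splitlines():
        host = line.strip().rsplit(":", 1)[0]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # blank line, header, or garbage
        if host not in seen:
            seen.append(host)
    return seen


def resolve_ptr(ip, resolver=None):
    """Reverse-resolve one address. resolver is a dict for offline use; None means live DNS."""
    if resolver is not None:
        return resolver.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def registrable_domain(hostname):
    """Collapse a PTR name to its registrable domain (host.dept.example.com -> example.com)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_owner(text, resolver=None):
    """Map registrable domain -> listed IPs; addresses without a PTR land under '(no PTR)'."""
    owners = defaultdict(list)
    for ip in parse_entries(text):
        ptr = resolve_ptr(ip, resolver)
        owners[registrable_domain(ptr) if ptr else "(no PTR)"].append(ip)
    return dict(owners)


if __name__ == "__main__":
    for domain, ips in sorted(group_by_owner(SAMPLE_ENTRIES, FAKE_PTR).items()):
        print(f"{domain:<25} {len(ips):>3} host(s): {', '.join(ips)}")
```

One caveat worth keeping in mind when reading the output: PTR records are written by whoever controls the netblock, which is often a hosting provider rather than the company running the server, so the grouping tells you who to ask, not necessarily who was breached. WHOIS on the address and a forward lookup of the PTR name (does it resolve back to the same IP?) are the next checks before sending a notification.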

More information will be posted shortly...

Monday, June 6, 2016

UPDATED: A look at Guardzilla - They have eyes even when you don't!

Look familiar? Well, this device started showing up in all the big box retailers last year so we decided to give one a try. Hooking the device up to an EVDO hotspot on Verizon was interesting at best. During our testing we discovered that the device streams continuously back to Guardzilla (even if you don't subscribe to their monitoring) all the time. So this "security" device has some serious "privacy" issues. The way most cameras work is that you access the camera and it streams the images to you directly, but Guardzilla is not set up that way. When you set up the device it ALWAYS streams the video back to Guardzilla even if you don't subscribe to that service.

This is troubling for a number of reasons, as now Guardzilla gets a sneak peek into your "secure" area without your consent.

The Guardzilla Privacy Policy:
Practecol takes reasonable efforts to ensure that your personal information is protected while you use the Services.

Oh, and there's this line:
Also, video, audio, and other information received or recorded by your Guardzilla device may be stored on our servers or the servers of third parties.

I wonder who these third parties are because they are not disclosed anywhere in the privacy policy or terms of use.

Wait, what?! So let me get this straight: the information is protected while you use the services but not when you're not using the services. So if I'm watching the video I'm now being protected by reasonable efforts to ensure that my information is protected, but when I stop using the services they are not protected any longer? This is quite confusing honestly. So while you're in bed sleeping your information is not protected because you're not actively using the services?

Here's the problem. Even when you don't subscribe to the recording and playback features offered by Guardzilla the device still streams to Guardzilla, and we assume that the video is being stored, otherwise why would you send it? What tipped us off was the fact that the device uses nearly 1GB of bandwidth per day even when you're not viewing the camera. So basically you're allowing Guardzilla to see into your protected space and to hear everything that goes on in this space, because these devices are constantly streaming even when you are not using them.

We thought you might like to know. I can tell you this. Our Guardzilla test unit is about to be smashed in the parking lot never to be seen or heard from again.... Ever...

UPDATE: So Guardzilla reached out to me via email and specifically stated that this is how the product works. I definitely would NOT recommend the purchase of these devices under any circumstances, since the terms of service basically say they can do what they want with your videos, and the fact that it will use 30GB of data per month is ridiculous. Best to purchase a camera that only sends the information to you and only when requested.

Saturday, June 4, 2016

University of Berkeley In Trouble AGAIN

Started seeing reports from the University of Berkeley again this evening. Specifically 169.229.3.91 which has been observed trying to run shellcode against a rash of servers the last 2 weeks. The activity is very high today. Maybe the "Office of the President" at Berkeley can hire somebody to secure their network. Not that they have ever been breached or anything.

We have a history with reporting on activity at Berkeley. Search our archives for more information. 

Tuesday, May 24, 2016

Russia gets the jump with DMA Locker

Over the course of the last few days we have been monitoring the malware known as DMA Locker. It appears as though Russia is building some really good capabilities for infecting workstations, with zero detection currently in any of the antivirus products that we have tested.

In addition there is only 1 sample on VirusTotal, and none of the other vendors except Malwarebytes are even taking a look at this one.

As you can see below our analytics products are pointing squarely at Russia on this one. Keep your eyes out and check out our threat intelligence for more information.

Screenshot Courtesy of Jigsaw Security (www.jigsaw-security.com) 

Keep an eye on this one!

Thursday, February 25, 2016

Cornell University looks the other way

As part of a new initiative to notify users of leaked credentials, Jigsaw Security, a member of SLC Security, notified Cornell of a security issue. The response from Tom McMahon was interesting.

Quote:
"Stop scaring our users."

The interesting thing is that Cornell has been hacked numerous times as evidenced by the following: 
http://www.databreaches.net/u-of-hawaii-and-cornell-university-hacked-by-marxistattorney/ 
http://pastebin.com/GRTDZ6Ns
http://timesofindia.indiatimes.com/tech/it-services/Indian-student-in-Cornell-University-hacks-into-ICSE-ISC-database/articleshow/20450666.cms

We could go on and on but we can certainly understand their reluctance to respond to notifications. Hopefully the end users are more concerned about these disclosures than the administration. 

Saturday, February 20, 2016

American Museum of Natural History

Looks to us like information from this site has been pulled down by hackers. We are notifying the affected users...

Tuesday, January 19, 2016

Large Numbers of MIT Email accounts leaked

We have noted a large amount of MIT related email accounts showing up on Darknet forums and in leaks posted to Paste sites.

The information posted includes 98 accounts and additional information. The information is verified as we have been able to get confirmation from several students and staff.

Sunday, January 17, 2016

Credit Suisse accounts start appearing online

We started noticing credit-suisse accounts showing up online this evening. Our system that collects information on compromised accounts started alerting to accounts at the firm. It is not known if the accounts detected are end user accounts or corporate accounts.

Wednesday, January 13, 2016

State of Virginia DHRM fails to respond to notification

On 1-7-2016 a researcher that assists Jigsaw Security noted some issues with documents posted on the DHRM website. A PDF posted by this organization contained information that was obfuscated by blocks, but the document was layered (the blocks sat on top of the original image), so if you edit the document the blocks can be removed and the original content is then visible.

The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.

As of the posting of this article the document remains on the web1.dhrm.virginia.gov website and there has been no response from the contact, Nancy Tobin, identified as the document's author. Our email was not returned as undeliverable.

We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue. 


We notified them and followed up but received no response.


So basically they tried to do the right thing by blocking out personally identifiable information in these documents but the method used was inadequate. 

It is unknown whether the individuals affected by this issue are still employed by the State of Virginia, as we have not received any response to our inquiry.

Hopefully bringing this information to light will prevent this type of information disclosure in the future but the lack of response is troubling. 
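The failure mode here (a box drawn over content that is still in the file) can be checked for before a document is published. The following is an added example, not the DHRM document or any code from the post: it scans a PDF page content stream and reports the string operands that a text extractor would still recover, the image XObjects that are still drawn, and the filled rectangles sitting on top of them. Both content streams are constructed for the example, with the first showing the overlay mistake and the second showing what a page looks like after the sensitive operands were actually removed. It works at the content-stream level and handles FlateDecode-compressed streams; a real audit of an arbitrary PDF still needs a full parser for object streams, fonts and encodings.

```python
import re
import zlib

# Constructed content streams (not the DHRM document). Coordinates are PDF points.
# 1) "Redaction" by drawing black boxes: the text operand and the image are still there.
OVERLAY_ONLY = b"""
BT /F1 12 Tf 72 700 Td (Employee: Jane Doe  SSN 123-45-6789) Tj ET
q 400 0 0 300 72 380 cm /Im1 Do Q
0 g 72 696 300 14 re f
0 g 72 380 400 40 re f
"""
# 2) Proper redaction: the sensitive operands are gone; the box is cosmetic.
REMOVED = b"""
BT /F1 12 Tf 72 700 Td (Employee: [REDACTED]) Tj ET
0 g 72 696 300 14 re f
"""

LITERAL = re.compile(rb"\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>", re.S)  # (..) or <hex> strings
FILLED_RECT = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f\b")
XOBJECT = re.compile(rb"/(\w+)\s+Do\b")  # image/form XObjects painted on the page


def _decode_literal(raw):
    """Undo the common PDF literal-string escapes (\\n, \\r, \\t, \\(, \\), \\\\)."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):  # backslash escape
            n = raw[i + 1]
            out.append({0x6E: 10, 0x72: 13, 0x74: 9}.get(n, n))
            i += 2
        else:
            out.append(c)
            i += 1
    return out.decode("latin-1")


def inflate(stream, compressed=False):
    """Content streams are normally /FlateDecode; decompress when asked."""
    return zlib.decompress(stream) if compressed else stream


def recoverable_text(stream, compressed=False):
    """Every string operand inside BT...ET blocks, i.e. what 'select all / copy' would still yield."""
    found = []
    for block in re.findall(rb"BT(.*?)ET", inflate(stream, compressed), re.S):
        for m in LITERAL.finditer(block):
            if m.group(1) is not None:
                found.append(_decode_literal(m.group(1)))
            else:
                hx = re.sub(rb"\s", b"", m.group(2))
                if len(hx) % 2:
                    hx += b"0"  # PDF pads an odd trailing hex digit with 0
                found.append(bytes.fromhex(hx.decode()).decode("latin-1"))
    return found


def drawn_xobjects(stream, compressed=False):
    """Names of XObjects (images, forms) the page still paints, box or no box."""
    return [n.decode() for n in XOBJECT.findall(inflate(stream, compressed))]


def filled_boxes(stream, compressed=False):
    """(x, y, w, h) of every filled rectangle: the candidate overlay 'redactions'."""
    return [tuple(float(v) for v in m) for m in FILLED_RECT.findall(inflate(stream, compressed))]


def audit(stream, compressed=False):
    """Summarise what an editor could recover by deleting the boxes."""
    return {
        "text": recoverable_text(stream, compressed),
        "images": drawn_xobjects(stream, compressed),
        "boxes": len(filled_boxes(stream, compressed)),
    }


def compressed_sample():
    """The overlay page as it would be stored in a FlateDecode stream."""
    return zlib.compress(OVERLAY_ONLY)


if __name__ == "__main__":
    for label, page in (("overlay only", OVERLAY_ONLY), ("operands removed", REMOVED)):
        print(label, audit(page))
```

If the audit lists the text or image you meant to hide while also counting filled boxes, the redaction is a drawing, not a removal. The fix is the one DHRM later described: use a tool that deletes the underlying text and image data, then re-run the check on the output before it goes on a web server.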

UPDATE:
As of 14 January, 2016 a response was received indicating that the issue is being corrected.

"DHRM takes any possible data breach very seriously, and we wanted to notify you that measures are being taken to address the issue:

·         Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
·         Software that has proper redacting capability supplied to users;
·         Staff training introduced to ensure that no lapses will occur in the future.

Thank you for bringing this matter to our attention."

Friday, January 8, 2016

2 Big Stories Next Week

We are currently reviewing 2 issues both of which are confirmed issues of PII and/or PHI data that we uncovered in the course of reading user submissions this week. Both involve some high profile entities of which neither has replied to our request for comments.

We have provided evidence of the issues to both and are awaiting any response.


Monday, December 21, 2015

Walmart Leaked Data Appearing Online

With the holiday season right around the corner we started noting posts on forums with a list of usernames and passwords. We have begun notifying the end users of the leaked information to see if we can verify that they're legitimate.

Of the 5 people that responded so far 3 of the accounts were legitimate and 2 were old login details that were no longer valid so the data looks somewhat dated. We are still notifying individuals of the leaked information.




Saturday, December 5, 2015

chaffey.edu Breached

A database containing the personal contact information at chaffey.edu was reported today. It appears through our research that the information is legitimate.

In addition to names and phone numbers, the breach also indicates whether each employee is full or part time, their departments and additional information that should not have been posted.

It's interesting watching as these organizations fall victim to SQLi attacks.

Friday, December 4, 2015

Grace Life Church Compromised

gracelifechurchct.com appears to be distributing malware and appears to have been compromised. Login to the Threat Intelligence portal for more information.

Tuesday, September 8, 2015

Goodbye Bloggers

As many of you know we have been running this site in a volunteering capacity for a while now. We have decided to shut down this blog and move everything to our commercial offering. That being said, don't expect any new posts on this blog.

If you would like more information on our offerings please call (919)441-7353 to subscribe.

While we enjoy volunteering our time, it has occurred to us that we cannot sustain it, and in order to improve and grow we need to find more creative ways to get the word out and to support the analysts that spend hours protecting our customers.

Signing off... Kevin, Rick, Ashley, Michael, Kurt, Mark, Steven, Tommy and Ashley II...

If you want notifications you can join the alertfeeds list (heavily restricted) or you can visit our website in a few weeks and sign up for our commercial offering! Until then, chill out, grab a coffee, learn a new skill, take a break or go Kayaking...


Thursday, August 27, 2015

CONFIRMED BREACHED: August Benefits Inc - Attack on SLC Security

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their network under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

Our Security Operations Center has detected a US company attempting to hack into our network. We believe this host to be compromised and have sent a notification to August Benefits to alert them of the situation.

173.220.57.150 - Observed in Attacks

Tuesday, August 25, 2015

Alert Posted

A new critical alert was posted for SLC Security clients in regards to a new unknown APT like activity that was detected by the SOC. This activity has been ongoing for over a year so if you received the bulletin it may be a good time to check your networks and infrastructure.


Friday, August 21, 2015

Why did Ashley Madison lie about the data breach initially and who was responsible for the fake torrents that appeared?

So it's been nothing short of an interesting week for Ashley Madison and the information that has come out of the breach. Initially we reported that the data was incomplete but that was because the information we obtained was an earlier "purported" breach that had bad data in it. So the question then becomes where did that information come from? Also during this same time the Avid Life Media stated that full credit card data was not leaked.

Upon researching with one of our partner firms the public data shows only partial card numbers but the fact that the CEO's email was leaked in the 2nd wave of leaked data shows that the hacker(s) more than likely had access to everything or that it was an inside job.

Surprisingly some media has decided to share the information without redaction. We are not sure of the legal ramifications of doing so but it's very interesting to watch this play out. I would be willing to bet that a jilted spouse is either responsible for this activity or is actively supporting this activity.

What is interesting is that many attorneys are sure to be dancing with joy at the influx of new cases heading their way, and the law firms responsible for protecting Ashley Madison will have jobs for the foreseeable future when the legal drums start beating.

We still wonder who is responsible for the previous data that was leaked, as there is some crossover of data indicating that this may not have been the first time the company had been breached.

We are watching this as it unfolds...

Wednesday, August 12, 2015

US Government and Military Hacked by ISIS?

Absolutely. It's the same information I posted yesterday.

See this article - Click Here

Now we have seen information being leaked and cannot name individual companies at this time, but they are getting in through Government contractors. Information has been shared to confirm that they have actively stolen information on communications facilities and may have used that information in further attacks. We have 6 days left in our notification wait period and then we will post the information we received in our Threat Intelligence Platform to our subscribers.

Government contracting companies should start looking through their systems and get real security vendors to help them protect their networks.

Here we go again...

BREACH: habbo.nl

The system at www.habbo.nl has been compromised and user information has since been posted to several forums. The information on this incident is available in the SLC Security Services LLC threat intelligence platform.


SLC Security HIDS Client

SLC Security Services has developed a HIDS client that works with the open source MISP system (www.misp-project.org). The platform was designed with business and point-of-sale terminals in mind and comes with some really useful features such as: IP source and destination monitoring, MD5, SHA256 and SHA1 malware hash checking, as well as a feature to disconnect any compromised system or deny network access to any device that is detected going to any malicious sites present in the MISP platform.

The initial release will only be for our paying customers, with an open source version planned that will connect to ANY MISP server, allowing a company to use the open source product to protect their network assets. Currently the supported platforms are Windows 95, 98, NT, XP, 2000, 2008, Windows 7/8/10 and Linux (via a wrapper that is not included in the open source version). The open source version will be released on 1 September 2015 and the closed source version is now available to SLC Security Services LLC customers and business partners.

For more information please email the SOC for a 30 day trial of our MISP platform with integrated Host Intrusion Detection client. The free open source version will be posted to our GitHub account in early September.

Screenshot of threat detection (this was just a test)

Minimal Hardware Resources Required (4MB of RAM)




Tuesday, August 11, 2015

Large Telecommunications Company Appears to have been Breached

SLC Security researchers have located information indicating that a large telecommunications company servicing Government clients has had a database compromised. We are in the process of notifying the affected company and will wait our standard 7 days until we release the information that we have located.

Notifications Sent: 8-11-2015

After further review it appears as though the information found may also impact a large Government contractor. Additional research is currently being performed, but it appears as though the leaked information is confirmed based on OSINT research that was conducted earlier.

Related Article: http://www.nbcnews.com/storyline/isis-terror/isis-group-claims-have-hacked-information-military-personnel-n408236

8-12-2015: As of 8-12-2015 none of the notified entities have responded to our notification. We will wait 6 more days before posting the entities involved giving them time to perform remediation on any issues they may have discovered as part of this incident. 

8-19-2015: None of the notified entities have responded. SLC Security Services LLC has posted information concerning the release of proprietary information from Zayo concerning facilities in Northern Virginia to our Threat Intelligence Platform.

For a trial of our threat intelligence platform please visit www.slcsecurity.com.


Monday, August 10, 2015

Recent Attackers

Seems these attackers would like to be blocked on 400+ corporations networks.

Domain,IP,Subnet,"MX Hostname","MX IP",DNS,"IP ISP","ISP City","ISP Region","ISP Country","IP Organization","Org City","Org Region","Org Country"
125.ip-92-222-221.eu,92.222.221.125,92.222.221.0,-,,-,"OVH SAS",france,Unknown,FR,"OVH SAS",france,Unknown,FR
freelive.arvixevps.com,198.58.95.13,198.58.95.0,-,,-,"Arvixe, LLC","Santa Rosa",CA,US,"Arvixe, LLC","Santa Rosa",CA,US
101.212.67.21,101.212.67.21,101.212.67.0,-,,-,Unknown,gurgaon,Unknown,IN,AIRCEL-Kolakta-MobileBroadband-Customer,gurgaon,Unknown,IN
nairobi.pollmans.co.ke,196.207.30.180,196.207.30.0,smtpin.accesskenya.com.,127.255.255.255,-,"African Network Information Center",Ebene,Unknown,MU,NET-196-207-30-180,Unknown,Unknown,KE
89.121.207.234,89.121.207.234,89.121.207.0,-,,-,Unknown,vitan,Unknown,RO,"Romtelecom Data Network",vitan,Unknown,RO
199.58.185.178,199.58.185.178,199.58.185.0,-,,-,"Total Server Solutions L.L.C.",Atlanta,GA,US,"Total Server Solutions L.L.C.",Atlanta,GA,US
193.0.200.135,193.0.200.135,193.0.200.0,-,,-,Unknown,moscow,Unknown,RU,"MediaServicePlus Ltd",moscow,Unknown,RU
193.0.200.134,193.0.200.134,193.0.200.0,-,,-,Unknown,moscow,Unknown,RU,"MediaServicePlus Ltd",moscow,Unknown,RU
asco-78-120.dns-iol.com,195.200.78.120,195.200.78.0,-,,-,"INFORMATIQUE ON LINE SARL",france,Unknown,FR,"INFORMATIQUE ON LINE SARL",france,Unknown,FR
101.212.72.107,101.212.72.107,101.212.72.0,-,,-,Unknown,gurgaon,Unknown,IN,AIRCEL-Kolakta-MobileBroadband-Customer,gurgaon,Unknown,IN
185.40.4.32,185.40.4.32,185.40.4.0,-,,-,Hostgrad,ivanovo,Unknown,RU,Hostgrad,ivanovo,Unknown,RU
118.98.75.78,118.98.75.78,118.98.75.0,-,,-,"PT TELKOM INDONESIA",Unknown,Unknown,ID,"PT TELKOM INDONESIA",Unknown,Unknown,ID
190.144.93.54,190.144.93.54,190.144.93.0,-,,-,Unknown,bogota,Unknown,CO,"Telmex Colombia S.A.",bogota,Unknown,CO
50-193-219-125-static.hfc.comcastbusiness.net,50.193.219.125,50.193.219.0,-,,-,"Comcast Cable Communications Holdings, Inc","Mt Laurel",NJ,US,"Comcast Cable Communications Holdings, Inc","Mt Laurel",NJ,US
23.238.235.108,23.238.235.108,23.238.235.0,-,,-,"Psychz Networks",Walnut,CA,US,"Psychz Networks",Walnut,CA,US
ip-97-74-114-49.ip.secureserver.net,97.74.114.49,97.74.114.0,-,,-,"GoDaddy.com, LLC",Scottsdale,AZ,US,"GoDaddy.com, LLC",Scottsdale,AZ,US
cri8.ro,80.97.51.238,80.97.51.0,mx2.zohomail.com.,74.201.154.201,ns1.cri8.ro.,"SC Full Duplex SRL",lacul,Unknown,RO,"SC Full Duplex SRL",lacul,Unknown,RO
ns3006932.ip-151-80-35.eu,151.80.35.207,151.80.35.0,-,,-,"RIPE Network Coordination Centre",Amsterdam,Unknown,NL,"OVH SAS",france,Unknown,FR
124.2.53.233,124.2.53.233,124.2.53.0,-,,-,Unknown,seoul,Unknown,KR,"SK Networks co., Ltd",seoul,Unknown,KR
76.66.232.19,76.66.232.19,76.66.232.0,-,,-,"Bell Canada",Ottawa,ON,CA,"Medix School",Scarborough,ON,CA
201.137.62.171,201.137.62.171,201.137.62.0,-,,-,"Gestión de direccionamiento UniNet",mexico,Unknown,MX,"Gestión de direccionamiento UniNet",mexico,Unknown,MX
180.250.214.34,180.250.214.34,180.250.214.0,-,,-,Unknown,jakarta,Unknown,ID,"PT TELKOM INDONESIA",jakarta,Unknown,ID
75.126.79.105-static.reverse.softlayer.com,75.126.79.105,75.126.79.0,-,,-,"SoftLayer Technologies Inc.",Dallas,TX,US,"SoftLayer Technologies Inc.",Dallas,TX,US
119.94.3.26,119.94.3.26,119.94.3.0,-,,-,PLDT_JNEHUBS002_DHCP,makati,Unknown,PH,PLDT_JNEHUBS002_DHCP,makati,Unknown,PH
ns3007688.ip-151-80-97.eu,151.80.97.75,151.80.97.0,-,,-,"RIPE Network Coordination Centre",Amsterdam,Unknown,NL,"OVH SAS",france,Unknown,FR

Sunday, August 9, 2015

OMB Credit Monitoring Failure

It has come to our attention that many of the affected individuals have not been able to sign up for credit monitoring. As part of the CSID program that was set up after the OMB breach, potentially thousands of former contractors and employees are not being covered or have not received a PIN to register for credit monitoring. In addition the system is a best effort attempt to reach affected individuals.

Several of our staff members who are active duty and reserve, employees and contractors have not been notified even though the addresses last used on SF-86s are up to date.

This is troubling in that unless you are still contracting they seem to have forgotten or have failed to notify said individuals.

Some people that have never had clearances or have never even applied for a clearance have been notified and are also scratching their heads.

One individual that has held at least a secret clearance since 1992 through this year has not received a notification. The question then becomes how are they determining if your information was stolen or if you are affected. Based on the provided time frame put out by the media this individual should have been affected since not only did they hold a DOD clearance but were also a former Federal Employee as well as active duty military and subsequently an Active Ready Reservist during the times indicated by OMB.

It seems as though OMB has turned their backs on some people either in an attempt to save money or because they simply don't care. This looks all too familiar to how private industry has handled breaches and is quite alarming.




Wednesday, August 5, 2015

Are we tired of this already??? - A look at the notorious Inbound Fax Messages

As most of you already know, the incoming fax messages that show up in your email are infected. Many admins already block the content (as do we). Over the past few years we have noted several different malware variants being emailed into organizations in this way, so we wanted to revisit it.

Let's look at the message (some items redacted)
From hqkojrw@brainspinepro.com Thu Jul 30 12:05:30 2015
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
 id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89) with Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
Date: Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <31DA69X079P7LBBJSZI4VZ7CIPTWMO758HB32B@slcsecurity.com>
X-MS-Exchange-Organization-AuthSource: N1H9TKQAUB454EE@slcsecurity.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 08
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;8;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <M3GL0YSLTX1N4Q9Q9OBT1X1PMHSYE0S37QZ6GW@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_Next_13154_4863437313.0814823955998"
X-Spam-Status: No, score=0.3
X-Spam-Score: 3
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "www.slcsecurity.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 
 Content preview:  INCOMING FAX REPORT Date/Time: Thu, 30 Jul 2015 21:11:59
   +0600 Speed: 4393bps Connection time: 03:07 Pages: 5 Resolution: Normal Remote
    ID: 496-347-5344 Line number: 2 DTMF/DID: Description: Internal only [...]
    
 
 Content analysis details:   (0.3 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.202.20;r=www.slcsecurity.com]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.4 RCVD_IN_MSPIKE_ZBI     No description available.
X-Spam-Flag: NO
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

------=_Next_13154_4863437313.0814823955998
Content-Type: text/plain; 
Content-Transfer-Encoding: 8bit

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 30 Jul 2015 21:11:59 +0600
Speed: 4393bps
Connection time: 03:07
Pages: 5
Resolution: Normal
Remote ID: 496-347-5344
Line number: 2
DTMF/DID:
Description: Internal only

To download / view please download attached file

*********************************************************

------=_Next_13154_4863437313.0814823955998
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"


As you can see, the message makes it through the spam filter with a score of 0.3 against a threshold of 5.0. It also makes it past BoxTrapper without detection because the spoofed From address (Incoming.Fax@slcsecurity.com) matches a whitelisted internal address, even though the first hop is an outside host whose HELO fails SPF and whose envelope sender is a different domain. So let's have a look and see what we can find out about the incoming "fax" message.
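The signals in the headers above are enough to quarantine this lure without any Bayes or blocklist input, which is the check a mail admin would want in front of a whitelist like BoxTrapper. The following is an added example, not code from the post or from any of the products mentioned: it rebuilds a message with the captured Received, From and envelope-sender values (the bytes, the zip and the "MZ" stub inside it are constructed here, not the real payload), then flags a From address in our own domain arriving from an external first hop, a From domain that differs from the envelope sender, and a zip attachment holding an executable. The own-domain set and the "internal relay" address prefixes are assumptions for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OWN_DOMAINS = {"slcsecurity.com"}        # domains our MTA accepts mail for (from the captured headers)
INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed: our own relays; any other first hop is external
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd", ".jar")


def build_message(first_hop_ip, helo, envelope_from, header_from, attachment_name, attachment_bytes):
    """Constructed test message; header values mirror the captured lure, the payload is made up."""
    msg = EmailMessage()
    msg["Return-Path"] = f"<{envelope_from}>"
    msg["Received"] = (f"from [{first_hop_ip}] (port=52406 helo={helo}) by www.slcsecurity.com "
                       f"with esmtp (Exim 4.85) (envelope-from <{envelope_from}>) "
                       "id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400")
    msg["From"] = header_from
    msg["To"] = "docs8@slcsecurity.com"
    msg["Subject"] = "Incoming Fax"
    msg.set_content("INCOMING FAX REPORT\nTo download / view please download attached file\n")
    subtype = "zip" if attachment_name.lower().endswith(".zip") else "pdf"
    msg.add_attachment(attachment_bytes, maintype="application", subtype=subtype, filename=attachment_name)
    return msg.as_bytes()


def zip_with_fake_pe(inner_name):
    """A zip whose member starts with the DOS 'MZ' signature (a stub, not real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(inner_name, b"MZ" + b"\x00" * 58 + b"PE\x00\x00")
    return buf.getvalue()


def sample_lure():
    return build_message("116.58.202.20", "banglalinkgsm.com", "hqkojrw@brainspinepro.com",
                         '"Incoming Fax" <Incoming.Fax@slcsecurity.com>',
                         "Incoming Fax_496-347-5344.zip", zip_with_fake_pe("Incoming Fax_496-347-5344.scr"))


def sample_benign():
    return build_message("10.34.222.15", "9197.slcsecurity.com", "fax@slcsecurity.com",
                         "Incoming Fax <Incoming.Fax@slcsecurity.com>", "fax.pdf", b"%PDF-1.4\n%%EOF\n")


def first_hop(msg):
    """The bottom-most Received header is the one our edge MTA wrote; pull the peer IP and HELO from it."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    text = str(received[-1])
    ip = re.search(r"from \[?(\d{1,3}(?:\.\d{1,3}){3})\]?", text)
    helo = re.search(r"helo=([^\s)]+)", text)
    return (ip.group(1) if ip else None), (helo.group(1) if helo else None)


def suspicious_archive_members(payload):
    """Members of a zip that are executables by extension or by 'MZ' magic."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            for info in z.infolist():
                magic = z.open(info).read(2)
                if info.filename.lower().endswith(EXEC_EXT) or magic == b"MZ":
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        hits.append("<corrupt zip>")
    return hits


def analyze(raw):
    """Reasons to quarantine the message; an empty list means it passed these checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    env_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    ip, helo = first_hop(msg)
    if from_dom in OWN_DOMAINS and ip and not ip.startswith(INTERNAL_PREFIXES):
        reasons.append(f"From claims {from_dom} but first hop {ip} (helo={helo}) is external")
    if from_dom and env_dom and from_dom != env_dom:
        reasons.append(f"From domain {from_dom} differs from envelope sender domain {env_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            for member in suspicious_archive_members(part.get_payload(decode=True) or b""):
                reasons.append(f"attachment {name} contains executable {member}")
    return reasons


if __name__ == "__main__":
    print("lure:", analyze(sample_lure()))
    print("benign:", analyze(sample_benign()))
```

The first check is the one that matters most here: a whitelist keyed on the From address is only safe if the MTA refuses to accept our own domain in From from a host that is not one of our relays (or that fails SPF/DKIM for that domain). SpamAssassin saw the same facts (HEADER_FROM_DIFFERENT_DOMAINS, SPF_HELO_FAIL) but scored them at 0.0, which is why the Bayes score carried the decision.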

A phone number appears as 496-347-5344. Well we can tell you right off that if this is an SLC Security Services employee we must have an office in cyberspace somewhere because area code 496 doesn't exist. This just goes to show that these actors are blindly making up information to try and make it look legit. Normally I would just stop here but let's keep going and have a closer look. 

The source of the message is 116.58.202.20 so let's look and see what SLC Security Services LLC Threat Intelligence Platform knows about this IP. 

So after a quick search by IP source here is what we find:

Event ID: 454
Org: SLC Security Services LLC
Email: soc@slcsecurity.com
Tags: TLP:AMBER
Source: Malware
Description: Upatre Sample Received by Customers

So as you can see, it's not the first time we have seen this particular malware from this source.

Let's look at the binary attachment:

When sent to the sandbox, the file is immediately identified as a threat:
Incoming Fax_496-347-5344.zip
Submitted on August 3rd 2015 17:27:24 (CDT) with target system Windows 7 32 bit
Report generated by VxStream Sandbox v2.10 © Payload Security

41/55 Antivirus vendors marked sample as malicious (74% detection rate)

Filename Incoming Fax_496-347-5344.zip
Size 47KiB (47616 bytes)
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Architecture 32 Bit
MD5 7e01d9705da0a983af63906edffb5b08
SHA1 63433b4a2ced77ed330327b0cdb6704edc811654
SHA256 e11575f7d8abee81f345f6a754d0d42b2bf42f6b05b3a9c64b531830b4268d24
SHA512 436f98941b3627bf1eb38a992aee58e3c2a1122ff3fd566a53847e5aba87fad4d287f4545a43edfbf4f9b6ab008d6bb5fbe42cce124680763e562ef58ea390f9
SSDEEP 768:OpVuoqbBLfCei7s8sOY5JvW5JxVIAA3FLH6UVrx:OqPbA1sOwJvW5JvIAA3dH
IMPHASH b477cb958ff28fadb9e15660c99a77fe

We are so over these incoming fax messages...

Monday, August 3, 2015

AshleyMadison data appearing in the underground

Our researchers have started uncovering large amounts of information possibly from the AshleyMadison breach. We have identified several files containing the name, phone number and billing information as well as profile locations on the Ashley Madison website over the last several hours.

It appears as though information on some of the high-frequency users of the system is starting to be posted, so we are watching to see if a full dump of the stolen data appears.

UPDATE 8/5/2015:
As of today we have not seen a full dump of data, only very specific information on high-frequency users of the system. We are seeing some additional personal information being posted as well, such as employment information, which may be an attempt to ruin the person's reputation. This makes sense, as the attacker had stated via Twitter that he wanted to get back at the immoral use of these sites.

If we see any additional information we will be posting it to our Threat Intelligence Platform. If you would like to get access to our threat intelligence platform please go to http://ui.slcsecurity.com/ and click on create an account. This service is only available to paid subscribers or trusted industry partners.

Thursday, July 23, 2015

Potentially Breached Entities (From Sensor Data) - 7-23-2015 6:44PM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their network under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • doa.la.gov - Confirmed breached
  • bonescan.bidmc.harvard.edu - Confirmed breached

We have previously reported on Harvard and now they are serving up APT29 malware samples. I would seriously hope they start to contain their incidents or we will be forced to start blocking them via DNS at client sites. 


UPDATE:
It appears that doa.la.gov has removed the infected file and bonescan.bidmc.harvard.edu has been removed from DNS records, so it's no longer accessible.

Tuesday, July 21, 2015

Potentially Breached Entities (From Sensor Data) - 7-21-2014 11:19PM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:


  • University of California - San Diego, CA (Multiple Systems Detected)
  • Duluth Holiday Inn Gwinnett (Still owned)

An interesting note is that there is a node with a reverse DNS name of fbi-vps hosted in the data center of Data Shack in North Kansas City, MO. It was also seen by 3 other companies in the last 24 hours according to our stats.

Wednesday, July 15, 2015

Potentially Breached Entities (From Sensor Data) - 7-15-2014 2:59 (M EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • Concord Consortium - Concord, MA
  • American Credit Card - Huntington, NY
  • Atlas Professional Services - Tampa, FL
  • Grand Plaza Owners LLC - Plano, TX

We have not notified the individual companies but we have archived the logs if needed.

Tuesday, July 14, 2015

BREACHED: University of Maryland Serving up CVE-2015-5119??? I sure hope not! - UPDATED

An analyst reported to us today that the University of Maryland is serving up exploits for CVE-2015-5119. That's not good, but we have alerted on University of Maryland issues in the past. Looks like somebody else has been inside for a while now.

I haven't personally looked into this but I trust my source.

Update: After I found a few minutes to review, this is in fact infected. Notifying the University of Maryland to see if we can get a response.

UPDATE: It looks like they have removed the malicious SWF file from their servers as of 2:20PM EST.


Potentially Breached Entities (From Sensor Data) - 7-14-2014 1:32 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • American Industrial Partners - New York
  • Micro-Globe ITS - Raleigh 


Well that's all for today... Hope you're all having a great work week!





Saturday, July 11, 2015

MISP Server Coming Online

With our ongoing integration of the "Jigsaw" IOC platform we wanted to let you know that we are in the process of standing up a production MISP instance. This will allow us to share our threat intelligence directly with other Intelligence Providers (IP's) in the industry.

The decision to build a MISP server is a direct result of requests from some clients that are already using the platform for generating their own custom threat intelligence. Below is a list of all of the methods for communicating with our Jigsaw platform.


  • CSV updates from our TIP server - Conventional Download
  • XML update from our TIP server - Conventional Download
  • Elasticsearch IOC Search Interface (Requires an API account)
  • MISP Instance (Coming online now)
  • JIGSAW-DC - A big data platform utilizing Hadoop and other BD technologies

In addition, our IOC's are currently being provided by email to select customers from our Alertfeeds mailing list. For more information or a trial of any of our services please contact us.

Tuesday, July 7, 2015

Note: Hackedteam MD5 Hashes

There are over 500 MD5 hashes that have been determined so far in regard to the Hacking Team (a.k.a. Hacked Team) disclosure. We have posted them in our client portal for review and have sent some of the most frequently used infection vectors to selected partners.

To obtain the full list please sign up for our TIP at http://www.slcsecurity.com/ and click on free trial.

Monday, July 6, 2015

Caltech - What are you guys doing? - California State Polytechnic University - Pomona (CSPUP)

Looks like 134.71.81.34 is having some fun really trying to get into our shared resources without authorization. If you want an account, do like everybody else and go to www.slcsecurity.com and sign up. Thank you, and hopefully you guys are not owned or maliciously trying to gain access to our network.


Potentially Breached Entities (From Sensor Data) - 7-6-2014 2:20 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:


  • Kenrick-Glennon Seminary - Indications of Compromised Host - Multiple Sensors and Email Traffic

Sunday, July 5, 2015

Potentially Breached Entities (From Sensor Data) - 7-5-2014 3:11 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:


  • Atlas Professional Services - Florida - Brute Force and Scanning Activity
  • American Credit Card - Comenity
  • Global A Products Incorporated

Plus the usual chatter from Amazon Hosting, Shodan, etc. We really wish these entities would start to remove malicious clients from their networks.

Saturday, July 4, 2015

Potentially Breached Entities (From Sensor Data) - 7-4-2014 2:21 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:


  • KM HOMES LLC - 74.11.11.66 - Seen attacking external networks
  • University of Michigan College of Engineering - 141.212.122.66 - Reported multiple times (No action taken)

Analyst Note: Please note that the Univ of Michigan has been reported at least 20 times and they have not stopped the activity. If they don't care about being on blacklists and about their end users not being able to access Internet resources, then we don't care if they are breached. We have attempted to help them resolve their issues on numerous occasions; however, they continue to deny they have any issue. You can lead a cow to water but they don't drink milk! (makes about as much sense as the responses we have received).

UPDATE: Apparently the Univ of Michigan thinks it's OK to scan hosts. Some further review of the IP in question shows that the IP is a research scanning system. So that being said, they are not breached; however, they are definitely not good Netizens with the mass scanning. A review of logs indicates that the Univ of Michigan is scanning web servers for vulnerabilities and some other very nasty behavior.


SLC Security Services LLC operates honeypot and inline sensors located in 74 locations. Our OSINT-X platform collects data and is available in our paid feed products. For more information visit www.slcsecurity.com.


Wednesday, July 1, 2015

BREACH: Univ of Michigan 2nd Notification - UPDATED

Pay attention, because we are seeing traffic from the Univ of Michigan as well as Horizon's Church in Michigan. They still appear to have issues. We previously posted that ISIS was cyber targeting the Univ of Michigan, and this host we are seeing has had activity for most of the month of June.

Host: 199.101.99.146

Analyst Notes: A quick review shows that this entity is on a number of blacklists. In addition, SANS distributed sensors have seen 275 incidents of activity from this host. SLC Security has logged 1104 events in the last 7 days from this host.

BREACH: Holiday Inn Express Malvern

This location is breached and has been for a while... Again, don't say we didn't tell ya! Our threat intelligence data shows that they have been attacking others for over a month now.

Harvard Breach - What did we see? - UPDATED

So it has been reported by news media this evening that Harvard has once again fallen to hackers. Security researcher and advocate databreaches.net contacted us to pass along the news article.

http://www.thecrimson.com/article/2015/7/2/harvard-it-security-breach/

So what did we know and when did we know it?

SLC Security Services LLC started seeing Dyre emails flowing through our sensor network on 21 June 2015. We posted a message about it on the Vulnerable Disclosures Blog (which is staffed by our cybersecurity volunteers) on the 24th of June, when we noticed the activity did not stop. Below is a screenshot of our original message:


Our sensors started seeing millions of email messages containing Dyre malware being sent out to many other systems.

This traffic started on the 21st of June late in the evening. On the 22nd we saw several dumps of Harvard email addresses on Pastebin and additional data on the 23rd and 24th. By the 25th the systems were scanning Internet hosts and attempting to hack into other systems (which we monitor and maintain).


Hopefully they can find a reputable security firm to secure their infrastructure. This has been at least 3 breaches since we really started paying attention to Harvard.

To be fair to all those monitoring the situation, CrowdStrike detected the activity on the 22nd of June as well and attributed the attack to Gothic Panda actors. Whether that is in fact the case remains to be seen.

Media Coverage:
https://threatpost.com/june-harvard-breach-hit-multiple-schools/113601

Upon researching, it appears that there may have been as many as 13 schools affected. In addition, the personal login information from third-party accounts may have also been compromised, as we are seeing indications that some students' personal email accounts have also been leaked in the same time frame. - Additional research performed on historical data on 3 July 2015.

Don't fall victim to breaches. Email our SOC soc(a-t)slcsecurity(dot)com and request a free 30 day trial of our threat intelligence platform today. We offer insights into breaches and in many cases we can tell entities are breached before they even notice it. SLC Security Services LLC operates a vast network of Intrusion Detection Sensors on the Internet, private networks and at select Internet Services Providers. For more information on our services visit www.slcsecurity.com today. 

Monday, June 29, 2015

Botnet Russia (From Russia With Love) - 109.230.131.95

Very interesting port activity on this host as well. May want to look for traffic going to this one... While there appears to be a router on the remote end of this connection what is being allowed through on ports 14400-14499 should be of concern for sure...

Have a look for yourselves...

PHISHING: Healthcare Related - 86.104.134.156

Looking through recent traffic we noted some very interesting packet data going to 86.104.134.156. We have noted a large amount of healthcare related sites but more importantly packet data shows PII being transferred to the IP in question.

Whois shows that the IP is in Romania. Just something to keep your eyes on.

Wednesday, June 24, 2015

Hey Harvard do you realize...

Hey Harvard, do you realize you're sending out millions of infected email messages? Dyre, to be exact.

Source Host: 140.247.39.51


Tuesday, June 23, 2015

Adobe Zero Day Exploit - One Issue After Another

Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible.
In an advisory issued Tuesday morning, Adobe said the latest version of Flash — v. 18.0.0.194 on Windows and Mac OS X — fixes a critical flaw (CVE-2015-3113) that is being actively exploited in “limited, targeted attacks.” The company said systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets of these exploits.

Reported by Adobe and Krebs on Security

IMPORTANT NOTICE: If you're a normal blog subscriber please read

If you would like to continue receiving information on this blog you will need to subscribe to the mailing list (it's free and to your right). We told you that we would be making changes last month and it's time to implement these changes. Below we are outlining exactly what will be changing.

What will be posted to the blog:
1. Breaches (publicly disclosed and available via OSINT)
2. Security Articles of Interest (Things we want to share)

What we will NOT be posting to the blog:
1. Indicators
2. Breaches that have not been acknowledged
3. Special Intelligence Information - Detailed Analysis

What we will post to the Mailing List:
1. Specific Intelligence to include indicators, TIPS, bulletins and similar security products.
2. Users can contribute to the list after approval and we highly encourage the sharing of intelligence information.

Members of the mailing list can import our PGP key and can receive intelligence directly via email (once you have been verified). Verification may take up to 24 hours. 

So basically any meaty items are being moved to the mailing list. Thank you for your support of our efforts to bring awareness and have a great weekend. 

Threat Intelligence Platform is Live

For those of you that have shown an interest you will be receiving a trial of our threat intelligence search platform within the next few weeks. The system is being rolled out in Beta. All that we ask is that you provide any feedback you may have if you find any bugs or issues. In addition we will be rolling out new features and visual tools over the next few weeks as well.

To obtain a trial account email your name, organization and email address to soc(a-t)slcsecurity.com and we will create your trial account.

Tuesday, June 9, 2015

BREACH: Element Vehicle Management Services

Seeing indications that this entity is breached. Information has been posted to the Internet and is already hitting some underground chat services.

Monday, June 8, 2015

BREACH: army.mil breached by Syrian Electronic Army

Reports have been coming in that the Syrian Electronic Army has breached www.army.mil and DOD has put out a notice to staff not to access the site. That doesn't matter though, because the site has been taken offline by DOD at this hour.

Reference: http://www.newsweek.com/syrian-electronic-army-claims-have-hacked-us-army-website-340874


Thursday, June 4, 2015

BREACH: Shop T Wine

We noted usernames and passwords that could be confirmed being leaked today for the Shop T Wine website. The information first appeared in a hacking forum and then appears to have been posted to pastebin. As of the post time the information remains available on pastebin.


Wednesday, May 27, 2015

Web Scanning Engine

SLC Security Services LLC has just launched a web scanning engine with capabilities to find similarly registered domain names, a blacklist checker, and link analysis tools for domains and threat intelligence data. The new system will be integrated into our Threat Intelligence Beta program. If you would like to be a part of the threat intelligence beta program please join the mailing list and request access by emailing soc(-at-)slcsecurity(D-o-t.)com.

Tuesday, May 26, 2015

Disbelief, Legal Threats, Admissions of Guilt... What a week...

So it's been an interesting week at SLC Security. We have been doing many security notifications over the past few weeks and the number one reaction to put things in perspective is disbelief. One company that we previously reported on actually called us back in disbelief. From what we can gather they have been owned for quite some time but have failed to resolve the issue (and we are still seeing problems from their network).

We have been providing grace periods before we report the issues, and it's funny because until we post information on a company nobody even cares. They ignore the notifications, and then as soon as the post hits the blog they want to call in a panic, when if they had responded to our notifications in the first place we would not have posted the information at all.

Also, here's the biggest issue. Many times we remove the post if requested, if we feel that the company is doing something to resolve their issues, but guess what happens 95% of the time? They get added to the blacklist because our system detects activity, and we know that they are still vulnerable to the same issue that we attempted to notify them of in the first place. So what should a group of security professional volunteers do? Do we leave the public vulnerable? That's what most of these companies would like to see us do. No, we simply block them in our blacklist, and then it goes out to our clients and customers that subscribe to our feeds.

It's a shame really that these companies can make money off of the Internet yet they don't want to invest in a secure environment for their computing requirements. In fact, the number one issue we see is that people just don't seem to care. They would rather deny that they have an issue or try and brush the activity under a rug. Well guess what? You can't stop foreign companies from calling you out, and the blacklists are still showing a problem.

Here is what you should do. Hire us! We reported on issues at BCBS (2 months prior to them becoming public), we reported issues at JP Morgan Chase (prior to them acknowledging an issue). We all know the PR nightmares that were caused by these cases and there are a few others that we detected ahead of time. The reality here is that our subscriptions and solutions are way cheaper than the PR nightmare of actually having to disclose a breach so my suggestion is to consider the fact that we are detecting problems faster than some of the larger infosec companies out there and our technology is completely different than what is being used in a traditional security model.

It really makes you stop and wonder as in the case of one of the big breaches several other entities that were named never publicly disclosed any issues yet after the big breach notification we stopped seeing the malicious activity. Do you think it is possible that they decided to fix the issue and sweep it under the rug?

--

SLC Security Services LLC is a private intelligence company located in Raleigh, NC. The company has been making breach notifications to companies and organizations that are not customers in order to help protect clients that could be affected by security issues on their corporate networks. The company has been providing notifications with a 2 day grace period before posting the notifications.

SLC Security provides threat intelligence products that can be directly consumed by your IDS, firewall and monitoring solutions. We also provide outsourced monitoring to companies that want to augment their security staff and do not want to have to hire expensive analysts in house. By outsourcing your monitoring you are allowing your security teams to fix problems while you leave the detection and notifications to our highly skilled analysts.

Sunday, May 17, 2015

Info: 216.146.38.70 being used by malware to get current IP address

Malware MD5's associated with the dynamic DNS domains checkip.dyndns.com and checkip9.dyndns.com:


Thursday, May 14, 2015

BREACH: mSpy Breached

A company linked to mobile phone spy software has become the victim of hacking.

See Krebs's report here.

SLC Security Targeted by Botnet

It goes without saying that the more information we put out there and the more we expose attackers, the greater the likelihood that we will become the target of attacks. At approximately 12:05AM EST 5/14/2015 we began noticing a very coordinated attack on our systems and servers. What was interesting was the sheer number of hosts and their varied locations. With our security features in place, after 3 failed logins hosts are banned for 24 hours, and if more than 4 attacks are made we block those hosts in our IDS/IPS products for a minimum of 7 days.

So again every time somebody unleashes their botnet against our infrastructure it allows us to correlate the connections and attacks and then actually map out the botnet and plot the information in our systems to protect clients, ISP's and our customers.

It's always interesting when somebody turns a botnet against our infrastructure or the infrastructure of a customer exposing hosts that are connected to various botnets or being used by attackers in various campaigns and operations. Normally we can't share collected data but in this case we have decided that it may be a fun experiment to actually map out the entire botnet and then provide packaged intelligence on what was discovered about the host involved with the attacks.

So look for this report. We will try and provide a summary of what happened, a list of hosts with various pieces of information so you can study the information on each of the attacking hosts, and we will also see if we can make a determination of the operating systems of the attacking systems (more than likely compromised), and then a complete conclusion on our thoughts on this particular incident and attribution if we can trace it back to patient zero. We are fairly certain these are compromised systems, and the rate at which we are seeing, blocking and responding is very quick, so this will allow us to collect more data than we would normally be able to collect on these types of incidents. While we see and respond to these attacks at customer sites, this was the first large-scale attack on our infrastructure directly.

More on this will be posted shortly.
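As an added example (not SLC Security's code), here is the escalation policy described in this post applied over constructed failed-login records: 3 failed logins ban the source host for 24 hours, and more than 4 attacks put it on the 7-day IDS/IPS block. The record layout, the `FAIL`/`OK` result column, the documentation-range IPs and the rule that every failed login counts as one attack regardless of service are assumptions made for this example.

```python
"""Escalating ban policy replayed over constructed login records.

Added example, not SLC Security's code; thresholds are those stated in the post.
"""
from datetime import datetime, timedelta

LOGIN_FAIL_THRESHOLD = 3          # 3 failed logins -> source host banned for 24 hours
LOGIN_BAN = timedelta(hours=24)
ATTACK_THRESHOLD = 4              # more than 4 attacks -> IDS/IPS block, minimum 7 days
IDS_BLOCK = timedelta(days=7)

# Constructed sample records (not real traffic), loosely following the raw log layout
# in the post: account, source IP, system, service, timestamp, result. The result
# column and the documentation-range IPs are assumptions for this example.
SAMPLE_LOG = """\
account 198.51.100.23 system smtp 2015-05-13 21:51:02 FAIL
account 198.51.100.23 system smtp 2015-05-13 21:51:03 FAIL
account 198.51.100.23 system smtp 2015-05-13 21:51:03 FAIL
account 198.51.100.23 system smtp 2015-05-13 21:51:06 FAIL
account 198.51.100.23 system smtp 2015-05-13 21:51:07 FAIL
admin@example.test 203.0.113.7 mail smtp 2015-05-14 01:02:02 FAIL
admin@example.test 203.0.113.7 mail smtp 2015-05-14 01:02:08 FAIL
admin@example.test 203.0.113.7 mail imap 2015-05-14 01:02:12 FAIL
admin@example.test 192.0.2.44 mail smtp 2015-05-14 01:10:18 FAIL
admin@example.test 192.0.2.44 mail smtp 2015-05-14 01:10:24 OK
"""


def parse_line(line):
    """Split one record into its fields; the timestamp becomes a datetime."""
    account, ip, system, service, date, time, result = line.split()
    return {
        "account": account, "ip": ip, "system": system, "service": service,
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "failed": result == "FAIL",
    }


def evaluate(log_text):
    """Replay records in order and return the ban state per source IP.

    Every failed login counts as one attack (assumption), whichever service it hit,
    so a host spreading its attempts over smtp and imap is still caught.
    """
    state = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        s = state.setdefault(rec["ip"], {
            "failures": 0, "services": set(),
            "login_ban_until": None, "ids_block_until": None,
        })
        if not rec["failed"]:
            continue
        s["failures"] += 1
        s["services"].add(rec["service"])
        if s["failures"] == LOGIN_FAIL_THRESHOLD:
            s["login_ban_until"] = rec["ts"] + LOGIN_BAN
        if s["failures"] == ATTACK_THRESHOLD + 1:     # "more than 4 attacks"
            s["ids_block_until"] = rec["ts"] + IDS_BLOCK
    return state


def is_blocked(state, ip, now):
    """True while either the 24-hour login ban or the 7-day IDS block is in force."""
    s = state.get(ip)
    if s is None:
        return False
    return any(s[k] is not None and now < s[k]
               for k in ("login_ban_until", "ids_block_until"))


def active_blocklist(state, now):
    """Sorted IPs currently under the 7-day IDS/IPS block: the part of the state
    that would go out to a subscriber blocklist feed."""
    return sorted(ip for ip, s in state.items()
                  if s["ids_block_until"] is not None and now < s["ids_block_until"])


if __name__ == "__main__":
    st = evaluate(SAMPLE_LOG)
    now = datetime(2015, 5, 14, 12, 0, 0)
    for ip in sorted(st):
        status = "blocked" if is_blocked(st, ip, now) else "clear"
        print(ip, st[ip]["failures"], "failures,", status)
    print("feed:", active_blocklist(st, now))
```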


1:16PM EST (Posted by SOC):
Shortly after we posted the information above the attacks suddenly stopped. That's OK as we have what we need to carry out this "project". That shows that the attackers are monitoring. While we can't give specific details on what triggered this event we are pretty certain we know why we are being targeted.

Here are some of the raw logs:
admin@REDACTED 176.108.190.1 mail smtp 2015-05-14 01:01:49 2015-05-14 07:01:49 348
admin@REDACTED 176.108.190.1 mail smtp 2015-05-14 01:01:43 2015-05-14 07:01:43 347
admin@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:37:47 2015-05-14 06:37:47 324
admin@REDACTED 193.93.117.213 mail smtp 2015-05-14 01:01:01 2015-05-14 07:01:01 347
admin@REDACTED 158.181.205.74 mail smtp 2015-05-14 01:00:29 2015-05-14 07:00:29 346
admin@REDACTED 158.181.205.74 mail smtp 2015-05-14 01:00:35 2015-05-14 07:00:35 346
admin@REDACTED 193.93.117.213 mail smtp 2015-05-14 01:00:55 2015-05-14 07:00:55 347
admin@REDACTED 189.202.41.28 mail smtp 2015-05-14 00:59:53 2015-05-14 06:59:53 346
admin@REDACTED 189.202.41.28 mail smtp 2015-05-14 00:59:59 2015-05-14 06:59:59 346
admin@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:37:37 2015-05-14 06:37:37 323
admin@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:37:26 2015-05-14 06:37:26 323
admin@REDACTED 5.232.139.213 mail smtp 2015-05-14 00:56:37 2015-05-14 06:56:37 342
admin@REDACTED 5.232.139.213 mail smtp 2015-05-14 00:56:44 2015-05-14 06:56:44 342
admin@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:37:20 2015-05-14 06:37:20 323
admin@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:37:02 2015-05-14 06:37:02 323
admin@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:36:56 2015-05-14 06:36:56 323
admin@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:36:25 2015-05-14 06:36:25 322
admin@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:43:48 2015-05-14 06:43:48 330
admin@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:36:18 2015-05-14 06:36:18 322
admin@REDACTED 203.157.20.174 mail smtp 2015-05-14 01:09:40 2015-05-14 07:09:40 355
admin@REDACTED 93.110.223.28 mail smtp 2015-05-14 01:09:39 2015-05-14 07:09:39 355
admin@REDACTED 2.179.69.88 mail smtp 2015-05-14 01:09:47 2015-05-14 07:09:47 356
admin@REDACTED 5.239.181.194 mail smtp 2015-05-14 01:09:47 2015-05-14 07:09:47 356
admin@REDACTED 203.157.20.174 mail smtp 2015-05-14 01:09:50 2015-05-14 07:09:50 356
admin@REDACTED 2.179.69.88 mail smtp 2015-05-14 01:09:54 2015-05-14 07:09:54 356
admin@REDACTED 37.254.221.193 mail smtp 2015-05-14 00:43:01 2015-05-14 06:43:01 329
admin@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:43:55 2015-05-14 06:43:55 330
admin@REDACTED 37.254.221.193 mail smtp 2015-05-14 00:42:54 2015-05-14 06:42:54 329
admin@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:35:44 2015-05-14 06:35:44 321
admin@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:35:55 2015-05-14 06:35:55 322
admin@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:35:37 2015-05-14 06:35:37 321
admin@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:35:30 2015-05-14 06:35:30 321
admin@REDACTED 5.239.181.194 mail smtp 2015-05-14 01:09:58 2015-05-14 07:09:58 356
admin@REDACTED 178.131.179.105 mail smtp 2015-05-14 01:10:08 2015-05-14 07:10:08 356
admin@REDACTED 178.131.179.105 mail smtp 2015-05-14 01:10:15 2015-05-14 07:10:15 356
admin@REDACTED 77.28.120.232 mail smtp 2015-05-14 00:35:00 2015-05-14 06:35:00 321
admin@REDACTED 77.28.120.232 mail smtp 2015-05-14 00:34:54 2015-05-14 06:34:54 321
admin@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:34:05 2015-05-14 06:34:05 320
admin@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:34:11 2015-05-14 06:34:11 320
admin@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:34:15 2015-05-14 06:34:15 320
admin@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:34:25 2015-05-14 06:34:25 320
admin@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:34:25 2015-05-14 06:34:25 320
admin@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:34:32 2015-05-14 06:34:32 320
black 61.58.39.87 system smtp 2015-05-14 01:03:50 2015-05-14 07:03:50 350
black 61.58.39.87 system smtp 2015-05-14 01:03:50 2015-05-14 07:03:50 350
black 61.58.39.87 system smtp 2015-05-14 01:03:50 2015-05-14 07:03:50 350
black 61.58.39.87 system smtp 2015-05-14 01:03:50 2015-05-14 07:03:50 350
black 61.58.39.87 system smtp 2015-05-14 01:03:50 2015-05-14 07:03:50 350
bo 61.58.39.87 system smtp 2015-05-13 20:35:48 2015-05-14 02:35:48 82
bo 61.58.39.87 system smtp 2015-05-13 20:35:48 2015-05-14 02:35:48 82
bo 61.58.39.87 system smtp 2015-05-13 20:35:48 2015-05-14 02:35:48 82
bo 61.58.39.87 system smtp 2015-05-13 20:35:48 2015-05-14 02:35:48 82
bo 61.58.39.87 system smtp 2015-05-13 20:35:48 2015-05-14 02:35:48 82
contact@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:46:09 2015-05-14 06:46:09 332
contact@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:43:42 2015-05-14 06:43:42 329
contact@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:43:49 2015-05-14 06:43:49 330
contact@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:46:02 2015-05-14 06:46:02 332
customer 61.58.39.87 system smtp 2015-05-13 22:06:12 2015-05-14 04:06:12 172
customer 61.58.39.87 system smtp 2015-05-13 22:06:12 2015-05-14 04:06:12 172
customer 61.58.39.87 system smtp 2015-05-13 22:06:12 2015-05-14 04:06:12 172
customer 61.58.39.87 system smtp 2015-05-13 22:06:12 2015-05-14 04:06:12 172
customer 61.58.39.87 system smtp 2015-05-13 22:06:12 2015-05-14 04:06:12 172
eliza@REDACTED 84.111.159.210 mail smtp 2015-05-13 22:21:05 2015-05-14 04:21:05 187
eliza@REDACTED 84.111.159.210 mail smtp 2015-05-13 22:20:57 2015-05-14 04:20:57 187
eliza@REDACTED 197.89.196.124 mail smtp 2015-05-13 22:21:48 2015-05-14 04:21:48 188
eliza@REDACTED 197.89.196.124 mail smtp 2015-05-13 22:21:42 2015-05-14 04:21:42 187
eliza@REDACTED 197.89.196.124 mail smtp 2015-05-13 22:21:33 2015-05-14 04:21:33 187
email@REDACTED 213.230.76.134 mail smtp 2015-05-14 00:56:15 2015-05-14 06:56:15 342
email@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:43:38 2015-05-14 06:43:38 329
email@REDACTED 213.230.76.134 mail smtp 2015-05-14 00:56:21 2015-05-14 06:56:21 342
email@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:47:40 2015-05-14 06:47:40 333
email@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:43:31 2015-05-14 06:43:31 329
email@REDACTED 37.208.43.4 mail smtp 2015-05-14 01:06:22 2015-05-14 07:06:22 352
email@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:41:24 2015-05-14 06:41:24 327
email@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:41:17 2015-05-14 06:41:17 327
info 195.154.54.100 system smtp 2015-05-13 23:23:18 2015-05-14 05:23:18 249
info 195.154.54.100 system smtp 2015-05-13 23:12:02 2015-05-14 05:12:02 238
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:54:31 2015-05-14 06:54:31 340
info@REDACTED 85.192.189.19 mail smtp 2015-05-14 00:54:11 2015-05-14 06:54:11 340
info@REDACTED 213.230.74.55 mail smtp 2015-05-14 00:54:15 2015-05-14 06:54:15 340
info@REDACTED 85.192.189.19 mail smtp 2015-05-14 00:54:18 2015-05-14 06:54:18 340
info@REDACTED 213.230.74.55 mail smtp 2015-05-14 00:54:22 2015-05-14 06:54:22 340
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:54:24 2015-05-14 06:54:24 340
info@REDACTED 113.20.119.130 mail smtp 2015-05-14 00:54:25 2015-05-14 06:54:25 340
info@REDACTED 106.220.122.37 mail smtp 2015-05-14 00:54:28 2015-05-14 06:54:28 340
info@REDACTED 213.230.74.55 mail smtp 2015-05-14 00:54:30 2015-05-14 06:54:30 340
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:53:45 2015-05-14 06:53:45 339
info@REDACTED 94.183.243.228 mail smtp 2015-05-14 00:52:40 2015-05-14 06:52:40 338
info@REDACTED 94.183.243.228 mail smtp 2015-05-14 00:52:45 2015-05-14 06:52:45 338
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:52:48 2015-05-14 06:52:48 339
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:52:56 2015-05-14 06:52:56 339
info@REDACTED 94.183.243.228 mail smtp 2015-05-14 00:52:56 2015-05-14 06:52:56 339
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:51:20 2015-05-14 06:51:20 337
info@REDACTED 37.122.62.90 mail smtp 2015-05-14 00:43:32 2015-05-14 06:43:32 329
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:51:45 2015-05-14 06:51:45 337
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:51:48 2015-05-14 06:51:48 338
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:51:55 2015-05-14 06:51:55 338
info@REDACTED 94.183.243.228 mail smtp 2015-05-14 00:52:33 2015-05-14 06:52:33 338
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:52:28 2015-05-14 06:52:28 338
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:51:55 2015-05-14 06:51:55 338
info@REDACTED 213.230.79.102 mail smtp 2015-05-14 00:43:32 2015-05-14 06:43:32 329
info@REDACTED 188.249.105.80 mail smtp 2015-05-14 00:51:11 2015-05-14 06:51:11 337
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:51:00 2015-05-14 06:51:00 337
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:50:51 2015-05-14 06:50:51 337
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:50:42 2015-05-14 06:50:42 336
info@REDACTED 83.149.35.104 mail smtp 2015-05-14 00:50:33 2015-05-14 06:50:33 336
info@REDACTED 154.121.5.229 mail smtp 2015-05-14 00:50:15 2015-05-14 06:50:15 336
info@REDACTED 154.121.5.229 mail smtp 2015-05-14 00:50:08 2015-05-14 06:50:08 336
info@REDACTED 113.20.119.130 mail smtp 2015-05-14 00:49:47 2015-05-14 06:49:47 336
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:48:21 2015-05-14 06:48:21 334
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:48:30 2015-05-14 06:48:30 334
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:48:37 2015-05-14 06:48:37 334
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:49:03 2015-05-14 06:49:03 335
info@REDACTED 113.20.119.130 mail smtp 2015-05-14 00:49:40 2015-05-14 06:49:40 335
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:48:10 2015-05-14 06:48:10 334
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:48:11 2015-05-14 06:48:11 334
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:48:02 2015-05-14 06:48:02 334
info@REDACTED 121.54.58.132 mail smtp 2015-05-14 00:47:57 2015-05-14 06:47:57 334
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 00:47:54 2015-05-14 06:47:54 334
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:47:44 2015-05-14 06:47:44 333
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 00:47:47 2015-05-14 06:47:47 334
info@REDACTED 121.54.58.132 mail smtp 2015-05-14 00:47:50 2015-05-14 06:47:50 334
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:47:51 2015-05-14 06:47:51 334
info@REDACTED 112.198.103.40 mail smtp 2015-05-14 00:47:52 2015-05-14 06:47:52 334
info@REDACTED 113.20.118.197 mail smtp 2015-05-14 00:47:26 2015-05-14 06:47:26 333
info@REDACTED 37.255.28.120 mail smtp 2015-05-14 00:47:35 2015-05-14 06:47:35 333
info@REDACTED 37.29.88.97 mail smtp 2015-05-14 00:47:36 2015-05-14 06:47:36 333
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:04:13 2015-05-14 07:04:13 350
info@REDACTED 37.255.28.120 mail smtp 2015-05-14 00:47:41 2015-05-14 06:47:41 333
info@REDACTED 37.29.88.97 mail smtp 2015-05-14 00:47:43 2015-05-14 06:47:43 333
info@REDACTED 115.118.63.46 mail smtp 2015-05-14 00:45:55 2015-05-14 06:45:55 332
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:45:59 2015-05-14 06:45:59 332
info@REDACTED 27.34.248.40 mail smtp 2015-05-14 00:45:59 2015-05-14 06:45:59 332
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:46:00 2015-05-14 06:46:00 332
info@REDACTED 61.7.186.46 mail smtp 2015-05-14 00:46:00 2015-05-14 06:46:00 332
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:02:49 2015-05-14 07:02:49 349
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:03:19 2015-05-14 07:03:19 349
info@REDACTED 27.34.248.40 mail smtp 2015-05-14 00:46:05 2015-05-14 06:46:05 332
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:46:17 2015-05-14 06:46:17 332
info@REDACTED 5.237.33.191 mail smtp 2015-05-14 00:43:29 2015-05-14 06:43:29 329
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:46:21 2015-05-14 06:46:21 332
info@REDACTED 203.205.28.51 mail smtp 2015-05-14 00:46:21 2015-05-14 06:46:21 332
info@REDACTED 203.205.28.51 mail smtp 2015-05-14 00:46:28 2015-05-14 06:46:28 332
info@REDACTED 94.102.179.116 mail smtp 2015-05-14 00:46:28 2015-05-14 06:46:28 332
info@REDACTED 223.255.230.34 mail smtp 2015-05-14 00:46:29 2015-05-14 06:46:29 332
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:46:29 2015-05-14 06:46:29 332
info@REDACTED 94.102.179.116 mail smtp 2015-05-14 00:46:35 2015-05-14 06:46:35 332
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:46:36 2015-05-14 06:46:36 332
info@REDACTED 223.255.230.34 mail smtp 2015-05-14 00:46:36 2015-05-14 06:46:36 332
info@REDACTED 37.29.88.97 mail smtp 2015-05-14 00:46:37 2015-05-14 06:46:37 332
info@REDACTED 2.179.69.88 mail smtp 2015-05-14 00:46:39 2015-05-14 06:46:39 332
info@REDACTED 113.20.119.130 mail smtp 2015-05-14 00:46:43 2015-05-14 06:46:43 332
info@REDACTED 37.29.88.97 mail smtp 2015-05-14 00:46:44 2015-05-14 06:46:44 332
info@REDACTED 2.179.69.88 mail smtp 2015-05-14 00:46:46 2015-05-14 06:46:46 332
info@REDACTED 94.102.179.116 mail smtp 2015-05-14 00:46:48 2015-05-14 06:46:48 333
info@REDACTED 113.20.119.130 mail smtp 2015-05-14 00:46:50 2015-05-14 06:46:50 333
info@REDACTED 37.29.88.97 mail smtp 2015-05-14 00:46:53 2015-05-14 06:46:53 333
info@REDACTED 94.102.179.116 mail smtp 2015-05-14 00:46:55 2015-05-14 06:46:55 333
info@REDACTED 37.29.88.97 mail smtp 2015-05-14 00:47:00 2015-05-14 06:47:00 333
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:43:28 2015-05-14 06:43:28 329
info@REDACTED 200.27.121.164 mail smtp 2015-05-14 00:43:27 2015-05-14 06:43:27 329
info@REDACTED 113.20.118.197 mail smtp 2015-05-14 00:47:19 2015-05-14 06:47:19 333
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:45:52 2015-05-14 06:45:52 332
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:45:53 2015-05-14 06:45:53 332
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:43:22 2015-05-14 06:43:22 329
info@REDACTED 89.120.44.101 mail smtp 2015-05-14 00:43:21 2015-05-14 06:43:21 329
info@REDACTED 27.34.248.40 mail smtp 2015-05-14 00:45:51 2015-05-14 06:45:51 332
info@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:33:22 2015-05-14 06:33:22 319
info@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:32:48 2015-05-14 06:32:48 319
info@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:32:42 2015-05-14 06:32:42 318
info@REDACTED 37.218.160.101 mail smtp 2015-05-14 00:31:41 2015-05-14 06:31:41 317
info@REDACTED 200.27.121.164 mail smtp 2015-05-14 00:43:20 2015-05-14 06:43:20 329
info@REDACTED 5.237.33.191 mail smtp 2015-05-14 00:43:19 2015-05-14 06:43:19 329
info@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:31:31 2015-05-14 06:31:31 317
info@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:31:35 2015-05-14 06:31:35 317
info@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:31:35 2015-05-14 06:31:35 317
info@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:31:37 2015-05-14 06:31:37 317
info@REDACTED 188.18.15.10 mail smtp 2015-05-14 00:43:18 2015-05-14 06:43:18 329
info@REDACTED 190.42.16.210 mail smtp 2015-05-14 00:43:17 2015-05-14 06:43:17 329
info@REDACTED 61.7.186.46 mail smtp 2015-05-14 00:45:49 2015-05-14 06:45:49 332
info@REDACTED 115.118.63.46 mail smtp 2015-05-14 00:45:48 2015-05-14 06:45:48 332
info@REDACTED 178.127.212.220 mail smtp 2015-05-14 00:43:49 2015-05-14 06:43:49 330
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:02:55 2015-05-14 07:02:55 349
info@REDACTED 89.120.44.101 mail smtp 2015-05-14 00:43:15 2015-05-14 06:43:15 329
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:03:00 2015-05-14 07:03:00 349
info@REDACTED 5.237.33.191 mail smtp 2015-05-14 00:43:47 2015-05-14 06:43:47 330
info@REDACTED 37.218.185.1 mail smtp 2015-05-14 00:43:44 2015-05-14 06:43:44 329
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:03:06 2015-05-14 07:03:06 349
info@REDACTED 145.255.162.233 mail smtp 2015-05-14 00:43:42 2015-05-14 06:43:42 329
info@REDACTED 213.230.72.197 mail smtp 2015-05-14 00:43:39 2015-05-14 06:43:39 329
info@REDACTED 188.18.15.10 mail smtp 2015-05-14 00:43:12 2015-05-14 06:43:12 329
info@REDACTED 190.42.16.210 mail smtp 2015-05-14 00:43:11 2015-05-14 06:43:11 329
info@REDACTED 103.249.77.2 mail smtp 2015-05-14 00:43:09 2015-05-14 06:43:09 329
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:03:14 2015-05-14 07:03:14 349
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:43:07 2015-05-14 06:43:07 329
info@REDACTED 27.34.248.40 mail smtp 2015-05-14 00:45:44 2015-05-14 06:45:44 331
info@REDACTED 147.30.16.107 mail smtp 2015-05-14 00:43:06 2015-05-14 06:43:06 329
info@REDACTED 5.34.7.85 mail smtp 2015-05-14 00:43:04 2015-05-14 06:43:04 329
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:04:19 2015-05-14 07:04:19 350
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:13:20 2015-05-14 07:13:20 359
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 01:07:14 2015-05-14 07:07:14 353
info@REDACTED 202.67.45.39 mail smtp 2015-05-14 01:01:27 2015-05-14 07:01:27 347
info@REDACTED 37.122.62.90 mail smtp 2015-05-14 00:43:39 2015-05-14 06:43:39 329
info@REDACTED 178.91.193.33 mail smtp 2015-05-14 00:43:02 2015-05-14 06:43:02 329
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:43:01 2015-05-14 06:43:01 329
info@REDACTED 171.6.246.145 mail smtp 2015-05-14 01:04:36 2015-05-14 07:04:36 350
info@REDACTED 5.232.139.213 mail smtp 2015-05-14 00:43:50 2015-05-14 06:43:50 330
info@REDACTED 37.122.62.90 mail smtp 2015-05-14 00:43:52 2015-05-14 06:43:52 330
info@REDACTED 37.205.89.115 mail smtp 2015-05-14 00:43:54 2015-05-14 06:43:54 330
info@REDACTED 5.237.33.191 mail smtp 2015-05-14 00:43:54 2015-05-14 06:43:54 330
info@REDACTED 202.67.45.39 mail smtp 2015-05-14 01:01:34 2015-05-14 07:01:34 347
info@REDACTED 178.127.212.220 mail smtp 2015-05-14 00:43:55 2015-05-14 06:43:55 330
info@REDACTED 147.30.16.107 mail smtp 2015-05-14 00:43:00 2015-05-14 06:43:00 329
info@REDACTED 145.255.162.233 mail smtp 2015-05-14 00:43:56 2015-05-14 06:43:56 330
info@REDACTED 110.227.32.74 mail smtp 2015-05-14 00:43:56 2015-05-14 06:43:56 330
info@REDACTED 5.232.139.213 mail smtp 2015-05-14 00:43:57 2015-05-14 06:43:57 330
info@REDACTED 37.218.185.1 mail smtp 2015-05-14 00:43:58 2015-05-14 06:43:58 330
info@REDACTED 37.122.62.90 mail smtp 2015-05-14 00:43:59 2015-05-14 06:43:59 330
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:43:59 2015-05-14 06:43:59 330
info@REDACTED 37.205.89.115 mail smtp 2015-05-14 00:44:00 2015-05-14 06:44:00 330
info@REDACTED 159.0.67.96 mail smtp 2015-05-14 00:44:01 2015-05-14 06:44:01 330
info@REDACTED 145.255.162.233 mail smtp 2015-05-14 00:44:03 2015-05-14 06:44:03 330
info@REDACTED 110.227.32.74 mail smtp 2015-05-14 00:44:03 2015-05-14 06:44:03 330
info@REDACTED 37.218.185.1 mail smtp 2015-05-14 00:44:05 2015-05-14 06:44:05 330
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:44:06 2015-05-14 06:44:06 330
info@REDACTED 103.249.77.2 mail smtp 2015-05-14 00:42:59 2015-05-14 06:42:59 329
info@REDACTED 159.0.67.96 mail smtp 2015-05-14 00:44:08 2015-05-14 06:44:08 330
info@REDACTED 181.64.177.51 mail smtp 2015-05-14 00:44:09 2015-05-14 06:44:09 330
info@REDACTED 5.34.7.85 mail smtp 2015-05-14 00:42:58 2015-05-14 06:42:58 329
info@REDACTED 181.64.177.51 mail smtp 2015-05-14 00:44:15 2015-05-14 06:44:15 330
info@REDACTED 5.232.2.213 mail smtp 2015-05-14 00:44:16 2015-05-14 06:44:16 330
info@REDACTED 178.91.193.33 mail smtp 2015-05-14 00:42:55 2015-05-14 06:42:55 329
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:44:18 2015-05-14 06:44:18 330
info@REDACTED 181.66.156.217 mail smtp 2015-05-14 00:44:19 2015-05-14 06:44:19 330
info@REDACTED 5.232.2.213 mail smtp 2015-05-14 00:44:23 2015-05-14 06:44:23 330
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:44:25 2015-05-14 06:44:25 330
info@REDACTED 5.239.181.194 mail smtp 2015-05-14 00:44:25 2015-05-14 06:44:25 330
info@REDACTED 181.66.156.217 mail smtp 2015-05-14 00:44:25 2015-05-14 06:44:25 330
info@REDACTED 188.34.131.15 mail smtp 2015-05-14 00:44:31 2015-05-14 06:44:31 330
info@REDACTED 5.239.181.194 mail smtp 2015-05-14 00:44:32 2015-05-14 06:44:32 330
info@REDACTED 89.120.44.101 mail smtp 2015-05-14 00:44:35 2015-05-14 06:44:35 330
info@REDACTED 93.110.223.28 mail smtp 2015-05-14 00:44:37 2015-05-14 06:44:37 330
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:44:38 2015-05-14 06:44:38 330
info@REDACTED 188.34.131.15 mail smtp 2015-05-14 00:44:38 2015-05-14 06:44:38 330
info@REDACTED 89.120.44.101 mail smtp 2015-05-14 00:44:41 2015-05-14 06:44:41 330
info@REDACTED 190.43.242.112 mail smtp 2015-05-14 00:44:42 2015-05-14 06:44:42 330
info@REDACTED 91.106.75.36 mail smtp 2015-05-14 00:44:43 2015-05-14 06:44:43 330
info@REDACTED 124.158.77.5 mail smtp 2015-05-14 00:44:43 2015-05-14 06:44:43 330
info@REDACTED 93.110.223.28 mail smtp 2015-05-14 00:44:44 2015-05-14 06:44:44 330
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:44:45 2015-05-14 06:44:45 330
info@REDACTED 181.67.39.57 mail smtp 2015-05-14 00:44:47 2015-05-14 06:44:47 331
info@REDACTED 95.86.168.30 mail smtp 2015-05-14 00:44:47 2015-05-14 06:44:47 331
info@REDACTED 190.43.242.112 mail smtp 2015-05-14 00:44:49 2015-05-14 06:44:49 331
info@REDACTED 124.158.77.5 mail smtp 2015-05-14 00:44:50 2015-05-14 06:44:50 331
info@REDACTED 91.106.75.36 mail smtp 2015-05-14 00:44:50 2015-05-14 06:44:50 331
info@REDACTED 181.67.39.57 mail smtp 2015-05-14 00:44:54 2015-05-14 06:44:54 331
info@REDACTED 95.86.168.30 mail smtp 2015-05-14 00:44:54 2015-05-14 06:44:54 331
info@REDACTED 203.157.20.174 mail smtp 2015-05-14 00:44:59 2015-05-14 06:44:59 331
info@REDACTED 5.232.139.213 mail smtp 2015-05-14 00:44:59 2015-05-14 06:44:59 331
info@REDACTED 203.157.20.174 mail smtp 2015-05-14 00:45:06 2015-05-14 06:45:06 331
info@REDACTED 5.232.139.213 mail smtp 2015-05-14 00:45:06 2015-05-14 06:45:06 331
info@REDACTED 37.237.168.104 mail smtp 2015-05-14 00:45:09 2015-05-14 06:45:09 331
info@REDACTED 116.202.239.175 mail smtp 2015-05-14 00:45:11 2015-05-14 06:45:11 331
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:45:13 2015-05-14 06:45:13 331
info@REDACTED 37.237.168.104 mail smtp 2015-05-14 00:45:15 2015-05-14 06:45:15 331
info@REDACTED 37.218.185.1 mail smtp 2015-05-14 00:45:17 2015-05-14 06:45:17 331
info@REDACTED 116.202.239.175 mail smtp 2015-05-14 00:45:18 2015-05-14 06:45:18 331
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:45:19 2015-05-14 06:45:19 331
info@REDACTED 37.150.158.154 mail smtp 2015-05-14 00:45:19 2015-05-14 06:45:19 331
info@REDACTED 61.7.186.46 mail smtp 2015-05-14 00:45:21 2015-05-14 06:45:21 331
info@REDACTED 37.218.185.1 mail smtp 2015-05-14 00:45:23 2015-05-14 06:45:23 331
info@REDACTED 2.182.84.163 mail smtp 2015-05-14 00:45:26 2015-05-14 06:45:26 331
info@REDACTED 178.131.179.105 mail smtp 2015-05-14 00:45:27 2015-05-14 06:45:27 331
info@REDACTED 61.7.186.46 mail smtp 2015-05-14 00:45:28 2015-05-14 06:45:28 331
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 00:45:32 2015-05-14 06:45:32 331
info@REDACTED 188.159.146.146 mail smtp 2015-05-14 00:45:33 2015-05-14 06:45:33 331
info@REDACTED 178.131.179.105 mail smtp 2015-05-14 00:45:34 2015-05-14 06:45:34 331
info@REDACTED 61.7.186.46 mail smtp 2015-05-14 00:45:36 2015-05-14 06:45:36 331
info@REDACTED 171.6.246.145 mail smtp 2015-05-14 01:04:41 2015-05-14 07:04:41 350
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 00:45:39 2015-05-14 06:45:39 331
info@REDACTED 188.159.146.146 mail smtp 2015-05-14 00:45:40 2015-05-14 06:45:40 331
info@REDACTED 61.7.186.46 mail smtp 2015-05-14 00:45:43 2015-05-14 06:45:43 331
info@REDACTED 159.0.67.96 mail smtp 2015-05-14 00:42:50 2015-05-14 06:42:50 329
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:04:42 2015-05-14 07:04:42 350
info@REDACTED 171.6.246.145 mail smtp 2015-05-14 01:04:43 2015-05-14 07:04:43 350
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:01:55 2015-05-14 07:01:55 348
info@REDACTED 5.236.133.162 mail smtp 2015-05-14 01:00:05 2015-05-14 07:00:05 346
info@REDACTED 5.34.7.85 mail smtp 2015-05-14 00:42:48 2015-05-14 06:42:48 329
info@REDACTED 103.249.77.2 mail smtp 2015-05-14 00:42:47 2015-05-14 06:42:47 329
info@REDACTED 5.236.133.162 mail smtp 2015-05-14 01:00:12 2015-05-14 07:00:12 346
info@REDACTED 112.72.13.174 mail smtp 2015-05-14 00:59:06 2015-05-14 06:59:06 345
info@REDACTED 37.218.185.1 mail smtp 2015-05-14 00:43:37 2015-05-14 06:43:37 329
info@REDACTED 171.6.246.145 mail smtp 2015-05-14 01:04:48 2015-05-14 07:04:48 351
info@REDACTED 176.124.237.180 mail smtp 2015-05-14 01:02:01 2015-05-14 07:02:01 348
info@REDACTED 159.0.67.96 mail smtp 2015-05-14 00:42:43 2015-05-14 06:42:43 328
info@REDACTED 89.120.44.101 mail smtp 2015-05-14 00:42:41 2015-05-14 06:42:41 328
info@REDACTED 5.34.7.85 mail smtp 2015-05-14 00:42:41 2015-05-14 06:42:41 328
info@REDACTED 103.249.77.2 mail smtp 2015-05-14 00:42:39 2015-05-14 06:42:39 328
info@REDACTED 85.154.60.254 mail smtp 2015-05-14 00:33:36 2015-05-14 06:33:36 319
info@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:33:44 2015-05-14 06:33:44 319
info@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:33:50 2015-05-14 06:33:50 320
info@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:33:51 2015-05-14 06:33:51 320
info@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:34:01 2015-05-14 06:34:01 320
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 00:58:11 2015-05-14 06:58:11 344
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:58:17 2015-05-14 06:58:17 344
info@REDACTED 91.133.197.32 mail smtp 2015-05-14 00:58:18 2015-05-14 06:58:18 344
info@REDACTED 112.72.13.174 mail smtp 2015-05-14 00:58:59 2015-05-14 06:58:59 345
info@REDACTED 1.179.166.97 mail smtp 2015-05-14 00:58:01 2015-05-14 06:58:01 344
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:57:53 2015-05-14 06:57:53 344
info@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:34:47 2015-05-14 06:34:47 321
info@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:34:51 2015-05-14 06:34:51 321
info@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:34:54 2015-05-14 06:34:54 321
info@REDACTED 1.179.166.97 mail smtp 2015-05-14 00:57:54 2015-05-14 06:57:54 344
info@REDACTED 145.255.162.233 mail smtp 2015-05-14 00:43:35 2015-05-14 06:43:35 329
info@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:35:01 2015-05-14 06:35:01 321
info@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:35:23 2015-05-14 06:35:23 321
info@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:35:30 2015-05-14 06:35:30 321
info@REDACTED 103.254.59.222 mail smtp 2015-05-14 00:46:09 2015-05-14 06:46:09 332
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:55:01 2015-05-14 06:55:01 341
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:55:07 2015-05-14 06:55:07 341
info@REDACTED 62.117.96.60 mail smtp 2015-05-14 00:42:38 2015-05-14 06:42:38 328
info@REDACTED 178.88.188.15 mail smtp 2015-05-14 00:42:38 2015-05-14 06:42:38 328
info@REDACTED 5.235.187.222 mail smtp 2015-05-14 00:42:37 2015-05-14 06:42:37 328
info@REDACTED 89.120.44.101 mail smtp 2015-05-14 00:42:35 2015-05-14 06:42:35 328
info@REDACTED 106.220.122.37 mail smtp 2015-05-14 00:55:12 2015-05-14 06:55:12 341
info@REDACTED 94.20.88.33 mail smtp 2015-05-14 00:42:33 2015-05-14 06:42:33 328
info@REDACTED 178.88.188.15 mail smtp 2015-05-14 00:42:31 2015-05-14 06:42:31 328
info@REDACTED 190.216.197.162 mail smtp 2015-05-14 00:42:31 2015-05-14 06:42:31 328
info@REDACTED 85.154.60.254 mail smtp 2015-05-14 00:33:29 2015-05-14 06:33:29 319
info@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:33:29 2015-05-14 06:33:29 319
info@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:32:38 2015-05-14 06:32:38 318
info@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:31:42 2015-05-14 06:31:42 317
info@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:31:45 2015-05-14 06:31:45 317
info@REDACTED 37.218.160.101 mail smtp 2015-05-14 00:31:47 2015-05-14 06:31:47 318
info@REDACTED 77.28.120.232 mail smtp 2015-05-14 00:32:15 2015-05-14 06:32:15 318
info@REDACTED 77.28.120.232 mail smtp 2015-05-14 00:32:21 2015-05-14 06:32:21 318
info@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:32:27 2015-05-14 06:32:27 318
info@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:32:32 2015-05-14 06:32:32 318
info@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:32:34 2015-05-14 06:32:34 318
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:55:20 2015-05-14 06:55:20 341
info@REDACTED 106.220.122.37 mail smtp 2015-05-14 00:55:22 2015-05-14 06:55:22 341
info@REDACTED 78.38.11.75 mail smtp 2015-05-14 00:55:57 2015-05-14 06:55:57 342
info@REDACTED 78.38.11.75 mail smtp 2015-05-14 00:56:04 2015-05-14 06:56:04 342
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:56:11 2015-05-14 06:56:11 342
info@REDACTED 202.57.45.12 mail smtp 2015-05-14 00:56:15 2015-05-14 06:56:15 342
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:13:27 2015-05-14 07:13:27 359
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:56:17 2015-05-14 06:56:17 342
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:13:33 2015-05-14 07:13:33 359
info@REDACTED 202.57.45.12 mail smtp 2015-05-14 00:56:21 2015-05-14 06:56:21 342
info@REDACTED 180.235.179.5 mail smtp 2015-05-14 01:13:35 2015-05-14 07:13:35 359
info@REDACTED 213.230.79.102 mail smtp 2015-05-14 00:43:39 2015-05-14 06:43:39 329
info@REDACTED 61.246.199.90 mail smtp 2015-05-14 00:57:07 2015-05-14 06:57:07 343
info@REDACTED 5.235.187.222 mail smtp 2015-05-14 00:42:30 2015-05-14 06:42:30 328
info@REDACTED 62.117.96.60 mail smtp 2015-05-14 00:42:30 2015-05-14 06:42:30 328
info@REDACTED 61.246.199.90 mail smtp 2015-05-14 00:57:15 2015-05-14 06:57:15 343
info@REDACTED 94.20.88.33 mail smtp 2015-05-14 00:42:27 2015-05-14 06:42:27 328
info@REDACTED 213.230.72.197 mail smtp 2015-05-14 00:43:32 2015-05-14 06:43:32 329
info@REDACTED 159.0.67.96 mail smtp 2015-05-14 00:42:27 2015-05-14 06:42:27 328
info@REDACTED 190.216.197.162 mail smtp 2015-05-14 00:42:25 2015-05-14 06:42:25 328
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:57:47 2015-05-14 06:57:47 344
info@REDACTED 203.81.71.88 mail smtp 2015-05-14 00:54:55 2015-05-14 06:54:55 341
info@REDACTED 106.220.122.37 mail smtp 2015-05-14 00:54:52 2015-05-14 06:54:52 341
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:54:40 2015-05-14 06:54:40 340
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:54:41 2015-05-14 06:54:41 340
info@REDACTED 159.0.67.96 mail smtp 2015-05-14 00:42:20 2015-05-14 06:42:20 328
info@REDACTED 213.230.74.55 mail smtp 2015-05-14 00:54:43 2015-05-14 06:54:43 340
info@REDACTED 189.202.41.28 mail smtp 2015-05-14 00:42:18 2015-05-14 06:42:18 328
info@REDACTED 24.224.47.29 mail smtp 2015-05-14 00:42:17 2015-05-14 06:42:17 328
info@REDACTED 189.202.41.28 mail smtp 2015-05-14 00:42:12 2015-05-14 06:42:12 328
info@REDACTED 24.224.47.29 mail smtp 2015-05-14 00:42:11 2015-05-14 06:42:11 328
info@REDACTED 95.86.177.118 mail smtp 2015-05-14 00:42:06 2015-05-14 06:42:06 328
info@REDACTED 95.86.177.118 mail smtp 2015-05-14 00:42:00 2015-05-14 06:42:00 328
info@REDACTED 193.93.117.213 mail smtp 2015-05-14 00:42:00 2015-05-14 06:42:00 328
info@REDACTED 106.220.122.37 mail smtp 2015-05-14 00:54:44 2015-05-14 06:54:44 340
info@REDACTED 180.214.232.84 mail smtp 2015-05-14 00:54:47 2015-05-14 06:54:47 341
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:54:35 2015-05-14 06:54:35 340
info@REDACTED 106.220.122.37 mail smtp 2015-05-14 00:54:36 2015-05-14 06:54:36 340
info@REDACTED 203.81.71.88 mail smtp 2015-05-14 00:54:37 2015-05-14 06:54:37 340
info@REDACTED 213.230.74.55 mail smtp 2015-05-14 00:54:40 2015-05-14 06:54:40 340
info@REDACTED 193.93.117.213 mail smtp 2015-05-14 00:41:54 2015-05-14 06:41:54 328
info@REDACTED 158.181.205.74 mail smtp 2015-05-14 00:41:41 2015-05-14 06:41:41 327
info@REDACTED 176.108.190.1 mail smtp 2015-05-14 00:41:40 2015-05-14 06:41:40 327
info@REDACTED 158.181.205.74 mail smtp 2015-05-14 00:41:35 2015-05-14 06:41:35 327
info@REDACTED 176.108.190.1 mail smtp 2015-05-14 00:41:34 2015-05-14 06:41:34 327
info@REDACTED 213.230.74.55 mail smtp 2015-05-14 00:54:33 2015-05-14 06:54:33 340
info@REDACTED 113.20.119.130 mail smtp 2015-05-14 00:54:32 2015-05-14 06:54:32 340
info@REDACTED 72.252.244.244 mail smtp 2015-05-14 00:40:44 2015-05-14 06:40:44 326
info@REDACTED 72.252.244.244 mail smtp 2015-05-14 00:40:38 2015-05-14 06:40:38 326
order 63.138.119.210 system smtp 2015-05-13 19:25:52 2015-05-14 01:25:52 12
order 63.138.119.210 system smtp 2015-05-13 19:25:51 2015-05-14 01:25:51 12
payment 52.5.13.206 system smtp 2015-05-13 19:51:14 2015-05-14 01:51:14 37
payment 52.5.13.206 system smtp 2015-05-13 19:51:14 2015-05-14 01:51:14 37
payments 207.20.229.121 system smtp 2015-05-13 20:11:36 2015-05-14 02:11:36 57
payments 207.20.229.121 system smtp 2015-05-13 20:11:36 2015-05-14 02:11:36 57
pos 191.238.13.43 system smtp 2015-05-13 20:54:12 2015-05-14 02:54:12 100
pos 191.238.13.43 system smtp 2015-05-13 20:54:12 2015-05-14 02:54:12 100
postmaster 23.22.220.254 system smtp 2015-05-13 22:12:11 2015-05-14 04:12:11 178
postmaster 23.22.220.254 system smtp 2015-05-13 22:12:07 2015-05-14 04:12:07 178
pr 52.6.130.221 system smtp 2015-05-13 22:27:12 2015-05-14 04:27:12 193
pr 52.6.130.221 system smtp 2015-05-13 22:27:12 2015-05-14 04:27:12 193
profile 52.6.71.222 system smtp 2015-05-13 23:16:47 2015-05-14 05:16:47 243
profile 52.6.71.222 system smtp 2015-05-13 23:16:47 2015-05-14 05:16:47 243
proxy 198.58.75.132 system smtp 2015-05-13 23:36:04 2015-05-14 05:36:04 262
proxy 198.58.75.132 system smtp 2015-05-13 23:36:00 2015-05-14 05:36:00 262
repair 191.238.13.43 system smtp 2015-05-14 00:25:15 2015-05-14 06:25:15 311
repair 191.238.13.43 system smtp 2015-05-14 00:25:15 2015-05-14 06:25:15 311
resume 49.236.204.181 system smtp 2015-05-14 01:01:34 2015-05-14 07:01:34 347
resume 49.236.204.181 system smtp 2015-05-14 01:01:34 2015-05-14 07:01:34 347
sales 121.121.42.18 system smtp 2015-05-13 20:08:12 2015-05-14 02:08:12 54
sales 121.121.42.18 system smtp 2015-05-13 20:08:06 2015-05-14 02:08:06 54
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:41:53 2015-05-14 06:41:53 328
sales@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:40:48 2015-05-14 06:40:48 327
sales@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:40:50 2015-05-14 06:40:50 327
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:42:00 2015-05-14 06:42:00 328
sales@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:38:12 2015-05-14 06:38:12 324
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:40:59 2015-05-14 06:40:59 327
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:41:06 2015-05-14 06:41:06 327
sales@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:38:01 2015-05-14 06:38:01 324
sales@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:41:15 2015-05-14 06:41:15 327
sales@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:37:55 2015-05-14 06:37:55 324
sales@REDACTED 85.154.60.254 mail smtp 2015-05-14 00:46:17 2015-05-14 06:46:17 332
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:42:19 2015-05-14 06:42:19 328
sales@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:41:22 2015-05-14 06:41:22 327
sales@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:43:55 2015-05-14 06:43:55 330
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:42:26 2015-05-14 06:42:26 328
sales@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:44:07 2015-05-14 06:44:07 330
sales@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:44:11 2015-05-14 06:44:11 330
sales@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:44:17 2015-05-14 06:44:17 330
sales@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:45:37 2015-05-14 06:45:37 331
sales@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:45:44 2015-05-14 06:45:44 331
sales@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:45:53 2015-05-14 06:45:53 332
sales@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:40:42 2015-05-14 06:40:42 326
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:40:42 2015-05-14 06:40:42 326
sales@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:39:06 2015-05-14 06:39:06 325
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:40:36 2015-05-14 06:40:36 326
sales@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:38:59 2015-05-14 06:38:59 325
sales@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:43:49 2015-05-14 06:43:49 330
sales@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:59:34 2015-05-14 06:59:34 345
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
slcsecurity 121.54.54.158 system smtp 2015-05-14 00:45:54 2015-05-14 06:45:54 332
slcsecurity 121.54.54.158 system smtp 2015-05-14 00:46:01 2015-05-14 06:46:01 332
slcsecurity 78.83.28.215 system smtp 2015-05-14 00:57:41 2015-05-14 06:57:41 343
slcsecurity 78.83.28.215 system smtp 2015-05-14 00:57:48 2015-05-14 06:57:48 344
support@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:36:00 2015-05-14 06:36:00 322
support@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:37:43 2015-05-14 06:37:43 323
support@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:37:49 2015-05-14 06:37:49 324
support@REDACTED 85.154.60.254 mail smtp 2015-05-14 00:43:01 2015-05-14 06:43:01 329
support@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:40:41 2015-05-14 06:40:41 326
support@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:38:01 2015-05-14 06:38:01 324
support@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:40:32 2015-05-14 06:40:32 326
support@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:38:12 2015-05-14 06:38:12 324
support@REDACTED 85.154.60.254 mail smtp 2015-05-14 00:43:07 2015-05-14 06:43:07 329
support@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:38:49 2015-05-14 06:38:49 325
support@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:41:53 2015-05-14 06:41:53 328
support@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:40:38 2015-05-14 06:40:38 326
support@REDACTED 121.54.54.174 mail smtp 2015-05-14 00:38:56 2015-05-14 06:38:56 325
support@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:36:15 2015-05-14 06:36:15 322
support@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:41:39 2015-05-14 06:41:39 327
support@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:40:47 2015-05-14 06:40:47 327
support@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:41:32 2015-05-14 06:41:32 327
support@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:36:07 2015-05-14 06:36:07 322
support@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:40:23 2015-05-14 06:40:23 326
support@REDACTED 78.83.28.215 mail smtp 2015-05-14 00:47:06 2015-05-14 06:47:06 333
support@REDACTED 78.83.28.215 mail smtp 2015-05-14 00:47:00 2015-05-14 06:47:00 333
support@REDACTED 95.78.46.170 mail smtp 2015-05-14 00:40:29 2015-05-14 06:40:29 326
support@REDACTED 121.54.44.95 mail smtp 2015-05-14 00:36:22 2015-05-14 06:36:22 322
support@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:51:18 2015-05-14 06:51:18 337
support@REDACTED 27.55.111.136 mail smtp 2015-05-14 00:51:25 2015-05-14 06:51:25 337
support@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:36:41 2015-05-14 06:36:41 322
support@REDACTED 121.54.54.158 mail smtp 2015-05-14 00:36:48 2015-05-14 06:36:48 323
support@REDACTED 145.255.162.179 mail smtp 2015-05-14 00:41:43 2015-05-14 06:41:43 327
test@REDACTED 85.25.211.119 mail smtp 2015-05-14 00:38:05 2015-05-14 06:38:05 324
user@REDACTED 74.55.126.234 mail smtp 2015-05-14 00:40:09 2015-05-14 06:40:09 326


Our analysts are looking at the data now and will run the information against our Jigsaw interface so we can provide specific information on what is known.

2:00AM EST:
So we decided we would just turn on a feature in our systems to automatically post tweets to Twitter on our @vulndisclosures account and within minutes we started seeing a slowdown. Maybe these guys really don't want their activities posted to public forums... Let the games begin! #HITME

2:43AM EST:
It appears as though the activity has stopped. That was the largest influx of login attempts in such a short period of time that we have ever observed... We will be pulling data together and sharing with the community tomorrow.
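To make the dump above usable for triage, here is an added example (written for this page, not the blog's own Jigsaw tooling) that parses records in the layout shown in the dump and summarises them the way a defender would: attempts per source IP, how many distinct target usernames each source tried, and the busiest five-minute window. It assumes the field order is user, source IP, class, protocol, two timestamps and a trailing counter (the post does not name the columns, so that mapping and the flagging thresholds are assumptions). The sample records are copied from the dump above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Records copied from the dump above. Assumed field order (the post does not
# label its columns): user source_ip class proto ts_a ts_b seq
SAMPLE = """\
info@REDACTED 78.38.11.75 mail smtp 2015-05-14 00:55:57 2015-05-14 06:55:57 342
info@REDACTED 78.38.11.75 mail smtp 2015-05-14 00:56:04 2015-05-14 06:56:04 342
info@REDACTED 82.114.94.198 mail smtp 2015-05-14 00:56:11 2015-05-14 06:56:11 342
info@REDACTED 202.57.45.12 mail smtp 2015-05-14 00:56:15 2015-05-14 06:56:15 342
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
security 61.58.39.87 system smtp 2015-05-13 23:36:05 2015-05-14 05:36:05 262
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:41:53 2015-05-14 06:41:53 328
sales@REDACTED 37.208.43.4 mail smtp 2015-05-14 00:42:00 2015-05-14 06:42:00 328
sales@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:40:48 2015-05-14 06:40:48 327
support@REDACTED 121.54.44.89 mail smtp 2015-05-14 00:37:43 2015-05-14 06:37:43 323
support@REDACTED 37.113.68.11 mail smtp 2015-05-14 00:40:32 2015-05-14 06:40:32 326
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_record(line):
    """Split one whitespace-separated record into a dict; reject malformed lines."""
    parts = line.split()
    if len(parts) != 9:
        raise ValueError(f"unexpected field count in record: {line!r}")
    user, ip, cls, proto, d1, t1, d2, t2, seq = parts
    return {
        "user": user,
        "ip": ip,
        "class": cls,
        "proto": proto,
        "ts": datetime.strptime(f"{d1} {t1}", TS_FMT),        # first timestamp (assumed primary)
        "ts_alt": datetime.strptime(f"{d2} {t2}", TS_FMT),    # second timestamp, six hours later in the dump
        "seq": int(seq),
    }


def load(text):
    """Parse every non-empty line of a dump."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def attempts_by_ip(records):
    """Total login attempts seen from each source address."""
    return Counter(r["ip"] for r in records)


def users_by_ip(records):
    """Set of distinct target usernames tried from each source address."""
    targets = defaultdict(set)
    for r in records:
        targets[r["ip"]].add(r["user"])
    return targets


def peak_window(records, window=timedelta(minutes=5)):
    """Return (start, count) for the sliding window holding the most attempts."""
    times = sorted(r["ts"] for r in records)
    best_start, best_count = None, 0
    j = 0
    for i, start in enumerate(times):
        # advance j to the first timestamp outside [start, start + window)
        while j < len(times) and times[j] < start + window:
            j += 1
        if j - i > best_count:
            best_start, best_count = start, j - i
    return best_start, best_count


def flag_sources(records, min_attempts=3, min_users=2):
    """Sources worth blocking or investigating: many attempts, or several
    different target accounts from the same address (password spraying pattern).
    Thresholds are assumptions chosen for this example."""
    counts = attempts_by_ip(records)
    targets = users_by_ip(records)
    flagged = [
        (ip, counts[ip], len(targets[ip]))
        for ip in counts
        if counts[ip] >= min_attempts or len(targets[ip]) >= min_users
    ]
    # most active sources first, then by address for a stable order
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    recs = load(SAMPLE)
    start, n = peak_window(recs)
    print(f"{len(recs)} records; busiest 5-minute window starts {start} with {n} attempts")
    for ip, attempts, users in flag_sources(recs):
        print(f"flag {ip}: {attempts} attempts against {users} account(s)")
```

On the full dump the same functions give a per-source ranking that can go straight into a firewall blocklist or a SIEM watchlist, and `users_by_ip` separates single-account hammering from sources walking through every mailbox name on the server.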