Another ransom demand: 1Bo6BKUekTefV4kKPz2nhqsWCELuR6Ep1N


In the email source:

Return-Path: <luomingxiu@jygdy.com>
...
X-Spam-Flag: YES
X-Spam-Level: ***************
X-Spam-Status: Yes, score=15.9 required=5.0 tests=COUNTRY2,
	HEADER_FROM_DIFFERENT_DOMAINS,HTML_IMAGE_ONLY_04,HTML_MESSAGE,
	LOCALPART_IN_SUBJECT,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_RP_RNBL,RCVD_IN_SBL_CSS,
	RCVD_IN_SORBS_WEB,TO_NAME_SUBJ_NO_RDNS,TO_NO_BRKTS_HTML_IMG,
	TVD_SPACE_RATIO autolearn=no autolearn_force=no version=3.4.2
X-Spam-Relay-Country: CN AL
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on spamd16.phpnet.org
X-Spam-Report: 
	*  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
	*      [111.11.180.157 listed in zen.spamhaus.org]
	*  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
	*      [84.20.83.21 listed in zen.spamhaus.org]
	*  1.0 COUNTRY2 No description available.
	*  0.7 LOCALPART_IN_SUBJECT Local part of To: address appears in
	*      Subject
	*  1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
	*      [84.20.83.21 listed in dnsbl.sorbs.net]
	*  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
	*      bl.spamcop.net
	*      [Blocked - see <https://www.spamcop.net/bl.shtml?84.20.83.21>]
	*  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
	*      https://senderscore.org/blacklistlookup/
	*      [111.11.180.157 listed in bl.score.senderscore.com]
	*  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
	*      mail domains are different
	*  0.3 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
	*  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
	*  0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 TVD_SPACE_RATIO No description available.
	*  0.0 TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
	*  2.0 TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
Received: from mail.jygdy.com (unknown [111.11.180.157])
...
Received: from [21.83.20.84.in-addr.arpa] ([84.20.83.21])
	(envelope-sender <luomingxiu@jygdy.com>)
...
X-WM-AuthFlag: YES
X-WM-AuthUser: luomingxiu@jygdy.com
...
X-Mailer: Sun Java(tm) System Messenger Express 6.1 HotFix 0.11 (builtJan 28
X-Complaints-To: abuse@mailer.jygdy.com
Abuse-Reports-To: <abuse@mailer.jygdy.com>
...
X-Sender: luomingxiu@jygdy.com

And the address shows up on Bitcoin Abuse: https://www.bitcoinabuse.com/reports/1Bo6BKUekTefV4kKPz2nhqsWCELuR6Ep1N

The server is in China: X-Spam-Relay-Country: CN AL puts the mail.jygdy.com relay (111.11.180.157) in China and the originating host (84.20.83.21, which handed the message to that relay as an authenticated user, per X-WM-AuthFlag: YES / X-WM-AuthUser: luomingxiu@jygdy.com) in Albania. Both hops are the ones the DNSBLs flagged.
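To re-check the SpamAssassin verdict rather than take the headers at face value, here is an added example (not from the original post, not SpamAssassin's own code) that re-adds the per-test scores from the X-Spam-Report block quoted above, compares the total with the score= in X-Spam-Status, pulls the relay IPs out of the Received lines, and builds the exact DNSBL query names so the listings can be re-verified with `dig`. The header excerpts are copied from the post; nothing touches the network.

```python
"""Re-check a SpamAssassin verdict from the X-Spam-* and Received headers.

Added example, not from the post or from SpamAssassin. Header text below is
copied from the post (X-Spam-Report indented with spaces instead of tabs).
"""
import re
from ipaddress import IPv4Address

SPAM_STATUS = "Yes, score=15.9 required=5.0 tests=COUNTRY2,HEADER_FROM_DIFFERENT_DOMAINS"

SPAM_REPORT = """\
    *  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    *      [111.11.180.157 listed in zen.spamhaus.org]
    *  3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
    *      [84.20.83.21 listed in zen.spamhaus.org]
    *  1.0 COUNTRY2 No description available.
    *  0.7 LOCALPART_IN_SUBJECT Local part of To: address appears in
    *      Subject
    *  1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
    *      [84.20.83.21 listed in dnsbl.sorbs.net]
    *  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
    *      bl.spamcop.net
    *      [Blocked - see <https://www.spamcop.net/bl.shtml?84.20.83.21>]
    *  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
    *      https://senderscore.org/blacklistlookup/
    *      [111.11.180.157 listed in bl.score.senderscore.com]
    *  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
    *      mail domains are different
    *  0.3 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
    *  0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
    *  0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    *  0.0 TVD_SPACE_RATIO No description available.
    *  0.0 TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
    *  2.0 TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
"""

RECEIVED = """\
Received: from mail.jygdy.com (unknown [111.11.180.157])
Received: from [21.83.20.84.in-addr.arpa] ([84.20.83.21])
"""

TEST_LINE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")
CONT_LINE = re.compile(r"^\s*\*\s+(\S.*)$")
LISTED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}) listed in ([\w.-]+)\]")
RELAY_IP = re.compile(r"^Received: from .*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def parse_spam_report(report):
    """Return (score, test_name, description) tuples from an X-Spam-Report body."""
    tests = []
    for raw in report.splitlines():
        m = TEST_LINE.match(raw)
        if m:
            tests.append([float(m.group(1)), m.group(2), m.group(3).strip()])
            continue
        m = CONT_LINE.match(raw)
        if m and tests:  # wrapped description: glue it to the previous test
            tests[-1][2] = f"{tests[-1][2]} {m.group(1).strip()}".strip()
    return [tuple(t) for t in tests]


def total_score(tests):
    """Re-add the per-test scores (rounded as SpamAssassin prints them)."""
    return round(sum(score for score, _, _ in tests), 1)


def header_score(status):
    """The score= value SpamAssassin wrote into X-Spam-Status."""
    m = re.search(r"score=(-?\d+\.\d+)", status)
    return float(m.group(1)) if m else None


def listed_ips(report):
    """Map each IP a DNSBL flagged to the set of zones that list it."""
    found = {}
    for ip, zone in LISTED.findall(report):
        found.setdefault(ip, set()).add(zone)
    return found


def relay_chain(received_headers):
    """Relay IPs from the Received lines, newest hop first (header order)."""
    return RELAY_IP.findall(received_headers)


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the octets and appending the zone."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    tests = parse_spam_report(SPAM_REPORT)
    print(f"{len(tests)} tests, re-added {total_score(tests)}, header says {header_score(SPAM_STATUS)}")
    print("relay chain (newest hop first):", relay_chain(RECEIVED))
    for ip, zones in sorted(listed_ips(SPAM_REPORT).items()):
        for zone in sorted(zones):
            print(f"dig +short {dnsbl_query_name(ip, zone)}")
```

Two caveats when reading such headers: the X-Spam-* lines were added by the receiving side (spamd16.phpnet.org) and only mean something if you trust that hop, while everything upstream of it (X-Mailer, X-Complaints-To, the Received line claimed by 84.20.83.21) is under the sender's control; and DNSBL listings expire, so re-run the `dig` queries the script prints if you need the listing as evidence later.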

https://haveibeenpwned.com : to check whether your email address is in a data breach



I strongly recommend the site https://haveibeenpwned.com. It lets you check whether your email address appears in recent data breaches.

List of IPs blocked on my blog



Here is the list:

91.200.12.114
91.200.12.65
91.200.12.4
103.251.25.60
83.222.27.75
213.251.182.111
72.1.219.230
173.249.53.80
173.212.196.158
50.62.161.19
47.100.10.128
91.189.41.165
91.189.41.16
96.125.162.13
198.71.230.25
213.251.182.113
178.89.110.135
122.114.251.82
222.86.214.132
192.99.63.202
112.78.5.70
81.177.135.161
221.2.137.143

LaCie Setup App: connection to datacollection.api.mylyve.com


Why a connection to datacollection.api.mylyve.com? (52.34.218.207)

Good grief.

The whois for mylyve.com:

WordPress: a lot of injection attacks today (wordfence_logHuman=11111111111111' UNION SELECT).


So I blocked these IPs:

91.189.41.165 (Sweden) / 96.125.162.13 (United States). Makes a change from the Russians...

The attacks (Wordfence log entries; the quote after the digits is the character that closes the SQL string literal, and CHAR(45,120,49,45,81,45), CHAR(45,120,50,45,81,45), ... decode to "-x1-Q-", "-x2-Q-", ...: column markers the scanner looks for in the response to learn which UNION column is reflected):

  • 91.189.41.165 (Sweden)     Blocked for SQL Injection in query string: wordfence_logHuman=11111111111111' UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81
  • 96.125.162.13 (United States)     Blocked for SQL Injection in query string: wordfence_logHuman=11111111111111' UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81

Update of 26/12/2018:

  • December 26, 2018 7:50   72.1.219.230 (Canada)     Blocked for SQL Injection in query string: wordfence_logHuman=11111111111111" UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81
  • December 26, 2018 7:44   173.249.53.80 (Germany)     Blocked for SQL Injection in query string: wordfence_logHuman=11111111111111" UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81
  • December 26, 2018 7:38   173.212.196.158 (Germany)     Blocked for SQL Injection in query string: hid=657FB0DBB2C8282D149D6F927F316FF0" or (1,2)=(select*from(select name_const(CHAR(111,108,111,108,111,1

Update of 03/01/2019:

  • January 2, 2019 11:42 213.251.182.111 (France)     Blocked for SQL Injection in query string: pg=rec99999" union select unhex(hex(version()))
  • January 2, 2019 9:50 83.222.27.75 (Russian Federation)     Blocked for SQL Injection in query string: lang=de99999" union select unhex(hex(version()))
  • January 2, 2019 9:45   103.251.25.60 (India)     Blocked for SQL Injection in query string: lang=de1111111111111" UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),