From grog@lemis.com Sun Sep 27 11:45:56 2020
Date: Sun, 27 Sep 2020 11:45:56 +1000
From: Greg 'groggy' Lehey
To: abuse@af.mil
Subject: Malicious web requests from your domain
Message-ID: <20200927014556.GA72348@eureka.lemis.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o"
Content-Disposition: inline
Organization: LEMIS, 29 Stones Road, Dereel, VIC, Australia
Phone: +61-3-5309-0418
Mobile: +61-490-494-038. Use only as instructed.
WWW-Home-Page: http://www.lemis.com/grog
X-PGP-Fingerprint: 9A1B 8202 BCCE B846 F92F 09AC 22E6 F290 507A 4223
User-Agent: Mutt/1.6.1 (2016-04-27)
Status: RO
Content-Length: 2784
Lines: 60


--IS0zKkzwUGydFO0o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Yesterday I received the following email from my web server. It shows a
client at 124fw-902.afnoc.af.mil attempting to access a non-existent URL.
The nature of the URL suggests that it is malicious. Please investigate
and confirm that this won't happen again.

Greg Lehey

From www@lax.lemis.com Sat Sep 26 00:12:27 2020
Return-Path:
X-Original-To: groggyhimself@lemis.com
Delivered-To: groggyhimself@lemis.com
Received: from lax.lemis.com (www.lemis.com [45.32.70.18])
	by eureka.lemis.com (Postfix) with ESMTP id 57BE4263598
	for ; Sat, 26 Sep 2020 00:12:27 +1000 (AEST)
Received: from lax.lemis.com (localhost [127.0.0.1])
	by lax.lemis.com (Postfix) with ESMTP id 95053280BB
	for ; Fri, 25 Sep 2020 14:12:26 +0000 (UTC)
Received: (from www@localhost)
	by lax.lemis.com (8.15.2/8.15.2/Submit) id 08PECQpr079392;
	Fri, 25 Sep 2020 14:12:26 GMT
	(envelope-from www)
Date: Fri, 25 Sep 2020 14:12:26 GMT
From: World Wide Web Owner
Message-Id: <202009251412.08PECQpr079392@lax.lemis.com>
To: groggyhimself@lemis.com
Subject: FAILURE: /accepted-SubZero?aHR0cDovL3d3dy5sZW1pcy5jb20vZ3JvZy9Eb2N1bWVudGF0aW9uL0xpb25zLw==;cGPM5qAnLsbMaV7KZOmgdpyLReLuEGTO7yFyD9dPYd0= <- http://www.lemis.com/notify-SubZero?aHR0cDovL3d3dy5sZW1pcy5jb20vZ3JvZy9Eb2N1bWVudGF0aW9uL0xpb25zLw==;cGPM5qAnLsbMaV7KZOmgdpyLReLuEGTO7yFyD9dPYd0=
Status: RO
Content-Length: 671
Lines: 6

Referrer: http://www.lemis.com/notify-SubZero?aHR0cDovL3d3dy5sZW1pcy5jb20vZ3JvZy9Eb2N1bWVudGF0aW9uL0xpb25zLw==;cGPM5qAnLsbMaV7KZOmgdpyLReLuEGTO7yFyD9dPYd0=
Referenced URL: http://www.lemis.com/accepted-SubZero?aHR0cDovL3d3dy5sZW1pcy5jb20vZ3JvZy9Eb2N1bWVudGF0aW9uL0xpb25zLw==;cGPM5qAnLsbMaV7KZOmgdpyLReLuEGTO7yFyD9dPYd0=
Request URI: /accepted-SubZero?aHR0cDovL3d3dy5sZW1pcy5jb20vZ3JvZy9Eb2N1bWVudGF0aW9uL0xpb25zLw==;cGPM5qAnLsbMaV7KZOmgdpyLReLuEGTO7yFyD9dPYd0=
Remote host: 124fw-902.afnoc.af.mil
Remote IP: 131.60.47.198
Client: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36

-- 
Sent from my desktop computer.  Finger grog@lemis.com for PGP public key.
See complete headers for address and phone numbers.
This message is digitally signed.  If your Microsoft mail program
reports problems, please read http://lemis.com/broken-MUA

--IS0zKkzwUGydFO0o
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAl9v7tQACgkQIubykFB6QiPIBQCgovCnC7okR90p7YmHx3b0tnzh
6D0An1iC9lafU6tqAhn4y5g/P6766yyh
=mpjM
-----END PGP SIGNATURE-----

--IS0zKkzwUGydFO0o--
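A triage step to run on a notification like the one above before deciding what the request is, as an added example that is not part of Greg Lehey's message and not code from the lemis.com web server: the query string is not key=value form but two ';'-separated base64 tokens, and decoding them is the first thing an analyst would do. The only assumption is OUR_HOST, taken from the "Referenced URL" line of the notification. Run against the Request URI quoted in the mail, the first token decodes to http://www.lemis.com/grog/Documentation/Lions/, a page on the same site, and the second decodes to 32 bytes, the size of a SHA-256 digest; the script checks, rather than assumes, whether that blob is SHA-256 over the embedded URL, and reports a token that is not base64 at all as None instead of crashing.

```python
import base64
import hashlib
from urllib.parse import urlsplit, unquote

# The Request URI exactly as quoted in the FAILURE notification above.
REQUEST_URI = (
    "/accepted-SubZero?"
    "aHR0cDovL3d3dy5sZW1pcy5jb20vZ3JvZy9Eb2N1bWVudGF0aW9uL0xpb25zLw==;"
    "cGPM5qAnLsbMaV7KZOmgdpyLReLuEGTO7yFyD9dPYd0="
)

# Assumption: the host the notifying server answers for, taken from the
# "Referenced URL" line in the notification.
OUR_HOST = "www.lemis.com"


def b64_decode_lenient(token: str) -> bytes:
    """Decode standard or URL-safe base64, restoring any stripped '=' padding.

    Raises ValueError (binascii.Error is a subclass) if the token is not
    base64 at all, which is itself useful triage information.
    """
    token = unquote(token).strip().replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    return base64.b64decode(token, validate=True)


def as_url(blob: bytes):
    """Return the blob as text if it is a printable http(s) URL, else None."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text.isprintable() and text.startswith(("http://", "https://")):
        return text
    return None


def triage_request_uri(uri: str, our_host: str = OUR_HOST) -> dict:
    """Decode the opaque query tokens of a request URI like the one reported.

    The query is not key=value form; it is ';'-separated base64 tokens.
    The result says what each token is, so the analyst can decide whether
    the request is an attack probe or a client following an encoded link.
    """
    parts = urlsplit(uri)
    raw_tokens = [t for t in parts.query.split(";") if t]
    decoded = []
    for t in raw_tokens:
        try:
            decoded.append(b64_decode_lenient(t))
        except ValueError:
            decoded.append(None)  # not base64: leave it marked, keep going

    embedded_url = as_url(decoded[0]) if decoded and decoded[0] is not None else None
    embedded_host = urlsplit(embedded_url).hostname if embedded_url else None
    trailing = decoded[1] if len(decoded) > 1 else None

    return {
        "path": parts.path,
        "token_count": len(raw_tokens),
        "embedded_url": embedded_url,
        "embedded_host": embedded_host,
        # A URL pointing back at our own site reads very differently from an
        # external, javascript: or data: URL, so report it explicitly.
        "points_at_our_host": embedded_host is not None and embedded_host == our_host,
        "trailing_token_len": len(trailing) if trailing is not None else None,
        # 32 bytes is the size of a SHA-256 output; check, rather than
        # assume, whether it is simply SHA-256 over the embedded URL.
        "trailing_is_sha256_of_url": (
            trailing is not None
            and embedded_url is not None
            and trailing == hashlib.sha256(embedded_url.encode()).digest()
        ),
    }


if __name__ == "__main__":
    for key, value in triage_request_uri(REQUEST_URI).items():
        print(f"{key}: {value}")
```

The function returns a dict rather than printing so it can be dropped into a log-processing loop; feed it the "Request URI" field of each notification and group results by embedded_host to see at a glance which requests carry your own URLs and which carry someone else's.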