Don't you have some flow data you can analyze for those time frames to see what on your net is transmitting?

If not I'd suggest you set something up and see all outbound traffic to port 22.

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Oct 31, 2024, at 13:40, Neel Chauhan <n...@neelc.org> wrote:
>
> Hi,
>
> I am a customer of Verizon Fios in NYC and received a very interesting abuse
> complaint today from ab...@verizon.com.
>
> I got SSH bruteforce attempts between my IP address and this IPv4 prefix:
> 202.91.160.0/20
>
> This is hosted on a network called "AS17452 Bitstop Inc".
>
> My connection runs Tor relays, but not exit relays. I doubt it's Tor since
> when I had Google Fiber or CenturyLink even when running Tor relays I never
> got those complaints. I use a MikroTik core router so maybe it got malware,
> although I recently updated it from 7.15.3 to 7.16.1. I decided to filter the
> prefix.
>
> Maybe a Windows PC on our network is infected. Maybe it's my Rocky Linux
> servers. Should I probably get a Supermicro/Deciso box and run an OPNsense
> firewall instead? But I never got complaints from Frontier or Optimum when I
> put MikroTik routers on both ISPs too, that for accounts not in my name.
> Maybe it's a false positive and just TCP forgery pretending to be me (I hope
> so).
>
> Just letting you know.
>
> -Neel
>
> === REDACTED COMPLAINT BELOW ===
>
> Dear Verizon Online Customer,
>
> On 10-30-2024, your account was reported to have been used in an attempt to
> gain unauthorized access to another system, or to transmit malicious traffic
> to another Internet user.
>
> It is possible that a device connected to your network may have been infected
> by a virus or a botnet that is causing this action.
>
> Report and/or Logs:
>
> To assist you in understanding the situation, we have provided the relevant
> log data below, with timestamps adjusted to our GMT +8 timezone:
>
>    DateTime              Action   AttackClass      SourceIP        Srcport  Protocol  DestinationIP   DestPort
> 0  30-Oct-2024 13:37:21  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
> 1  30-Oct-2024 13:49:38  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
> 2  30-Oct-2024 14:00:01  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
> 3  30-Oct-2024 14:10:12  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
> 4  30-Oct-2024 15:17:15  DENIED                    108.30.XXX.XXX  32769    TCP       202.91.162.17   22
> 5  30-Oct-2024 15:18:29  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.39   22
> 6  30-Oct-2024 15:23:08  DENIED                    108.30.XXX.XXX  54688    TCP       202.91.163.179  22
> 7  30-Oct-2024 15:30:22  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.47   22
> 8  30-Oct-2024 15:47:32  BLOCKED  attempted-recon  108.30.XXX.XXX  0                  202.91.162.24   22
> 9  30-Oct-2024 15:58:03  DENIED                    108.30.XXX.XXX  50405    TCP       202.91.163.143  22
>
> Please immediately ensure your anti-virus and anti-malware software is
> properly updated. Please perform full system scans on your device(s).
> [Including - computers, tablets, cellular devices, network attached storage,
> security camera recorders (DVR or NVR), and IOT devices, where possible.]
>
> Additional information and removal guidance of detected malware may be found
> on the website of your scanner(s) manufacturer.
>
> It is difficult to verify the presence of an exact virus or malware infecting
> a device without a full system scan with up-to-date software.
>
> Installing the most recent firmware and software updates can also assist in
> securing your device(s). Please follow the device manufacturer's processes for
> any updates.
>
> If you are unable to take immediate action, it would be advisable to remove
> the device(s), which may be infected, from your network and the Internet
> connection until it has been properly cleaned. This may be easily done by
> unplugging the network cable that connects the device to the router. For
> wireless devices removing power from the device will keep it off the
> network.
>
> Note: this information is being provided as a courtesy; you are solely
> responsible for any changes you make to your device(s) or network.
>
> Verizon Policy:
>
> If you do not take steps to resolve this issue, we may be forced to take
> further action. Actions could include the suspension or termination of your
> service until the issue is resolved, in order to ensure the safety of our
> network, and the safety of other Internet users.
>
> Please carefully review these agreements, which can be viewed at:
> http://www.verizon.com/about/terms/
>
> Any future violation will result in further action being taken, up to,
> and including, the termination of your service.
>
> Sincerely,
>
> Verizon Global IP Abuse
> http://www.verizon.com/about/terms/
> http://www.verizon.com/securityinfo
> ab...@verizon.com
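Following the flow-data suggestion above, here is an added example (not from this thread) that takes the complaint's log rows, converts them from the stated GMT+8 to UTC, and correlates them against a local flow export to find which internal host was actually talking to TCP/22 inside 202.91.160.0/20. The flow CSV layout and the 192.168.88.x hosts are constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
ABUSE_PREFIX = ipaddress.ip_network("202.91.160.0/20")  # prefix named in the complaint
GMT8 = timezone(timedelta(hours=8))  # the report says its timestamps are GMT+8

# Two rows in the complaint's log format (source IP redacted as in the report).
COMPLAINT_ROWS = """\
0 30-Oct-2024 13:37:21 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
4 30-Oct-2024 15:17:15 DENIED 108.30.XXX.XXX 32769 TCP 202.91.162.17 22
"""
# Constructed flow export (UTC time,src,dst,dport,proto); sample data, not a real capture.
FLOW_CSV = """\
2024-10-30T05:37:10Z,192.168.88.23,202.91.162.24,22,TCP
2024-10-30T05:37:15Z,192.168.88.23,202.91.162.24,22,TCP
2024-10-30T05:38:00Z,192.168.88.5,203.0.113.9,22,TCP
2024-10-30T07:17:09Z,192.168.88.23,202.91.162.17,22,TCP
2024-10-30T11:00:00Z,192.168.88.7,202.91.163.1,22,TCP
"""

def parse_complaint(text):
    """Return (utc_time, dst_ip, dst_port) per row. BLOCKED rows carry an attack class
    and DENIED rows a protocol, so only the date and the trailing two fields are fixed."""
    events = []
    for line in text.splitlines():
        f = line.split()
        local = datetime.strptime(f"{f[1]} {f[2]}", "%d-%b-%Y %H:%M:%S")
        when = local.replace(tzinfo=GMT8).astimezone(timezone.utc)
        events.append((when, ipaddress.ip_address(f[-2]), int(f[-1])))
    return events

def parse_flows(text):
    """Parse the CSV export into (utc_time, src, dst_ip, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, ipaddress.ip_address(dst), int(dport), proto))
    return flows

def correlate(events, flows, window=timedelta(minutes=2)):
    """Count, per internal source, TCP/22 flows into the abuse prefix that fall
    within `window` of a complaint timestamp; the top entry is the host to inspect."""
    hits = {}
    for when, src, dst, dport, proto in flows:
        if dport != 22 or proto != "TCP" or dst not in ABUSE_PREFIX:
            continue
        if any(abs(when - ev_when) <= window for ev_when, _, _ in events):
            hits[src] = hits.get(src, 0) + 1
    return hits
```

Flows to port 22 outside the prefix or outside the time window are ignored, so a host that merely runs SSH elsewhere does not show up.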