Nemesys email

Optica San Pablo
More integrated than ISDN

Hello, good morning. This week we have received two emails from you about a denial-of-service attack, and we don't know whether it is an error or a real threat. I attach the text of the email.


Cybersecurity notification related to your Internet connection. [Nemesys#242372201]

Hello,

We are writing to you from Telefónica's cybersecurity team.

We are contacting you because we have received reports suggesting that the Internet access of some of our customers is being used to take part in a Denial of Service attack against other systems. If you are not familiar with what these attacks are or how they work, you will find more information on the INCIBE website.

We have analysed these reports and it appears that this kind of activity is being carried out from the Internet access associated with 98...

For this reason, we suggest you review the security of all the computers or devices you use to access the Internet through this connection, since they may have been infected by some type of malware and may be being used to attack others.

We also recommend visiting the INCIBE website, where you will find free tools to scan your devices.

Below we attach the data we received so that you can analyse it and take whatever measures you consider appropriate:

=========== Start of received email ================


An IP address (83..x (The value of x is 27)) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.

It is possible that this host is one of the following, from the responses that others have sent us:

- A compromised router, such as a D-Link that is running with WAN access enabled; a China Telecom which still allows a default admin username and password; a Netis, with a built-in internet-accessible backdoor (hxxp://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/); or one running an old AirOS version with a vulnerable and exposed administrative interface
- An IPTV device that is vulnerable to compromise (such as HTV), either directly through the default firmware or through a trojan downloaded app
- A compromised webhost, such as one running a vulnerable version of Drupal (for instance, using the vulnerability discussed at hxxps://groups.drupal.org/security/faq-2018-002), WordPress, phpMyAdmin, or zPanel
- A compromised DVR, such as a "Hikvision" brand device (ref: hxxps://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection...)
- A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at hxxp://arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/)
- A compromised Xerox-branded device
- Some other compromised standalone device
- A server with an insecure password that was brute-forced, such as through SSH or RDP
- A server running an improperly secured Hadoop installation
- A server running a pre-13.10.3 GitLab instance that is vulnerable to CVE-2021-22205
- A compromised Microsoft DNS server (through the July 2020 critical vulnerability)

The overall botnet attack was Nx10Gbps in size (with traffic from your host as well as some others) and caused significant packet loss for our clients due to external link saturation. It required an emergency null-route operation on our side to mitigate.

Attacks like this are usually made very short, intentionally, so that they are not as noticeable and slip past certain automatic mitigation systems. From your side, you would be able to observe the attack as a burst of traffic that likely saturated the network adapter of the source device for perhaps 30 seconds. Since the source device is a member of a botnet that is being used for many attacks, you will see many other mysterious bursts of outbound traffic, as well.

This is example traffic from the IP address, as interpreted by the "tcpdump" utility and captured by our router during the attack. Source and destination IP addresses, protocols, and ports are included.

Date/timestamps (at the very left) are UTC.

2025-01-16 23:35:40.900860 IP (tos 0x20, ttl 56, id 14536, offset 0, flags [DF], proto UDP (17), length 1428)
83.58.19.x (The value of x is 27).39575 > 66.150.214.x.30811: UDP, length 1400
0x0000: 4520 0594 38c8 4000 3811 857d 533a 131b E...8.@.8..}S:..
0x0010: 4296 d608 9a97 785b 0580 5330 6ef9 a14f B.....x[..S0n..O
0x0020: 135f 1fba 88ba 2519 d7c4 2b6f d52a 012f ._....%...+o.*./
0x0030: e10f a66f 6709 635b a073 5f6a bcab 2e4c ...og.c[.s_j...L
0x0040: df7c a813 fc67 c350 37dc 90c1 f2fc daf8 .|...g.P7.......
0x0050: b229 .)
2025-01-16 23:35:40.941388 IP (tos 0x20, ttl 56, id 16010, offset 0, flags [DF], proto UDP (17), length 1428)
83.58.19.x (The value of x is 27).39575 > 66.150.214.x.30811: UDP, length 1400
0x0000: 4520 0594 3e8a 4000 3811 7fbb 533a 131b E...>@.8...S:..
0x0010: 4296 d608 9a97 785b 0580 008d 6bf3 c999 B.....x[....k...
0x0020: 6d6a 1920 1b8e 7a50 ef0e 6a52 62fd ee84 mj....zP..jRb...
0x0030: 90a5 4f6f 34f4 c1eb d582 dee9 6177 281a ..Oo4.......aw(.
0x0040: 9132 5908 fa07 ddec 9ef8 08f1 a10a c2a8 .2Y.............
0x0050: 9268 .h
2025-01-16 23:35:40.977552 IP (tos 0x20, ttl 56, id 17023, offset 0, flags [DF], proto UDP (17), length 1428)
83.58.19.x (The value of x is 27).39575 > 66.150.214.x.30811: UDP, length 1400
0x0000: 4520 0594 427f 4000 3811 7bc6 533a 131b E...B.@.8.{.S:..
0x0010: 4296 d608 9a97 785b 0580 d31d 7cbe 2c90 B.....x[....|.,.
0x0020: ea06 ea27 647d a40f 6b5a 22fb 2dc4 080e ...'d}..kZ".-...
0x0030: 504e a279 5d53 c155 8caa d9bc 9638 b8f4 PN.y]S.U.....8..
0x0040: 9f38 039f 99cb 07c0 df94 fbb1 fe76 b284 .8...........v..
0x0050: 3761 7a
2025-01-16 23:35:40.978745 IP (tos 0x20, ttl 56, id 17066, offset 0, flags [DF], proto UDP (17), length 1428)
83.58.19.x (The value of x is 27).39575 > 66.150.214.x.30811: UDP, length 1400
0x0000: 4520 0594 42aa 4000 3811 7b9b 533a 131b E...B.@.8.{.S:..
0x0010: 4296 d608 9a97 785b 0580 75e6 f396 b992 B.....x[..u.....
0x0020: 39e5 0efb 40ca 3f44 ce70 fa62 6c7c aa3c 9...@.?D.p.bl|.<
0x0030: ed71 01b0 67c0 d60a f3bd 1bbb e0ff 3dd4 .q..g.........=.
0x0040: 9372 086f ed52 61d3 5799 f3b5 f6b2 0a8e .r.o.Ra.W.......
0x0050: 4ed5 N.
2025-01-16 23:35:40.997021 IP (tos 0x20, ttl 56, id 17576, offset 0, flags [DF], proto UDP (17), length 1428)
83.58.19.x (The value of x is 27).39575 > 66.150.214.x.30811: UDP, length 1400
0x0000: 4520 0594 44a8 4000 3811 799d 533a 131b E...D.@.8.y.S:..
0x0010: 4296 d608 9a97 785b 0580 7586 00f3 2f57 B.....x[..u.../W
0x0020: 9d41 2dfb 6759 310f 6fc6 ca1c 0581 5534 .A-.gY1.o.....U4
0x0030: bb0f e5a5 0180 9a20 c3c3 296a 2a3a ecf2 ..........)j*:..
0x0040: 1b6b f97f 6d76 978b 078b 84af b7c9 2a3c .k..mv........*<
0x0050: 9adc ..

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "8".)

Based on the size, number of samples, and timestamps of received packets from your host in our capture, we estimate that your host was sending 57.1 Mbps of attack traffic at the peak of this coordinated attack. The peak of the attack may have lasted only a few seconds. (Most traffic graphing systems show numbers that are averaged over 30s or 5m, and it may appear to have been less in such a system; but, our estimate is generally accurate as a minimum bound.)

-John
President
NFOservers.com

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at @nfoe.net.)


=========== End of received email ================

If you have any questions about this notice or the attached data, you can contact us by replying to this email without changing the subject line, and we will help you.

We hope this situation is resolved as soon as possible.

Regards

Security Team

Message 1 of 2
273 views
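A triage script for the kind of evidence quoted in the notice above, added here as an example and not part of the original thread or of NFOservers' or Telefónica's tooling: it parses the tcpdump header/flow line pairs, checks that every packet comes from the reported host on a single UDP flow with consistent IP/UDP lengths, and computes the bit rate implied by the sample window. The sample capture is constructed in the notice's format, reusing the page's timestamps and lengths but with TEST-NET addresses in place of the masked ones.

```python
import re
from datetime import datetime

# Line shapes from `tcpdump -tttt -v -n` as quoted in the abuse notice; hex-dump lines match neither and are skipped.
HDR = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP \(.*proto (?P<proto>\w+) "
                 r"\(\d+\), length (?P<iplen>\d+)\)$")
FLOW = re.compile(r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                  r"(?P<l4>\w+), length (?P<l4len>\d+)$")
IP_HDR, UDP_HDR = 20, 8  # header byte lengths without IP options

def parse_capture(text):
    """Pair each header line with the flow line that follows it; return one dict per packet."""
    pkts, hdr = [], None
    for line in text.splitlines():
        if m := HDR.match(line.strip()):
            hdr = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   "proto": m["proto"], "iplen": int(m["iplen"])}
        elif hdr and (m := FLOW.match(line)):
            hdr.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                       dport=int(m["dport"]), l4len=int(m["l4len"]))
            # tcpdump's "UDP, length N" is the payload; the IP total length must be N + 20 + 8
            hdr["consistent"] = hdr["iplen"] == hdr["l4len"] + IP_HDR + UDP_HDR
            pkts.append(hdr)
            hdr = None
    return pkts

def summarize(pkts, reported_src):
    """Checks to run before acting on the report: one source, one flow, sane lengths, implied rate."""
    mine = [p for p in pkts if p["src"] == reported_src]
    span = (mine[-1]["ts"] - mine[0]["ts"]).total_seconds()
    bits = 8 * sum(p["iplen"] for p in mine)
    return {"packets": len(mine),
            "all_from_reported_host": len(mine) == len(pkts),
            "lengths_consistent": all(p["consistent"] for p in mine),
            "single_flow": len({(p["sport"], p["dst"], p["dport"]) for p in mine}) == 1,
            "window_seconds": round(span, 6),
            "mbps_over_window": round(bits / span / 1e6, 3) if span else None}

# Constructed sample in the notice's format: the page's timestamps and lengths, TEST-NET addresses.
SAMPLE = """\
2025-01-16 23:35:40.900860 IP (tos 0x20, ttl 56, id 14536, offset 0, flags [DF], proto UDP (17), length 1428)
    203.0.113.27.39575 > 198.51.100.8.30811: UDP, length 1400
2025-01-16 23:35:40.941388 IP (tos 0x20, ttl 56, id 16010, offset 0, flags [DF], proto UDP (17), length 1428)
    203.0.113.27.39575 > 198.51.100.8.30811: UDP, length 1400
2025-01-16 23:35:40.997021 IP (tos 0x20, ttl 56, id 17576, offset 0, flags [DF], proto UDP (17), length 1428)
    203.0.113.27.39575 > 198.51.100.8.30811: UDP, length 1400
"""

def analyze_sample():
    return summarize(parse_capture(SAMPLE), "203.0.113.27")
```

The handful of packets quoted in a notice only give a floor on the rate; running parse_capture over your own full capture of that minute yields a figure comparable to the 57.1 Mbps peak estimate.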
1 REPLY
Paloma-Movistar
Cyberfraud Expert

Good morning Optica San Pablo.

Thank you for your cooperation.

The email we sent you is genuine: we received a report from NFOservers.com and forwarded it to you for your information, so that you can review the security of your devices and take the necessary measures to resolve it, as we indicated in the message.

This usually happens because, without realising it, our devices may have been infected by some malware.

In the same email we also sent you some links to information and resources that INCIBE provides for this type of security problem.

Regards.

Message 2 of 2
214 views