Very interesting. Well, likely I'm not understanding something...
These two IPs were blocked by Admin, not sure when... Note: Serv-U sometimes adds the http, probably on a DNS lookup.
"120.245.64.189","Admin "0"">www.labs.greynoise.io/.../","0"
"221.4.215.215","Admin "0"">www.labs.greynoise.io/.../","0"
However, SW email notice...
https://launch.solarwinds.com/index.php/email/emailWebview?email=NTY0LVZGUi0wMDgAAAGUGQF7JGUSYv8JGuiQlsgp4tkWVZheT6sH45qJQVvGA6tgFIjYdBWXWnhbOhA89SJXyh8TJJLiWxRkVNIE9O3W9xJ65esPh1tzosI
Contains a link to CVE-2024-28995, which is here... same server as the one attempting to log on to our mFTP server
https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/
How is it that the SW vulnerability notice contains a link for an IP that's attempting to log into our mFTP server?
Regards, JeffP...