HelioHost
Posted April 12, 2022

Username: N/A, Server: N/A, Main Domain: N/A

Hello,

We have discovered a malicious web shell being hosted on your network:

Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.

Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.

We understand that this site is simply a redirect to a page showing benign content, however it used to redirect to fraudulent content. The redirect is controlled by a fraudster so can be reused for future attacks, making its removal all the more important.

We previously contacted you about this issue on 2022-04-12 12:37:04 (UTC).
Since our last notification, the following additional URL(s) have been detected:

More information about the detected issue is provided at https://incident.netcraft.com/714271bdbe69/

Many thanks,
Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 30655373

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.

---
Attachment: none
Category: abuse
Date: 2022-04-12T18:45:40+00:00
Download-Link: http://abbasshamshi.com/v5.php
Download-Port: 80
Report-ID: takedown-response+30639452@netcraft.com
Report-Type: malware-attack
Reported-From: takedown@netcraft.com
Schema-URL: http://www.xarf.org/schema/abuse_malware-attack_0.1.4.json
Source: 65.19.141.67
Source-Type: ipv4
User-Agent: Netcraft Takedown
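
The check the notice asks for (a fake 404 page, invisible input fields) can be sketched as a triage helper for a page body an administrator has already fetched from their own server. This is an added example, not part of the original post or of Netcraft's tooling; the function name, the heuristics and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element from the visitor.
INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ERROR_TEXT = re.compile(r"\b404\b|not found", re.I)
FIELD_TAGS = {"form", "input", "textarea", "select"}


class FieldScanner(HTMLParser):
    """Counts form elements and those hidden with inline CSS."""

    def __init__(self):
        super().__init__()
        self.fields = 0
        self.css_hidden = 0

    def handle_starttag(self, tag, attrs):
        if tag not in FIELD_TAGS:
            return
        self.fields += 1
        style = dict(attrs).get("style") or ""
        if INVISIBLE.search(style):
            self.css_hidden += 1


def triage_response(status, body):
    """Return reasons a fetched page needs manual review (heuristic only)."""
    scanner = FieldScanner()
    scanner.feed(body)
    reasons = []
    # A genuine error page has no reason to carry input fields.
    if (status == 404 or ERROR_TEXT.search(body)) and scanner.fields:
        reasons.append("error page contains form fields")
    if scanner.css_hidden:
        reasons.append(f"{scanner.css_hidden} form element(s) hidden by inline CSS")
    return reasons


# Constructed sample pages, not taken from the reported URLs.
DISGUISED = ('<html><title>404 Not Found</title><body><h1>Not Found</h1>'
             '<form method="post" style="display:none">'
             '<input type="password" name="p"></form></body></html>')
PLAIN_404 = "<html><title>404 Not Found</title><body><h1>Not Found</h1></body></html>"
LOGIN = ('<html><body><form method="post"><input name="user">'
         '<input type="hidden" name="csrf" value="x"></form></body></html>')

if __name__ == "__main__":
    for name, page in [("disguised", DISGUISED), ("plain", PLAIN_404), ("login", LOGIN)]:
        print(name, triage_response(200, page))
```

Fields hidden through an external stylesheet or by script are not caught by these heuristics, so an empty result does not replace reading the file on disk.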