Hacked By AnonymousFox

Current Path : /home/allslyeo/mail/.info@zombie_wtf/new/
Upload File :
Current File : //home/allslyeo/mail/.info@zombie_wtf/new/1708942577.M358609P1080622.business33.web-hosting.com,S=7101,W=7240

Return-Path: <takedown-response+52170381@netcraft.com>
Delivered-To: info@zombie.wtf
Received: from business33.web-hosting.com
	by business33.web-hosting.com with LMTP
	id 0Nu4E/Fk3GUufRAA3lZrWA
	(envelope-from <takedown-response+52170381@netcraft.com>)
	for <info@zombie.wtf>; Mon, 26 Feb 2024 05:16:17 -0500
Return-path: <takedown-response+52170381@netcraft.com>
Envelope-to: info@zombie.wtf
Delivery-date: Mon, 26 Feb 2024 05:16:17 -0500
Received: from mail2.netcraft.com ([52.31.138.216]:54095)
	by business33.web-hosting.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96.2)
	(envelope-from <takedown-response+52170381@netcraft.com>)
	id 1reY1q-004XR3-0o
	for info@zombie.wtf;
	Mon, 26 Feb 2024 05:16:17 -0500
Received: from barb.netcraft.com (ip-10-8-0-151.eu-west-1.compute.internal [10.8.0.151])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail2.netcraft.com (Postfix) with ESMTPS id 17B632E1B
	for <info@zombie.wtf>; Mon, 26 Feb 2024 10:14:10 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com 17B632E1B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default202103; t=1708942450;
	bh=Xq1OPVClSL2KZIAnlNtvccVXhU6kyITYN30DhLjfhtA=;
	h=Date:From:Subject:To:From;
	b=q2dsIoNmh2qwkFpeAFN1ytOKDhGaGDTAvNQAE8Zwsxvr60yeAYZG50Bxmj2s8VGmd
	 RaMt5yk91A6apd5e6TtxdRtDutwv1AMj8AcgrntTBwx6/ePBri2xyjLT+PodTddUua
	 NWVeV3twwk+JrmsGPw4g0ASk5P65itPw1ZQdNiMhH4dyrbffYHcUSXEXIjC0cQk2VC
	 TMN8/pCrtQmtKlgYFJd2HAXVAKDSNvvAz72q6Q47DA5tRcR9vQAjin/voKDzXOPnvp
	 /yDcEIbJ4T9eLl5Qv85cB+KULQT0yRVwaML6U/XhimYDx07ZAlGhEnxn+HL8qqA/zz
	 sQ3sdKBASfQiw==
Received: by barb.netcraft.com (Postfix, from userid 507)
	id 11D0D1EF; Mon, 26 Feb 2024 10:14:10 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_1708942450206707372"; report-type="feedback-report"
MIME-Version: 1.0
Date: Mon, 26 Feb 2024 10:14:10 +0000
From: Netcraft Takedown Service <takedown-response+52170381@netcraft.com>
Subject: Issue 52170381: Malicious web shell at hxxps://zombie[.]wtf/wp-content/uploads/gravity_forms/g/b/d/h/ilwfgoatubk.php
To: info@zombie.wtf
Message-Id: <bd0f2d38be1587e4a45a60075377ec96@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-0.1
X-Spam-Score: 0
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "business33.web-hosting.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hello, We have discovered a malicious web shell being hosted
    on your network: hxxps://zombie[.]wtf/wp-content/uploads/gravity_forms/g/b/d/h/ilwfgoatubk.php
    [198.54.116.167] 
 Content analysis details:   (-0.1 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: netcraft.com]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
  0.1 GAPPY_SUBJECT          Subject: contains G.a.p.p.y-T.e.x.t
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_1708942450206707372
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hello,

We have discovered a malicious web shell being hosted on your network:

hxxps://zombie[.]wtf/wp-content/uploads/gravity_forms/g/b/d/h/ilwfgoatubk.php [198.54.116.167]

Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.

Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.

More information about the detected issue is provided at https://incident.netcraft.com/eff69baa85ac/

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 52170381

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_1708942450206707372
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Mon, 26 Feb 2024 10:14:10 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_1708942450206707372
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Mon, 26 Feb 2024 10:14:10 +0000

eyJWZXJzaW9uIjoiMSIsIk9uQmVoYWxmT2YiOnsiQ29tcGxhaW5hbnRPcmdFbWFpbCI6InRha2Vk
b3duLXJlc3BvbnNlKzUyMTcwMzgxQG5ldGNyYWZ0LmNvbSIsIkNvbXBsYWluYW50T3JnRG9tYWlu
IjoibmV0Y3JhZnQuY29tIiwiQ29tcGxhaW5hbnRPcmciOiJEZWZhY2VkIFNpdGUifSwiUmVwb3J0
Ijp7IlJlcG9ydENsYXNzIjoiQ29udGVudCIsIlJlcG9ydGVyTm90ZXMiOiJTZWUgaHR0cHM6Ly9p
bmNpZGVudC5uZXRjcmFmdC5jb20vZWZmNjliYWE4NWFjLyBmb3IgbW9yZSBpbmZvcm1hdGlvbiIs
IlNvdXJjZUlwIjoiMTk4LjU0LjExNi4xNjciLCJTb3VyY2VVcmwiOiJodHRwczovL3pvbWJpZS53
dGYvd3AtY29udGVudC91cGxvYWRzL2dyYXZpdHlfZm9ybXMvZy9iL2QvaC9pbHdmZ29hdHViay5w
aHAiLCJEYXRlIjoiMjAyNC0wMi0yNlQxMDoxMzoxNFoiLCJSZXBvcnRUeXBlIjoiTWFsd2FyZSIs
IlJlcG9ydGVyQ2FzZUlEIjoiNTIxNzAzODEifSwiUmVwb3J0ZXJJbmZvIjp7IlJlcG9ydGVyT3Jn
RW1haWwiOiJ0YWtlZG93bi1yZXNwb25zZSs1MjE3MDM4MUBuZXRjcmFmdC5jb20iLCJSZXBvcnRl
ck9yZ0RvbWFpbiI6Im5ldGNyYWZ0LmNvbSIsIlJlcG9ydGVyT3JnIjoiTmV0Y3JhZnQifSwiRGlz
Y2xvc3VyZSI6dHJ1ZX0=

--_----------=_1708942450206707372--


Hacked By AnonymousFox1.0, Coded By AnonymousFox