Hacked By AnonymousFox

Current Path : /home/allslyeo/mail/.info@zombie_wtf/new/
Upload File :
Current File : /home/allslyeo/mail/.info@zombie_wtf/new/1716896755.M438735P1220881.business33.web-hosting.com,S=9148,W=9321

Return-Path: <takedown-response+56482953@netcraft.com>
Delivered-To: info@zombie.wtf
Received: from business33.web-hosting.com
	by business33.web-hosting.com with LMTP
	id qBPuGfPDVWYRoRIA3lZrWA
	(envelope-from <takedown-response+56482953@netcraft.com>)
	for <info@zombie.wtf>; Tue, 28 May 2024 07:45:55 -0400
Return-path: <takedown-response+56482953@netcraft.com>
Envelope-to: info@zombie.wtf
Delivery-date: Tue, 28 May 2024 07:45:55 -0400
Received: from mail2.netcraft.com ([52.31.138.216]:54950)
	by business33.web-hosting.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96.2)
	(envelope-from <takedown-response+56482953@netcraft.com>)
	id 1sBvH3-00592N-1V
	for info@zombie.wtf;
	Tue, 28 May 2024 07:45:55 -0400
Received: from walleye.netcraft.com (ip-10-8-0-81.eu-west-1.compute.internal [10.8.0.81])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail2.netcraft.com (Postfix) with ESMTPS id 932402F07
	for <info@zombie.wtf>; Tue, 28 May 2024 12:44:45 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com 932402F07
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default202405-yu9bqteb95aqcfpg; t=1716896685;
	bh=wTLdCDWpQovx12gmPtEZndVGclZToXgQXPpsbU+k32E=;
	h=Date:From:Subject:References:In-Reply-To:To:From;
	b=f/Z69T1I99zc473jzN41Cy5sarwJSGcvsPCccPYkpmrDp17eubLyugtp+RiJgLz9R
	 sGuc4wsPVL4N79zxJoI1o45FMNFx6cipvp6O4dGIB40oWjGOYoWEcoozsaVaz8HJyl
	 dKgGt9LaudZ6n2/QfG5+z5Q4xzqCKX2sf/rxKVUVB+yM0fHpQ1Obm8BMgz+zP0Qdk2
	 KikUVtRVWQQ7acCMd9MXwIBG1bGpSxq97K3zF6PBdf44ftGQVQ12/Sju6pZUEM8rwG
	 X2EIkFOCRIZ8P3BmRLJ1jQ7qC3NSgMCei538CTcGhqpgMWe/n6xNhksuZv48Gh4iqK
	 tsItJr+4l/IfA==
Received: by walleye.netcraft.com (Postfix, from userid 507)
	id 8FCF28F2; Tue, 28 May 2024 11:44:45 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_1716896685213003410422"; report-type="feedback-report"
MIME-Version: 1.0
Date: Tue, 28 May 2024 11:44:45 +0000
From: Netcraft Takedown Service <takedown-response+56482953@netcraft.com>
Subject: Re: Issue 56482953: Malicious web shell at hxxps://zombie[.]wtf/wp-admin/4muGsRoSBq3.php
References: <06804b1498f3fdd0d0af7bc2739d91eb@takedown.netcraft.com>
In-Reply-To: <06804b1498f3fdd0d0af7bc2739d91eb@takedown.netcraft.com>
To: info@zombie.wtf
Message-Id: <3c45781339ad5d6a5f6be638ea342748@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=4.0
X-Spam-Score: 40
X-Spam-Bar: ++++
X-Ham-Report: Spam detection software, running on the system "business33.web-hosting.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Hello, We have discovered a malicious web shell being hosted
    on your network: hxxps://zombie[.]wtf/wp-admin/BiECSgeZXR6.php [198.54.116.167]
    hxxps://zombie[.]wtf/wp-admin/qR3j6mBHcSK.php [198.54.116.167] hxxps://zombie[.]wtf/wp-admin/waBmZUYy1jp.php
    [198.54.116.167] hxxps://zom [...] 
 Content analysis details:   (4.0 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: netcraft.com]
  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in sa-accredit.habeas.com]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
  2.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  1.7 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_1716896685213003410422
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hello,

We have discovered a malicious web shell being hosted on your network:

hxxps://zombie[.]wtf/wp-admin/BiECSgeZXR6.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/qR3j6mBHcSK.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/waBmZUYy1jp.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/MkIDtQBOifF.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/hl2xiaOwsXt.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/sao2r1E7feb.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/qR3j6mBHcSK.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/MkIDtQBOifF.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/waBmZUYy1jp.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/Mgr4CbxlZNX.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/4muGsRoSBq3.php [198.54.116.167]

Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.

Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.

We previously contacted you about this issue on 2024-05-28 11:14:54 (UTC).
Since our last notification, the following additional URL(s) have been detected:

hxxps://www[.]zombie[.]wtf/wp-admin/hl2xiaOwsXt.php
hxxps://www[.]zombie[.]wtf/wp-admin/Mgr4CbxlZNX.php
hxxps://www[.]zombie[.]wtf/wp-admin/MkIDtQBOifF.php
hxxps://www[.]zombie[.]wtf/wp-admin/qR3j6mBHcSK.php
hxxps://www[.]zombie[.]wtf/wp-admin/sao2r1E7feb.php
hxxps://www[.]zombie[.]wtf/wp-admin/waBmZUYy1jp.php
hxxps://zombie[.]wtf/wp-admin/BiECSgeZXR6.php
hxxps://zombie[.]wtf/wp-admin/MkIDtQBOifF.php
hxxps://zombie[.]wtf/wp-admin/qR3j6mBHcSK.php
hxxps://zombie[.]wtf/wp-admin/waBmZUYy1jp.php

More information about the detected issue is provided at https://incident.netcraft.com/96325f265864/

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 56482953

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_1716896685213003410422
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Tue, 28 May 2024 11:44:45 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_1716896685213003410422
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Tue, 28 May 2024 11:44:45 +0000

eyJWZXJzaW9uIjoiMSIsIk9uQmVoYWxmT2YiOnsiQ29tcGxhaW5hbnRPcmciOiJEZWZhY2VkIFNp
dGUiLCJDb21wbGFpbmFudE9yZ0VtYWlsIjoidGFrZWRvd24tcmVzcG9uc2UrNTY0ODI5NTNAbmV0
Y3JhZnQuY29tIiwiQ29tcGxhaW5hbnRPcmdEb21haW4iOiJuZXRjcmFmdC5jb20ifSwiUmVwb3J0
ZXJJbmZvIjp7IlJlcG9ydGVyT3JnRG9tYWluIjoibmV0Y3JhZnQuY29tIiwiUmVwb3J0ZXJPcmdF
bWFpbCI6InRha2Vkb3duLXJlc3BvbnNlKzU2NDgyOTUzQG5ldGNyYWZ0LmNvbSIsIlJlcG9ydGVy
T3JnIjoiTmV0Y3JhZnQifSwiRGlzY2xvc3VyZSI6dHJ1ZSwiUmVwb3J0Ijp7IlNvdXJjZVVybCI6
Imh0dHBzOi8vem9tYmllLnd0Zi93cC1hZG1pbi80bXVHc1JvU0JxMy5waHAiLCJGaXJzdFNlZW4i
OiIyMDI0LTA1LTI4VDExOjEzOjEyWiIsIkRhdGUiOiIyMDI0LTA1LTI4VDExOjQ0OjA1WiIsIlJl
cG9ydGVyTm90ZXMiOiJTZWUgaHR0cHM6Ly9pbmNpZGVudC5uZXRjcmFmdC5jb20vOTYzMjVmMjY1
ODY0LyBmb3IgbW9yZSBpbmZvcm1hdGlvbiIsIlJlcG9ydFR5cGUiOiJNYWx3YXJlIiwiUmVwb3J0
Q2xhc3MiOiJDb250ZW50IiwiU291cmNlSXAiOiIxOTguNTQuMTE2LjE2NyIsIlJlcG9ydGVyQ2Fz
ZUlEIjoiNTY0ODI5NTMifX0=

--_----------=_1716896685213003410422--

Hacked By AnonymousFox1.0, Coded By AnonymousFox