Hacked By AnonymousFox
Return-Path: <takedown-response+56482953@netcraft.com>
Delivered-To: info@zombie.wtf
Received: from business33.web-hosting.com
by business33.web-hosting.com with LMTP
id YE/lLglrV2ao7wEA3lZrWA
(envelope-from <takedown-response+56482953@netcraft.com>)
for <info@zombie.wtf>; Wed, 29 May 2024 13:51:05 -0400
Return-path: <takedown-response+56482953@netcraft.com>
Envelope-to: info@zombie.wtf
Delivery-date: Wed, 29 May 2024 13:51:05 -0400
Received: from mail2.netcraft.com ([52.31.138.216]:57523)
by business33.web-hosting.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96.2)
(envelope-from <takedown-response+56482953@netcraft.com>)
id 1sCNS0-0018IJ-0D
for info@zombie.wtf;
Wed, 29 May 2024 13:51:05 -0400
Received: from walleye.netcraft.com (ip-10-8-0-81.eu-west-1.compute.internal [10.8.0.81])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail2.netcraft.com (Postfix) with ESMTPS id A3755333F
for <info@zombie.wtf>; Wed, 29 May 2024 18:50:17 +0100 (BST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com A3755333F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
s=default202405-yu9bqteb95aqcfpg; t=1717005017;
bh=cca3jvZVtj1S/aL8yVzxHjWUUVSj56OmIGN3WWAacOo=;
h=Date:From:Subject:References:In-Reply-To:To:From;
b=h2Hpu9jg2eXgv360T3E+ztpI7QijdZM3lFjwthLs4KCDP3UBYVzFdWEbrhEclJGwF
L4drqhkePUFGCZugxuC05wrEz93xjgRqc4wAxc+E06J/j+wYGiuEE2C/KJvhYIq7Rd
ftiR+++DdaeJyqLHE6nT0R13rkvsmL10Tzxf2VnvTv+xCcbIFK+FY0uoTiRNlaAww6
m0zaITukDCIQKHToYgS7HT+iBDP81m/i5zrfbSAl+DqraQxGVHtbzF+e8yKZ1c2f1T
ityE7AgVqns2SZnxFRNAYe1IVd0P66xO3FjTdBfhD5PsGjtt1oHkMYBt+fM7qbHmlG
i/WE9uM1J3mWw==
Received: by walleye.netcraft.com (Postfix, from userid 507)
id 9E7931347; Wed, 29 May 2024 17:50:17 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_1717005017724253422"; report-type="feedback-report"
MIME-Version: 1.0
Date: Wed, 29 May 2024 17:50:17 +0000
From: Netcraft Takedown Service <takedown-response+56482953@netcraft.com>
Subject: Re: Issue 56482953: Malicious web shell at hxxps://zombie[.]wtf/wp-admin/4muGsRoSBq3.php
References: <3c45781339ad5d6a5f6be638ea342748@takedown.netcraft.com>
In-Reply-To: <3c45781339ad5d6a5f6be638ea342748@takedown.netcraft.com>
To: info@zombie.wtf
Message-Id: <1a756994564e8611d0d2261b18a29ecc@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "business33.web-hosting.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Hello, We have discovered a malicious web shell being hosted
on your network: hxxps://zombie[.]wtf/wp-admin/BiECSgeZXR6.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/qR3j6mBHcSK.php [198.54.116.167] hxxps://zombie[.]wtf/wp-admin/waBmZUYy1jp.php
[198.54.116.167] hxxps://zom [...]
Content analysis details: (-0.2 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netcraft.com]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[52.31.138.216 listed in sa-trusted.bondedsender.org]
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Spam-Flag: NO
This is a multi-part message in MIME format.
--_----------=_1717005017724253422
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Hello,
We have discovered a malicious web shell being hosted on your network:
hxxps://zombie[.]wtf/wp-admin/BiECSgeZXR6.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/qR3j6mBHcSK.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/waBmZUYy1jp.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/MkIDtQBOifF.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/hl2xiaOwsXt.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/sao2r1E7feb.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/qR3j6mBHcSK.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/MkIDtQBOifF.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/waBmZUYy1jp.php [198.54.116.167]
hxxps://www[.]zombie[.]wtf/wp-admin/Mgr4CbxlZNX.php [198.54.116.167]
hxxps://zombie[.]wtf/wp-admin/4muGsRoSBq3.php [198.54.116.167]
Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.
Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.
We previously contacted you about this issue on 2024-05-28 11:44:45 (UTC).
More information about the detected issue is provided at https://incident.netcraft.com/96325f265864/
Kind regards,
Netcraft
Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 56482953
To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: takedown@netcraft.com.
This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_1717005017724253422
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Wed, 29 May 2024 17:50:17 +0000
Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_1717005017724253422
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Wed, 29 May 2024 17:50:17 +0000
eyJPbkJlaGFsZk9mIjp7IkNvbXBsYWluYW50T3JnIjoiRGVmYWNlZCBTaXRlIiwiQ29tcGxhaW5h
bnRPcmdFbWFpbCI6InRha2Vkb3duLXJlc3BvbnNlKzU2NDgyOTUzQG5ldGNyYWZ0LmNvbSIsIkNv
bXBsYWluYW50T3JnRG9tYWluIjoibmV0Y3JhZnQuY29tIn0sIkRpc2Nsb3N1cmUiOnRydWUsIlZl
cnNpb24iOiIxIiwiUmVwb3J0ZXJJbmZvIjp7IlJlcG9ydGVyT3JnRW1haWwiOiJ0YWtlZG93bi1y
ZXNwb25zZSs1NjQ4Mjk1M0BuZXRjcmFmdC5jb20iLCJSZXBvcnRlck9yZ0RvbWFpbiI6Im5ldGNy
YWZ0LmNvbSIsIlJlcG9ydGVyT3JnIjoiTmV0Y3JhZnQifSwiUmVwb3J0Ijp7IkZpcnN0U2VlbiI6
IjIwMjQtMDUtMjhUMTE6MTM6MTJaIiwiUmVwb3J0ZXJOb3RlcyI6IlNlZSBodHRwczovL2luY2lk
ZW50Lm5ldGNyYWZ0LmNvbS85NjMyNWYyNjU4NjQvIGZvciBtb3JlIGluZm9ybWF0aW9uIiwiUmVw
b3J0ZXJDYXNlSUQiOiI1NjQ4Mjk1MyIsIkRhdGUiOiIyMDI0LTA1LTI5VDE3OjQ4OjQwWiIsIlNv
dXJjZUlwIjoiMTk4LjU0LjExNi4xNjciLCJSZXBvcnRUeXBlIjoiTWFsd2FyZSIsIlNvdXJjZVVy
bCI6Imh0dHBzOi8vem9tYmllLnd0Zi93cC1hZG1pbi80bXVHc1JvU0JxMy5waHAiLCJSZXBvcnRD
bGFzcyI6IkNvbnRlbnQifX0=
--_----------=_1717005017724253422--
Hacked By AnonymousFox1.0, Coded By AnonymousFox