My ISP received this message and contacted me for "hacking"
THE MESSAGE:
Hi,
We have had hack attempts on our website from your network, from IP address 46.xx.6x.xxx
We believe this server is compromised by hackers in Turkey, and is part of a botnet attack, possibly using eggdrop bot/psybnc, controlled by UDP via port 80.
Please check this server for malware or if this is a user account, please inform them that this kind of behaviour is unacceptable.
The criminal controlling the botnet usually targets CPanel/WHM, WordPress Akismet, Joomla Open Flash Chart library (ofc_upload_image.php) and ccmail installations, so please check any other servers running these.
Disinfectant scripts are here:
Your country's CERT is aware of this botnet, so please report this incident.
Extract from Logs follows:
46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859
46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859 'http://www.designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36'
46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456
46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36'
46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249
46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36'
46.xx.6x.xxx - - [08/Apr/2014:05:49:26 +1000] 'GET /hacker_php.txt/RK=0/RS=E_FixIdWauQx3Q2ZEET3DgfyJ08- HTTP/1.1' 404 249
46.xx.6x.xxx - - [08/Apr/2014:05:49:26 +1000] 'GET /hacker_php.txt/RK=0/RS=E_FixIdWauQx3Q2ZEET3DgfyJ08- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
--
Best Regards
Mark
I managed to get this message (without them knowing). Not gonna say how :P Now I believe this is because of a function in GSA. I'm not 100% sure. But since I own the server I am sure it doesn't have any viruses, and I received this when I used GSA. I am using 10 private proxies.
NOWWW I was talking to my ISP and managed to prove that I have not done any "attacks/hacking" and the case was closed. Now today I received another phone call from them about the same company complaining about another attack!! GSA has not stopped running at any time.
Please share thoughts on why this is happening. Is GSA really doing this kind of attack? And why would it attack the same site (http://designsim.com.au/) twice?
I have set GSA never to post on the same site.
Comments
We can confirm this as we null routed the entire network which hosts the site indicated, and received identical abuse complaints on previously unused IPs.
User Agents are simply pulled from "evidence" sections of these sites (BL.DE, SFS, CT etc.) so they may actually reflect real user agents used by GSA.
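The log extract in the report above and the user-agent remark in the last comment, worked as an added example (this is not code from the post, the ISP or GSA): a small Python triage that parses the quoted access-log lines, groups them by client IP and reports the traits a defender checks when deciding whether an abuse complaint describes an automated client rather than a compromised host. The regex accepts both the double quotes Apache writes and the single quotes used in the extract; the sample lines are the report's own, with the client IP left masked as the ISP sent it; the thresholds in triage() are assumptions chosen for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined format; the extract quotes with ' where Apache writes ", so both are accepted.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<q>[\"'])\S+ (?P<path>\S+) [^\"']*(?P=q) "
    r"(?P<status>\d{3}) (?:\d+|-)(?: (?P<q2>[\"'])[^\"']*(?P=q2) (?P<q3>[\"'])(?P<ua>[^\"']*)(?P=q3))?\s*$")

# Constructed sample: four lines taken from the report's extract, client IP masked as the ISP sent it.
SAMPLE_LOG = """\
46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859
46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36'
46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36'
46.xx.6x.xxx - - [08/Apr/2014:05:49:26 +1000] 'GET /hacker_php.txt/RK=0/RS=E_FixIdWauQx3Q2ZEET3DgfyJ08- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
"""

def parse_line(line):
    """Fields of one access-log line (timestamp parsed), or None if the line does not match."""
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(log_text):
    """Per client IP: distinct paths and user agents, status counts, every timestamp seen."""
    by_ip = defaultdict(lambda: {"paths": set(), "uas": set(), "status": Counter(), "seen": []})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = by_ip[rec["ip"]]
        s["paths"].add(rec["path"])
        if rec["ua"]:                      # common-format lines carry no user agent
            s["uas"].add(rec["ua"])
        s["status"][int(rec["status"])] += 1
        s["seen"].append(rec["ts"])
    return dict(by_ip)

def triage(summary, min_uas=3, min_span_days=30):
    """Flag addresses that rotate user agents or keep returning for weeks (thresholds are assumptions)."""
    findings = {}
    for ip, s in summary.items():
        notes = []
        if len(s["uas"]) >= min_uas:
            notes.append(f"{len(s['uas'])} different user agents")
        span = (max(s["seen"]) - min(s["seen"])).days
        if span >= min_span_days:
            notes.append(f"repeat visits over {span} days")
        if notes:
            findings[ip] = notes
    return findings
```

Run against the extract, the single masked address comes back with three user agents and visits spread over 58 days, which is what one would expect from a posting tool cycling through harvested user agents, not from a one-off compromise.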