
My ISP received this message and contacted me for "hacking"

THE MESSAGE:

Hi,
We have had hack attempts on our website from your network, from IP address 46.xx.6x.xxx

We believe this server is compromised by hackers in Turkey, and is part of a botnet attack, possibly using eggdrop bot/psybnc, controlled by UDP via port 80.

Please check this server for malware or, if this is a user account, please inform them that this kind of behaviour is unacceptable.

The criminal controlling the botnet usually targets CPanel/WHM, WordPress Akismet, Joomla Open Flash Chart library (ofc_upload_image.php) and ccmail installations, so please check any other servers running these.

Disinfectant scripts are here:

Your country's CERT is aware of this botnet, so please report this incident.
Extract from Logs follows:

46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859
46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859 'http://www.designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36'

46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456
46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36'

46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249

46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36'

46.xx.6x.xxx - - [08/Apr/2014:05:49:26 +1000] 'GET /hacker_php.txt/RK=0/RS=E_FixIdWauQx3Q2ZEET3DgfyJ08- HTTP/1.1' 404 249

46.xx.6x.xxx - - [08/Apr/2014:05:49:26 +1000] 'GET /hacker_php.txt/RK=0/RS=E_FixIdWauQx3Q2ZEET3DgfyJ08- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'

--
Best Regards
Mark

I managed to get this message (without them knowing). Not gonna say how :P  Now I believe this is because of a function in GSA. I'm not 100% sure. But since I own the server I am sure it doesn't have any viruses, and I received this when I used GSA. I am using 10 private proxies.

Now I was talking to my ISP and managed to prove that I have not done any "attacks/hacking" and the case was closed. Now today I received another phone call from them about the same company complaining of another attack!! GSA has not stopped running at any time.

Please share thoughts on why this is happening? Is GSA really doing this kind of attack? And why would it attack the same site twice, http://designsim.com.au/ ?
I have set GSA never to post on the same site.
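Added example, not part of this thread and not GSA code: a small Python triage script for the kind of log extract quoted in the complaint above. It parses the Apache-style lines (the complaint uses single quotes around request, referer and user agent), merges the doubled entries (each hit appears once in common format and once in combined format), summarises hits per source address, and checks which of the CMS targets the complaint names actually occur in the evidence paths. The sample lines are constructed from the extract above and keep the post's masked address as a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the log extract quoted in the complaint.
# The source address keeps the post's own placeholder form (46.xx.6x.xxx).
SAMPLE_LOG = """\
46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859
46.xx.6x.xxx - - [09/Feb/2014:02:25:13 +1100] 'GET /botnet_hack.txt HTTP/1.1' 200 1054859 'http://www.designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36'
46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456
46.xx.6x.xxx - - [10/Feb/2014:06:42:37 +1100] 'GET /hacker_php.txt HTTP/1.1' 200 1537456 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36'
46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249
46.xx.6x.xxx - - [01/Mar/2014:00:59:41 +1100] 'GET /hacker_php.txt/RK=0/RS=.SnnA0Hkr8gpII3D9e4EId.ENTg- HTTP/1.1' 404 249 'http://designsim.com.au/' 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36'
"""

# Apache common/combined format as it appears in the complaint: single or
# double quotes around the request, referer and user agent; the last two
# fields are optional (common format omits them).
LOG_RE = re.compile(
    r"^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r"['\"](?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)['\"] "
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
    r"(?: ['\"](?P<referer>[^'\"]*)['\"] ['\"](?P<ua>[^'\"]*)['\"])?\s*$"
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def parse_log(text):
    """Parse every non-empty line, silently skipping lines that do not match."""
    entries = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in entries if e is not None]


def dedupe(entries):
    """Merge the doubled entries on (host, timestamp, method, path, status),
    preferring the line that carries a user agent, and return them in time order."""
    merged = {}
    for e in entries:
        key = (e["host"], e["ts"], e["method"], e["path"], e["status"])
        if key not in merged or (e["ua"] and not merged[key]["ua"]):
            merged[key] = e
    return sorted(merged.values(), key=lambda e: e["ts"])


def summarize(entries):
    """Per source host: hit count, time span, (path, status) pairs, distinct UAs."""
    by_host = defaultdict(list)
    for e in entries:
        by_host[e["host"]].append(e)
    report = {}
    for host, hits in by_host.items():
        report[host] = {
            "hits": len(hits),
            "first": min(h["ts"] for h in hits),
            "last": max(h["ts"] for h in hits),
            "paths": sorted({(h["path"], h["status"]) for h in hits}),
            "user_agents": sorted({h["ua"] for h in hits if h["ua"]}),
            "referers": sorted({h["referer"] for h in hits if h["referer"]}),
        }
    return report


def claimed_targets_seen(entries, claimed):
    """Which of the complaint's claimed targets (case-insensitive substring of
    the request path) actually appear in the evidence lines."""
    seen = set()
    for e in entries:
        path = e["path"].lower()
        seen.update(c for c in claimed if c.lower() in path)
    return sorted(seen)


# Targets named in the complaint text (not in its log extract).
CLAIMED = ["ofc_upload_image.php", "cpanel", "whm", "akismet", "ccmail"]

if __name__ == "__main__":
    hits = dedupe(parse_log(SAMPLE_LOG))
    for host, s in summarize(hits).items():
        print(host, s["hits"], "hits", s["first"], "->", s["last"])
        for path, status in s["paths"]:
            print("   ", status, path)
        print("    distinct user agents:", len(s["user_agents"]))
    print("claimed targets present in evidence:", claimed_targets_seen(hits, CLAIMED))
```

On the sample, the six lines collapse to three hits over three weeks, all plain GETs for two `.txt` files, and none of the CMS targets the complaint text lists appears in the evidence paths. That gap between the narrative and the logs is the first thing to put in a reply to an abuse desk; the same script can be pointed at the server's own access log to confirm or rule out the hits.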

Comments

  • SvenSven www.GSA-Online.de
    The user agents are at least all used within SER. Though that hacker link is not part of any engine. I have no idea why it would want to crawl that link. I also can't open that mentioned webpage.
  • Is there any way of fixing this? This is the second complaint and I am on thin ice of losing my net. Now I don't understand why my IP is compromised if I'm using proxies. Now, because I am not a very "programming guy", I did not understand what you are saying, Sven. And the website, although I can't open it because they blocked my IP, I tried using a web proxy and the site opens.

    Sorry, just rechecked, seems their website is down.

    Anyway, please, any suggestions as to what I can do to prevent other attacks leaving my personal IP?
  • SvenSven www.GSA-Online.de
    Add that site to the global filter.
  • Thank you very much! If there are any further problems I will message you :)
  • Complaints from this individual are most likely completely unrelated to GSA (or GSA hitting the domain indicated); it appears to be someone who is crawling sites like BL.DE and sending generic abuse complaints like the one above to all IPs listed in bulk.

    We can confirm this as we null routed the entire network which hosts the site indicated, and received identical abuse complaints on previously unused IPs.

    User agents are simply pulled from "evidence" sections of these sites (BL.DE, SFS, CT etc.), so they may actually reflect real user agents used by GSA.
  • I received the same message as well, and blacklisted that domain in global settings.
  • To Delta: look at twilightofidols' comment.
  • Just got the same notice.