Saturday, December 30, 2006

PhotoCart vulnerability claims another website

UPDATE: 12/31 and it appears Softlayer took the server on IP offline at this time. The PhotoCart attackers apparently aren't aware of this yet because there is still an ongoing attack referencing as I write this. At least it will do no harm to innocent sites at the moment. Thank You Softlayer for the prompt action.

The latest wave of PhotoCart vulnerability attacks just claimed a new website.

This time they claimed, someone's blog, as a victim.

I first notified the owner of Husnaweb and the data center Softlayer of the problem on 12/20. They promptly removed the file from the server and the PhotoCart attacks stopped for a couple of days. Then the attacks started up again when the file showed up on the server again, so apparently Husnaweb was still vulnerable itself and being actively exploited.

I wrote back to the site owner and Softlayer again on 12/25 assuming they would deal with it eventually, being it was a holiday, and today noticed they appear to have simply given up on the blog as Husnaweb is gone and it's now a parked page on GoDaddy.

Today the attacks started up all over again using this page request:

"GET /PhotoCart/adminprint.php?path="

host has address
host ->


OrgName: SoftLayer Technologies Inc.
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

NetRange: -
Looks like will be their next victim, notifying data center Softlayer yet again that another Softlayer customer has been breached.

Anyone notice a trend here?

The other site I reported about,, was also a Softlayer customer.
host has address
host ->
The reverse DNS on the sites all point to which says "Coming Soon", no contact information.

I must be getting slow in my old age, they're all on the same IP address, it would appear that the server has been compromised.

Ah well, this makes my next letter to Softlayer a little different now doesn't it?


Anonymous said...

Yes, I have and I'm the owner of BaseRunner ...

I will be in touch for more info in the near future ...

Anonymous said...

Well, I am going to block baserunner until this is fixed.

deny from

+ ip-range

Anonymous said...

Actually, its Baserunner that is initiating the critical action here.

Softlayer is a datacenter and is helping us by responding to our request in this case.

FWIW, I'm very pleased with softlayer's support as they are doing everything they can to fix this ASAP.

But make no mistake, the expoits would have continued if we didn't request action on the server.

IncrediBILL said...

Both Softlayer and Baserunner were very responsive in this matter.

After I figured out it was more than just a single account that was compromised, action was very swift.

Thanks again to baserunner and Softlayer.

Now, the fun part, shutting down the botnet that's mounting the attack.

Anonymous said...

Awesome ... great to hear.