| Current File : /home/mak/mail/new/1750730722.M696901P21951.cloud.berardocollection.com,S=10629,W=10813 |
Return-Path: <takedown-response+71496460@netcraft.com>
Delivered-To: mak@cloud.berardocollection.com
Received: from cloud.berardocollection.com
by cloud.berardocollection.com with LMTP
id ifCqKOIHWmi/VQAAuY/3dA
(envelope-from <takedown-response+71496460@netcraft.com>)
for <mak@cloud.berardocollection.com>; Tue, 24 Jun 2025 03:05:22 +0100
Return-path: <takedown-response+71496460@netcraft.com>
Envelope-to: webmaster@mak.pt
Delivery-date: Tue, 24 Jun 2025 03:05:22 +0100
Received: from mail-1c.netcraft.com ([52.31.138.216]:45269)
by cloud.berardocollection.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.98.1)
(envelope-from <takedown-response+71496460@netcraft.com>)
id 1uTt2G-000000005hw-2XO4
for webmaster@mak.pt;
Tue, 24 Jun 2025 03:05:22 +0100
Received: from walleye.netcraft.com (unknown [10.9.0.81])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by mail-1c.netcraft.com (Postfix) with ESMTPS id 7AE12548
for <webmaster@mak.pt>; Tue, 24 Jun 2025 02:05:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
s=default202405-yu9bqteb95aqcfpg; t=1750730719;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=TbMmPqX5rpBmyR6t9on5csNeMKdjAGrL0XpxLSDx2lc=;
b=Oc4iciDCY1NRCmEhv3vTGl0JoNtERkgpTIOEqjGS5s4KTsllqBoDqInjKkGvCgt4BYGac9
T+qNUSwuuSffJFMrDz48IUHOKFj5tvPYNA1+qpKzR8RQn5N2sernNB89+i+XsDYZIQ7XA4
FjgiFaQQV3bUhvgR6C6muGUEfF2CiamXV68Wr7iiyfGqXmiASr9FskxgGSTYxwn2lVpGZI
pcElzf3ia2iwIqgSIcju5+jzA1kRpoCOEPnNt45lmOh1LVhnRbTXwlL84mlRPzaBanGBAr
qZe88pfDzEcd4+r3Kw4pMSfDaCn6wCxTow1UT5BOSbBXMqPU5rtQWO4e0ivFeQ==
Received: by walleye.netcraft.com (Postfix, from userid 507)
id 6F32C1B42; Tue, 24 Jun 2025 02:05:19 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_17507307192238749542"; report-type="feedback-report"
MIME-Version: 1.0
Date: Tue, 24 Jun 2025 02:05:19 +0000
From: Netcraft Takedown Service <takedown-response+71496460@netcraft.com>
Subject: Issue 71496460: Malicious web shell at hxxp://mak[.]pt/simple.php
To: webmaster@mak.pt
Message-Id: <f2582872a3334c41d179cf6cf2436d2d@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-2.1
X-Spam-Score: -20
X-Spam-Bar: --
X-Ham-Report: Spam detection software, running on the system "cloud.berardocollection.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Olá, Descobrimos um web shell malicioso hospedado em sua
rede: hxxp://mak[.]pt/simple.php [109.71.44.169]
Content analysis details: (-2.1 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 URIBL_DBL_BLOCKED ADMINISTRATOR NOTICE: The query to
dbl.spamhaus.org was blocked. See
https://www.spamhaus.org/returnc/vol/
[URIs: xarf.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: netcraft.com]
0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
The query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[52.31.138.216 listed in sa-accredit.habeas.com]
0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[52.31.138.216 listed in bl.score.senderscore.com]
-0.0 SPF_PASS SPF: sender matches SPF record
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Spam-Flag: NO
This is a multi-part message in MIME format.
--_----------=_17507307192238749542
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Olá,
Descobrimos um web shell malicioso hospedado em sua rede:
hxxp://mak[.]pt/simple.php [109.71.44.169]
Os shells da Web são scripts que os invasores carregam em servidores da Web comprometidos para obter acesso remoto. Quando acessados usando um navegador da Web, os shells da Web podem permitir que invasores carreguem arquivos, executem comandos arbitrários no servidor e enviem spam. Os shells da Web são frequentemente usados para criar ataques de phishing ou malware no servidor comprometido.
Os invasores geralmente tentam disfarçar os shells da Web como páginas benignas. As técnicas comuns incluem retornar uma página 404 falsa e tornar os campos de entrada do shell da web na página invisíveis. Verifique se o invasor não está tentando ocultar o shell da Web antes de descartar este relatório.
Entendemos que este site é simplesmente um redirecionamento para uma página que mostra conteúdo benigno, mas costumava redirecionar para conteúdo fraudulento. O redirecionamento é controlado por um fraudador, portanto, pode ser reutilizado para ataques futuros, tornando sua remoção ainda mais importante.
Mais informações sobre o problema detectado são fornecidas em https://incident.netcraft.com/fb269f05c767/
NOVO: Uma versão beta dos nossos relatórios de incidentes de próxima geração está disponível em https://beta.incident.netcraft.com/reports/4xcjznsc6tbqrc5ypkljes
Consulte https://beta.incident.netcraft.com/about para obter mais detalhes, incluindo suporte API. Entre em contato com incident-feedback@netcraft.com com qualquer comentário ou para obter mais informações.
Atenciosamente,
Netcraft
Telefone: +44(0)1225 447500
Fax: +44(0)1225 448600
Número do problema Netcraft: 71496469
Para contactar-nos sobre actualizações neste ataque, por favor responda a este e-mail. Por favor nota: respostas a este endereço são registrado, mas não são lidos sempre. Se você acredita que recebeu esta mensagem por engano, ou se precisa de mais apoio, por favor contacte: support@netcraft.com.
Este mail pode ser analisado com ferramentas x-arf. Visita http://www.xarf.org/ para mais informações sobre x-arf.
-------------------
Hello,
We have discovered a malicious web shell being hosted on your network:
hxxp://mak[.]pt/simple.php [109.71.44.169]
Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.
Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.
We understand that this site is simply a redirect to a page showing benign content, however it used to redirect to fraudulent content. The redirect is controlled by a fraudster so can be reused for future attacks, making its removal all the more important.
More information about the detected issue is provided at https://incident.netcraft.com/fb269f05c767/
NEW: A beta version of our next generation incident reports is available at https://beta.incident.netcraft.com/reports/4xcjznsc6tbqrc5ypkljes
See https://beta.incident.netcraft.com/about for more details including API support. Please contact incident-feedback@netcraft.com with any feedback or for more information.
Kind regards,
Netcraft
Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 71496469
To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.
This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_17507307192238749542
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Tue, 24 Jun 2025 02:05:19 +0000
Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_17507307192238749542
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Tue, 24 Jun 2025 02:05:19 +0000
eyJSZXBvcnQiOnsiU291cmNlSXAiOiIxMDkuNzEuNDQuMTY5IiwiUmVwb3J0ZXJDYXNlSUQiOiI3
MTQ5NjQ2OSIsIlJlcG9ydFR5cGUiOiJNYWx3YXJlIiwiU291cmNlVXJsIjoiaHR0cDovL21hay5w
dC9zaW1wbGUucGhwIiwiUmVwb3J0ZXJOb3RlcyI6IlNlZSBodHRwczovL2luY2lkZW50Lm5ldGNy
YWZ0LmNvbS9mYjI2OWYwNWM3NjcvIGZvciBtb3JlIGluZm9ybWF0aW9uIiwiRGF0ZSI6IjIwMjUt
MDYtMjRUMDI6MDM6NDVaIiwiUmVwb3J0Q2xhc3MiOiJDb250ZW50IiwiRmlyc3RTZWVuIjoiMjAy
NS0wNi0yMVQxNjowOTowNloifSwiUmVwb3J0ZXJJbmZvIjp7IlJlcG9ydGVyT3JnRG9tYWluIjoi
bmV0Y3JhZnQuY29tIiwiUmVwb3J0ZXJPcmdFbWFpbCI6InRha2Vkb3duLXJlc3BvbnNlKzcxNDk2
NDYwQG5ldGNyYWZ0LmNvbSIsIlJlcG9ydGVyT3JnIjoiTmV0Y3JhZnQifSwiVmVyc2lvbiI6IjEi
LCJEaXNjbG9zdXJlIjp0cnVlfQ==
--_----------=_17507307192238749542--