Current File : /home/mak/mail/new/1750840693.M699247P25740.cloud.berardocollection.com,S=11617,W=11828

Return-Path: <takedown-response+71496460@netcraft.com>
Delivered-To: mak@cloud.berardocollection.com
Received: from cloud.berardocollection.com
	by cloud.berardocollection.com with LMTP
	id CsaFKXW1W2iMZAAAuY/3dA
	(envelope-from <takedown-response+71496460@netcraft.com>)
	for <mak@cloud.berardocollection.com>; Wed, 25 Jun 2025 09:38:13 +0100
Return-path: <takedown-response+71496460@netcraft.com>
Envelope-to: webmaster@mak.pt
Delivery-date: Wed, 25 Jun 2025 09:38:13 +0100
Received: from mail-1c.netcraft.com ([52.31.138.216]:47537)
	by cloud.berardocollection.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.1)
	(envelope-from <takedown-response+71496460@netcraft.com>)
	id 1uULe0-000000006eW-26UB
	for webmaster@mak.pt;
	Wed, 25 Jun 2025 09:38:13 +0100
Received: from walleye.netcraft.com (unknown [10.9.0.81])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mail-1c.netcraft.com (Postfix) with ESMTPS id E8C994839
	for <webmaster@mak.pt>; Wed, 25 Jun 2025 08:38:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default202405-yu9bqteb95aqcfpg; t=1750840691;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=Hs6X6jtVimyrt2cOXzpCgKD4XaH2/c++0KhkLdFKtFg=;
	b=pyzfqgKKQeOfnu0hsojREob0vpgQAQkD0oMB480E8ZNdYXnX23uvlPseErXOROXVan5tlJ
	tOR4Jy8yC+Zcd1dnYtP2GAKhwNUXzHTFCEAE3Xv5OWlxtIbw/+tfZ80Y0D6xqb5Mqtxdgs
	1DeaDPM1dALRsE0QtmzTBYmyowyVMcWhPjqK2cF2FZLR33/9NWa2LZ11/zIbu4ibbeq25r
	iHMM1mV5h2cr8NT60h4iEHzckOJIx69JniIZ3M3HAsDJkUl17pMCf4gnQnNrz+mRoXqB0U
	9wkaIiz2HgTbMHeFWKNUAT6YgKVw7QmiUt8NrfYJbFgCylnx7ALuQtgCwxaOYg==
Received: by walleye.netcraft.com (Postfix, from userid 507)
	id E3AD91AB6; Wed, 25 Jun 2025 08:38:11 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_175084069197137816"; report-type="feedback-report"
MIME-Version: 1.0
Date: Wed, 25 Jun 2025 08:38:11 +0000
From: Netcraft Takedown Service <takedown-response+71496460@netcraft.com>
Subject: Re: Issue 71496460: Malicious web shell at hxxp://mak[.]pt/simple.php
References: <f2582872a3334c41d179cf6cf2436d2d@takedown.netcraft.com>
In-Reply-To: <f2582872a3334c41d179cf6cf2436d2d@takedown.netcraft.com>
To: webmaster@mak.pt
Message-Id: <f96a7d29429cbc1e97da832c7166f23f@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-2.1
X-Spam-Score: -20
X-Spam-Bar: --
X-Ham-Report: Spam detection software, running on the system "cloud.berardocollection.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Olá, Descobrimos um web shell malicioso hospedado em sua
   rede: hxxps://mak[.]pt/edit.php [109.71.44.169] hxxp://mak[.]pt/malo.php [109.71.44.169]
    hxxp://mak[.]pt/chosen.php [109.71.44.169] hxxp://mak[.]pt/edit.php [109.71.44.169]
    hxxps://mak[.]pt/simple.php [109. [...] 
 Content analysis details:   (-2.1 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: netcraft.com]
  0.0 URIBL_DBL_BLOCKED      ADMINISTRATOR NOTICE: The query to
                             dbl.spamhaus.org was blocked. See
                             https://www.spamhaus.org/returnc/vol/
                             [URIs: netcraft.com]
  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                          [52.31.138.216 listed in sa-trusted.bondedsender.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in bl.score.senderscore.com]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_175084069197137816
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Olá,

Descobrimos um web shell malicioso hospedado em sua rede:

hxxps://mak[.]pt/edit.php [109.71.44.169]
hxxp://mak[.]pt/malo.php [109.71.44.169]
hxxp://mak[.]pt/chosen.php [109.71.44.169]
hxxp://mak[.]pt/edit.php [109.71.44.169]
hxxps://mak[.]pt/simple.php [109.71.44.169]
hxxps://mak[.]pt/goods.php [109.71.44.169]
hxxp://mak[.]pt/goods.php [109.71.44.169]
hxxps://mak[.]pt/chosen.php [109.71.44.169]
hxxps://mak[.]pt/defaults.php [109.71.44.169]
hxxp://mak[.]pt/simple.php [109.71.44.169]

Embora tenhamos contactado-lhe anteriormente sobre este ataque, nós estamos contactar-lhe novamente porque reapareceu recentemente.

Os shells da Web são scripts que os invasores carregam em servidores da Web comprometidos para obter acesso remoto. Quando acessados usando um navegador da Web, os shells da Web podem permitir que invasores carreguem arquivos, executem comandos arbitrários no servidor e enviem spam. Os shells da Web são frequentemente usados para criar ataques de phishing ou malware no servidor comprometido.

Os invasores geralmente tentam disfarçar os shells da Web como páginas benignas. As técnicas comuns incluem retornar uma página 404 falsa e tornar os campos de entrada do shell da web na página invisíveis. Verifique se o invasor não está tentando ocultar o shell da Web antes de descartar este relatório.

Anteriormente, entramos em contato com você sobre esse problema em 2025-06-24 02:05:19 (UTC).

Mais informações sobre o problema detectado são fornecidas em https://incident.netcraft.com/896b9ce406d6/

NOVO: Uma versão beta dos nossos relatórios de incidentes de próxima geração está disponível em https://beta.incident.netcraft.com/reports/4xcjznsc6tbqrc5ypkljes
Consulte https://beta.incident.netcraft.com/about para obter mais detalhes, incluindo suporte API. Entre em contato com incident-feedback@netcraft.com com qualquer comentário ou para obter mais informações.

Atenciosamente,

Netcraft

Telefone: +44(0)1225 447500
Fax: +44(0)1225 448600
Número do problema Netcraft: 71496460

Para contactar-nos sobre actualizações neste ataque, por favor responda a este e-mail. Por favor nota: respostas a este endereço são registrado, mas não são lidos sempre. Se você acredita que recebeu esta mensagem por engano, ou se precisa de mais apoio, por favor contacte: support@netcraft.com.

Este mail pode ser analisado com ferramentas x-arf. Visita http://www.xarf.org/ para mais informações sobre x-arf.
-------------------
Hello,

We have discovered a malicious web shell being hosted on your network:

hxxps://mak[.]pt/edit.php [109.71.44.169]
hxxp://mak[.]pt/malo.php [109.71.44.169]
hxxp://mak[.]pt/chosen.php [109.71.44.169]
hxxp://mak[.]pt/edit.php [109.71.44.169]
hxxps://mak[.]pt/simple.php [109.71.44.169]
hxxps://mak[.]pt/goods.php [109.71.44.169]
hxxp://mak[.]pt/goods.php [109.71.44.169]
hxxps://mak[.]pt/chosen.php [109.71.44.169]
hxxps://mak[.]pt/defaults.php [109.71.44.169]
hxxp://mak[.]pt/simple.php [109.71.44.169]

Although we have previously contacted you about this attack, we are contacting you again because it has recently reappeared.

Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.

Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.

We previously contacted you about this issue on 2025-06-24 02:05:19 (UTC).

More information about the detected issue is provided at https://incident.netcraft.com/896b9ce406d6/

NEW: A beta version of our next generation incident reports is available at https://beta.incident.netcraft.com/reports/4xcjznsc6tbqrc5ypkljes
See https://beta.incident.netcraft.com/about for more details including API support. Please contact incident-feedback@netcraft.com with any feedback or for more information.

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 71496460

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_175084069197137816
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Wed, 25 Jun 2025 08:38:11 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_175084069197137816
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Wed, 25 Jun 2025 08:38:11 +0000

eyJEaXNjbG9zdXJlIjp0cnVlLCJSZXBvcnQiOnsiU291cmNlSXAiOiIxMDkuNzEuNDQuMTY5Iiwi
UmVwb3J0Q2xhc3MiOiJDb250ZW50IiwiRmlyc3RTZWVuIjoiMjAyNS0wNi0yMVQxNjowODo1MVoi
LCJSZXBvcnRlckNhc2VJRCI6IjcxNDk2NDYwIiwiUmVwb3J0ZXJOb3RlcyI6IlNlZSBodHRwczov
L2luY2lkZW50Lm5ldGNyYWZ0LmNvbS84OTZiOWNlNDA2ZDYvIGZvciBtb3JlIGluZm9ybWF0aW9u
IiwiRGF0ZSI6IjIwMjUtMDYtMjVUMDg6MjY6NDNaIiwiUmVwb3J0VHlwZSI6Ik1hbHdhcmUiLCJT
b3VyY2VVcmwiOiJodHRwOi8vbWFrLnB0L2Nob3Nlbi5waHAifSwiUmVwb3J0ZXJJbmZvIjp7IlJl
cG9ydGVyT3JnRW1haWwiOiJ0YWtlZG93bi1yZXNwb25zZSs3MTQ5NjQ2MEBuZXRjcmFmdC5jb20i
LCJSZXBvcnRlck9yZ0RvbWFpbiI6Im5ldGNyYWZ0LmNvbSIsIlJlcG9ydGVyT3JnIjoiTmV0Y3Jh
ZnQifSwiVmVyc2lvbiI6IjEifQ==

--_----------=_175084069197137816--