Abuse Ticket: Has the web server at IP been hacked?

Opened: 18/01/2014 03:20 Last: 21/01/2014 21:59
Status: Report has been closed
18/01/2014 03:20 Not Buying It [notbuyingit@operamail.com] (Original Report)
78.129.221.104
Numerous webpages that are part of a black hat SEO campaign to promote
lemontartdiary.com have been planted on several domains that are hosted
at IP 78.129.221.104; these include the following:

http://www.unllais.co.uk/buybabyliss.html
http://www.regencygold.co.uk/babyliss.html
http://www.artychoke.com/babylissviponline.html
http://www.artychoke.com/babylissukvip.html
http://www.bzadv.co.uk/welcome/babylissprouk.html
http://www.openchurchnetwork.co.uk/babylissvipsale.html
http://www.openchurchnetwork.co.uk/babyliss.html
http://www.micro-tag.com/babyliss.html

Your office may want to secure the web server and to remove the
offending scam webpages that promote counterfeit goods.

Respectfully yours.

 
18/01/2014 12:22 Hosted Client Nick Ashton (Hosted Client)
A thorough search of the server for any files with 'baby' in the name has revealed quite a few; they have all been removed from the sites and the backups. We will continue to monitor the files for any more. Meanwhile the server administrator is checking the log files for any sign of intrusion and will report back soon.
 
21/01/2014 12:25 System-Generated Note
Reminder Sent
 
21/01/2014 12:40 Hosted Client Nick Ashton (Hosted Client)
The server has been checked over and we will continue to monitor in case of any further occurrences.
 
21/01/2014 15:01 Not Buying It (Complainant)
The unethical blackhat SEO exploit remains on the compromised websites. The following webpages still contain JavaScript to redirect to the website vipbsales.com which trades in counterfeit goods.

http://www.unllais.co.uk/buybabyliss.html
http://www.regencygold.co.uk/babyliss.html
http://www.artychoke.com/babylissviponline.html
http://www.artychoke.com/babylissukvip.html
http://www.bzadv.co.uk/welcome/babylissprouk.html
http://www.openchurchnetwork.co.uk/babylissvipsale.html
http://www.openchurchnetwork.co.uk/babyliss.html
http://www.micro-tag.com/babyliss.html

The promotion of counterfeit goods has nothing to do with the theme or purpose of any of these websites, so I suspect the sites are all still compromised.
 
21/01/2014 18:46 Hosted Client Nick Ashton (Hosted Client)
OK, we are looking into this now.
 
21/01/2014 20:47 Hosted Client Nick Ashton (Hosted Client)
All baby liss files have been deleted and a vulnerability has been found through the FCKeditor used on one of the sites. This editor has been removed and a check is being carried out to see if there are any more FCKeditors in use on the machine. They will be removed if found.
 
21/01/2014 21:59 Not Buying It (Complainant)
I greatly appreciate the timely actions of Mr. Ashton! The same hackers who abused his network had also heavily spammed a forum I like (the anti-spam group InBoxRevenge.com) with links to the previously listed scam webpages.

Please accept my best wishes.