Abuse Ticket: web server at IP 78.129.221.104

Opened: 23/01/2014 23:42 Last: 24/01/2014 01:39
Status: Report has been closed
23/01/2014 23:42 Not Buying It [notbuyingit@operamail.com] (Original Report)
78.129.221.104
ref:
https://myservers.rapidswitch.com/Abuse/AbuseTicket.aspx?ticketid=PDHL-ARY-CTLR&key=ikarwnzaow#reply

I submitted a trouble ticket that reported scam webpages that were
apparently planted by hackers who breached the security of the web
server at IP 78.129.221.104 several days ago. I closed the report after
seeing that HTTP 404 errors were returned for the webpages. However,
now most of the same webpages are back; perhaps some have updated
JavaScript redirection code.

webpage:
www.unllais.co.uk/buybabyliss.html
script:
self.location='www.vipbsales.com/';

webpage:
www.regencygold.co.uk/babyliss.html
new script:
<script src="www.bestbagg.com/babyliss.txt"></script>
target script:
self.location='http://www.babylissonlinemalls.co.uk/';

webpage:
www.artychoke.com/babylissukvip.html
new script:
<script src="www.bestbagg.com/babyliss.txt"></script>

webpage:
www.bzadv.co.uk/welcome/babylissprouk.html
new script:
<script src="www.bestbagg.com/babyliss.txt"></script>

webpage:
www.openchurchnetwork.co.uk/babylissvipsale.html
script:
self.location='www.vipbsales.com/';

webpage:
www.openchurchnetwork.co.uk/babyliss.html
script:
self.location='www.vipbsales.com/';

webpage:
www.micro-tag.com/babyliss.html
new script:
<script src="www.bestbagg.com/babyliss.txt"></script>
target script:
self.location='http://www.babylissonlinemalls.co.uk/';

 
24/01/2014 01:39 Hosted Client Nick Ashton (Hosted Client)
All offending files have been deleted and the hacked web site has been cleaned and reset; we will monitor it closely to check there is no recurrence. I have also disabled .NET on the server as it is only used by one site and I will move them elsewhere.