[BEWARE] Hosting Companies

Status
Not open for further replies.

Bharat

Hey,

Recently we had a guy who hosted a symlink shell and many other types of shells with us, but fortunately he wasn't able to hack. After like 3 or 4 days he bought hosting with 4 or 5 of our other resellers and hosted the same shells with them as well, but again he didn't succeed in his mission.

I would like to share his IPs and information with every host here on WJunction so that they can be safe before accepting an order from this person. Also, I would like to mention that he uses hacked PayPal from the same country he belongs to, but after a few hours be ready for a chargeback from the real owner.

Country: Israel
IP Address: 212.150.184.175
Domains he uses: asoft2.org, asoft2.net, asoft2.com.

All his domains are registered through NETWORK SOLUTIONS, LLC.

He has one more domain on the same who.is records, but unfortunately I am not able to extract that.

Emails: asoftmaster2@gmail.com, Rozanh.1_1@hotmail.com.


Contents that he hosts:

[Screenshots: OcoUfic.png, jCFt9rt.png, VzlV4kw.png, x5EsZyX.png]

I suggest all hosts please keep an eye on these kinds of orders. "Getting Hacked Is A Worst Nightmare"

Post in this thread if anyone gets more about this guy. The more information you share, the more it will help others.

Regards
Bharat
 
12 comments
Hey, he has been one of our customers as well. He got terminated for using high resources; maybe his scripts took this much resources. Thanks for sharing this with us. Appreciate it.
 
This shell script he basically used to get directory logs, if I'm not wrong. It won't consume that much resources, but it is capable of getting through the database.
 
WJ needs to cross-reference those emails, and you need to hand over the IP that was logged in your WHMCS as well as the netmask so we can ban it and so we can bust him on WJ.
 
He registered with us too before. And I terminated his account. WTF! >.> Thanks Bharat for the info mate, Really Appreciate it. (y) :)

 
Perhaps a section of WJ could be set up to help combat fraud. We get a lot of fraud orders actually, and a community-driven system to list fraud orders may help prevent other providers falling into the trap. The more difficult it is for fraudsters to succeed, the less they will try (probably).

We would be more than happy to share our fraud information with others!
 
We suffered from this group (it's not a single user).

They symlink using a simple text file (which Apache is vulnerable to due to cPanel) and it causes it to run as nobody and allows root access via directory. They target WordPress and blogs the most, on which they do a find command and edit.

If you have been hit by this guy or have not.

A fix to this issue is to set your Apache module to mod_ruid2 or use cPanel's patch (which they barely released, took them long enough), which is included in a cPanel update.

You will be forced to run in DSO, but believe it or not mod_ruid2+DSO is much more secure and faster than suPHP.

It was a nightmare when this group edited over 1000 of our clients' WordPress files and made them all into a hidden shell. It took us 2 weeks straight to restore every single file edited.


edit: Also be aware they have a private WordPress exploit with which they upload a tar gz file with the shell, and they are able to run it and gain access to MySQL + system. Unfortunately we were lucky they only got access to 1-2 users' MySQL DBs.
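
A detection check for the cross-account symlinks described in the comment above, added here as an example and not part of the original thread. It assumes one home directory per account under a common root; the account names, file names and layout in `build_sample` are constructed for the demonstration.

```python
import os
import tempfile


def find_escaping_symlinks(home_root):
    """Return (link, resolved_target) for every symlink under
    home_root/<account>/ that resolves outside that account's home."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        home = os.path.realpath(os.path.join(home_root, account))
        if not os.path.isdir(home):
            continue
        # followlinks=False: list links but never descend through them.
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                link = os.path.join(dirpath, name)
                if not os.path.islink(link):
                    continue
                target = os.path.realpath(link)
                if os.path.commonpath([home, target]) != home:
                    findings.append((link, target))
    return findings


def build_sample(root):
    """Constructed layout: accounts 'alice' and 'bob' (hypothetical names)."""
    alice_web = os.path.join(root, "alice", "public_html")
    bob_web = os.path.join(root, "bob", "public_html")
    os.makedirs(alice_web)
    os.makedirs(bob_web)
    config = os.path.join(alice_web, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("constructed placeholder\n")
    notes = os.path.join(root, "bob", "notes.txt")
    with open(notes, "w") as fh:
        fh.write("bob's own file\n")
    os.symlink(notes, os.path.join(bob_web, "own.txt"))  # stays inside home
    os.symlink(config, os.path.join(bob_web, "1.txt"))   # another account's file
    os.symlink("/", os.path.join(bob_web, "r"))          # directory link to /
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample(tmp)):
            print(f"{link} -> {target}")
```

On a real server, point `find_escaping_symlinks` at the directory that holds the account homes and review each finding; some links that leave a home directory are legitimate.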
 
I don't get one thing: why not use MaxMind phone verification with WHMCS? I'm sure most noobs like that won't use a real number like I saw in the pic.

These couple of bucks save you problems + I suggest doing manual calls to every new client to verify.
 