Tagged: Cloud Wordpress, Troubleshooting
- AuthorPosts
- January 12, 2023 at 10:13 am #75908Netcraft ReporterGuest
Hello,
We have discovered a phishing attack located on your network:
hxxps://demo3.cloudwp[.]dev/trial-3850xw14/Oppdater/manage/id/index.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-3850xw14/Oppdater/manage/wait/index.php [151.139.128.10]Please see the attached files for further evidence.
This attack targets our customer, FINN, website URL http://www.finn.no/.
Would it be possible to have the fraudulent content, and any other associated fraudulent content, taken down as soon as you are able to?
Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.
More information about the detected issue is provided at https://incident.netcraft.com/230cbc356f1c/
Many thanks,
Netcraft
Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 38693070This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
January 12, 2023 at 10:14 am #75924Brandon CKeymasterHi Netcraft Reporter,
We’re sorry to hear you’re dealing with this issue for our Cloud-Wp Services. We have an abuse hotline that you can reach out to report this concern and have it eradicated.
After doing so we will reach back out to you directly with any updates. I hope this helps, please let us know if you have any other questions for us.
Thank you
January 13, 2023 at 10:40 am #76021Netcraft ReporterGuestHi there,
That abuse form does not seem to allow submission of the form. Are you able to investigate?
Also, I would like to bulk escalate several URLs that are being used for phishing, would this be possible?
Kind regards,
Netcraft.January 13, 2023 at 10:42 am #76048Brandon CKeymasterHello,
We can definitely report this on your behalf, if you’re having trouble with the abuse hotline. Rest assured our team will handle this issue for you. You can enter all Cloud WordPress URLs you suspect into the thread and we will address them promptly.
Thank you.
January 17, 2023 at 8:55 am #76292NetcraftGuestThank you.
Could you action this case?
hxxps://demo2.cloudwp[.]dev/trial-zyz94ttz/CA/mi-cuenta/acceso/es/clients/cc.php?verification#_ [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-zyz94ttz/CA/mi-cuenta/acceso/es/clients/app.php [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-8utz80u9/wp-content/avis/clients/login.php [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-15u06u99/wp-includes/avis/clients/login.php [151.139.128.10]
hxxp://demo2.cloudwp[.]dev/trial-15u06u99/wp-content/avis/clients/login.php [151.139.128.10]
hxxps://demo2.cloudwp[.]dev/trial-x7x701t5/Te/mi-cuenta/acceso/es/clients/app.php?verification [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-478t50xt/sa/ [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-478t50xt/sa/phone.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-478t50xt/sa/loading.php?id=3 [151.139.128.10]
hxxp://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/ [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/loading.php?id=1 [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/phone.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-33z1wwyt/wp-content/plugins/sal/sms.php [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/loading.php?id=1 [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/?utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXT05MTMysSNRLLCjQy8nMy9Z3BnGdEvOyAV4e4roiAAAA&_branch_match_id=1112279138968836057 [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/phone.php [151.139.128.10]
hxxp://demo3.cloudwp[.]dev/trial-831z4tzu/wp-content/plugins/sa/?_branch_match_id=1030816195158739595&utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXT05MTMysSNRLLCjQy8nMy9Z3BnGdEvOyAV4e4roiAAAA [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-0615445y/wp-content/plugins/sal/ [151.139.128.10]
hxxp://demo3.cloudwp[.]dev/trial-0615445y/wp-content/plugins/sal/ [151.139.128.10]
hxxps://demo3.cloudwp[.]dev/trial-0615445y/wp-content/plugins/sal/loading.php?id=1 [151.139.128.10]January 17, 2023 at 8:56 am #76441Brandon CKeymasterThank you NetCraft,
I will submit these reported cases on your behave.
January 24, 2023 at 7:34 am #77123Netcraft ReporterGuestThank you, we are still seeing these URLs as active and the abuse form is not working. Can you escalate their removal? Full list can be found here: https://incident.netcraft.com/71ad31632950/
Kind regards,
Netcraft.January 24, 2023 at 7:35 am #77135Brandon CKeymasterThanks for the list Netcraft Reporter. I’ll get these over to our webmasters asap. We’re also working to restore functionality to the abuse form. We apologize for the inconvenience.
February 1, 2023 at 9:30 am #77924Netcraft ReporterGuestHi there,
Can you provide an update on this case?
We are still seeing a large amount of active URLs.
Kind regards,
Netcraft.February 1, 2023 at 9:33 am #77960Brandon CKeymasterHi Netcraft,
I finally heard back from our webmasters on this matter. I was informed that the https://demo3.cloudwp.dev/ is now managed by InMotion Hosting.
You should report your case using the following links for direct correspondence:
https://central.inmotionhosting.com/wordpress/
https://www.inmotionhosting.com/legal/general-notice/I hope this helps.
- AuthorPosts
- The topic ‘Phishing incident on BoldGrid CloudWP’ is closed to new replies.