OVH.com SAS: Hosting Botnets, Scrapers, Spammers and Hacking Scripts

Checking our logs from 2016 (and now from 2017 and 2018), we see thousands of hacking attempts from OVH SAS (yes, France again; what is going on with French hosting providers, I wonder?). They mainly target WordPress sites, searching for plugin vulnerabilities or trying to create spam accounts.

And this is no surprise. See what happens at OVH.com:

https://www.spamhaus.org/sbl/listings/ovh.net

So I think I will dedicate a few pages to this bad French (?) company with branches all over the world, which claims to be the 3rd largest hosting company in the world. Here is a small sample of their attacks. At some point we will (try to) block all their IPs (edit: not actually possible, because there are too many, now coming from several European countries, like the UK).

Here is a sample from their attacks (updated Apr 2019):

If you have a way to BLOCK by “hostnames”, like a WordPress plugin or CIDRAM or whatever, block the following:

*ovh*
ns*.ip-*-*-*.net
*.ip-*-*-*.net
ip*.ip-*-*-*.us
ip*.ip-*-*-*.eu
ns*.ip-*-*-*.eu
ip-*-*-*.eu
vps-*.vps.ovh.net
*.*.hosting.ovh.net
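As an added example (not from this post and not from any plugin it names), the following Python checks a visitor's reverse-DNS name against the wildcard list above using shell-style glob matching, which is how most hostname blocklists interpret the star. Two things it makes visible: the pattern "*ovh*" matches any hostname containing that substring (a constructed name such as mail.govhost.example is caught too), and the list does not cover the 150.ip-167-114-237.eu form that appears in the comments, because none of the patterns allows the name to start with a bare number. The reverse_name helper does a live PTR lookup and is not called by the offline checks. A PTR record is published by whoever holds the address, so a hostname filter only sees what the sender chooses to publish; pair it with address-range blocking.

```python
import fnmatch
import socket

# The wildcard list from the post above, reproduced as written there.
BLOCK_PATTERNS = [
    "*ovh*",
    "ns*.ip-*-*-*.net",
    "*.ip-*-*-*.net",
    "ip*.ip-*-*-*.us",
    "ip*.ip-*-*-*.eu",
    "ns*.ip-*-*-*.eu",
    "ip-*-*-*.eu",
    "vps-*.vps.ovh.net",
    "*.*.hosting.ovh.net",
]


def matching_pattern(hostname, patterns=BLOCK_PATTERNS):
    """Return the first pattern that matches hostname (case-insensitively), or None.

    Patterns are shell-style globs, as in the post's list: '*' matches any run of
    characters, dots included. A trailing dot from a raw PTR answer is stripped.
    """
    name = hostname.rstrip(".").lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern
    return None


def reverse_name(ip):
    """PTR lookup for ip; None when there is no PTR record or DNS is unreachable.

    Needs network access, so the offline checks below do not call it.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def classify(hostnames, patterns=BLOCK_PATTERNS):
    """Map each hostname to the pattern that blocks it (None means not blocked)."""
    return {h: matching_pattern(h, patterns) for h in hostnames}


if __name__ == "__main__":
    # Hostnames taken from the log excerpts in the comments, plus two constructed
    # names (not from the page) that show the edges of the list.
    sample = [
        "ns364967.ip-94-23-0.eu",
        "ip-213-32-72.eu",
        "150.ip-167-114-237.eu",      # in the comments; no pattern covers it
        "proxy-109-190-254-7.ovh.net",
        "ns311758.ip-188-165-207.eu",
        "mail.govhost.example",       # constructed: '*ovh*' hits this substring
        "ns1.example.org",            # constructed: unrelated, not blocked
    ]
    for host, pat in classify(sample).items():
        print(f"{host:32} -> {pat}")
```

In a real filter, call reverse_name on the client address first and treat a missing PTR as "unknown" rather than "allowed"; matching_pattern is the part worth unit-testing against every hostname form you see in your own logs.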

Updated FEB 2023

31 Comments

  1. First attack of 2019, of course from OVH IPs. A few hundred of those today:

    _____________

    Shield has blocked a page visit to your site.
    Log details for this visitor are below:
    – IP Address: 51.75.168.171
    – Page parameter failed firewall check. The offending parameter was “pic” with a value of “../../../../../wp-config.php”.
    – Firewall Trigger: Directory Traversal.
    You can look up the offending IP Address here: http://ip-lookup.net/?ip=51.75.168.171

    Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
    Time Sent: Sat, 05 Jan 2019 03:56:41 +0000

    https://www.abuseipdb.com/check/51.75.168.171

  2. There is more today, Christmas time you see ….

    Shield has blocked a page visit to your site.
    Log details for this visitor are below:
    – IP Address: 51.68.77.204
    – Page parameter failed firewall check. The offending parameter was “path” with a value of “../../../../../wp-config.php”.
    – Firewall Trigger: Directory Traversal.
    You can look up the offending IP Address here: http://ip-lookup.net/?ip=51.68.77.204

    Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
    Time Sent: Sun, 30 Dec 2018 12:20:40 +0000

  3. And the torture never stops (Frank Zappa). A few hundred hack attempts in the last few days from UK OVH IPs.

    Shield has blocked a page visit to your site.
    Log details for this visitor are below:
    – IP Address: 54.37.2.174
    – Page parameter failed firewall check. The offending parameter was “pic” with a value of “../../../../../wp-config.php”.
    – Firewall Trigger: Directory Traversal.
    You can look up the offending IP Address here: http://ip-lookup.net/?ip=54.37.2.174

    Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
    Time Sent: Sun, 30 Dec 2018 04:57:55 +0000

    ____

    Shield has blocked a page visit to your site.
    Log details for this visitor are below:
    – IP Address: 54.37.2.174
    – Page parameter failed firewall check. The offending parameter was “path” with a value of “../../../../../wp-config.php”.
    – Firewall Trigger: Directory Traversal.
    You can look up the offending IP Address here: http://ip-lookup.net/?ip=54.37.2.174

    Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
    Time Sent: Sun, 30 Dec 2018 04:57:26 +0000
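The alerts quoted in the comments above all carry the same payload: a page parameter (“pic” or “path”) set to ../../../../../wp-config.php, the file that holds a WordPress site's database credentials and salts. Shield's “Directory Traversal” trigger is a check that any request handler can perform itself. The following Python is an added example (not Shield's code and not from this site) that scans query strings for that pattern: it percent-decodes each value, double-encoded forms included, folds backslashes to slashes, and flags a value that contains a “..” path segment or ends in a sensitive file name. The sample queries are the ones visible in the comments plus two constructed ones; the hypothetical names is_traversal, flag_query and scan_requests are this example's own.

```python
from urllib.parse import parse_qsl, unquote

# File names a request parameter should never point at. wp-config.php holds the
# database credentials, which is why the blocked requests above aim at it.
SENSITIVE_FILES = {"wp-config.php", ".htaccess", "passwd", "shadow"}


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when a value contains a '..' path segment or names a sensitive file.

    Decoding first defeats '%2e%2e%2f'; folding backslashes defeats '..\\'.
    Looking for a '..' segment rather than at the normalised path also catches
    '/../../krd.php' (from the comments), whose normalised form '/krd.php'
    would look harmless.
    """
    decoded = fully_decode(value).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s]
    if ".." in segments:
        return True
    return bool(segments) and segments[-1].lower() in SENSITIVE_FILES


def flag_query(query):
    """Return the (parameter, value) pairs of a query string that look like traversal."""
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if is_traversal(v)]


def scan_requests(queries):
    """Return (query, flagged pairs) for every query string with at least one hit."""
    hits = []
    for query in queries:
        flagged = flag_query(query)
        if flagged:
            hits.append((query, flagged))
    return hits


# Constructed sample: the first three values are the ones quoted in the comments,
# the last two are made up for this example (one encoded variant, one benign).
SAMPLE_QUERIES = [
    "pic=../../../../../wp-config.php",
    "path=../../../../../wp-config.php",
    "qqfile=/../../krd.php",
    "pic=%252e%252e%252fwp-config.php",
    "pic=images%2Flogo.png&id=42",
]

if __name__ == "__main__":
    for query, flagged in scan_requests(SAMPLE_QUERIES):
        print(f"BLOCK {query!r}: {flagged}")
```

The check is deliberately strict (any “..” segment is flagged, even a harmless “a/../b”), because a legitimate image or path parameter has no reason to climb directories at all; log the full query alongside the client address so that the alert carries the same detail as the Shield e-mails above.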

  4. A few hundred attempts to hack our server:

    30/Dec/17 18:58:10 #8411451 CRITICAL 1 94.23.204.93 GET /index.php – Directory traversal – [GET:qqfile = /../../krd.php]

    https://www.valueweb.gr/wp-content/uploads/2017/12/OVH-France-malware.png

    and of course from OVH IPs (94.23.204.93) France. “krd.php” is probably some LOCKY malware.

    Actually the whole IP range is like that:

    https://www.valueweb.gr/wp-content/uploads/2017/12/ovh-france-attacking-ips.png

    1. Because of many reasons.

      We already spend some time daily cleaning up several sites from their crap. We can’t spend even more contacting them, giving them screenshots and logs, and for what? Nothing. They do nothing about it.

      Or in the best case, they stop some IP from spamming/abusing/hacking and after a few days some other IP starts to attack us.

      All-in-all OVH doesn’t care.

  5. OVH is what I like to call a UBH, or an “Unofficially Bulletproof Host”: they do have an actual AUP/TOS & don’t publicly take the same “anything goes” stance as traditional bulletproof hosts, but in practice they’re just bad because they consistently fail to enforce their own policies (either because they don’t have sufficient/competent staff to deal with abuse, and/or they simply don’t care).

    After the handful of dealings I’ve had with OVH staff, I’m personally inclined towards the “simply don’t care” explanation. A year or two back, I started a thread in their forums to gripe about spam that we had been receiving for more than a year (at that point), with fake Kijiji alerts all linking to an OVH-hosted spam-support site (classifieds-news[dot]com) – and when their staff could even be bothered to respond, all I got were weaselly excuses about how they’re the “world’s third-largest hosting provider” (as if that somehow justified turning a blind eye to rampant spam & malicious traffic originating from their network).

    I wasn’t the only one, either: most of the threads on their support forums were complaints from people who weren’t OVH customers, griping about OVH ignoring spam and abuse complaints… or rather it was, until they completely shuttered their forums & replaced them with a “A new space will be available soon” message – which has been there for almost a year now.

  6. So now we have to spend an hour daily to report the abuse attempts to OVH (and gain nothing, just waste time and effort) and also spend time cleaning the comments.

    If anyone has found a way to block all IPs from this damn OVH, please comment and help.

  7. And they never stop spamming and hacking from OVH IPs. Today we had to clean up again hundreds of spam from 87.98.184.245.

    https://www.valueweb.gr/wp-content/uploads/2017/11/Shield-Audit-Trail-Viewer-WordPress-5-11-2017.png

    https://www.valueweb.gr/wp-content/uploads/2017/11/87-98-184-245-Whois-lookup-IP-Blacklist-Cloud-Details-5-11-2017.png

    OVH is right now the N1 spammer hosting service (….) that abuses our servers and doesn’t give a flying shit about it. And they have so many IPs that it is impossible to block all of them.

  8. They are warmly supporting hackers and they are hackers, too. In one day our site has had 75 attacks from 3 OVH SAS servers. Which very well means:
    When not successful with one server, then we try with another server.
    They have maybe very poor and stupid personnel who don’t know that their hosting colleagues are more educated.

  9. Not sure how we can block the whole IP ranges of OVH, since it seems that they are also providing ADSL services.

    Maybe we could block on a per-incident basis. Not easy and very time-consuming, still we could limit the junk from their IPs.

  10. #: 73414 @: Wed, 21 Dec 2016 22:13:39 -0500
    Host: ns364967.ip-94-23-0.eu

    IP: 94.23.0.221

    Score: 1

    Violation count: 3 BANNED

    Why blocked: OVH Networks (ASN-16276-OVH-27).

    Query:

    Referer:

    User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0

    Reconstructed URL: http:// website . com /site/ backup /

  11. #: 78560 @: Wed, 21 Dec 2016 21:57:31 -0500

    Host: ip-213-32-72.eu

    IP: 213.32.72.115 – OVH France

    Score: 1

    Violation count: 1

    Why blocked: Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt

  12. #: 78557 @: Wed, 21 Dec 2016 19:49:00 -0500

    Host: 150.ip-167-114-237.eu

    IP: 167.114.237.150 (OVH Hosting)

    Score: 2

    Violation count: 1

    Why blocked: OVH Networks (ASN-16276-OVH-36). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website . com /wp-content/plugins/wysija-newsletters/readme.txt

  13. #: 78542 @: Wed, 21 Dec 2016 16:11:36 -0500

    Host: 158.69.71.193

    IP: 158.69.71.193

    Score: 2

    Violation count: 1

    Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt

  14. #: 78532 @: Wed, 21 Dec 2016 08:14:40 -0500

    Host: 213.32.77.44

    IP: 213.32.77.44 (OVH SAS)

    Score: 1

    Violation count: 1

    Why blocked: Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website . com /wp-content/plugins/wysija-newsletters/readme.txt

  15. Host: ns311758.ip-188-165-207.eu

    IP: 188.165.207.133

    Score: 1

    Violation count: 1

    Why blocked: OVH Networks (ASN-16276-OVH-40).

    Query:

    Referer:

    User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11

    Reconstructed URL: hxxp : / / www [.] website.com [.] com /js/mage/cookies [.] js

    This is DEFINITELY Ovh.net

    https://apps.db.ripe.net/search/query.html?searchtext=188.165.207.133#resultsAnchor

    1. Those guys are a total joke. They didn’t reply about their IP (188.165.207.133) but about OUR IP (our site that was abused by their IP). They can’t even read a ticket properly and understand it! Or they spend something like 1 second reading it.

      They replied:

      Hello,

      Thank you for taking the time to contact the OVH Abuse Team, this message confirms that we did receive your report, and created the Abuse Ticket #XZLHQGTNCK to reference it.

      After a careful examination of the elements you communicated to us, it appears that the abusive behavior you’re reporting is not being perpetrated from an OVH IP.

      We suggest you contact the proper Abuse service that handles this IP range, which you’ll be able to find by using “whois” records. The whois service being public and free, several websites permit an easy access to it, such as hxxp : / /who [.] is for example (please note that this website is not affiliated to OVH).

      Your Abuse Ticket #XZLHQGTNCK is now closed.

    2. source: RIPE

      Responsible organisation: OVH SAS
      Abuse contact info: abuse@ovh.net

      inetnum: 188.165.192.0 – 188.165.255.255
      netname: OVH
      descr: OVH SAS
      descr: Dedicated Servers
      descr: http://www.ovh.com
      country: FR
      admin-c: OK217-RIPE
      tech-c: OTC2-RIPE
      status: ASSIGNED PA
      mnt-by: OVH-MNT
      created: 2009-12-18T15:48:40Z
      last-modified: 2009-12-18T15:48:40Z
      source: RIPE

      role: OVH Technical Contact
      address: OVH SAS
      address: 2 rue Kellermann
      address: 59100 Roubaix
      address: France
      e-mail: noc@ovh.net
      admin-c: OK217-RIPE
      tech-c: GM84-RIPE
      tech-c: SL10162-RIPE
      nic-hdl: OTC2-RIPE
      notify: noc@ovh.net
      abuse-mailbox: abuse@ovh.net
      mnt-by: OVH-MNT
      created: 2004-01-28T17:42:29Z
      last-modified: 2014-09-05T10:47:15Z
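The RIPE object above gives the assignment as a first-to-last address range (the inetnum line), while server deny rules want CIDR prefixes. The following Python is an added example (not from the commenter and not RIPE's own tooling) that parses the inetnum line quoted above, converts the range into the minimal set of CIDR networks (here a single /18), tests whether the addresses from the comments fall inside it, and renders deny rules for nginx or Apache 2.4. The range-to-CIDR step matters because a RIPE range need not fall on a single prefix boundary; the constructed 10.0.0.0 - 10.0.0.5 case in the test shows it splitting. As comment 9 notes, such ranges may also carry access customers, so rules built this way are best applied per incident rather than to everything the operator announces.

```python
import ipaddress
import re

# The inetnum block from the RIPE record quoted in the comment above, reproduced
# here (only the lines the parser reads are needed). The separator is the
# en dash the page shows; the regex also accepts a plain hyphen.
RIPE_RECORD = """\
inetnum: 188.165.192.0 – 188.165.255.255
netname: OVH
descr: OVH SAS
descr: Dedicated Servers
country: FR
status: ASSIGNED PA
source: RIPE
"""

INETNUM_RE = re.compile(r"^inetnum:\s*([\d.]+)\s*[-\u2013]\s*([\d.]+)\s*$", re.M)


def inetnum_to_networks(record):
    """Parse the 'inetnum:' line of a RIPE object into the minimal list of CIDR networks.

    summarize_address_range returns as many prefixes as the range needs; an
    aligned range such as the one above collapses to one.
    """
    match = INETNUM_RE.search(record)
    if not match:
        raise ValueError("no inetnum line found")
    first = ipaddress.ip_address(match.group(1))
    last = ipaddress.ip_address(match.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def in_networks(ip, networks):
    """True when ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def deny_lines(networks, fmt="nginx"):
    """Render networks as deny rules: nginx 'deny' or Apache 2.4 'Require not ip'.

    The Apache form must sit inside a <RequireAll> block together with
    'Require all granted' to take effect.
    """
    if fmt == "nginx":
        return [f"deny {net};" for net in networks]
    if fmt == "apache":
        return [f"Require not ip {net}" for net in networks]
    raise ValueError(f"unknown format: {fmt}")


if __name__ == "__main__":
    nets = inetnum_to_networks(RIPE_RECORD)
    print("CIDR:", [str(n) for n in nets])
    # Two addresses quoted in the comments: one inside this assignment, one outside it.
    for ip in ("188.165.207.133", "94.23.0.221"):
        print(ip, "inside" if in_networks(ip, nets) else "outside")
    print("\n".join(deny_lines(nets, "nginx")))
```

Feed the function the inetnum line of each abuse report you file and append the resulting rules to the deny list; because the list stays expressed as prefixes, it can later be reconciled against the operator's announced routes if blocking grows beyond a per-incident scale.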

  16. #: 78448 @: Mon, 19 Dec 2016 14:46:31

    Host: proxy-109-190-254-7.ovh.net

    IP: 109.190.254.7

    Score: 141

    Violation count: 41

    Why blocked: Cloud Services. Not an access provider ISP. Allows IP hopping. (CLD-0210).

    Query:

    Referer:

    User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

    Reconstructed URL: http:// www . website. com /js/mage/cookies.js

  17. #: 78439 @: Mon, 19 Dec 2016 10:29:46 -0500

    Host: 158.69.71.193

    IP: 158.69.71.193 (OVH.com Canada)

    Score: 2

    Violation count: 1

    Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt

  18. #: 78430 @: Mon, 19 Dec 2016 06:16:58 -0500

    Host: 213.32.77.44

    IP: 213.32.77.44 (OVH SAS)

    Score: 11

    Violation count: 14

    Why blocked: OVH France – Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
