OVH.com SAS: Hosting Botnets, Scrapers, Spammers and Hacking Scripts
Checking our logs from 2016 (and now 2017 and 2018), we see thousands of hacking attempts from OVH SAS (yes, France again; what is going on with French hosting providers, I wonder ....). They mainly target WordPress sites, probing for plugin vulnerabilities or trying to create spam accounts.
And this is no surprise. See what happens at OVH.com:
https://www.spamhaus.org/sbl/listings/ovh.net
So I think I will dedicate a few pages to this bad French (?) company with branches all over the world, which claims to be the 3rd largest hosting company in the world. Here is a small sample of their attacks. At some point we will (try to) block all their IPs (edit: not actually possible, because there are too many of them, now coming from several European countries, like the UK).
Here is a sample from their attacks (updated Apr 2019):
If you have a way to BLOCK by “hostnames”, like a WordPress plugin or CIDRAM or whatever, block the following:
*ovh*
ns*.ip-*-*-*.net
*.ip-*-*-*.net
ip*.ip-*-*-*.us
ip*.ip-*-*-*.eu
ns*.ip-*-*-*.eu
ip-*-*-*.eu
vps-*.vps.ovh.net
*.*.hosting.ovh.net
Updated FEB 2023
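To see what that pattern list actually catches, here is an added example (not the post's own code, and not from any WordPress plugin or from CIDRAM) that applies it to reverse-DNS names. It assumes the blocker treats `*` like a shell glob (any run of characters, dots included) and compares case-insensitively; the sample hostnames are copied from the log entries further down this page, plus one constructed unrelated host.

```python
import fnmatch

# The wildcard hostname patterns from the list above, copied verbatim.
# Assumption: the reader's blocker treats '*' like a shell glob (any run of
# characters, dots included) and compares case-insensitively; adjust if yours differs.
OVH_HOST_PATTERNS = [
    "*ovh*",
    "ns*.ip-*-*-*.net",
    "*.ip-*-*-*.net",
    "ip*.ip-*-*-*.us",
    "ip*.ip-*-*-*.eu",
    "ns*.ip-*-*-*.eu",
    "ip-*-*-*.eu",
    "vps-*.vps.ovh.net",
    "*.*.hosting.ovh.net",
]


def matching_pattern(hostname, patterns=OVH_HOST_PATTERNS):
    """Return the first pattern the hostname matches, or None if it matches none."""
    host = hostname.strip().rstrip(".").lower()   # PTR names may carry a trailing dot
    for pattern in patterns:
        if fnmatch.fnmatchcase(host, pattern.lower()):
            return pattern
    return None


def hostname_is_blocked(hostname, patterns=OVH_HOST_PATTERNS):
    return matching_pattern(hostname, patterns) is not None


def classify_hosts(hostnames, patterns=OVH_HOST_PATTERNS):
    """Map each hostname to the pattern that blocks it (None means it would be let through)."""
    return {h: matching_pattern(h, patterns) for h in hostnames}


# Constructed sample: PTR names taken from the log entries further down this page,
# plus one unrelated host (constructed) that must not be blocked.
SAMPLE_HOSTS = [
    "ns364967.ip-94-23-0.eu",
    "ip-213-32-72.eu",
    "ns311758.ip-188-165-207.eu",
    "proxy-109-190-254-7.ovh.net",
    "150.ip-167-114-237.eu",   # logged on this page, but no pattern in the list covers "<n>.ip-x-y-z.eu"
    "158.69.71.193",           # logged with Host == IP: no reverse DNS, so name matching cannot catch it
    "crawler.example.net",     # constructed, unrelated
]

if __name__ == "__main__":
    for host, pattern in classify_hosts(SAMPLE_HOSTS).items():
        print(f"{host:32} -> {'BLOCK by ' + pattern if pattern else 'allow'}")
```

The two misses in the sample are the caveat worth knowing: hostname blocking depends on a PTR record that the IP's owner controls and may simply not publish (the entries below where Host equals the IP), and the list as written does not cover the `150.ip-167-114-237.eu` shape that appears in this page's own logs. Also, `*ovh*` matches that substring anywhere in a name, so check hits against whois before banning. Blocking by ASN or CIDR, as the "ASN-16276-OVH" entries further down do, has neither gap.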
First attack of 2019, of course from OVH IPs. A few hundred of those today:
_____________
Shield has blocked a page visit to your site.
Log details for this visitor are below:
– IP Address: 51.75.168.171
– Page parameter failed firewall check. The offending parameter was "pic" with a value of "../../../../../wp-config.php".
– Firewall Trigger: Directory Traversal.
You can look up the offending IP Address here: http://ip-lookup.net/?ip=51.75.168.171
Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
Time Sent: Sat, 05 Jan 2019 03:56:41 +0000
https://www.abuseipdb.com/check/51.75.168.171
There is more today, Christmas time, you see ....
Shield has blocked a page visit to your site.
Log details for this visitor are below:
– IP Address: 51.68.77.204
– Page parameter failed firewall check. The offending parameter was "path" with a value of "../../../../../wp-config.php".
– Firewall Trigger: Directory Traversal.
You can look up the offending IP Address here: http://ip-lookup.net/?ip=51.68.77.204
Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
Time Sent: Sun, 30 Dec 2018 12:20:40 +0000
And the torture never stops (Frank Zappa). A few hundred hacking attempts in the last few days from UK OVH IPs.
Shield has blocked a page visit to your site.
Log details for this visitor are below:
– IP Address: 54.37.2.174
– Page parameter failed firewall check. The offending parameter was "pic" with a value of "../../../../../wp-config.php".
– Firewall Trigger: Directory Traversal.
You can look up the offending IP Address here: http://ip-lookup.net/?ip=54.37.2.174
Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
Time Sent: Sun, 30 Dec 2018 04:57:55 +0000
____
Shield has blocked a page visit to your site.
Log details for this visitor are below:
– IP Address: 54.37.2.174
– Page parameter failed firewall check. The offending parameter was "path" with a value of "../../../../../wp-config.php".
– Firewall Trigger: Directory Traversal.
You can look up the offending IP Address here: http://ip-lookup.net/?ip=54.37.2.174
Email sent from the Shield Plugin v6.10.9, on https://www.valueweb.gr.
Time Sent: Sun, 30 Dec 2018 04:57:26 +0000
A few hundred attempts to hack our server:
30/Dec/17 18:58:10 #8411451 CRITICAL 1 94.23.204.93 GET /index.php – Directory traversal – [GET:qqfile = /../../krd.php]
https://www.valueweb.gr/wp-content/uploads/2017/12/OVH-France-malware.png
and of course from OVH IPs (94.23.204.93), France. "krd.php" is probably some LOCKY malware.
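The alerts above all carry the same signature: a `../` sequence in a query parameter aimed at wp-config.php, or, in the 2017 entry, at dropping krd.php through a file-upload parameter. As an added example (not the blog's code and not the Shield plugin's), here is a small Python detector that applies the same check to access-log lines. The log lines are constructed in the common Apache/nginx "combined" format from the IPs and parameters quoted above, plus a double-encoded variant and two benign requests; the detector undoes percent-encoding (including double encoding), flags `..` only when it stands as a whole path segment, and marks hits aimed at wp-config.php as sensitive.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# ".." standing alone as a path segment: preceded by start-of-string or a slash/backslash
# and followed by a slash/backslash or end-of-string. "image..jpg" does not qualify.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# File names whose disclosure is the real damage; wp-config.php is the target in the alerts above.
SENSITIVE_TARGETS = {"wp-config.php"}

# Apache/nginx "combined" access-log line (only the fields we need are captured).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .), bounded so it cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_target(ip, target):
    """Return traversal findings for one request target (path and every query parameter)."""
    parts = urlsplit(target)
    candidates = [("path", parts.path)]
    candidates += [(f"param:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    findings = []
    for where, raw in candidates:
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            basename = value.replace("\\", "/").rsplit("/", 1)[-1]
            findings.append({
                "ip": ip,
                "where": where,
                "value": value,
                "sensitive": basename in SENSITIVE_TARGETS,
            })
    return findings


def scan_log(lines):
    """Run check_target over every parseable log line and collect the findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            findings.extend(check_target(m["ip"], m["target"]))
    return findings


def count_by_ip(findings):
    return Counter(f["ip"] for f in findings)


# Constructed sample log: the alerts quoted above rewritten as access-log lines,
# one double-encoded variant, and two benign requests that must not be flagged.
SAMPLE_LOG = [
    '51.75.168.171 - - [05/Jan/2019:03:56:41 +0000] "GET /?pic=../../../../../wp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '54.37.2.174 - - [30/Dec/2018:04:57:55 +0000] "GET /?path=..%2F..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '51.68.77.204 - - [30/Dec/2018:12:20:40 +0000] "GET /?path=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '94.23.204.93 - - [30/Dec/2017:18:58:10 +0000] "GET /index.php?qqfile=/../../krd.php HTTP/1.1" 403 0 "-" "Mozilla/4.0"',
    '203.0.113.10 - - [05/Jan/2019:04:00:00 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Jan/2019:04:00:05 +0000] "GET /wp-content/uploads/2019/01/image..jpg HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SENSITIVE" if f["sensitive"] else "traversal"
        print(f"{f['ip']:15} {flag:9} {f['where']:12} {f['value']}")
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

The decoding step matters: a firewall that inspects only the raw query string misses `%252e%252e%252f`, which the application decodes to `../` after the web server has already decoded it once. Feeding the per-IP counts into a rate-limited ban, rather than alerting on every hit, is what keeps a few hundred probes a day from turning into a few hundred e-mails.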
Actually the whole IP range is like that:
https://www.valueweb.gr/wp-content/uploads/2017/12/ovh-france-attacking-ips.png
Nothing good comes from this provider. Spam and spam and spam and spam (from other providers, containing links to OVH-hosted sites).
https://www.valueweb.gr/wp-content/uploads/2017/12/OVH-Spamcop-report-ignored.png
Yes, but why don't you just report the problems to OVH abuse?
For many reasons.
We already spend time daily cleaning up several sites from their crap. We can't spend even more contacting them, giving them screenshots and logs, and for what? Nothing. They do nothing about it.
Or, in the best case, they stop one IP from spamming/abusing/hacking, and after a few days some other IP starts attacking us.
All-in-all OVH doesn’t care.
For the last week we have been spammed with comments pointing to a site hosted at IP 5.135.43.106, which belongs ... guess what .... to OVH Spain.
https://www.valueweb.gr/wp-content/uploads/2017/11/5-135-43-106-Spain-Ovh-IP-address-location-and-data-14-11-2017.png
https://www.valueweb.gr/wp-content/uploads/2017/11/Form-SEO-14-11-2017-12-24-29.png
and we are alone:
https://www.projecthoneypot.org/ip_5.135.43.106
OVH.net is number 8 of the 10 in Spamhaus's Worst Spam Support ISPs list (Nov 2017):
https://www.valueweb.gr/wp-content/uploads/2017/11/Spamhaus-The-Top-10-World-s-Worst-Spam-Support-ISPs-13-11-2017-10-09-59.png
OVH is what I like to call a UBH, or an “Unofficially Bulletproof Host”: they do have an actual AUP/TOS & don’t publicly take the same “anything goes” stance as traditional bulletproof hosts, but in practice they’re just bad because they consistently fail to enforce their own policies (either because they don’t have sufficient/competent staff to deal with abuse, and/or they simply don’t care).
After the handful of dealings I’ve had with OVH staff, I’m personally inclined towards the “simply don’t care” explanation. A year or two back, I started a thread in their forums to gripe about spam that we had been receiving for more than a year (at that point), with fake Kijiji alerts all linking to an OVH-hosted spam-support site (classifieds-news[dot]com) – and when their staff could even be bothered to respond, all I got were weaselly excuses about how they’re the “world’s third-largest hosting provider” (as if that somehow justified turning a blind eye to rampant spam & malicious traffic originating from their network).
I wasn’t the only one, either: most of the threads on their support forums were complaints from people who weren’t OVH customers, griping about OVH ignoring spam and abuse complaints… or rather it was, until they completely shuttered their forums & replaced them with a “A new space will be available soon” message – which has been there for almost a year now.
So now we have to spend an hour daily reporting the abuse attempts to OVH (gaining nothing, just wasting time and effort) and also cleaning up the comments.
If anyone has found a way to block all IPs from this damn OVH, please comment and help.
And a new spam attack from a Russian server (151.80.203.177), hosted again .... by OVH SAS France. Ha!
https://www.valueweb.gr/wp-content/uploads/2017/11/Comments-‹-ValueWeb-gr-—-WordPress-8-11-2017.png
https://www.valueweb.gr/wp-content/uploads/2017/11/151-80-203-177-Hekmatyar-Koko-AbuseIPDB-8-11-2017.png
Again 46.105.109.41 has attempted to hack the Editor account and spam all over us. It didn't succeed, since it was blocked, but several hundred such attempts still slow us down. Not sure how we could totally block OVH IPs.
OVH.com, thanks for the continuous shit. Appreciated.
https://www.valueweb.gr/wp-content/uploads/2017/11/46-105-109-41-OVH-SAS-AbuseIPDB-6-11-2017.png
And they never stop spamming and hacking from OVH IPs. Today we had to clean up, again, hundreds of spam comments from 87.98.184.245.
https://www.valueweb.gr/wp-content/uploads/2017/11/Shield-Audit-Trail-Viewer-WordPress-5-11-2017.png
https://www.valueweb.gr/wp-content/uploads/2017/11/87-98-184-245-Whois-lookup-IP-Blacklist-Cloud-Details-5-11-2017.png
OVH is right now the No. 1 spammer hosting service (....) that abuses our servers, and they don't give a flying shit about it. And they have so many IPs that it is impossible to block all of them.
Just erased around 1000 spam comments that escaped our spam filters. Again, OVH Canada.
https://www.valueweb.gr/wp-content/uploads/2017/11/IP-Address-142-44-131-56-4-11-2017.png
Today again we had a few thousand hacking attempts against one of our sites from 213.251.185.53 (OVH). As you can see in the first capture, they were trying to hack the "editor" account.
https://www.valueweb.gr/wp-content/uploads/2017/11/Shield-Audit-Trail-Viewer-WordPress-3-11-2017-11-09-47.png
https://www.valueweb.gr/wp-content/uploads/2017/11/213-251-185-53-Whois-lookup-IP-Blacklist-Cloud-Details-3-11-2017.png
https://www.valueweb.gr/wp-content/uploads/2017/11/Iliad-et-OVH-encore-parmi-les-plus-complaisants-envers-le-spam.png
They warmly support hackers, and they are hackers too. In one day our site had 75 attacks from 3 OVH SAS servers, which basically means:
when one server doesn't succeed, they try with another server.
Maybe they have very poor and stupid personnel who don't know that their hosting colleagues are better educated.
New hacking attempts from:
https://www.valueweb.gr/wp-content/uploads/2016/12/OVH_1.jpg
Not sure how we can block the whole IP ranges of OVH, since it seems that they also provide ADSL services.
Maybe we could block on a per-incident basis. Not easy and very time-consuming, but we could still limit the junk from their IPs.
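Per-incident blocking of that kind can be automated from the blocker log entries quoted below (the "#: id @: date" header followed by "Key: value" lines). As an added example, not the blog's own code and not CIDRAM's, here is a Python sketch that parses that format, tallies the reason codes in parentheses, and applies a sliding-window policy: N blocked requests from one IP inside a time window earn a temporary ban. The sample entries are copies of entries from this page plus two constructed repeats for 213.32.77.44 so the threshold is actually reached; the threshold, window and ban length are arbitrary choices, and an entry without a timezone offset (one of the page's entries has none) is assumed to be UTC.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

ENTRY_HEADER = re.compile(r"^#:\s*(?P<id>\d+)\s*@:\s*(?P<ts>.+?)\s*$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
REASON_CODE = re.compile(r"\(([A-Z]{2,3}-\d+[^)]*)\)")   # e.g. (QU-320), (ASN-16276-OVH-34), (CLD-0210)


def parse_entries(text):
    """Parse '#: id @: date' blocks of 'Key: value' lines into dicts with ts, ip and reason codes."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            ts = parsedate_to_datetime(m["ts"])
            if ts.tzinfo is None:               # assumption: no offset given -> treat as UTC
                ts = ts.replace(tzinfo=timezone.utc)
            current = {"id": int(m["id"]), "ts": ts, "fields": {}}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current["fields"][key.strip()] = value.strip()
    for e in entries:
        ip = IPV4.search(e["fields"].get("IP", ""))  # the IP line may carry "(OVH SAS)" etc. after the address
        e["ip"] = ip.group(0) if ip else None
        e["codes"] = REASON_CODE.findall(e["fields"].get("Why blocked", ""))
    return entries


def tally_reasons(entries):
    return Counter(code for e in entries for code in e["codes"])


def ban_decisions(entries, threshold=3, window=timedelta(hours=24), ban_for=timedelta(days=1)):
    """Sliding window: `threshold` blocked hits from one IP within `window` -> ban until hit + ban_for.
    Returns {ip: ban_until}; a new ban is only issued once the previous one has expired."""
    recent, bans = defaultdict(deque), {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["ip"] is None:
            continue
        hits = recent[e["ip"]]
        hits.append(e["ts"])
        while hits and e["ts"] - hits[0] > window:
            hits.popleft()
        still_banned = e["ip"] in bans and e["ts"] < bans[e["ip"]]
        if len(hits) >= threshold and not still_banned:
            bans[e["ip"]] = e["ts"] + ban_for
    return bans


# Constructed sample in the page's log format: four entries copied from below,
# plus two constructed repeats (#78451, #78460) for 213.32.77.44.
SAMPLE_ENTRIES = """\
#: 78430 @: Mon, 19 Dec 2016 06:16:58 -0500
Host: 213.32.77.44
IP: 213.32.77.44 (OVH SAS)
Score: 11
Violation count: 14
Why blocked: OVH France - Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
Reconstructed URL:http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
#: 78439 @: Mon, 19 Dec 2016 10:29:46 -0500
Host: 158.69.71.193
IP: 158.69.71.193 (OVH.com Canada)
Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
#: 78448 @: Mon, 19 Dec 2016 14:46:31
Host: proxy-109-190-254-7.ovh.net
IP: 109.190.254.7
Why blocked: Cloud Services. Not an access provider ISP. Allows IP hopping. (CLD-0210).
#: 78451 @: Mon, 19 Dec 2016 15:02:10 -0500
IP: 213.32.77.44 (OVH SAS)
Why blocked: OVH France - Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
#: 78460 @: Mon, 19 Dec 2016 21:40:00 -0500
IP: 213.32.77.44 (OVH SAS)
Why blocked: OVH France - Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
#: 78542 @: Wed, 21 Dec 2016 16:11:36 -0500
Host: 158.69.71.193
IP: 158.69.71.193
Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_ENTRIES)
    print(tally_reasons(parsed))
    for ip, until in ban_decisions(parsed).items():
        print(f"ban {ip} until {until.isoformat()}")
```

With the defaults, only 213.32.77.44 gets banned (three hits inside 24 hours); 158.69.71.193 has two hits more than two days apart, so the window has emptied by the second one. Keying the same policy on the ASN code instead of the IP is how you move from per-incident to per-network blocking without a hand-maintained IP list, at the cost of also catching the provider's legitimate customers.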
#: 73414 @: Wed, 21 Dec 2016 22:13:39 -0500
Host: ns364967.ip-94-23-0.eu
IP: 94.23.0.221
Score: 1
Violation count: 3 BANNED
Why blocked: OVH Networks (ASN-16276-OVH-27).
Query:
Referer:
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0
Reconstructed URL: http:// website . com /site/ backup /
#: 78560 @: Wed, 21 Dec 2016 21:57:31 -0500
Host: ip-213-32-72.eu
IP: 213.32.72.115 – OVH France
Score: 1
Violation count: 1
Why blocked: Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
#: 78557 @: Wed, 21 Dec 2016 19:49:00 -0500
Host: 150.ip-167-114-237.eu
IP: 167.114.237.150 (OVH Hosting)
Score: 2
Violation count: 1
Why blocked: OVH Networks (ASN-16276-OVH-36). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Reconstructed URL: http:// www. website . com /wp-content/plugins/wysija-newsletters/readme.txt
#: 78542 @: Wed, 21 Dec 2016 16:11:36 -0500
Host: 158.69.71.193
IP: 158.69.71.193
Score: 2
Violation count: 1
Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
#: 78532 @: Wed, 21 Dec 2016 08:14:40 -0500
Host: 213.32.77.44
IP: 213.32.77.44 (OVH SAS)
Score: 1
Violation count: 1
Why blocked: Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Reconstructed URL: http:// www. website . com /wp-content/plugins/wysija-newsletters/readme.txt
Host: ns311758.ip-188-165-207.eu
IP: 188.165.207.133
Score: 1
Violation count: 1
Why blocked: OVH Networks (ASN-16276-OVH-40).
Query:
Referer:
User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11
Reconstructed URL: hxxp : / / www [.] website.com [.] com /js/mage/cookies [.] js
This is DEFINITELY Ovh.net:
https://apps.db.ripe.net/search/query.html?searchtext=188.165.207.133#resultsAnchor#resultsAnchor
Those guys are a total joke. They didn't reply about their IP (188.165.207.133) but about OUR IP (our site, which was abused by their IP). They can't even read a ticket properly and understand it! Or they spend something like 1 second reading it.
They replied:
Hello,
Thank you for taking the time to contact the OVH Abuse Team, this message confirms that we did receive your report, and created the Abuse Ticket #XZLHQGTNCK to reference it.
After a careful examination of the elements you communicated to us, it appears that the abusive behavior you’re reporting is not being perpetrated from an OVH IP.
We suggest you contact the proper Abuse service that handles this IP range, which you’ll be able to find by using “whois” records. The whois service being public and free, several websites permit an easy access to it, such as hxxp : / /who [.] is for example (please note that this website is not affiliated to OVH).
Your Abuse Ticket #XZLHQGTNCK is now closed.
source: RIPE
Responsible organisation: OVH SAS
Abuse contact info: abuse@ovh.net
inetnum: 188.165.192.0 – 188.165.255.255
netname: OVH
descr: OVH SAS
descr: Dedicated Servers
descr: http://www.ovh.com
country: FR
admin-c: OK217-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
created: 2009-12-18T15:48:40Z
last-modified: 2009-12-18T15:48:40Z
source: RIPE
role: OVH Technical Contact
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France
e-mail: noc@ovh.net
admin-c: OK217-RIPE
tech-c: GM84-RIPE
tech-c: SL10162-RIPE
nic-hdl: OTC2-RIPE
notify: noc@ovh.net
abuse-mailbox: abuse@ovh.net
mnt-by: OVH-MNT
created: 2004-01-28T17:42:29Z
last-modified: 2014-09-05T10:47:15Z
#: 78448 @: Mon, 19 Dec 2016 14:46:31
Host: proxy-109-190-254-7.ovh.net
IP: 109.190.254.7
Score: 141
Violation count: 41
Why blocked: Cloud Services. Not an access provider ISP. Allows IP hopping. (CLD-0210).
Query:
Referer:
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Reconstructed URL: http:// www . website. com /js/mage/cookies.js
#: 78439 @: Mon, 19 Dec 2016 10:29:46 -0500
Host: 158.69.71.193
IP: 158.69.71.193 (OVH.com Canada)
Score: 2
Violation count: 1
Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
#: 78430 @: Mon, 19 Dec 2016 06:16:58 -0500
Host: 213.32.77.44
IP: 213.32.77.44 (OVH SAS)
Score: 11
Violation count: 14
Why blocked: OVH France – Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
Query:
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt