OVH.com SAS: Hosting Botnets, Scrappers, Spammers and Hacking Scripts

Checking our logs from 2016 (and now from 2017 and 2018), we see thousands of hacking attempts from OVH SAS (yes, France again; what is going on with French hosting providers, I wonder...). They mainly target WordPress sites, searching for plugin vulnerabilities or trying to create spam accounts.

And this is no surprise. See what happens at OVH.com:

https://www.spamhaus.org/sbl/listings/ovh.net

So I think I will dedicate a few pages to this bad French (?) company with branches all over the world, claiming to be the 3rd hosting company in the world. At some point we will (try to) block all their IPs (edit: not actually possible, because there are too many of them, now coming from several European countries, like the UK).

Here is a sample from their attacks (updated Apr 2019):

/wp-content/themes/sst-cafe/baer.php
/wp-content/themes/shunar/baer.php
wp-content/uploads/2019/03/baer.php
/wp-content/themes/kklo3/zwi-cofg.php
/wp-content/themes/psmag/baer.php
/wp-includes/pomo/jss.php
/wp-content/themes/webpoint/baer.php
/wp-content/zwi-cofg.php
/wp-includes/zwi-cofg.php
/wp-content/themes/web-point/baer.php
/wp-json/oembed/1.0/embed?url=*removed*
/components/com_jbcatalog/libraries/jsupload/server/php
/components/com_facileforms/libraries/jquery/uploadify.php
/administrator/components/com_extplorer/uploadhandler.php
/administrator/components/com_rokdownloads/assets/uploadhandler.php
/index.php?option=com_adsmanager&task=upload&tmpl=component
/index.php?option=com_jdownloads&Itemid=0&view=upload
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/components/com_sexycontactform/fileupload/
/components/com_facileforms/libraries/jquery/up.php
/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php
/index.php?option=com_macgallery&view=download&albumid=../../configuration.php
/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php
/admin/login.php
/wp-content/plugins/vegashero/settings/templates/operator-table.php
/wp-content/themes/twentyfifteen/genericons/wp-console.php
/wp-content/plugins/yellow-pencil-visual-theme-customizer/css/frame.css
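
An added example (not the site's own blocking code) that turns the probe paths from the sample above into detection rules and runs them over a few constructed Apache-style log lines, counting flagged requests per source IP; the rule labels, the documentation IPs and the block threshold are this example's own assumptions:

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined log format (documentation IPs);
# the request paths are taken from the sample list in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2019:10:01:12 +0000] "GET /wp-content/themes/sst-cafe/baer.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [02/Apr/2019:10:01:13 +0000] "GET /wp-includes/zwi-cofg.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.10 - - [02/Apr/2019:10:01:14 +0000] "GET /index.php?option=com_macgallery&view=download&albumid=../../configuration.php HTTP/1.1" 403 199 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Apr/2019:10:02:00 +0000] "GET /wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 200 1320 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [02/Apr/2019:10:02:30 +0000] "POST /administrator/components/com_extplorer/uploadhandler.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Apr/2019:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Detection rules: (label, regex over the request target). The file names and
# parameters come from the post's sample; the labels and grouping are assumed.
RULES = [
    ("probe_script", re.compile(r"/(baer|zwi-cofg|jss|up|wp-console)\.php$")),
    ("upload_handler", re.compile(r"uploadhandler\.php|uploadify\.php|/fileupload/|task=upload|view=upload")),
    ("readme_enum", re.compile(r"/wp-content/(plugins|themes)/[^/]+/(readme|changelog)\.txt$", re.I)),
    ("path_traversal", re.compile(r"\.\./|%2e%2e", re.I)),
]

def classify(target):
    """Return the labels of every rule the request target matches."""
    return [label for label, rx in RULES if rx.search(target)]

def scan(log_text):
    """Parse log lines; return {ip: Counter(label -> hits)} for IPs with any hit."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in the expected format
            continue
        for label in classify(m["path"]):
            hits[m["ip"]][label] += 1
    return dict(hits)

def block_candidates(hits, threshold=2):
    """IPs whose flagged-request total reaches the (assumed) threshold, sorted;
    this plays the role of the 'Violation count' in the block records below."""
    return sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print({ip: dict(c) for ip, c in found.items()}, block_candidates(found))
```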



32 thoughts on “OVH.com SAS: Hosting Botnets, Scrappers, Spammers and Hacking Scripts”

  1. Johannes de Sacrobosco says:

    #: 78532 @: Wed, 21 Dec 2016 08:14:40 -0500

    Host: 213.32.77.44

    IP: 213.32.77.44 (OVH SAS)

    Score: 1

    Violation count: 1

    Why blocked: Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website . com /wp-content/plugins/wysija-newsletters/readme.txt

  2. Johannes de Sacrobosco says:

    Host: ns311758.ip-188-165-207.eu

    IP: 188.165.207.133

    Score: 1

    Violation count: 1

    Why blocked: OVH Networks (ASN-16276-OVH-40).

    Query:

    Referer:

    User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11

    Reconstructed URL: hxxp : / / www [.] website.com [.] com /js/mage/cookies [.] js

    This is DEFINITELY Ovh.net

    https://apps.db.ripe.net/search/query.html?searchtext=188.165.207.133#resultsAnchor

    1. Johannes de Sacrobosco says:

      Those guys are a total joke. They didn’t reply about their IP (188.165.207.133) but about OUR IP (our site that was abused by their IP). They can’t even read a ticket properly and understand it! Or they spend something like 1 second reading it.

      They replied:

      Hello,

      Thank you for taking the time to contact the OVH Abuse Team, this message confirms that we did receive your report, and created the Abuse Ticket #XZLHQGTNCK to reference it.

      After a careful examination of the elements you communicated to us, it appears that the abusive behavior you’re reporting is not being perpetrated from an OVH IP.

      We suggest you contact the proper Abuse service that handles this IP range, which you’ll be able to find by using “whois” records. The whois service being public and free, several websites permit an easy access to it, such as hxxp : / /who [.] is for example (please note that this website is not affiliated to OVH).

      Your Abuse Ticket #XZLHQGTNCK is now closed.

    2. Johannes de Sacrobosco says:

      source: RIPE

      Responsible organisation: OVH SAS
      Abuse contact info: abuse@ovh.net

      inetnum: 188.165.192.0 – 188.165.255.255
      netname: OVH
      descr: OVH SAS
      descr: Dedicated Servers
      descr: http://www.ovh.com
      country: FR
      admin-c: OK217-RIPE
      tech-c: OTC2-RIPE
      status: ASSIGNED PA
      mnt-by: OVH-MNT
      created: 2009-12-18T15:48:40Z
      last-modified: 2009-12-18T15:48:40Z
      source: RIPE

      role: OVH Technical Contact
      address: OVH SAS
      address: 2 rue Kellermann
      address: 59100 Roubaix
      address: France
      e-mail: noc@ovh.net
      admin-c: OK217-RIPE
      tech-c: GM84-RIPE
      tech-c: SL10162-RIPE
      nic-hdl: OTC2-RIPE
      notify: noc@ovh.net
      abuse-mailbox: abuse@ovh.net
      mnt-by: OVH-MNT
      created: 2004-01-28T17:42:29Z
      last-modified: 2014-09-05T10:47:15Z

  3. Johannes de Sacrobosco says:

    #: 78448 @: Mon, 19 Dec 2016 14:46:31

    Host: proxy-109-190-254-7.ovh.net

    IP: 109.190.254.7

    Score: 141

    Violation count: 41

    Why blocked: Cloud Services. Not an access provider ISP. Allows IP hopping. (CLD-0210).

    Query:

    Referer:

    User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

    Reconstructed URL: http:// www . website. com /js/mage/cookies.js

  4. Johannes de Sacrobosco says:

    #: 78439 @: Mon, 19 Dec 2016 10:29:46 -0500

    Host: 158.69.71.193

    IP: 158.69.71.193 (OVH.com Canada)

    Score: 2

    Violation count: 1

    Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt

  5. Johannes de Sacrobosco says:

    #: 78430 @: Mon, 19 Dec 2016 06:16:58 -0500

    Host: 213.32.77.44

    IP: 213.32.77.44 (OVH SAS)

    Score: 11

    Violation count: 14

    Why blocked: OVH France – Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).

    Query:

    Referer:

    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
