OVH.com SAS: Hosting Botnets, Scrapers, Spammers and Hacking Scripts

Checking our logs from 2016 (and now from 2017 and 2018), we see thousands of hacking attempts from OVH SAS (yes, France again; what is going on with French hosting providers, I wonder). They mainly target WordPress sites, probing for vulnerable plugins and themes or trying to create spam accounts.

And this is no surprise. See what goes on at OVH.com, according to Spamhaus:

https://www.spamhaus.org/sbl/listings/ovh.net

So I think I will dedicate a few pages to this bad French (?) company, which has branches all over the world and claims to be the third-largest hosting company in the world. At some point we will (try to) block all their IPs (edit: not actually possible, because there are too many of them, now coming from several European countries, including the UK).

Here is a sample from their attacks (updated Apr 2019):

/wp-content/themes/sst-cafe/baer.php
/wp-content/themes/shunar/baer.php
wp-content/uploads/2019/03/baer.php
/wp-content/themes/kklo3/zwi-cofg.php
/wp-content/themes/psmag/baer.php
/wp-includes/pomo/jss.php
/wp-content/themes/webpoint/baer.php
/wp-content/zwi-cofg.php
/wp-includes/zwi-cofg.php
/wp-content/themes/web-point/baer.php
/wp-json/oembed/1.0/embed?url=*removed*
/components/com_jbcatalog/libraries/jsupload/server/php
/components/com_facileforms/libraries/jquery/uploadify.php
/administrator/components/com_extplorer/uploadhandler.php
/administrator/components/com_rokdownloads/assets/uploadhandler.php
/index.php?option=com_adsmanager&task=upload&tmpl=component
/index.php?option=com_jdownloads&Itemid=0&view=upload
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/components/com_sexycontactform/fileupload/
/components/com_facileforms/libraries/jquery/up.php
/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php
/index.php?option=com_macgallery&view=download&albumid=../../configuration.php
/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php
/admin/login.php
/wp-content/plugins/vegashero/settings/templates/operator-table.php
/wp-content/themes/twentyfifteen/genericons/wp-console.php
/wp-content/plugins/yellow-pencil-visual-theme-customizer/css/frame.css
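The paths above are not random: they are probes for files an attacker hopes were dropped earlier (baer.php, zwi-cofg.php, wp-console.php), for upload handlers of Joomla extensions, for traversal into configuration.php, and (as the comments below show) for plugin readme.txt files that reveal version numbers. The following script is an added example, not code from this site or from OVH: it parses Apache/nginx "combined" access-log lines, matches each request against signatures derived from the list above, counts hits per source IP and produces per-IP block commands, which is the per-incident blocking approach rather than blocking a whole provider. The log lines, the IP addresses (RFC 5737 documentation ranges) and the ban threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (constructed regex; adjust for custom formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Probe signatures derived from the paths listed on this page. Each pattern is
# matched against the full request target (path plus query string), so
# "$" anchors are written as "(\?|$)" to tolerate a trailing query string.
PROBE_SIGNATURES = [
    ("probe for dropped PHP file (baer.php, zwi-cofg.php, wp-console.php)",
     re.compile(r"/(baer|zwi-cofg|wp-console)\.php(\?|$)", re.I)),
    ("PHP file under wp-includes/pomo or wp-content/uploads",
     re.compile(r"/(wp-includes/pomo|wp-content/uploads)/.*\.php(\?|$)", re.I)),
    ("Joomla extension upload handler",
     re.compile(r"/(uploadhandler|uploadify|up)\.php(\?|$)|/fileupload/(\?|$)|task=upload|view=upload", re.I)),
    ("Joomla JCE image manager",
     re.compile(r"option=com_jce.*plugin=imgmanager", re.I)),
    ("configuration.php download / path traversal",
     re.compile(r"configuration\.php", re.I)),
    ("plugin or theme readme/changelog fingerprinting",
     re.compile(r"/wp-content/(plugins|themes)/[^/]+/(readme|changelog)\.txt(\?|$)", re.I)),
]

# Constructed sample log: one scanner hitting three probe paths, one version
# fingerprinter, one legitimate visitor and one line that is not a log record.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Dec/2016:22:13:39 -0500] "GET /wp-content/themes/sst-cafe/baer.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Dec/2016:22:13:40 -0500] "GET /wp-includes/zwi-cofg.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Dec/2016:22:13:41 -0500] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2016:21:57:31 -0500] "GET /wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [21/Dec/2016:19:49:00 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Dec/2016:19:49:02 -0500] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
this line is not a log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the name of the first probe signature matching the request target, or None."""
    for name, rx in PROBE_SIGNATURES:
        if rx.search(target):
            return name
    return None


def scan(lines, threshold=2):
    """Count probe hits per source IP.

    Returns {ip: {"hits": n, "kinds": set_of_signature_names, "ban": bool}}.
    An IP is flagged for banning once it reaches `threshold` probe hits
    (the threshold is an assumption for the example; tune it to your traffic).
    Unparseable lines and non-probe requests are ignored.
    """
    report = defaultdict(lambda: {"hits": 0, "kinds": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["target"])
        if kind is None:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["kinds"].add(kind)
    return {ip: {**entry, "ban": entry["hits"] >= threshold} for ip, entry in report.items()}


def ban_commands(report):
    """Emit one iptables DROP rule per IP flagged for banning (per-incident blocking)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, entry in sorted(report.items()) if entry["ban"]]


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for ip, entry in sorted(result.items()):
        print(ip, entry["hits"], sorted(entry["kinds"]), "BAN" if entry["ban"] else "watch")
    print("\n".join(ban_commands(result)))
```

Run it against a real access log with `scan(open("/var/log/apache2/access.log"))`; the first signature that matches wins, so put the most specific patterns first if you extend the list. The 404 status on probe hits is itself useful context (the file is not there, so the scanner is guessing), but a 200 on one of these paths is the case to investigate immediately, because it means the dropped file exists.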



32 thoughts on “OVH.com SAS: Hosting Botnets, Scrapers, Spammers and Hacking Scripts”

  1. Alessandro Cagliostro says:

    Not sure how we can block the whole IP ranges of OVH, since it seems that they are also providing ADSL services.

    Maybe we could block on a per-incident basis. Not easy and very time-consuming, but still we could limit the junk from their IPs.

  2. Johannes de Sacrobosco says:

    #: 73414 @: Wed, 21 Dec 2016 22:13:39 -0500
    Host: ns364967.ip-94-23-0.eu
    IP: 94.23.0.221
    Score: 1
    Violation count: 3 BANNED
    Why blocked: OVH Networks (ASN-16276-OVH-27).
    Query:
    Referer:
    User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0
    Reconstructed URL: http:// website . com /site/ backup /

  3. Johannes de Sacrobosco says:

    #: 78560 @: Wed, 21 Dec 2016 21:57:31 -0500
    Host: ip-213-32-72.eu
    IP: 213.32.72.115 – OVH France
    Score: 1
    Violation count: 1
    Why blocked: Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
    Query:
    Referer:
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt

  4. Johannes de Sacrobosco says:

    #: 78557 @: Wed, 21 Dec 2016 19:49:00 -0500
    Host: 150.ip-167-114-237.eu
    IP: 167.114.237.150 (OVH Hosting)
    Score: 2
    Violation count: 1
    Why blocked: OVH Networks (ASN-16276-OVH-36). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
    Query:
    Referer:
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Reconstructed URL: http:// www. website . com /wp-content/plugins/wysija-newsletters/readme.txt

  5. Johannes de Sacrobosco says:

    #: 78542 @: Wed, 21 Dec 2016 16:11:36 -0500
    Host: 158.69.71.193
    IP: 158.69.71.193
    Score: 2
    Violation count: 1
    Why blocked: OVH Networks (ASN-16276-OVH-34). Phishing a WordPress plugin or theme changelog or readme file is not allowed (QU-320).
    Query:
    Referer:
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Reconstructed URL: http:// www. website. com /wp-content/plugins/wysija-newsletters/readme.txt
