Return-Path: <takedown-response+81455276@netcraft.com>
Delivered-To: mshostin@s21.hosterpk.com
Received: from s21.hosterpk.com
by s21.hosterpk.com with LMTP
id cKa2AHMHcmnOAyIArcgM2A
(envelope-from <takedown-response+81455276@netcraft.com>)
for <mshostin@s21.hosterpk.com>; Thu, 22 Jan 2026 11:18:11 +0000
Return-path: <takedown-response+81455276@netcraft.com>
Envelope-to: support@ms-hostingladz.com
Delivery-date: Thu, 22 Jan 2026 11:18:11 +0000
Received: from mail-1c.netcraft.com ([52.31.138.216]:35113)
by s21.hosterpk.com with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.99.1)
(envelope-from <takedown-response+81455276@netcraft.com>)
id 1vishX-00000009LZg-2qoK
for support@ms-hostingladz.com;
Thu, 22 Jan 2026 11:18:10 +0000
Received: from walleye.netcraft.com (unknown [10.9.0.81])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by mail-1c.netcraft.com (Postfix) with ESMTPS id C199433CD
for <support@ms-hostingladz.com>; Thu, 22 Jan 2026 11:17:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
s=default202405-yu9bqteb95aqcfpg; t=1769080646;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=FB3zgFtoFigIoR6BYlwk+wTlJq8YntCBXC9v7+ug758=;
b=gLcbHvt5iPT68iPPu/kus4UkPo6Rmzn0gbUdQeLR9k9KeULb7sysJr21hYu5RniL/3quiL
FZHckEIHxnzJl8mLUDc05+fFqVLYGtHQOcJQzrjxP8E9Yi3Cn+3kx+UT4HUI12bGW4cjlJ
R9LtQDmibDIbCvuVoe035KZpT5BswZT7hpPrGrDP0n22uHRlz4wRh8V6fgLDv/rk9kAxfU
bfLWkC1m/yGdz2a+bDpt1HfQerTinKrFbWyfUMMLTaYYHTRInWDhXi875XoCPz6L3H2SfC
Rnx+lDsI4D7BhNsQSmZyLZMg3zSqqgG43vIlUsXqrFNbNlqr7q/S2tkicdR+1w==
Received: by walleye.netcraft.com (Postfix, from userid 507)
id BEC6D1194; Thu, 22 Jan 2026 11:17:26 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_17690806461497525508"; report-type="feedback-report"
MIME-Version: 1.0
Date: Thu, 22 Jan 2026 11:17:26 +0000
From: Netcraft Takedown Service <takedown-response+81455276@netcraft.com>
Subject: Issue 81455276: Malicious web shell at hxxps://recovery.meta.verify.ms-hostingladz[.]com/hindberry.php
To: support@ms-hostingladz.com
Message-Id: <e0bc8d2e16116e8b2dc2cf4d591f75f1@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=3.7
X-Spam-Score: 37
X-Spam-Bar: +++
X-Ham-Report: Spam detection software, running on the system "s21.hosterpk.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: _____ __ __ ______ ___ __ __ __ __
___ ___ __ ___ ______ __ ____ ___ ___ ____
___ __ ___ __: hxxps://recovery.meta.verify.ms-hostingladz[.]com/hindberry.php
[64.31.22.34]
Content analysis details: (3.7 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The
query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[52.31.138.216 listed in sa-trusted.bondedsender.org]
0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[52.31.138.216 listed in bl.score.senderscore.com]
0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[52.31.138.216 listed in sa-accredit.habeas.com]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URI: xarf.org]
[URI: netcraft.com]
0.0 URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to
dbl.spamhaus.org was blocked due to usage of an
open resolver. See
https://www.spamhaus.org/returnc/pub/
[URI: netcraft.com]
[URI: incident.netcraft.com]
[URI: www.xarf.org]
0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to
zen.spamhaus.org was blocked due to usage of an
open resolver. See
https://www.spamhaus.org/returnc/pub/
[52.31.138.216 listed in zen.spamhaus.org]
6.2 RCVD_IN_MSPIKE_L5 RBL: Very bad reputation (-5)
[52.31.138.216 listed in bl.mailspike.net]
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,
medium trust
[52.31.138.216 listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 RCVD_IN_MSPIKE_BL Mailspike blocklisted
X-Spam-Flag: NO
This is a multi-part message in MIME format.
--_----------=_17690806461497525508
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
ہیلو،
ہم نے دریافت کیا ہے کہ آپ کے نیٹ ورک پر ایک بدنیتی پر مبنی ویب شیل ہوسٹ کیا جا رہا ہے:
hxxps://recovery.meta.verify.ms-hostingladz[.]com/hindberry.php [64.31.22.34]
ویب شیل اسکرپٹ ہیں جو حملہ آوروں کو ریموٹ رسائی حاصل کرنے کے لیے سمجھوتہ کرنے والے ویب سرورز پر اپ لوڈ کرتے ہیں۔ جب ویب براؤزر کا استعمال کرتے ہوئے رسائی حاصل کی جاتی ہے تو، ویب شیل حملہ آوروں کو فائلیں اپ لوڈ کرنے، سرور پر من مانی احکامات پر عمل درآمد کرنے اور سپیم بھیجنے کی اجازت دے سکتے ہیں۔ ویب شیل اکثر سمجھوتہ شدہ سرور پر فشنگ یا میلویئر اٹیک بنانے کے لیے استعمال ہوتے ہیں۔
حملہ آور اکثر ویب شیل کو سومی صفحات کے طور پر چھپانے کی کوشش کرتے ہیں۔ عام تکنیکوں میں جعلی 404 صفحہ واپس کرنا اور صفحہ پر موجود ویب شیل ان پٹ فیلڈز کو پوشیدہ بنانا شامل ہے۔ براہ کرم چیک کریں کہ حملہ آور اس رپورٹ کو مسترد کرنے سے پہلے ویب شیل کو چھپانے کی کوشش نہیں کر رہا ہے۔
پتہ چلا مسئلہ کے بارے میں مزید معلومات پر فراہم کی گئی ہے۔ https://incident.netcraft.com/reports/e36ix277usbaurcoj2xjfv
API ﺱپﻭﺭٹ ﺱﻡیﺕ ﻡﺯیﺩ ﺕﻑﺹیﻻﺕ کے ﻝیے https://incident.netcraft.com/about ﺩیکھیں۔
آداب،
Netcraft
فون: +44(0)1225 447500
فیکس: +44(0)1225 448600
نیٹ کرافٹ کا شمارہ نمبر: 81455276
اس حملے سے متعلق اپ ڈیٹس کے بارے میں ہم سے رابطہ کرنے کے لیے، براہ کرم اس ای میل کا جواب دیں۔ براہ کرم نوٹ کریں: اس پتے کے جوابات لاگ کیے جائیں گے، لیکن ہمیشہ پڑھے نہیں جاتے۔ اگر آپ کو لگتا ہے کہ آپ کو یہ ای میل غلطی سے موصول ہوئی ہے، یا آپ کو مزید تعاون کی ضرورت ہے، تو براہ کرم رابطہ کریں: support@netcraft.com۔
اس میل کو x-arf ٹولز سے پارس کیا جا سکتا ہے۔ x-arf کے بارے میں مزید معلومات کے لیے http://www.xarf.org/ پر جائیں۔
-------------------
Hello,
We have discovered a malicious web shell being hosted on your network:
hxxps://recovery.meta.verify.ms-hostingladz[.]com/hindberry.php [64.31.22.34]
Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.
Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.
More information about the detected issue is provided at https://incident.netcraft.com/reports/e36ix277usbaurcoj2xjfv
See https://incident.netcraft.com/about for more details including API support.
Kind regards,
Netcraft
Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 81455276
To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.
This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_17690806461497525508
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 22 Jan 2026 11:17:26 +0000
Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_17690806461497525508
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 22 Jan 2026 11:17:26 +0000
eyJWZXJzaW9uIjoiMSIsIkRpc2Nsb3N1cmUiOnRydWUsIlJlcG9ydGVySW5mbyI6eyJSZXBvcnRl
ck9yZyI6Ik5ldGNyYWZ0IiwiUmVwb3J0ZXJPcmdEb21haW4iOiJuZXRjcmFmdC5jb20iLCJSZXBv
cnRlck9yZ0VtYWlsIjoidGFrZWRvd24tcmVzcG9uc2UrODE0NTUyNzZAbmV0Y3JhZnQuY29tIn0s
IlJlcG9ydCI6eyJTb3VyY2VJcCI6IjY0LjMxLjIyLjM0IiwiUmVwb3J0Q2xhc3MiOiJDb250ZW50
IiwiRGF0ZSI6IjIwMjYtMDEtMjJUMTE6MTY6NTRaIiwiU291cmNlVXJsIjoiaHR0cHM6Ly9yZWNv
dmVyeS5tZXRhLnZlcmlmeS5tcy1ob3N0aW5nbGFkei5jb20vaGluZGJlcnJ5LnBocCIsIlJlcG9y
dGVyQ2FzZUlEIjoiODE0NTUyNzYiLCJSZXBvcnRUeXBlIjoiTWFsd2FyZSIsIlJlcG9ydGVyTm90
ZXMiOiJTZWUgaHR0cHM6Ly9pbmNpZGVudC5uZXRjcmFmdC5jb20vcmVwb3J0cy9lMzZpeDI3N3Vz
YmF1cmNvajJ4amZ2IGZvciBtb3JlIGluZm9ybWF0aW9uIn0sIk9uQmVoYWxmT2YiOnsiQ29tcGxh
aW5hbnRPcmdEb21haW4iOiJ3d3cubWFzdGVyY2FyZC5jb20iLCJDb21wbGFpbmFudE9yZyI6Ik1h
c3RlckNhcmQiLCJDb21wbGFpbmFudE9yZ0VtYWlsIjoidGFrZWRvd24tcmVzcG9uc2UrODE0NTUy
NzZAbmV0Y3JhZnQuY29tIn19
--_----------=_17690806461497525508--