/home2/mshostin/mail/new/1775705273.M602873P1023325.s21.hosterpk.com,S=13036,W=13251
Return-Path: <takedown-response+82350791@netcraft.com>
Delivered-To: mshostin@s21.hosterpk.com
Received: from s21.hosterpk.com
	by s21.hosterpk.com with LMTP
	id CmYDIbkc12ldnQ8ArcgM2A
	(envelope-from <takedown-response+82350791@netcraft.com>)
	for <mshostin@s21.hosterpk.com>; Thu, 09 Apr 2026 03:27:53 +0000
Return-path: <takedown-response+82350791@netcraft.com>
Envelope-to: webmaster@ms-hostingladz.com
Delivery-date: Thu, 09 Apr 2026 03:27:53 +0000
Received: from mail-1c.netcraft.com ([52.31.138.216]:46441)
	by s21.hosterpk.com with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
	(Exim 4.99.1)
	(envelope-from <takedown-response+82350791@netcraft.com>)
	id 1wAg3a-00000004Hbi-1XxT
	for webmaster@ms-hostingladz.com;
	Thu, 09 Apr 2026 03:27:53 +0000
Received: from walleye.netcraft.com (unknown [10.9.0.81])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mail-1c.netcraft.com (Postfix) with ESMTPS id E534B4D97
	for <webmaster@ms-hostingladz.com>; Thu,  9 Apr 2026 03:27:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default202405-yu9bqteb95aqcfpg; t=1775705226;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=xNDABeZFPQfj4Bow6reb06YidwlvW2eTBtt9Z9J3lD8=;
	b=pAMB+B2r+03ir26rvUfpqzeKiOfreYa/SHKH3uOvmmV42/QeiDgPg/CZAtCuG9Pnmu/4k4
	9HeJwrEJNDB++ICgEaCbRfeP9dRt+ix6v5d3AnK95WA0ivD+Aq2i/FWIw4JjW8ibSyy7cu
	35DkOuCBvcQscMHuD72xsMtC1XG0/C53ATibwKDkrzwFxKSFNclCbDGYHZy5gGsbDt4ocj
	EFXe5On2By8lNvo6tj/qC6hXJzANOpdA09IjIDNyBQ0IID1/RbDOLaPwbOrxrQxoPvNMFG
	BqWf5oYn1K3gvYQ7tQXavwu5XxXhFlo7O6taOe8ecbzhCU5LCtaXuV1kT8Mzaw==
Received: by walleye.netcraft.com (Postfix, from userid 507)
	id E21FB1E40; Thu,  9 Apr 2026 03:27:06 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_1775705226246351674"; report-type="feedback-report"
MIME-Version: 1.0
Date: Thu, 9 Apr 2026 03:27:06 +0000
From: Netcraft Takedown Service <takedown-response+82350791@netcraft.com>
Subject: Issue 82350791: Malicious web shell at hxxp://mail.ms-hostingladz[.]com/gh/hh.php
To: webmaster@ms-hostingladz.com
Message-Id: <69b936828160082429dae499ff138436@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "s21.hosterpk.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  _____ __ __ ______ ___ __ __ __ __
    ___ ___ __ ___ ______ __ ____ ___ ___ ____
    ___ __ ___ __: hxxp://mail.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]
    hxxp://recovery.meta.verify.ms-hostingladz[.]com/gh/ [64.31.22.34] hxxps://verify.netflix.ms-hostingladz[.]com/gh/
    [64.31.22.34] hxxps://recove [...] 
 Content analysis details:   (-0.2 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to
                             zen.spamhaus.org was blocked due to usage of an
                              open resolver. See
                             https://www.spamhaus.org/returnc/pub/
                             [52.31.138.216 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
                              Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in sa-accredit.habeas.com]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to
                              Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in bl.score.senderscore.com]
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                          [52.31.138.216 listed in sa-trusted.bondedsender.org]
  0.0 RCVD_IN_DNSWL_BLOCKED  RBL: ADMINISTRATOR NOTICE: The query to DNSWL
                             was blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block
                              for more information.
                             [52.31.138.216 listed in list.dnswl.org]
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URI: netcraft.com]
                             [URI: xarf.org]
  0.0 URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to
                             dbl.spamhaus.org was blocked due to usage of an
                              open resolver. See
                             https://www.spamhaus.org/returnc/pub/
                             [URI: netcraft.com]
                             [URI: www.xarf.org]
                             [URI: incident.netcraft.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                             domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_1775705226246351674
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

ہیلو،

ہم نے دریافت کیا ہے کہ آپ کے نیٹ ورک پر ایک بدنیتی پر مبنی ویب شیل ہوسٹ کیا جا رہا ہے:

hxxp://mail.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]
hxxp://recovery.meta.verify.ms-hostingladz[.]com/gh/ [64.31.22.34]
hxxps://verify.netflix.ms-hostingladz[.]com/gh/ [64.31.22.34]
hxxps://recovery.meta.verify.ms-hostingladz[.]com/gh/ [64.31.22.34]
hxxps://recovery.meta.verify.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]
hxxps://verify.netflix.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]

ویب شیل اسکرپٹ ہیں جو حملہ آوروں کو ریموٹ رسائی حاصل کرنے کے لیے سمجھوتہ کرنے والے ویب سرورز پر اپ لوڈ کرتے ہیں۔ جب ویب براؤزر کا استعمال کرتے ہوئے رسائی حاصل کی جاتی ہے تو، ویب شیل حملہ آوروں کو فائلیں اپ لوڈ کرنے، سرور پر من مانی احکامات پر عمل درآمد کرنے اور سپیم بھیجنے کی اجازت دے سکتے ہیں۔ ویب شیل اکثر سمجھوتہ شدہ سرور پر فشنگ یا میلویئر اٹیک بنانے کے لیے استعمال ہوتے ہیں۔

حملہ آور اکثر ویب شیل کو سومی صفحات کے طور پر چھپانے کی کوشش کرتے ہیں۔ عام تکنیکوں میں جعلی 404 صفحہ واپس کرنا اور صفحہ پر موجود ویب شیل ان پٹ فیلڈز کو پوشیدہ بنانا شامل ہے۔ براہ کرم چیک کریں کہ حملہ آور اس رپورٹ کو مسترد کرنے سے پہلے ویب شیل کو چھپانے کی کوشش نہیں کر رہا ہے۔

اس مسئلے کے بارے میں ہم نے پہلے آپ سے 2026-02-10 06:52:27 (UTC) پر رابطہ کیا تھا۔
ہماری آخری اطلاع کے بعد سے، درج ذیل اضافی URL(ز) کا پتہ چلا ہے:

hxxp://mail.ms-hostingladz[.]com/gh/hh.php

پتہ چلا مسئلہ کے بارے میں مزید معلومات پر فراہم کی گئی ہے۔ https://incident.netcraft.com/reports/4k37lytsjqhytdlcb5jjuw
API ﺱپﻭﺭٹ ﺱﻡیﺕ ﻡﺯیﺩ ﺕﻑﺹیﻻﺕ کے ﻝیے https://incident.netcraft.com/about ﺩیکھیں۔

آداب،

Netcraft

فون: +44(0)1225 447500
فیکس: +44(0)1225 448600
نیٹ کرافٹ کا شمارہ نمبر: 85568927

اس حملے سے متعلق اپ ڈیٹس کے بارے میں ہم سے رابطہ کرنے کے لیے، براہ کرم اس ای میل کا جواب دیں۔ براہ کرم نوٹ کریں: اس پتے کے جوابات لاگ کیے جائیں گے، لیکن ہمیشہ پڑھے نہیں جاتے۔ اگر آپ کو لگتا ہے کہ آپ کو یہ ای میل غلطی سے موصول ہوئی ہے، یا آپ کو مزید تعاون کی ضرورت ہے، تو براہ کرم رابطہ کریں: support@netcraft.com۔

اس میل کو x-arf ٹولز سے پارس کیا جا سکتا ہے۔ x-arf کے بارے میں مزید معلومات کے لیے http://www.xarf.org/ پر جائیں۔
-------------------
Hello,

We have discovered a malicious web shell being hosted on your network:

hxxp://mail.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]
hxxp://recovery.meta.verify.ms-hostingladz[.]com/gh/ [64.31.22.34]
hxxps://verify.netflix.ms-hostingladz[.]com/gh/ [64.31.22.34]
hxxps://recovery.meta.verify.ms-hostingladz[.]com/gh/ [64.31.22.34]
hxxps://recovery.meta.verify.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]
hxxps://verify.netflix.ms-hostingladz[.]com/gh/hh.php [64.31.22.34]

Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.

Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.

We previously contacted you about this issue on 2026-02-10 06:52:27 (UTC).
Since our last notification, the following additional URL(s) have been detected:

hxxp://mail.ms-hostingladz[.]com/gh/hh.php

More information about the detected issue is provided at https://incident.netcraft.com/reports/4k37lytsjqhytdlcb5jjuw
See https://incident.netcraft.com/about for more details including API support.

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 85568927

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_1775705226246351674
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 9 Apr 2026 03:27:06 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_1775705226246351674
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 9 Apr 2026 03:27:06 +0000

eyJEaXNjbG9zdXJlIjp0cnVlLCJSZXBvcnQiOnsiUmVwb3J0VHlwZSI6Ik1hbHdhcmUiLCJSZXBv
cnRlck5vdGVzIjoiU2VlIGh0dHBzOi8vaW5jaWRlbnQubmV0Y3JhZnQuY29tL3JlcG9ydHMvNGsz
N2x5dHNqcWh5dGRsY2I1amp1dyBmb3IgbW9yZSBpbmZvcm1hdGlvbiIsIlNvdXJjZVVybCI6Imh0
dHA6Ly9tYWlsLm1zLWhvc3RpbmdsYWR6LmNvbS9naC9oaC5waHAiLCJSZXBvcnRlckNhc2VJRCI6
Ijg1NTY4OTI3IiwiU291cmNlSXAiOiI2NC4zMS4yMi4zNCIsIkRhdGUiOiIyMDI2LTA0LTA5VDAz
OjIyOjM1WiIsIlJlcG9ydENsYXNzIjoiQ29udGVudCIsIkZpcnN0U2VlbiI6IjIwMjYtMDQtMDlU
MDM6MDU6NTZaIn0sIlJlcG9ydGVySW5mbyI6eyJSZXBvcnRlck9yZ0VtYWlsIjoidGFrZWRvd24t
cmVzcG9uc2UrODIzNTA3OTFAbmV0Y3JhZnQuY29tIiwiUmVwb3J0ZXJPcmdEb21haW4iOiJuZXRj
cmFmdC5jb20iLCJSZXBvcnRlck9yZyI6Ik5ldGNyYWZ0In0sIlZlcnNpb24iOiIxIn0=

--_----------=_1775705226246351674--
Path: home2/mshostin/mail/new