IP : 216.73.216.26
Hostname : server.wtmmart.in
Kernel : Linux server.wtmmart.in 4.18.0-553.45.1.el8_10.x86_64 #1 SMP Wed Mar 19 09:44:46 EDT 2025 x86_64
Disable Function : exec,passthru,shell_exec,system
OS : Linux
PATH: /home2/wtmwscom/mail/.spam/cur/1767026754.M475792P3125473.server.wtmmart.in,S=8667,W=8826:2,a
Return-Path: <takedown-response+80201260@netcraft.com>
Delivered-To: wtmwscom+spam@server.wtmmart.in
Received: from server.wtmmart.in by server.wtmmart.in with LMTP
    id JbgtHEKwUmnhsC8As1bmeQ
    (envelope-from <takedown-response+80201260@netcraft.com>)
    for <wtmwscom+spam@server.wtmmart.in>; Mon, 29 Dec 2025 22:15:54 +0530
Return-path: <takedown-response+80201260@netcraft.com>
Envelope-to: webmaster@wtmwebshop.com
Delivery-date: Mon, 29 Dec 2025 22:15:54 +0530
Received: from mail-1c.netcraft.com ([52.31.138.216]:39197)
    by server.wtmmart.in with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.99)
    (envelope-from <takedown-response+80201260@netcraft.com>)
    id 1vaGNV-0000000D5cx-1pSk
    for webmaster@wtmwebshop.com; Mon, 29 Dec 2025 22:15:54 +0530
Received: from walleye.netcraft.com (unknown [10.9.0.81])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by mail-1c.netcraft.com (Postfix) with ESMTPS id 49ED64027
    for <webmaster@wtmwebshop.com>; Mon, 29 Dec 2025 16:38:28 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
    s=default202405-yu9bqteb95aqcfpg; t=1767026308;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
    to:to:cc:mime-version:mime-version:content-type:content-type:
    content-transfer-encoding:content-transfer-encoding;
    bh=ykaF9DbMCNb15vHwkExabryDkks6mT8rxx1zUwcH+E4=;
    b=ErVWTW9ebF8+2rQnGIiL7hmfpdkNsgyazi4MHin3IwbhiHyphcRi72yxP7100eTQYbM+ka
    jHONoQF8+UG798P5oJlMvch5CKGgnAu6dtI1KZoYHd5k4jVGtadW4Dfsod85svSawu74M9
    kSQ9dRhq94Z0tjqahFqLMdjG0Fg2HyWR9QXyByGKXHjtyIN8Wj+MviUQ6A07K7lo2sGnyL
    BPA7/cJ07dsl1oOWzEEwyGjXWC0i7JJESAGPsyjXKwLuW66Y2cXhmRpVI7CIuwost/2PLP
    M9OYv6m7Y+sybnK11P23tzcuyHIWh1gdvDMPZMhJNAMUn3JH67A9ygnxjeiTgQ==
Received: by walleye.netcraft.com (Postfix, from userid 507)
    id 46931D54; Mon, 29 Dec 2025 16:38:28 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report;
    boundary="_----------=_17670263087422819499"; report-type="feedback-report"
MIME-Version: 1.0
Date: Mon, 29 Dec 2025 16:38:28 +0000
From: Netcraft Takedown Service <takedown-response+80201260@netcraft.com>
To: webmaster@wtmwebshop.com
Message-Id: <9f86709f4d3aab456fbaa2cc18e4aae5@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: Yes, score=8.5
X-Spam-Score: 85
X-Spam-Bar: ++++++++
X-Spam-Report: Spam detection software, running on the system "server.wtmmart.in",
    has identified this incoming email as possible spam. The original
    message has been attached to this so you can view it or label
    similar future email. If you have any questions, see
    root\@localhost for details.

    Content preview: Hello, We have discovered a malicious web shell being hosted
    on your network: hxxp://themes3927.wtmwebshop[.]com/assets/images/km2.php
    [23.111.182.98]

    Content analysis details: (8.5 points, 5.0 required)

    pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked.
        See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block
        for more information.
        [52.31.138.216 listed in list.dnswl.org]
    4.5 RCVD_IN_MSPIKE_L4 RBL: Bad reputation (-4)
        [52.31.138.216 listed in bl.mailspike.net]
    0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked.
        See https://knowledge.validity.com/hc/en-us/articles/20961730681243
        for more information.
        [52.31.138.216 listed in bl.score.senderscore.com]
    0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked.
        See https://knowledge.validity.com/hc/en-us/articles/20961730681243
        for more information.
        [52.31.138.216 listed in sa-accredit.habeas.com]
    0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked.
        See https://knowledge.validity.com/hc/en-us/articles/20961730681243
        for more information.
        [52.31.138.216 listed in sa-trusted.bondedsender.org]
    -0.0 SPF_PASS SPF: sender matches SPF record
    -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain
    -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
    -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
    0.0 RCVD_IN_MSPIKE_BL Mailspike blocklisted
    1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    2.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        [cf: 100]
X-Spam-Flag: YES
Subject: ***SPAM*** Issue 80201260: Malicious web shell at hxxp://themes3927.wtmwebshop[.]com/assets/images/km2.php

This is a multi-part message in MIME format.

--_----------=_17670263087422819499
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Hello,

We have discovered a malicious web shell being hosted on your network:

hxxp://themes3927.wtmwebshop[.]com/assets/images/km2.php [23.111.182.98]

Web shells are scripts that attackers upload to compromised web-servers in order to gain remote access. When accessed using a web browser, web shells can allow attackers to upload files, execute arbitrary commands on the server, and send spam. Web shells are often used to create phishing or malware attacks on the compromised server.

Attackers often attempt to disguise web shells as benign pages. Common techniques include returning a fake 404 page and making the web shell input fields on the page invisible. Please check the attacker is not attempting to hide the web shell before dismissing this report.

More information about the detected issue is provided at https://incident.netcraft.com/reports/4wblbixbsnudsqcjxjb6xy

See https://incident.netcraft.com/about for more details including API support.

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 80201260

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.

--_----------=_17670263087422819499
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Mon, 29 Dec 2025 16:38:28 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1

--_----------=_17670263087422819499
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Mon, 29 Dec 2025 16:38:28 +0000

--_----------=_17670263087422819499--