Re: ***SPAM*** Re:Buy cheap meds
Hi,
Me again.
I took a tally of one of my email addresses that gets a lot of junk (over 11k+ mails and counting!)

[Image: ykcB6HK.png]

Anyway, as you can see, there is one that comes up fairly often in the list of subjects:
medications. ☤
I started collecting their emails back in September 2015.

Typical example of a sample:
Code :
Return-path: <qrcxhemni@chtudvypy.nyeyou.com>
Envelope-to: **************
Delivery-date: Wed, 30 Dec 2015 02:24:52 -0300
Received: from [78.189.138.89] (port=61470 helo=chtudvypy.nyeyou.com)
    by cpanel7.wnpower.com with esmtp (Exim 4.86)
    (envelope-from <qrcxhemni@chtudvypy.nyeyou.com>)
    id 1aE9Fb-0002U7-Jl
    for **************; Wed, 30 Dec 2015 02:24:52 -0300
Received: from localhost (127.0.0.1) by chtudvypy.nyeyou.com id h65l5p68aax for <**************>; Wed, 30 Dec 2015 06:24:58 +0100 (envelope-from <qrcxhemni@chtudvypy.nyeyou.com>)
From: "ViagraNowCanadianaaaaaaaaaeeww" <qrcxhemni@chtudvypy.nyeyou.com>
Precedence: Normal
To: <xylitol@malwareint.com>
Date: Wed, 30 Dec 2015 06:24:58 +0100
MIME-version: 1.0
Content-Type: text/html
X-Spam-Status: Yes, score=12.5
X-Spam-Score: 125
X-Spam-Bar: ++++++++++++
X-Spam-Report: Spam detection software, running on the system "cpanel7.wnpower.com",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
root\@localhost for details.

Content preview:  click heres [...]

Content analysis details:   (12.5 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.6 HK_NAME_DRUGS          From name contains drugs
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: thehenkka.com]
  0.0 T_SPF_HELO_TEMPERROR   SPF: test of HELO record failed (temperror)
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5707]
  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                             above 50%
                             [cf: 100]
  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  0.9 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  1.6 MISSING_MID            Missing Message-Id: header
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                             anti-forgery methods
  2.5 KAM_LINKBAIT           Short messages containing little more than a link, from
                             a domain with no security in place
X-Spam-Flag: YES
Subject: ***SPAM*** Special prices


<html>
<body>
<br>
<a href="http://thehenkka.com/skin/frontend/default/grayscale/images/slider/join.html">
click heres
</a><p>
</body>
</html>

The mails I catch pretty much all look like this: the Return-path and the sender are randomized, the sending servers are burned everywhere, it's really low-quality spam sent by the million, these guys go for volume.
[Image: eh6jT8v.png]

As for the message content, it's always the same thing: just a link to a compromised site that acts as a gateway to pharmacies.
Sometimes the message changes a bit, with an Avast footer.
Code :
<html>
<body>
<a href="http://iriosystems.com/phpMyAdmin/libraries/plugins/import/upload/w1.html">
clicks here
</a>
<br><br>

<br /><br />
<hr style='border:none; color:#909090; background-color:#B0B0B0; height: 1px; width: 99%;' />
<table style='border-collapse:collapse;border:none;'>
    <tr>
        <td style='border:none;padding:0px 15px 0px 8px'>
            <a href="http://www.avast.com/">
                <img border=0 src="http://static.avast.com/emails/avast-mail-stamp.png" alt="Avast logo" />
            </a>
        </td>
        <td>
            <p style='color:#3d4d5a; font-family:"Calibri","Verdana","Arial","Helvetica"; font-size:12pt;'>
                This email has been checked for viruses by Avast antivirus software.
                <br><a href="http://www.avast.com/">www.avast.com</a>
            </p>
        </td>
    </tr>
</table>
<br />
</body>
</html>
or YAC:
Code :
<html>
<body><p></p>
<a href="http://guarantee-travel.com/wp-content/plugins/envato-wordpress-toolkit-master/assets/js/s1.html">
click here#
</a>
<div style="position:absolute;margin:15px 0 0 0px;
padding-top:10px;padding-right:15px;min-width:350px;
border-top:1px solid #ccc;font-size:12px; color: #333;
font-family:arial,'Hiragino Sans GB',Tahoma,Helvetica,STHeiti;
">This email has been protected by YAC (Yet Another Cleaner)
<a href="http://www.yac.mx?source=email" style="display:block;padding-top:5px;
color:#2bafed;text-decoration:none;">www.yac.mx</a></div></body>
</html>

As for the link they're trying to get you to click, it's just an HTML redirect page:
Code :
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://familydrugsreward.ru">

What do all these sites have in common?
Generally they are outdated CMSes such as WordPress, and a backdoor is also present.
Here is a short list of compromised sites used in the spam that answered HTTP 200.
85+ different sites that responded positively to a backdoor, most of them being domains used in spam dating from December.

Spammers generally use software of the "shell enslaver" kind;
it looks like this:
[Image: QyQF6yM.png]

It's a backdoor manager; it lets them mass-upload their pharmacy redirect pages to the compromised sites.
It also lets them see the sites' PageRank, whether the shell is still alive, make doorways, that kind of thing.

A few pharmacy domains, in no particular order:
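As an added example (not code from the original post), a small Python triage script for the chain described above: it reads the SpamAssassin verdict and rule table out of a captured message, pulls the links from the HTML body, and reads the META REFRESH destination of a fetched redirect page without touching the network. The mail and redirect page are constructed copies trimmed from the samples in the post; the recipient header is omitted.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
# Constructed sample, trimmed from the headers and body quoted in the post (recipient omitted).
SAMPLE_MAIL = """\
From: "ViagraNowCanadianaaaaaaaaaeeww" <qrcxhemni@chtudvypy.nyeyou.com>
Subject: ***SPAM*** Special prices
X-Spam-Status: Yes, score=12.5
X-Spam-Report: Spam detection software has identified this incoming email as possible spam.
   0.6 HK_NAME_DRUGS          From name contains drugs
   1.6 MISSING_MID            Missing Message-Id: header
   2.5 KAM_LINKBAIT           Short messages containing little more than a link
X-Spam-Flag: YES
Content-Type: text/html

<html><body><br><a href="http://thehenkka.com/skin/frontend/default/grayscale/images/slider/join.html">
click heres</a><p></body></html>
"""
# Constructed copy of the one-line redirect page shown in the post.
REDIRECT_PAGE = '<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=http://familydrugsreward.ru">'
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s", re.M)  # one "pts RULE_NAME" row

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs, self.refresh = [], None  # <a href> targets, <meta refresh> destination

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.match(r"\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            self.refresh = m.group(1) if m else None

def meta_refresh_target(html):
    """Where a fetched redirect page forwards the victim to, or None if it is not a redirect."""
    p = LinkParser()
    p.feed(html)
    return p.refresh

def triage(raw_mail, threshold=5.0):
    """SpamAssassin verdict, triggered rules with their points, and body links of one message."""
    msg = message_from_string(raw_mail)
    m = re.search(r"score=(-?\d+\.\d+)", msg.get("X-Spam-Status", ""))
    score = float(m.group(1)) if m else 0.0
    rules = {name: float(pts) for pts, name in RULE_RE.findall(msg.get("X-Spam-Report", ""))}
    p = LinkParser()
    p.feed(msg.get_payload())
    return {"score": score, "is_spam": score >= threshold, "rules": rules, "links": p.hrefs}
```

Feeding the links returned by `triage` into `meta_refresh_target` on the pages you retrieve gives the final pharmacy domain for each message, which is what you want to block or report rather than the ever-changing compromised hosts.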