A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17593  by Xylitol
 Fri Jan 04, 2013 2:20 pm
Hello, dumped a PHP Shell from an infected server, WSO is used mainly to lead on phishings.
https://www.virustotal.com/file/48e112f ... 357306542/ 25/46
Phishing rotator (have a look on comments): https://www.virustotal.com/url/9238bac1 ... 357302288/
Pics:
Image Image
The shell can also have a password protection sometime:
Image
Safe mode off and outdated wordpress they don't need more...
Image
Got the log file also i hope i will find something cool :)
Attachments
infected
(18.18 KiB) Downloaded 113 times
 #17603  by Xylitol
 Fri Jan 04, 2013 6:08 pm
Dunno, logs don't really talk about how, here are some connections i suspect 88.198.254.193
Code: Select all
Hacker (Behind a Germany proxy)

28 Nov:
88.198.254.193 - - [28/Nov/2012:12:22:57 +0000] "GET /.idx.php HTTP/1.0" 200 896 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:48:05 +0000] "POST /.idx.php HTTP/1.0" 200 862 "http://fluidsurveys.si/.idx.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:48:20 +0000] "GET /tump.php HTTP/1.0" 200 5214 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:49:52 +0000] "GET /.index1.php HTTP/1.0" 200 1216 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:50:44 +0000] "GET /index.php HTTP/1.0" 302 352 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:50:46 +0000] "POST /accounts/checklogin/ HTTP/1.0" 200 494 "http://fluidsurveys.si/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:53:25 +0000] "POST /tump.php HTTP/1.0" 200 6971 "http://fluidsurveys.si/tump.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:12:57:42 +0000] "GET /wp-admin/new.php HTTP/1.0" 200 6996 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:04:15 +0000] "POST /wp-admin/includes/wpupdate.php HTTP/1.0" 200 5690 "http://fluidsurveys.si/wp-admin/includes/wpupdate.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:04:41 +0000] "GET /wp-admin/js.php HTTP/1.0" 404 594 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:09:09 +0000] "POST /wp-includes/js/js.php HTTP/1.0" 200 3735 "http://fluidsurveys.si/wp-includes/js/js.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:09:32 +0000] "GET /wp-includes/pomo/co.php HTTP/1.0" 200 3724 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:09:57 +0000] "POST /wp-includes/pomo/co.php HTTP/1.0" 200 6713 "http://fluidsurveys.si/wp-includes/pomo/co.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:10:59 +0000] "POST /wp-includes/Text/Diff/Renderer/online.php HTTP/1.0" 200 6724 "http://fluidsurveys.si/wp-includes/Text/Diff/Renderer/online.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:12:20 +0000] "GET /load.php HTTP/1.0" 200 5035 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [28/Nov/2012:13:47:27 +0000] "POST /wp-includes/js/send.php HTTP/1.0" 302 288 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"

29 Nov:
88.198.254.193 - - [29/Nov/2012:06:42:18 +0000] "POST /1.php HTTP/1.0" 200 2086 "http://fluidsurveys.si/1.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [29/Nov/2012:06:46:04 +0000] "GET /c99.php HTTP/1.0" 200 7109 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [29/Nov/2012:06:48:48 +0000] "POST /2.php HTTP/1.0" 200 1063 "http://fluidsurveys.si/2.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [29/Nov/2012:06:50:05 +0000] "POST /load.php HTTP/1.0" 200 5125 "http://fluidsurveys.si/load.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"

5Dec:
88.198.254.193 - - [05/Dec/2012:06:03:44 +0000] "GET /wp-includes/Text/Diff/Renderer/online.php HTTP/1.0" 200 3640 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"

26 Dec:
88.198.254.193 - - [26/Dec/2012:15:35:44 +0000] "GET /load.php HTTP/1.0" 200 5121 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [26/Dec/2012:15:40:55 +0000] "GET /wp-content/themes/default/update.php HTTP/1.0" 302 285 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"

3 Jan:
88.198.254.193 - - [03/Jan/2013:18:28:24 +0000] "GET /load.php HTTP/1.0" 200 5101 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:29:24 +0000] "POST /load.php HTTP/1.0" 200 5042 "http://fluidsurveys.si/load.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:31:44 +0000] "POST /wp-admin/new.php HTTP/1.0" 200 5042 "http://fluidsurveys.si/wp-admin/new.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:37:01 +0000] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/img/load.php HTTP/1.0" 301 742 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:37:02 +0000] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/img/load.php HTTP/1.0" 200 495 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:37:13 +0000] "POST /wp-admin/new.php HTTP/1.0" 200 3469 "http://fluidsurveys.si/wp-admin/new.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:38:00 +0000] "GET /wp-includes/js/js.php HTTP/1.0" 200 4493 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:38:07 +0000] "POST /wp-includes/js/js.php HTTP/1.0" 200 21148 "http://fluidsurveys.si/wp-includes/js/js.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:38:23 +0000] "POST /wp-admin/new.php HTTP/1.0" 200 3721 "http://fluidsurveys.si/wp-admin/new.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [03/Jan/2013:18:40:19 +0000] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/img/index.php HTTP/1.0" 301 744 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"

4 Jan:
88.198.254.193 - - [04/Jan/2013:01:14:40 +0000] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/img/index.php HTTP/1.0" 200 3978 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
After i found the backdoor:
88.198.254.193 - - [04/Jan/2013:13:22:15 +0000] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/img/load.php HTTP/1.0" 200 542 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
88.198.254.193 - - [04/Jan/2013:13:42:36 +0000] "GET /wp-includes/js/tinymce/themes/advanced/skins/default/img/wp.php HTTP/1.0" 200 3922 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 (.NET CLR 3.5.30729)"
Server is full of shells.
Code: Select all
htxp://fluidsurveys.si/wp-includes/js/js.php
htxp://fluidsurveys.si/wp-includes/js/tinymce/themes/advanced/skins/default/img/wp.php
htxp://fluidsurveys.si/wp-includes/Text/Diff/Renderer/online.php
htxp://fluidsurveys.si/wp-admin/new.php
htxp://fluidsurveys.si/wp-includes/pomo/co.php
htxp://fluidsurveys.si/wp-includes/js/tinymce/themes/advanced/skins/default/img/index.php
htxp://fluidsurveys.si/wp-admin/import/import.php
htxp://fluidsurveys.si/wp-admin/includes/wpupdate.php
htxp://fluidsurveys.si/wp-content/plugins/akismet/hello.php
Another backdoor in attach.
https://www.virustotal.com/file/99dd56b ... 357326492/ 5/45
Pic:
Image
Logs:
Code: Select all
217.6.0.99 - - [03/Jul/2012:15:02:54 +0000] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 512 "http://fluidsurveys.si/wp-admin/plugin-editor.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
217.6.0.99 - - [03/Jul/2012:15:02:55 +0000] "GET /wp-admin/plugin-editor.php?file=akismet%2Fakismet.php&liveupdate=1&_wpnonce=c0fd1484fb HTTP/1.1" 500 1613 "http://fluidsurveys.si/wp-admin/plugin-editor.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
217.6.0.99 - - [03/Jul/2012:15:02:55 +0000] "GET /wp-admin/css/install.css HTTP/1.1" 200 1153 "http://fluidsurveys.si/wp-admin/plugin-editor.php?file=akismet%2Fakismet.php&liveupdate=1&_wpnonce=c0fd1484fb" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
217.6.0.99 - - [03/Jul/2012:15:02:56 +0000] "GET /favicon.ico HTTP/1.1" 404 13336 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
217.6.0.99 - - [03/Jul/2012:15:12:52 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 988 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
Attachments
infected
(7.12 KiB) Downloaded 83 times
 #17612  by unixfreaxjp
 Sat Jan 05, 2013 5:02 am
I'm @unixfreaxjp of MalwareMustDie,
Hi Xylit0l, thank's for the kindly invite.
Yesterday I found your finding's server was cleaned up, so this is the only reference I got.
Code: Select all
FINISHED --01:45:58--
Downloaded: 488,513 bytes in 122 files

Here's the full path I flushed:
Image

I am not going to promote anything, just an additional information related to this case,
it is similar of what we found in November 4, 2012,
that findings was using Webshell WSO 2.3 to spread malware infector/redirectors + pharmacy/adult sites redirectors.
I captured almost everything too,it was posted in here: http://malwaremustdie.blogspot.jp/2012/ ... -pack.html might be good for reference. That site was even using webalizer to monitor traffic, practically want to make it as close as possible to an Exploit Kit.

The similarities between these 2(two) cases is, both cases use WordPress with activate Plugin with vulnerability/flaw on it. The plugin was having flaw of CVE-2012-3577 in my spotted case (we contacted to the user and he doesn't have FTP account & everything was managed via web browser/http so there was no chance to have FTP account leaks by i.e. "pony" infection).
In what Xylit0l found was the TinyMCE plugin flaw was detected, this flaw that I heard about a year ago or so,
links of the flaw is: http://wordpress.org/support/topic/warn ... ce-exploit
Another PoC exploit for the arbitrary execution of other TinyMCE plugin flaw is shared publicly like this link: http://www.exploit-db.com/exploits/19022/ , and there are many more way to inject the code into it.

By the way, would you please kindly share me the log?
I'd like to try to make this moronz who hacked got nailed for good.
 #17618  by Xylitol
 Sat Jan 05, 2013 12:24 pm
Hi unixfreaxjp,
The log file is really huge in size... where can i host more than 2gb for free ?

HS:
I just checked my honeypots and got a weird phish "Carrefour Banque" Carrefour is a French retail corporation who runs chains of large discount department stores.
On the mail there is even a footer of 'Torrent411' (a French torrent tracker) this phish is really bad made :!:
Image

There is the same rotation system: htxp://www.jaxdance.com/signup.php > https://www.virustotal.com/url/f7304d2c ... 357377089/ 0/33
They blacklisted phishtank (403 Forbidden code): http://www.phishtank.com/phish_detail.p ... id=1684010
Image
Web-sniffer same:
Image
Urlquery same: http://urlquery.net/report.php?id=608614
Wepawet same: http://wepawet.iseclab.org/view.php?has ... 60&type=js
There is also a blacklist on the rotator: http://urlquery.net/report.php?id=608612
Mail Source:
Code: Select all
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 209.236.116.226) smtp.mailfrom=inmobil2@flash.servidorlinux6.com; dkim=none header.d=flash.servidorlinux6.com; x-hmca=none
X-SID-PRA: supports@flash.servidorlinux6.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: HY0JcSSCx0r9ix2ecVvfwC+J7wb0qYtDsLSxs114KwyClQHPuQLgPEDecW61+dDOIJ448b3WZ+eAZW64Nh2yUjtgpHZz8haNXoUtJCN3qIo1Ea7nCK+m6Y41uHnkf4jch9YvDoOugJK4JDFvNL/l8moeA0UHjcu3
Received: from flash.servidorlinux6.com ([209.236.116.226]) by SNT0-MC1-F32.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Sat, 5 Jan 2013 00:45:10 -0800
Received: from inmobil2 by flash.servidorlinux6.com with local (Exim 4.80)
	(envelope-from <inmobil2@flash.servidorlinux6.com>)
	id 1TrPNO-0001yn-4b
	for *********@******.**; Sat, 05 Jan 2013 06:45:10 -0200
Date: Sat, 5 Jan 2013 06:45:10 -0200
To:*********@******.**
From: Carrefour Banque <supports@flash.servidorlinux6.com>
Reply-to: noreply@flash.servidorlinux6.com
Subject: =?iso-8859-1?Q?Carrefour_-_S=E9curiser_vos_transactions_en_ligne?=
Message-ID: <ca5306a755c489ffe85a78d84cdad822@www.centershop.com.uy>
X-Priority: 3
X-Mailer: PHPMailer [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - flash.servidorlinux6.com
X-AntiAbuse: Original Domain - hotmail.fr
X-AntiAbuse: Originator/Caller UID/GID - [640 639] / [47 12]
X-AntiAbuse: Sender Address Domain - flash.servidorlinux6.com
X-Get-Message-Sender-Via: flash.servidorlinux6.com: authenticated_id: inmobil2/primary_hostname/system user
Return-Path: inmobil2@flash.servidorlinux6.com
X-OriginalArrivalTime: 05 Jan 2013 08:45:10.0649 (UTC) FILETIME=[F8A27690:01CDEB20]

<html><body><TABLE border=0 cellSpacing=0 cellPadding=0 width=700 align=center height=255 DESIGNTIMESP="30933">
<TBODY DESIGNTIMESP="30934">
<TR DESIGNTIMESP="30935">
<TD height=85 vAlign=top colSpan=3 DESIGNTIMESP="30936"></TD></TR>
<TR DESIGNTIMESP="30937">
<TD width=1 DESIGNTIMESP="30938"><IMG src="http://img3.free.fr/im/im_mails/dotgrey.png" width=1 height="100%" DESIGNTIMESP="30939"></TD>
<TD bgColor=#ffffff DESIGNTIMESP="30940">
<TABLE border=0 cellSpacing=10 cellPadding=0 width="100%" DESIGNTIMESP="30941">
<TBODY DESIGNTIMESP="30942">
<TR DESIGNTIMESP="30943">
<TD colSpan=2 DESIGNTIMESP="30944">
<P DESIGNTIMESP="30945"><FONT color=#ffffff size=1 DESIGNTIMESP="30946">--------originale message--- </FONT></P>
<HR color=#dfdfdf SIZE=1 noShade DESIGNTIMESP="30947">
<IMG border=0 src="http://data.imagup.com/10/1171921323.png" width=835 height=606 useMap=#Map DESIGNTIMESP="30948"> <MAP id=Map name=Map DESIGNTIMESP="30949"><AREA href="http://www.jaxdance.com/signup.php" shape=rect coords=256,392,591,446 DESIGNTIMESP="30950">
</MAP>
<P DESIGNTIMESP="30951"></P>
<P DESIGNTIMESP="30952"><FONT color=#939393 size=3 face="Lucida Grande, Helvetica, Arial,sans-serif" DESIGNTIMESP="30953">Sincères salutations, <BR DESIGNTIMESP="30954">L'équipe Carrefour</FONT></P>
<P DESIGNTIMESP="30955"><IMG src="http://img3.free.fr/im/im_mails/footer2.png" width=700 height=29 DESIGNTIMESP="30956"></P>
<P DESIGNTIMESP="30957"> </P>
<P DESIGNTIMESP="30958"> </P>
<P DESIGNTIMESP="30959"> </P>
<P DESIGNTIMESP="30960"> </P>
<P DESIGNTIMESP="30961"> </P>
<P DESIGNTIMESP="30962"> </P>
<P DESIGNTIMESP="30963"> </P>
<P DESIGNTIMESP="30964"> </P>
<P DESIGNTIMESP="30965"> </P>
<P DESIGNTIMESP="30966"> </P>
<P DESIGNTIMESP="30967"> </P>
<P DESIGNTIMESP="30968"> </P>
<P DESIGNTIMESP="30969"> </P>
<P DESIGNTIMESP="30970"> </P>
<P DESIGNTIMESP="30971"> </P>
<P DESIGNTIMESP="30972"> </P>
<P DESIGNTIMESP="30973"> </P>
<P DESIGNTIMESP="30974"> </P>
<P DESIGNTIMESP="30975"> </P></TD></TR>
<TR DESIGNTIMESP="30976">
<TD colSpan=2 DESIGNTIMESP="30977"><FONT size=1 DESIGNTIMESP="30978">messager</FONT></TD></TR>
<TR DESIGNTIMESP="30979">
<TD width=368 DESIGNTIMESP="30980"><PRE DESIGNTIMESP="30981"><FONT size=1 DESIGNTIMESP="30982"><BR DESIGNTIMESP="30983">IMPORTANT! Vous devez conserver un ratio minimum de 0.75 en tout temps afin de ne pas être banni!<BR DESIGNTIMESP="30984"> <BR DESIGNTIMESP="30985">-----<BR DESIGNTIMESP="30986">T411 - Torrent 411 - Tracker Torrent Français - French Torrent Tracker - Tracker Torrent Fr</FONT></PRE></TD>
<TD vAlign=bottom width=269 align=right DESIGNTIMESP="30987">
<TABLE border=0 cellSpacing=3 cellPadding=0 width="76%" DESIGNTIMESP="30988">
<TBODY DESIGNTIMESP="30989">
<TR DESIGNTIMESP="30990">
<TD vAlign=top width="92%" align=right DESIGNTIMESP="30991"> </TD>
<TD vAlign=middle width="8%" DESIGNTIMESP="30992"> </TD></TR></TBODY></TABLE></TD></TR>
<TR DESIGNTIMESP="30993">
<TD colSpan=2 DESIGNTIMESP="30994">
<HR color=#dfdfdf SIZE=1 noShade DESIGNTIMESP="30995">
</TD></TR>
<TR DESIGNTIMESP="30996">
<TD height=24 colSpan=2 DESIGNTIMESP="30997">
<TABLE border=0 cellSpacing=0 cellPadding=0 width=640 DESIGNTIMESP="30998">
<TBODY DESIGNTIMESP="30999">
<TR DESIGNTIMESP="31000">
<TD width=610 DESIGNTIMESP="31001"><BR DESIGNTIMESP="31002"><FONT size=1 DESIGNTIMESP="31003">Si vous ne recevez pas votre confirmation de réservation, veuillez vérifier que celle-ci n'a pas été considérée comme courrier indésirable ou spam par votre messagerie. Il est donc IMPERATIF de consulter votre boîte e-mail jusqu'à la veille de votre départ. Toutes informations, modifications ou documents nécessaires à votre voyage vous seront envoyés à cette adresse.<BR DESIGNTIMESP="31004"><BR DESIGNTIMESP="31005">Afin de vous assurer de recevoir nos futurs mails, merci d'ajouter notre adresse mail dans la liste de vos expéditeurs autorisés.<BR DESIGNTIMESP="31006"><BR DESIGNTIMESP="31007"></FONT></TD></TR></TBODY></TABLE>
<TABLE border=0 cellSpacing=0 cellPadding=0 width=640 DESIGNTIMESP="31008">
<TBODY DESIGNTIMESP="31009">
<TR vAlign=top DESIGNTIMESP="31010">
<TD width=30 DESIGNTIMESP="31011"><IMG alt="" src="http://docs.travel-agency.travel/img/spacer.gif" width=30 height=1 DESIGNTIMESP="31012"></TD>
<TD width=610 DESIGNTIMESP="31013"><BR DESIGNTIMESP="31014">
<CENTER DESIGNTIMESP="31015"><FONT size=-7 DESIGNTIMESP="31016"><STRONG DESIGNTIMESP="31017">Nous vous remercions de votre confiance et vous souhaitons bon journee</STRONG> </FONT></CENTER></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD>
<TD width=1 DESIGNTIMESP="31018"><IMG src="http://img3.free.fr/im/im_mails/dotgrey.png" width=1 height="100%" DESIGNTIMESP="31019"></TD></TR>
<TR DESIGNTIMESP="31020">
<TD height=29 colSpan=3 DESIGNTIMESP="31021"> </TD></TR></TBODY></TABLE></body></html>
Also i got phishs of "EDF" (a French electric utility company) same with a rotator: htxp://sendmaui.net/templates/ja_purity/js/index.htm > https://www.virustotal.com/url/3f7c2362 ... /analysis/ 1/31
Unlike others who don't host redirect system and phishs page on the same server this one do and create a new folders with phishings pages for each clicks on the rotator (https://www.virustotal.com/url/6ec9531f ... 357381049/)
I've coded a VB6 utils to retrieve URLS generated (source code and phishing urls list in attach)
Image
I even satured the server :)
Image
As you can see they use copy() & mkdir() in PHP each time someone click on the rotator to make different dirs and evade antivirus
Open dir:
Image
Attachments
infected
(17.66 KiB) Downloaded 82 times
no password
(38.34 KiB) Downloaded 90 times
 #17625  by unixfreaxjp
 Sat Jan 05, 2013 11:54 pm
You'll see more of it, friend. yes there are all WordPress, that's why I wrote & exposed it openly in MMD blog.
PS, back to the first case, here's the hint to find the IP who hacked it, please grep the access log the below GET/POST command
Code: Select all
/wp-includes/js/tinymce/themes/advanced/skins/default/img/load.php
↑The site you mentioned had the vulnerability to upload file by using it.

Regarding to the phishing email, based on your hotmail email header. Hotmail auth has no mistake in detecting this email as suspicious, PoC:
Code: Select all
Authentication-Results: hotmail.com; spf=none (sender IP is 209.236.116.226) smtp.mailfrom=inmobil2@flash.servidorlinux6.com; dkim=none header.d=flash.servidorlinux6.com; x-hmca=none
X-SID-PRA: supports@flash.servidorlinux6.com
X-AUTH-Result: NONE
X-SID-Result: NONE
Yet I don't undersatand why the email went to the mailbox? Only the user's setting allows that to happen.
Code: Select all
Received: from flash.servidorlinux6.com ([209.236.116.226]) by SNT0-MC1-F32.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Sat, 5 Jan 2013 00:45:10 -0800
Btw, see the mailer type is a common script used by spambot:
Code: Select all
X-Mailer: PHPMailer (version)
Realizing the spam group is behind this, I checked down to the relay server too.
I investigated further to find that flash.servidorlinux6.com is an innocent MTA, but it has open relay flaw on Port 587, that the phisher knew about it and use it to relay this spam, below is the PoC: (just sent email to servidorlinux6.com about this)
Code: Select all
 @unixfreaxjp ~]$ telnet flash.servidorlinux6.com 587
Trying 209.236.116.226...
Connected to flash.servidorlinux6.com.
Escape character is '^]'.
220-flash.servidorlinux6.com ESMTP Exim 4.80 #2 Sat, 05 Jan 2013 21:26:49 -0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo servidorlinux6.com
250 flash.servidorlinux6.com Hello p6e5369.sitmnt01.ap.so-net.ne.jp [218.110.83.105]
mail from: support@servidorlinux6.com
250 OK
rcpt to: unixfreaxjp@checkingyourmta.com
250 OK
Regarding to the PHP rotator:
As you can see they use copy() & mkdir() in PHP each time
someone click on the rotator to make different dirs and evade antivirus
↑That's right (since you brought this up) :-) and imagine if this techies is used by Exploit Kit infector, and they know its advantages & made it as malware infector based on it.
What we found+post was an evidence of that act, "they" know this things for sure... Bad things happens..
 #17684  by Xylitol
 Sat Jan 12, 2013 9:50 am
WSO 2.4 obfuscated version found on a compromised server
https://www.virustotal.com/file/9233773 ... 357984158/ > 18/46

Another backdoor:
Image
https://www.virustotal.com/file/0d005c1 ... 357988126/ > 21/46

For additional fraud files view this thread: http://www.kernelmode.info/forum/viewto ... =16&t=2431
Attachments
infected
(5.93 KiB) Downloaded 75 times
infected
(18.55 KiB) Downloaded 76 times
 #17689  by Xylitol
 Sat Jan 12, 2013 4:46 pm
backdoor found on another compromised server.
https://www.virustotal.com/file/beb530e ... 358007616/ > 14/46
Image

Have also found a WSO 'edited shell'
Image
still not clear to get it i've tar.gz the whole server and wait to finish download the archive for the moment.
Gotcha !
https://www.virustotal.com/file/43f602d ... 358009819/ > 14/46
Attachments
infected
(18 KiB) Downloaded 79 times
infected
(87.47 KiB) Downloaded 79 times