A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9044  by lolwut
 Sun Oct 09, 2011 5:16 am
wayzoken wrote: "frm_findrep_sub2.php? id = 1" and this almost does not work.
only managed to see db "information_schema" and "frmcpviewer" and these do not have db access keys.
any help please
You're doing it wrong. Firstly you have to find the right folder where the php file is located. In most cases the C&Cs rename directories, so you go on the hunt.
There is a far better query to use as well. Note that there are 7 columns and the second string column is vuln.

The thing is that there are thousands of Spyeye C&Cs running older versions that are not on any trackers (since they unfortunately buy installs and therefore prevent easy access to bins).

So if the above query doesn't work, more likely than not it is an older version of the panel OR you're in the wrong folder.
 #9075  by wayzoken
 Mon Oct 10, 2011 5:51 pm
http://orumearchsdelaltruk.info/frmcp0/ ... 2.php?id=1

Table Name

assistance please, I do not know how to exploit ????
 #9080  by Xylitol
 Tue Oct 11, 2011 7:15 am
wayzoken wrote: assistance please, I do not know how to exploit ????
I don't think anyone will help you; personally I will not. I don't know you and this forum is public, so take care what you post.
BTW, your server is running DirectAdmin and the database user doesn't have root permissions, so you can't execute LOAD_FILE.
As for your modded SpyEye panel, it's just version 1.0.
There are a lot of tutorials about how to exploit an SQL injection; just google.

In attach, SpyEye 1.3.45 (26/43 >> 60.5%)
http://www.virustotal.com/file-scan/rep ... 1318281276

And SpyEye 1.3.48 (2/43 >> 4.7%)
http://www.virustotal.com/file-scan/rep ... 1318274711
 #9244  by EP_X0FF
 Tue Oct 18, 2011 3:44 pm
sugipula wrote:Any new samples?
How about go to hunt yourself?