Paid Advertising is
ha.ckers sla.cking
Ways to stop spam, detect robotic activity, and actually harm the spam trade, as well as how it works, how to circumvent filters, etc. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Found some spammer files on my web server
Posted by: Royal2000H
Date: October 02, 2012 05:05PM

I've been getting some failed mail delivery reports at my catch-all email address on my server. Finding this weird, I had a feeling there was spam coming out of it.

Connecting through FTP, I found some definitely odd files.

1. A file violin.php which let the spammers send mail out of my server and domain through POST parameters.

2. Three obscure, randomly named html files which were empty except for small obfuscated javascript that redirected to spam/adult websites and pop ups.

3. One file in cgi-bin, "mhstchk.cgi" which seems to be the first file they put on the server. It seems to gather information about the server in order for them to decide whether it'll work for their spammer needs. Here's a few lines from the beginning:

my $smtp = '';

my $dns = '';

my $fpart = "hello_my_little_friend._You_have_download_this_page_and_see_this_source.";

my $lpart = "_We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody";

And then it goes on to print "uname -a", test Perl modules, the SMTP server, some DNS tests, etc.

Now I'm wondering how they got the files on the server. Exploit of apache? Do I need to tell my hosting company to check for cracks in this shared server? Brute forcing my PHP password? Exploit in wordpress?

Anyone see this before?

EDIT: Just found them in my FTP access logs. So did they just brute force my password? It seems there were more files they put in my cgi folder that they since deleted. Also it seems that cgi file was there for a long time.

Edited 1 time(s). Last edit at 10/02/2012 05:15PM by Royal2000H.

Options: ReplyQuote

Sorry, only registered users may post in this forum.