Insight into a Spam Network


Posted on May 31st in Uncategorized. No Comments

While browsing around the net I often run into websites that have been compromised. I recently discovered a website that was hosting the filesman backdoor, redirecting users to malicious sites, and allowing spammers to send mail from the web server. I thought it might be fun to take a look around and see if I could find anything interesting.

Identifying the infected site

The website that I investigated was running a WordPress blog. Directory indexing was enabled on the website and it was possible to see the contents of the uploads directory.

uploads directory

Anytime you see a php script in the uploads directory of a WordPress site it is probably a bad sign. Clicking on the info.php file loads a page that requests a password to log in. This was definitely a good indicator that the site was hosting a backdoor shell.

Another interesting thing in the uploads directory was the toolbox.zip file. I downloaded the zip found and at first glance it appeared to be a free WordPress theme. Further inspection of the contents led me to a copy of the info.php file that was requesting the password.

The filesman backdoor

Looking through the source of the info.php file you can clearly see that it is a backdoor. The script tries to avoid getting indexed by crawlers and contains an MD5 hash of the password required to gain access.

Bypassing the shell password protection

I was able to google for the hash value to determine that the plaintext password was ‘nhzgrf’. What I find amusing is that you can completely bypass the authentication by creating your own cookie :D

Take a look at the line that generates the cookie value

It creates a cookie where the name is the MD5 value of $_SERVER[‘HTTP_HOST’] and the value is the password hash. So if the name of the website was example.com our cookie would look like this:

5ababd603b22780302dd8d83498e5172=866fd58d77526c1bda8771b5b21d5b11

Nice try on the authentication! Maybe next time you should look at using the built in session management in PHP. Of course this required that I have access to the source of the shell to get the MD5 hash of the password.

Finding the spam script

Reviewing the Apache logs revealed a ton of requests for a functions.php file that is in the uploads directory. The requests were showing up on a regular basis from a number of different IP addresses. External addresses should not be making POST requests to any scripts in this directory!

The script was obfuscated using a few simple techniques but nothing really fancy. After de-obfuscating the script and renaming most of the variables to something more meaningful it was easy to see what the script does.

Collecting information on the bots

I thought it would be fun to spy on the messages that were being sent from this compromised machine. What IP’s are posting to the script? Who are the messages going to? What types of spam are being sent?

In order to collect this information I made some modifications to the spam script. I added some code to collect the IP of the system that makes the POST request. A copy of each message sent along with the originating IP was sent to an email address that I created to monitor the spam.

After collecting over 38,000 spam emails here is what I was able to find:

  • 37,914 Unique Email Addresses
  • 1,219 Unique Bot IP’s (The IP addresses posting to the compromised server)
  • 3,139 Unique Malicious Links

Using MaxMind’s GeoIP database I was able to create a nifty chart showing where the majority of the bots are located that are generating and posting the spam messages.





Comments are closed.