Spam/Virus/Hijack combi attack - April 2016

Posted: Wed Apr 27, 2016 1:03 am
by ^rooker
WARNING:
There seems to be a new virus+spam combi worm attack going on at the moment.

It sends out mails to users in one's email address book (that it somehow stole).
The content of the mail always looks like this (very spam-like):

    Hello!

    You have a new message, please read <http://somehackedserver.com/stress.php?80sc5>

    <Sender Name>

I've seen similar things like this, especially strange PHP files appearing on unrelated (usually hacked/infected) servers.
These files either contain malicious code that tries to do something to the browser client (if it can), and/or contain backdoors for running arbitrary code on the infected host.

According to other postings found on the web, the PHP file it points to in the URL disguises itself under different names.
Here's a list of names I collected so far:
  • stress.php
  • neighboring.php
  • struck.php
  • skirt.php
  • management.php
  • separate.php
  • mainstream.php
  • summary.php
  • sacred.php
  • ...
The PHP file is always followed by a short string of usually 3-4 alphanumerical characters.

Collecting others' findings:
https://answers.launchpad.net/launchpad ... ion/292170
http://discard.email/en/pillory/fw-new- ... 787dc5.htm
http://readlist.com/lists/lists.digium. ... 56371.html
http://www.ietf.org/mail-archive/web/v6 ... 24655.html
http://digest.sialia.com/?rm=message;id=1174544
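A mail-filter check for the lure pattern described in the post above, added here as an example; it is not code from the post or the forum. The sample mail bodies, host names and the 3-6 character bound on the query tag are constructed assumptions (the post says "usually 3-4", but its own example `80sc5` has five characters).

```python
import re

# Constructed sample mail bodies (not from the post), modelled on the
# pattern it describes: a "new message" lure and a link to a one-word
# .php file on some hacked host, followed only by a short alphanumeric tag.
SAMPLE_MESSAGES = [
    "Hello!\n\nYou have a new message, please read "
    "<http://hacked.example.invalid/stress.php?80sc5>\n\nAlice Example",
    "Hi team,\nminutes are at "
    "https://intranet.example.invalid/wiki/summary.php?page=notes&rev=12\n",
    "Hello!\n\nYou have a new message, please read "
    "<http://other.example.invalid/skirt.php?k9x>\n\nBob",
    "Invoice attached, see http://billing.example.invalid/report.php?id=123456789",
]

# File names collected in the post; a hit here is a strong signal, but the
# path shape below is the more durable check since the names rotate.
KNOWN_NAMES = {"stress", "neighboring", "struck", "skirt", "management",
               "separate", "mainstream", "summary", "sacred"}

LURE_PHRASE = "you have a new message, please read"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Path must end in /<word>.php?<tag> where the whole query string is 3-6
# alphanumerics (the post says 3-4; its own example "80sc5" has five, so
# the bound is widened slightly - an assumption, not from the post).
LURE_PATH_RE = re.compile(r"/(?P<name>[a-z]+)\.php\?(?P<tag>[a-z0-9]{3,6})$",
                          re.IGNORECASE)


def score_message(body):
    """Return a verdict dict for one mail body: suspicious flag, the matched
    URL and .php name (if any) and the list of reasons that fired."""
    reasons, hit_url, php_name = [], None, None
    if LURE_PHRASE in body.lower():
        reasons.append("lure_phrase")
    for url in URL_RE.findall(body):
        m = LURE_PATH_RE.search(url)
        if m:
            hit_url, php_name = url, m.group("name").lower()
            reasons.append("lure_path")
            if php_name in KNOWN_NAMES:
                reasons.append("known_name")
            break
    # Either signal alone is enough to quarantine for review: the path shape
    # catches renamed files, the phrase catches a changed link format.
    return {"suspicious": bool(reasons), "url": hit_url,
            "php_name": php_name, "reasons": reasons}


def suspicious_messages(bodies):
    """Filter a batch of bodies down to the ones worth quarantining."""
    return [b for b in bodies if score_message(b)["suspicious"]]
```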