Spam/Virus/Hijack combi attack - April 2016

Post by ^rooker

WARNING:
There seems to be a new virus+spam combi worm attack going on at the moment.

It sends out mails to users in one's email address book (that it somehow stole).
The content of the mail always looks like this (very spam-like):

    Hello!


    You have a new message, please read <http://somehackedserver.com/stress.php?80sc5>


    <Sender Name>

I've seen similar things like this, especially strange PHP files appearing on unrelated (usually hacked/infected) servers.
These files either contain malicious code that tries to do something to the browser client (if it can), and/or contain backdoors for running arbitrary code on the infected host.

According to other postings found on the web, the PHP file it points to in the URL disguises itself under different names.
Here's a list of names I collected so far:
  • stress.php
  • neighboring.php
  • struck.php
  • skirt.php
  • management.php
  • separate.php
  • mainstream.php
  • summary.php
  • sacred.php
  • ...
The PHP file is always followed by a short string of usually 3-4 alphanumerical characters.

Collecting others' findings:
https://answers.launchpad.net/launchpad ... ion/292170
http://discard.email/en/pillory/fw-new- ... 787dc5.htm
http://readlist.com/lists/lists.digium. ... 56371.html
http://www.ietf.org/mail-archive/web/v6 ... 24655.html
http://digest.sialia.com/?rm=message;id=1174544
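A mail-side check for the URL shape described in the post above, as an added example that is not part of the original post: it flags links whose last path segment is a single lowercase word ending in `.php` followed by a bare 3-5 character alphanumeric query string. The function names, the 3-5 length window (the sample token `80sc5` has five characters) and the `example.org`/`example.net` links in the constructed sample are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# File names collected in the post; the list is open-ended there, so the
# shape check below is what catches names not seen yet.
KNOWN_NAMES = {"stress", "neighboring", "struck", "skirt", "management",
               "separate", "mainstream", "summary", "sacred"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PATH_RE = re.compile(r"/([a-z]+)\.php$")        # assumed: one lowercase word
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{3,5}$")    # bare token, no key=value

def classify_url(url):
    """Return 'known-name', 'shape-match' or None for a single URL."""
    parts = urlsplit(url)
    m = PATH_RE.search(parts.path)
    if not m or not TOKEN_RE.match(parts.query):
        return None
    return "known-name" if m.group(1) in KNOWN_NAMES else "shape-match"

def scan_message(raw):
    """Return (url, verdict) pairs for every text part of a raw mail."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = part.get_payload(decode=True)
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            verdict = classify_url(url)
            if verdict:
                hits.append((url, verdict))
    return hits

# Constructed sample: first link is the one quoted in the post, the other
# two are made up to show a benign query and an unlisted file name.
SAMPLE = """From: someone@example.org
Subject: new message
Content-Type: text/plain; charset=utf-8

Hello!

You have a new message, please read <http://somehackedserver.com/stress.php?80sc5>
See http://example.org/index.php?page=about and http://example.net/gallery.php?x7Qz
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(verdict, url)
```

A `shape-match` hit is only a heuristic and will also fire on legitimate short query strings, so it is better used for quarantine or scoring than for outright rejection.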