Spam-Attacks (possibly Dark Mailer) through abused FTP account within 1s

Written by - 0 comments

Published on - Listed in Internet PHP Linux Hacks Mail


This weekend I came across a method of sending spam e-mails that was new, at least to me.

A shared hosting FTP account was abused (the password was probably stolen by a trojan) to send spam e-mails. That in itself would not be surprising, but the speed with which the script was uploaded and executed is definitely worth mentioning.

In the FTP logs I found the following entries:

Sat Sep 01 01:12:49 2012 0 195.7.104.233 408 /var/www/someweb/html/chk_mailto.php a _ i r someweb ftp 0 * c
Sat Sep 01 01:12:49 2012 0 195.7.104.233 408 /var/www/someweb/html/chk_mailto.php a _ d r someweb ftp 0 * c

Note that the file chk_mailto.php was uploaded AND deleted within the same second!

But before the file was deleted, it was executed via a browser request:

195.7.104.233 - - [01/Sep/2012:01:12:49 +0200] "GET /chk_mailto.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

Because the script exists for such a short time, it is nearly impossible to recover it. Additionally, only a few spam mails are sent out (or they are sent through open relay servers), which makes it difficult to trace in the mail logs as well.
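One way to surface this pattern after the fact is to correlate the FTP transfer log (xferlog) with the web server access log: flag files that were uploaded and deleted within seconds, then look for HTTP requests to the same path during that window. This is an added example, not code from the original post; the document root, the sample log lines and the time windows are assumptions modelled on the excerpts above.

```python
import re
from datetime import datetime, timedelta
DOCROOT = "/var/www/someweb/html"  # assumed document root of the abused vhost
# Constructed sample lines modelled on the excerpts in the post, plus one benign upload
XFERLOG = """\
Sat Sep 01 01:12:49 2012 0 195.7.104.233 408 /var/www/someweb/html/chk_mailto.php a _ i r someweb ftp 0 * c
Sat Sep 01 01:12:49 2012 0 195.7.104.233 408 /var/www/someweb/html/chk_mailto.php a _ d r someweb ftp 0 * c
Sat Sep 01 09:30:10 2012 2 10.0.0.5 1532 /var/www/someweb/html/index.php a _ i r someweb ftp 0 * c
"""
ACCESS_LOG = """\
195.7.104.233 - - [01/Sep/2012:01:12:49 +0200] "GET /chk_mailto.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.7 - - [01/Sep/2012:09:31:00 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.26"
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "\S+ (\S+)')

def short_lived_uploads(xferlog, max_lifetime=60):
    """path -> (upload_time, delete_time, ftp_host, ftp_user) for uploads deleted within max_lifetime s."""
    pending, found = {}, {}
    for f in (l.split() for l in xferlog.splitlines() if l.strip()):
        # xferlog fields: 5 date tokens, xfer-time, host, size, path, type, flag, direction, mode, user
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        host, path, direction, user = f[6], f[8], f[11], f[13]
        if direction == "i":
            pending[path] = (when, host, user)
        elif direction == "d" and path in pending:
            up, up_host, up_user = pending.pop(path)
            if when - up <= timedelta(seconds=max_lifetime):
                found[path] = (up, when, up_host, up_user)
    return found

def correlate(xferlog, access_log, max_lifetime=60, slack=5):
    """HTTP requests that hit a short-lived upload while it existed (+/- slack seconds)."""
    windows, hits = short_lived_uploads(xferlog, max_lifetime), []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, stamp, url = m.groups()
        # assumes the access log uses the same local time zone as the xferlog (offset ignored)
        req_time = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
        fs_path = DOCROOT + url.split("?", 1)[0]
        if fs_path not in windows:
            continue
        up, gone, ftp_host, ftp_user = windows[fs_path]
        if up - timedelta(seconds=slack) <= req_time <= gone + timedelta(seconds=slack):
            hits.append({"file": fs_path, "ftp_user": ftp_user, "ftp_host": ftp_host,
                         "http_client": client, "lifetime_s": (gone - up).total_seconds(),
                         "same_source": client == ftp_host})
    return hits
```

Run it against real xferlog and access log files by reading them into the two strings; a hit whose `same_source` is true and whose `lifetime_s` is near zero is a strong indicator of the upload, execute, delete pattern described above.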

Update September 4th 2012:
Each time such an uploaded file was executed in the browser, a new process called 'perl' was started on the server, which opened SMTP connections to foreign webservers and kept running in the background.

