SPAM - Westpac Notice

I recently got an email with the subject "[Bulk] Westpac Notice" claiming to be from "notice@westpac.com.au". I knew this was SPAM, but was curious none the less, I felt like investigating further, but didn't have much time... my curiosity got the better of me, and I decided to do some quick digging anyway.

The link on the email resolved to "http://www.backrite.com/cw3/assets/product_small/Westpac.com.au/Westpac/index.htm", I very crude attempt I thought, the least they could have done was attempt to get a domain that at least appears slightly legitimate or use a URL shortening service at least.

I fired up my debuggig VM and opened up Firefox and pasted the URL in, the site appeared to be down. This was going to be quicker than I thought. Next I examined the e-mail headers and found a number of interesting things;

iX-Apparently-To: me@me.com via; Mon, 12 Sep 2011 17:35:43 -0700
Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
X-YMailISG: uqaL3oQWLDupZk39g7NZ_d1X.jvu2AiRfqDcSAS5WI1yggQj
X-Originating-IP: []
Authentication-Results: mail.me.com  from=westpac.com.au; domainkeys=neutral (no sig);  from=westpac.com.au; dkim=neutral (no sig)
Received: from  (EHLO server22.01domain.net) (
  by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
Received: from nobody by server22.01domain.net with local (Exim 4.69)
(envelope-from )
id 1R3GyS-0001kr-68
for me@me.com; Mon, 12 Sep 2011 20:35:40 -0400
To: me@me.com
Subject: [Bulk] Westpac Notice
X-PHP-Script: proteinat.com/store/images/tmp/z.php for
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Mon, 12 Sep 2011 20:35:40 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server22.01domain.net
X-AntiAbuse: Original Domain - me.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server22.01domain.net

Firstly, the originating IP did not match the server in the URL. Next the X-PHP-Script header gave an interesting clue, a copy and paste revealed another downed script, but this time the response from the server was more promising, a quick fuzz and I found "http://proteinat.com/store/images/cookie_load.php"

Which is a PHP shell called Web Shell by oRb or WSO. The running version was 2.5 which was released in June of 2011. The attacker must have exploited PHP and uploaded the file. The PHP shell allows for a console which is useful for work, e.g. creating a backdoor, as well as running exploits to escalate privileges to get root access. I have not had the chance to investigate further, but it would be interesting to determine how the hacker got in in the first place.

No comments:

Post a Comment