The link on the email resolved to "http://www.backrite.com/cw3/assets/product_small/Westpac.com.au/Westpac/index.htm", I very crude attempt I thought, the least they could have done was attempt to get a domain that at least appears slightly legitimate or use a URL shortening service at least.
I fired up my debuggig VM and opened up Firefox and pasted the URL in, the site appeared to be down. This was going to be quicker than I thought. Next I examined the e-mail headers and found a number of interesting things;
iX-Apparently-To: me@me.com via 76.13.9.102; Mon, 12 Sep 2011 17:35:43 -0700
X-YahooFilteredBulk: 72.52.199.90
Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
X-YMailISG: uqaL3oQWLDupZk39g7NZ_d1X.jvu2AiRfqDcSAS5WI1yggQj
qKsr_wBhJ6fOB576uyrk3sOva0uAvBRbH2D9buWQ2RMJpgB.gBvrBbexkVVz
XhkFvqbM2oAMn_GHLmNEOUb_wcs6rU031UCGN0Gc8InmvAhB8wE6ua0shbqw
gqobfvaLzFTrjLeJ03BlqKdv3L_RDh4xyyLL2saipKDl7XkbKwLizqsr4c6R
X-Originating-IP: [72.52.199.90]
Authentication-Results: mail.me.com from=westpac.com.au; domainkeys=neutral (no sig); from=westpac.com.au; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO server22.01domain.net) (72.52.199.90)
by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
Received: from nobody by server22.01domain.net with local (Exim 4.69)
(envelope-from
id 1R3GyS-0001kr-68
for me@me.com; Mon, 12 Sep 2011 20:35:40 -0400
To: me@me.com
Subject: [Bulk] Westpac Notice
X-PHP-Script: proteinat.com/store/images/tmp/z.php for 41.184.112.91
From:
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Mon, 12 Sep 2011 20:35:40 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server22.01domain.net
X-AntiAbuse: Original Domain - me.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server22.01domain.net
Firstly, the originating IP did not match the server in the URL. Next the X-PHP-Script header gave an interesting clue, a copy and paste revealed another downed script, but this time the response from the server was more promising, a quick fuzz and I found "http://proteinat.com/store/images/cookie_load.php"
Which is a PHP shell called Web Shell by oRb or WSO. The running version was 2.5 which was released in June of 2011. The attacker must have exploited PHP and uploaded the file. The PHP shell allows for a console which is useful for work, e.g. creating a backdoor, as well as running exploits to escalate privileges to get root access. I have not had the chance to investigate further, but it would be interesting to determine how the hacker got in in the first place.
No comments:
Post a Comment