I was checking the logs of all my sites recently and found some really interesting things. Apart from the normal stuff like where visitors were coming from and the most requested pages, I found some high traffic to a website that I am still developing!
Upon further investigation I found that it looked like a URL from a PHPProjek install I did a while back to test the project management features required on the site. It was some poll.php page that was requested almost daily and received over 2000 hits a week. Now normally when I look at my logs and see over 2000 page hits and a couple of unique visits on a site I am overjoyed, because it means my SEO skills were paying off. This site, however, was still in development and there was nothing really on it, so where was all this traffic coming from?
I fired up my FTP client and opened the file in question, and found a few lines of code that were, to say the least, a bit surprising: it contained only the PHP mail function, which would send mail using the POST variables. It had a very strange vulnerability which I didn’t know of, and because the site was still in development I didn’t even check for known exploits…
I decided I wanted to know who had hacked me, once again!?!, and to whom all the mail was being sent… So I edited the page to take out the mail function and added some logging code that records the remote IP address and the message details.
This is what a typical log entry looked like:
June 2, 2008, 2:24 am: 201.83.214.203
from : $Vítima BANK$
FromMail : fc2008@fcorp2008.com
destino : infects08@gmail.com
assunto : [Informação]: BRUNO Pode ter conta em BANCO!
mensagem : Está Vítima possui 1 conta no BANCO HSBC BRASIL
The messages are always sent to infects08@gmail.com, and the text seems to be Spanish and has some Brazilian connection.
Now I am trying to find out if I can use this information to stop them or inform some authorities of this, but I have read that it is almost impossible to get the information needed to prosecute.
Here is what I believe they are doing:
- Search the web for vulnerable sites; this can be done easily using Google if you know the correct way of searching.
- Exploit the webpage, but rather than defacing or replacing the entire site, add some functionality to it by uploading the “poll_css.php” file to an obscure location somewhere on my webserver. I never even noticed it was there…
- Next, start sending mail (uhum, SPAM) using a bot, or even an HTML form, and send it via the newly created PHP script.
- Then, regarding the infects08@gmail.com address: it is probably a GMAIL “gateway mail forwarder”. What on earth is that? Well, I just made up the name. Google makes it very, very easy to spam someone… You see, in Gmail you can set up an account to automatically forward mail matching certain filters, and it can be sent to several accounts; there is no checking to see whether the address forwarded to is one of your accounts or someone that actually wants to receive it. Hence the spam gateway.
So they could just set up a forwarding filter via the Gmail account, et voilà.
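The pattern that gave the planted script away (steady POST traffic to a PHP file the developer never deployed) can be checked for automatically. This is an added example, not code from the original post: it scans Apache combined-format access log lines for POSTs to .php paths missing from an allowlist of deployed files; the sample log lines, IP addresses, paths and the DEPLOYED_PHP set are all constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format; only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not the author's real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2008:02:24:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.5 - - [02/Jun/2008:02:24:03 +0000] "GET /about.php HTTP/1.1" 200 2048
203.0.113.7 - - [02/Jun/2008:02:24:10 +0000] "POST /css/poll_css.php HTTP/1.1" 200 12
203.0.113.7 - - [02/Jun/2008:02:24:11 +0000] "POST /css/poll_css.php HTTP/1.1" 200 12
198.51.100.9 - - [02/Jun/2008:02:25:40 +0000] "POST /css/poll_css.php HTTP/1.1" 200 12
10.0.0.8 - - [02/Jun/2008:02:26:00 +0000] "POST /contact.php HTTP/1.1" 200 900
10.0.0.8 - - [02/Jun/2008:02:26:05 +0000] "GET /css/style.css HTTP/1.1" 200 300
"""

# PHP files the developer actually deployed (constructed allowlist). Build this from
# the project's source tree or a release manifest, not from the live webroot, since
# a dropped file would otherwise allowlist itself.
DEPLOYED_PHP = {"/index.php", "/about.php", "/contact.php"}

def parse_access_log(text):
    """Yield one dict per line that matches the combined format; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_unknown_php_posts(text, deployed, min_hits=2):
    """Return {path: {"hits": n, "ips": [...]}} for POSTed .php paths that are not
    in the deployed set (query string ignored) and were hit at least min_hits times."""
    hits = Counter()
    ips = defaultdict(set)
    for rec in parse_access_log(text):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(".php") and path not in deployed:
            hits[path] += 1
            ips[path].add(rec["ip"])
    return {p: {"hits": n, "ips": sorted(ips[p])} for p, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for path, info in find_unknown_php_posts(SAMPLE_LOG, DEPLOYED_PHP).items():
        print(f"{path}: {info['hits']} POSTs from {', '.join(info['ips'])}")
```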
I want to toy with them for a while but I am still trying to find creative ways in which to irritate them…
Please post comments if you have any ideas or if you know of a way to report them to someone…