Jun 29, 2016
PermaNulled

Your mail box is getting full… Story of a phisher.

Your mail box is full

So,

I had recently been inspired by a video from a man who goes by the alias “Scamalot” in this video series he responds to spam emails and simply “trolls” the scammers, phishers, or spammers the series is great, and I highly recommend checking it out if you haven’t ( https://www.youtube.com/watch?v=dSoXEtFPTfI ).

Well due to being inspired by this I decided to take it upon myself to start attempting to “troll” or annoy these spammers, scammers, and phishers myself as it seemed to be my duty at this point considering the amount of spam I regularly receive it was a great idea.

Coming into this the last thing that I expected to do is take over a phish page and leave a warning for those who clicked on it in the future but, that’s exactly what I ended up doing….

The following is a bit of information on how I did it and what I did to stop it, this post contains information which should be used for educational purposes only and should not be used to create or maintain your own phish page, I do not suggest anyone else goes and compromises phish pages as legally this is a questionable practice and you could be impeding on an active investigation that being said I proceeded anyway due to the fact I had permission.

 

Lets take a look at the where the phish email sends you to,
Now of course Gmail being as great as it is had originally blocked the email and I didn’t feel like helping these people by marking as “not spam” so went to the source to determine the page it was sending me to… quickly realizing it was a gov domain I had originally had no intent in messing with the server the page was hosted on.

og_email_source

It just so happens however, the gov page I’m assuming is being used as a white-listing technique (hoping to have better reputation with spam filters if the link is from a gov TLD I would assume) as it simply redirects to a privately owned server with the phisher’s page on it you can see here.

PhishPage

It’s a pretty simple setup, I didn’t do my research on whether or not it was some generic page posted on a black-hat/criminal forum but the way it was written I would assume it could be obtained from one of those dark/stupid circles.

Basically the idea of the page is to collect as much information as possible it begins by asking you for your email and password, effectively collecting those then for recovery purposes I would assume in-case they flag your gmail or such by logging in from a different then intended location they also request your phone number and other details.

Any who the first thing noticed is the directory of course you quickly notice this phisher has compromised someones website and decided to setup shop on their web hosting account or server,
From here the first thing I wanted to do was determine how the hacker breached the website and managed to get their phish page up.

So looking at the obvious the URL doesn’t seem to be any CMS or Platform that I’m inherently familiar with or have worked with, and the second thing I’ve noticed is that it’s placed in an admin directory… within that happened to be an admin panel with enough probing I eventually come to the conclusion that the hacker had breached the website through means of SQL injection and used a file upload system within the admin panel in order to upload malicious PHP code which allowed them access to the server under the web user.

There were restrictions in place on the file upload system preventing the uploading of anything other then images as that’s what it was intended to be used for, however the code which actually checked the file extension was written in java-script meaning it could be controlled and modified by the client, word of advice when doing input validation always double check against the server don’t rely on the user-end at all.

Now that I knew how the attacker gained access to the server it was time to take a peek for myself, I found their web-shell (A variation of the commonly deployed “WSO Shell”) and I had also obtained their password and login method… what the attacker had done is required that you post a password without including the field where you would enter said password, once entered though the password was stored in a session variable and you were “logged-in”.

At this point I had already had the attackers code to their shell so I had cracked the password (these shells store the password in a variable as a md5) which was “Heavensgate1”, I had now successfully logged into the attacker’s backdoor and could conduct further research.

I decided I wanted to see exactly what the pish page’s intentions were and what I could find about our attacker… After a bit of looking through the code I found that the last page the information was being posted to would be “connectID.php” and that this page would email our attacker with the phished credentials at the following email “[email protected]”.

phishersemail

Now that I had the attackers email I figured I’d look a bit deeper into it and see if I could find any additional information about them sadly with the time I was willing to spend doing this I didn’t really find much information about our attacker, but I did discover a few things.

The attacker also owned “[email protected]”, I wasn’t able to get access to either of these emails.

phishergmail phishergmail3

 

 

 

 

 

 

 

 

phishergmail_og_phone_partial

 

 

 

 

 

 

 

 

 

 

Now the little research I conducted resulted in me discovering that “Naira” is actually the currency of Nigeria so at this point I’ve identified our attacker as being a Nigerian scammer/spammer, with this there are plenty of different websites and forums using the “nairamoney” alias so it’s quite difficult to find any other info about our attacker, I did search for an IP address or such for the attacker but they surprisingly cleaned up after them selves.

So now the question was are they using this system for anything else?,
Are they sending spam email from it?…

I wanted to know more about our attacker and what kind of things they were doing while on this machine, looking at bash_history I managed to find out that they had attempted to root the system… no 0days here though just your public stuff wouldn’t expect much more from this kind of attacker.

rootattempts

Apparently the attacker didn’t want people following in their foot steps as they soon after patched the kernel up to the latest version all without the owner of this VPS realizing,
From my analysis however the attacker did not deploy a rootkit and instead decided it would be easier to simply make all shadow files world readable in-case they had lost their root access.
shadow3

At this point I had gotten tired / bored and decided it was time to put an end to our new friend, this was done in two ways…

#1 Was in the mean time we’d simply deface his phishing page and make sure people understood they had just done something dangerous by clicking his link,
aftermath
#2 Of course was doing the appropriate thing and reporting not only the phish page but our attacker to the hosting company “inmotionhosting” as it is apparent the owner of the VPS in question had no idea any of this was going on and would not have handled it appropriately in order to stop the phisher from abusing the server… and I have to give it to InMotionHosting while I had not received a reply from them they did seem to deal with the matter quite quickly as the phishing page, shell and etc are no longer present on the server.

In closing I’m considering looking back at the gov redirect to see if our phisher/attacker has setup shop on a new server now that the one he had is gone, I figure he’ll repeat himself and use the same shell same password and etc.

These attackers do appear to be creatures of repetition and with this research I’ve conducted I’ve found nothing original or interesting to myself other then the fact the owner of the VPS had this attacker there for quite awhile without ever noticing it, another surprising thing is that there are still systems out there which are relying on the client side for input validation in terms of file uploads.

Also when reporting this to In Motion Hosting I made sure to cover all bases I had deleted all of the attackers back doors ahead of time which seemed to be placed randomly most likely by an automated script of some sort.

finaltouch
backdoor3

shel_bdoor1bdoor2

morebackdoors
A full set of the attackers scripts can be found here: http://www52.zippyshare.com/v/k9xc0e0b/file.html

Additional analysis of the found back door files that had the following function

function Qbmx($VhBw)
{
$VhBw=gzinflate(base64_decode($VhBw));
for($i=0;$i<strlen($VhBw);$i++)
{
$VhBw[$i] = chr(ord($VhBw[$i])-1);
}
return $VhBw;

Revealed that they were simply encoded versions of the WSO shell with the default password of “root”.

In closing while I didn’t find anything super cool or original it was still fun to do and I get the general good feeling inside knowing that this is a scammer/spammer/phisher stopped from attacking other people before they were even able to log any credentials ( I can confirm via access logs I was the only one to access the page )…

Lets hope all scammers / phishers / and spammers start to have harder days to come as technology evolves and computer users are properly educated in information security practices, while that may never happen one can dream ;).

Leave a comment