Ask HN: Traced spam back to script on a pwned server, but then it gets weird

1 points by DanOWar 13 years ago · 0 comments · 1 min read


Odd email spam: Followed IP from Received headers to a PHP mailer script on some random server. Googled some text from the form and found similar sites. Are these pwned servers hacked, or dedicated spam servers?

The email in question included an odd detail:

  Received: (qmail 28723 invoked from network); 5 Feb 2013 01:56:56 -0800
  Received: from m81.ninthapple.com (HELO vmi10541.localdomain) (79.143.178.81)
    by [mydomain.net] with SMTP; 5 Feb 2013 01:56:55 -0800
  Received: by vmi10541.localdomain (Postfix, from userid 48)
    id A90CB2D80478; Tue,  5 Feb 2013 09:56:53 +0100 (CET)
  To: support@[mydomain.com]
  Subject: teste
  X-PHP-Originating-Script: 0:thumb.php
  MIME-Version: 1.0
  Content-type: text/html; charset=iso-8859-1
  X-Mailer: Microsoft Office Outlook, Build 17.551210
  From: support@[mydomain.com]
  Message-Id: <20130205085653.A90CB2D80478@vmi10541.localdomain>
  Date: Tue,  5 Feb 2013 09:56:53 +0100 (CET)

  amo

See the "X-PHP-Originating-Script"? Well, if you navigate to 79.143.178.81/thumb.php you will find a spam PHP script.

Googling some text from this script produces other servers running it (http://www.google.com/search?q=MortoLino+-+mode*SPAMMER)

  http://avpv.com.br/
  http://www.ovelar.com.br/xp.php
  http://teste.originalsites.net/xp.php
  http://www.malys-et-delys.com/fag.php

Take a look around the last domain. In addition to fake banking websites, it has this gem: http://www.malys-et-delys.com/index.html

Do you think these servers have simply been compromised, or are they dedicated spamming machines?

Also, anyone understand why the Received headers mention "m81.ninthapple.com", when ninthapple.com is not even a registered domain?
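Added example, not part of the post: a small Python header walker that pulls out the attribution signals the poster used by hand. It unfolds the Received chain, takes the connecting IP from the hop where the message reached the recipient MTA (the one value a remote client cannot forge, unlike the claimed hostname and HELO string), reads the uid/script pair that PHP's mail.add_x_header setting stamps into X-PHP-Originating-Script, and flags the self-addressed From/To. The sample is the poster's header block with the "[mydomain]" placeholders left as written.

```python
import re

# Constructed sample: the header block quoted in the post, trimmed to the lines used here.
RAW_HEADERS = """\
Received: (qmail 28723 invoked from network); 5 Feb 2013 01:56:56 -0800
Received: from m81.ninthapple.com (HELO vmi10541.localdomain) (79.143.178.81)
  by [mydomain.net] with SMTP; 5 Feb 2013 01:56:55 -0800
Received: by vmi10541.localdomain (Postfix, from userid 48)
\tid A90CB2D80478; Tue,  5 Feb 2013 09:56:53 +0100 (CET)
To: support@[mydomain.com]
Subject: teste
X-PHP-Originating-Script: 0:thumb.php
From: support@[mydomain.com]
"""

HOP_RE = re.compile(r"from (\S+) \(HELO (\S+)\) \((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_headers(raw):
    """Return (name, value) pairs, unfolding RFC 5322 continuation lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:           # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def analyse(raw):
    """Extract the attribution signals the post relies on from a header block."""
    headers = parse_headers(raw)
    get = lambda n: next((v for k, v in headers if k.lower() == n.lower()), None)
    received = [v for k, v in headers if k.lower() == "received"]
    result = dict.fromkeys(["entry_ip", "claimed_host", "helo", "local_uid", "php_script"])
    # Hops are prepended, so the first "from X (HELO Y) (ip)" entry is where the
    # message reached our MTA; the ip is observed by us, X and Y are client claims.
    for hop in received:
        m = HOP_RE.search(hop)
        if m:
            result["claimed_host"], result["helo"], result["entry_ip"] = m.groups()
            break
    # Postfix records the local submitting account as "from userid N" on its own hop.
    result["local_uid"] = next((m.group(1) for h in received
                                for m in [re.search(r"from userid (\d+)", h)] if m), None)
    # PHP's mail.add_x_header option writes "uid:script" into this header.
    script = get("X-PHP-Originating-Script")
    result["php_script"] = script.split(":", 1)[1] if script and ":" in script else None
    result["from_equals_to"] = get("From") == get("To")   # self-addressed sender forgery
    return result
```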
