Highly flexible email spamming tool. All parameters arrive in the HTTP "cookie". This probably conceals the spamming slightly, as cookies are normally not logged.
This arrived 2017-12-12. Another version arrived 2018-09-25. Some aspects have changed; it is probably a feature upgrade and bug fix release.
Logged in to the emulated WSO web shell directly, with a password. This IP address did not try to log in to WordPress.
Code moved to the honey pot via the FilesMan action, uploadFile sub-action of WSO. A real WSO web shell would have created a file named ricches.php.
nslookup says: 176-123-10-248.alexhost.md
whois alexhost.md says:
organisation: ORG-ALEX2-RIPE
org-name: ALEXHOST SRL
org-type: OTHER
address: str. 31 August 1989, 127, Chisinau, Moldova
Moldova. The proximal hop of traceroute goes through 87.255.71.238, which is also registered to a Moldovan address, and apparently actually near downtown Chisinau, 47°00'20.2"N 28°51'27.
No real decoding is necessary; pretty-printing, just to make the code readable, helps a little.
The spamming parameters arrive in an HTTP cookie, set by the client calling the tool's URL.
a - control letter, one of [rpcbldmsL]
at - URL to contact with completion stats of spam run
bc - Bc: addresses
bo - email body text
cc - Cc: addresses
cd, cp - list of domains and TCP port numbers for ???
ch - character set to specify in HTML email
cm - if set, use ch character set in email address encoding
dl - user ID for "From:" email address, may be overridden if "ma" is set.
eh - hostname to use in "EHLO" SMTP command
fn - email address in "From:" SMTP header
ho - host name for some conditions
ht - if value is "1", send HTML email
lo - login name for SMTP servers that require it
ma - "From:" email address domain
mt - "To:" email address
mx - SMTP server DNS name
or - "Organization:" SMTP header
pa - password for SMTP servers that require a login
po - TCP port for SMTP server
rt - PHP `fsockopen()` timeout, seconds
sc, sl - user ID/password for login to a SOCKS server
sd - URL to post success/error codes and info back to.
sh, sp - SOCKS server hostname, port
sm - "Reply-To:" email address domain
st - controls how "From:" and "Reply-To:" addresses get constructed
su - "Subject:" line and title of HTML email
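The parameter names above are a usable fingerprint for this tool on the defending side. The following is an added example, not code from the post or from the spammer: it parses a Cookie header (assuming the ordinary `k=v; k2=v2` encoding, which the post does not reproduce) and scores how many of the tool's control keys appear, so a WAF or log pipeline can flag a request before cookies disappear into the unlogged void.

```python
import re
from typing import Dict, List

# Cookie parameter names taken from the table above: the single-letter
# action 'a' plus the two-letter settings the spammer reads.
SPAMMER_KEYS = {
    "a", "at", "bc", "bo", "cc", "cd", "cp", "ch", "cm", "dl", "eh", "fn",
    "ho", "ht", "lo", "ma", "mt", "mx", "or", "pa", "po", "rt", "sc", "sl",
    "sd", "sh", "sp", "sm", "st", "su",
}
# Keys that only make sense for sending mail; these weigh more than
# generic-looking names such as 'a', 'ch' or 'st' that benign apps also use.
MAIL_KEYS = {"mx", "mt", "fn", "su", "bo", "eh", "at", "sd", "bc", "cc"}
ACTION_RE = re.compile(r"^[rpcbldmsL]$")  # control letters listed for 'a'

def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name/value pairs.
    Assumption: standard 'k=v; k2=v2' encoding (the post only shows the
    decoded parameter names, not the raw cookie)."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip():
            pairs[name.strip()] = value.strip()
    return pairs

def matching_keys(header: str) -> List[str]:
    """Sorted list of the tool's parameter names present in the cookie."""
    return sorted(k for k in parse_cookie_header(header) if k in SPAMMER_KEYS)

def score_cookie(header: str) -> int:
    """Suspicion score: 1 per matching key, +2 per mail-specific key,
    +3 if 'a' holds one of the tool's control letters."""
    cookies = parse_cookie_header(header)
    hits = matching_keys(header)
    score = len(hits) + 2 * sum(1 for k in hits if k in MAIL_KEYS)
    if ACTION_RE.match(cookies.get("a", "")):
        score += 3
    return score

def is_spam_control_cookie(header: str, threshold: int = 12) -> bool:
    """Threshold chosen so a handful of generic keys alone never trips it."""
    return score_cookie(header) >= threshold

# Constructed sample headers (not captured traffic): one spammer-style
# control cookie and one ordinary session cookie that shares a few names.
SAMPLE_SPAM = ("a=s; mx=mail.example.test; po=25; eh=example.test; "
               "fn=x@example.test; mt=victim@example.test; su=hello; ht=1; bo=aGk=")
SAMPLE_BENIGN = "PHPSESSID=abc123; a=1; st=home; ch=utf-8"

if __name__ == "__main__":
    for h in (SAMPLE_SPAM, SAMPLE_BENIGN):
        print(score_cookie(h), is_spam_control_cookie(h), matching_keys(h))
```

Scores and the key set are meant to be tuned against the traffic you actually see; the benign sample scores 3 because three of the two-letter names are common in ordinary web apps, which is exactly why the mail-specific keys and the `a` control letter carry the weight.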
A fairly versatile tool, judging from the parameters alone. It can send email via the PHP mail() builtin, or it can speak a subset of SMTP by itself. It can send text or HTML email. It can pass through a SOCKS server. It uses an elaborate system of 2-character codes to communicate the spam run's status back to the sender.