Email spamming program: sends emails through a cut-out, allowing the original sender to hide their identity.
207.154.233.143 does not match any DNS names.
207.154.233.143 is a Digital Ocean IP address
The attacker tried to use the "FilesMan" action, "uploadFile" sub-action of the WSO (Web Shell by oRb) web shell. My fake WSO received it instead.
All email spam related values arrive as Base64-encoded text as values for HTTP POST parameters.
| Parameter |
|---|
| mailto |
| msgbody |
| msgheader |
| msgsubject |
Ultimately calls the PHP mail() builtin. It's a very thin wrapper.
Can return 3 strings: "indata_error" "sent_ok" "sent_error"
Coding style is consistent, if a bit peculiar for PHP. The author indented the '{' and '}' characters at the same indentation as the code they delimit.
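A defender's view of the same request format, as an added example (my code, not the spam script or anything from the honeypot): it inspects a URL-encoded POST body for the four parameter names listed above, strictly Base64-decodes each one, and classifies the request. The sample bodies are constructed, and the verdict names are my own, not the script's "indata_error"/"sent_ok"/"sent_error" strings.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Parameter names taken from the notes on the captured spam script.
SPAM_PARAMS = ("mailto", "msgbody", "msgheader", "msgsubject")


def decode_b64_param(value: str):
    """Strictly decode one Base64 value; None when it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyse_post_body(body: str) -> dict:
    """Classify a URL-encoded POST body by the spam script's parameters.

    'spam_relay_request'     : all four names present and Base64-decodable
    'malformed_spam_request' : some names present, or a value fails to decode
    'no_match'               : none of the names appear
    """
    fields = parse_qs(body, keep_blank_values=True)  # %2B is restored to '+'
    decoded, undecodable = {}, []
    for name in SPAM_PARAMS:
        if name not in fields:
            continue
        text = decode_b64_param(fields[name][0])
        if text is None:
            undecodable.append(name)
        else:
            decoded[name] = text
    present = [n for n in SPAM_PARAMS if n in fields]
    if not present:
        verdict = "no_match"
    elif len(decoded) == len(SPAM_PARAMS):
        verdict = "spam_relay_request"
    else:
        verdict = "malformed_spam_request"
    return {"verdict": verdict, "decoded": decoded, "undecodable": undecodable}


def build_sample_body(corrupt: bool = False) -> str:
    """Constructed sample POST body in the script's format (not captured traffic)."""
    plain = {"mailto": "victim@example.invalid", "msgsubject": "Account notice",
             "msgheader": "From: spoofed@example.invalid", "msgbody": "Test body."}
    enc = {k: base64.b64encode(v.encode()).decode() for k, v in plain.items()}
    if corrupt:
        enc["msgbody"] = "not*base64*"  # characters outside the alphabet -> decode fails
    return urlencode(enc)
```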
sockets.php
not accessed yet (Sat May 5 20:48:23 MDT 2018)