Hacking confirmed?
I’ve received copies of what appear to be files placed on a website without the owner’s knowledge. Presumably the site was hacked.
The spammer was Asiawood.
The code looks encrypted to me, so I’ll need some help in deciphering what it does.
Any takers?
Update: I’ve confirmed hacking from Scrimak as well. And I have code samples. There’s also a possible third and fourth hacker. Either that or the same spammers, different MO.
Several people have had a look at the code. One described it as quite sloppy. The spammer is using the PHP files to pull in files from his own site. The location of that file remains invisible until you figure out the code - which you can only do by looking at the raw code.
Since webhosts don’t log outgoing connections, there are no signs in the logs except for the requests by visitors - you’d catch it by looking at the files requested.
One site owner compared what he found on the server with the files he had in his backup. He found even the root index.php had been altered. Some sites have alien files added in several directories - usually pre-existing directories.
I found two sites that looked like a default index page, except it had spammy links on it (probably added by the owner of the site - the domain name was spammy). The sites had also been hacked - serving up files belonging to someone else!
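The backup comparison described above, as an added example (not code from the original post): it hashes every file in a known-good backup and in the live web root, then reports files that were altered, added, or removed. The directory names and file contents in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_with_backup(backup_dir, live_dir):
    """Report files that differ between a trusted backup and the live site."""
    backup, live = file_hashes(backup_dir), file_hashes(live_dir)
    common = backup.keys() & live.keys()
    return {
        "altered": sorted(f for f in common if backup[f] != live[f]),
        "added": sorted(live.keys() - backup.keys()),    # alien files
        "missing": sorted(backup.keys() - live.keys()),
    }

def build_demo(base):
    """Constructed sample: a clean backup and a tampered live copy."""
    backup, live = Path(base, "backup"), Path(base, "live")
    clean = {
        "index.php": "<?php echo 'home'; ?>",
        "images/logo.txt": "logo",
        "blog/post.php": "<?php echo 'post'; ?>",
    }
    for tree in (backup, live):
        for rel, body in clean.items():
            path = tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Constructed tampering: altered root index.php, alien file in an existing directory.
    (live / "index.php").write_text(clean["index.php"] + "\n<?php /* placeholder */ ?>")
    (live / "images" / "cache.php").write_text("<?php /* placeholder alien file */ ?>")
    return backup, live

def demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_with_backup(*build_demo(base))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run `compare_with_backup` against a backup taken before the suspected intrusion; a backup made afterwards may already contain the altered files.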
September 13th, 2006 at 10:48 am
I would CERRRRTAINLY be interested, as I and several others are actively investigating a series of intrusions based around the spammers behind My Canadian Pharmacy. I’m interested to know if this is related somehow.
Let me know. And you don’t have to make this comment public.
SiL