Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: WHOIS contact spam with malicious security maintenance script attachment - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
WHOIS contact spam with malicious security maintenance script attachment

We received a report from Hugh Brower that there is a spammed email destined for whois contacts that contains a malicious php attachment. The email is spoofed to look like it's from the domain's hosting provider. The email attempts to trick the recipient into executing the attachment. Currently the attachment information is;

Attachment Name webguard.php
File size: 130990 bytes
MD5: 1071956063131f0fd178ace92ab526bb
SHA1: c47dd28e336030e3d940b66e2884aba91124a831

The email says;

"Subject: Hosting Regular Security Maintenance

Dear yourdomainhost valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:

"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:

1) Download the attachment named "webguard.php"

2) Login to your site Control panel.

3) Open "File Manager" window.

4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),

but for Windows Based server, please Go through "wwwroot" directory.

5) Choose "Upload Files"

6) Upload the file "webguard.php"

7) Check its URL too "", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards"

The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.

Thanks Hugh!


193 Posts
Feb 19th 2007

Sign Up for Free or Log In to start participating in the conversation!