We received a report from Hugh Brower of a spammed email, sent to domain whois contacts, that contains a malicious PHP attachment. The email is spoofed to look like it comes from the domain's hosting provider, and it attempts to trick the recipient into executing the attachment. Currently the attachment information is:
Attachment name: webguard.php
File size: 130990 bytes
The email says:
"Subject: Hosting Regular Security Maintenance
Dear yourdomainhost valued Members
Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.
So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:
"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.
If you do not know how to use it, you can use the following instruction:
For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:
1) Download the attachment named "webguard.php"
2) Login to your site Control panel.
3) Open "File Manager" window.
4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),
but for Windows Based server, please Go through "wwwroot" directory.
5) Choose "Upload Files"
6) Upload the file "webguard.php"
7) Check its URL too "http://www.yoursite.com/webguard.php", if it is ok
Thank you for using our services and products. We look forward to providing you with a unique and high quality service."
The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.
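As an added example (not part of the original report), a mail-gateway style check that scores a raw message against the indicators given above: the subject line, the attachment name and the attachment size. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the report above.
IOC_NAME = "webguard.php"
IOC_SIZE = 130990
IOC_SUBJECT = "hosting regular security maintenance"
# Assumption: script types a hosting provider has no reason to mail to customers.
SCRIPT_EXTS = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi", ".pl")


def score_message(raw):
    """Return the list of reasons a raw RFC 5322 message matches the lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if IOC_SUBJECT in subject:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""  # decoded size, not base64 size
        if name == IOC_NAME:
            reasons.append("attachment-name")
        elif name.endswith(SCRIPT_EXTS):
            # Catches a renamed attachment of the same kind.
            reasons.append("script-attachment")
        if len(payload) == IOC_SIZE:
            reasons.append("attachment-size")
    return reasons


def build_sample(subject, filename, size):
    """Constructed test message; the payload is inert filler, not the real file."""
    m = EmailMessage()
    m["From"] = "support@hosting.example"
    m["To"] = "admin@customer.example"
    m["Subject"] = subject
    m.set_content("Please upload the attached file.")
    m.add_attachment(b"A" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A size match alone is weak evidence, so treat it as corroboration for the name or subject match, not as a verdict.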