For a few months now, we have been actively monitoring a spambot named Stealrat, which primarily uses compromised websites and systems in its operations. We have continuously monitored its operations and identified about 195,000 thousand domains and IPs that have been compromised. The common denominator among these compromised sites is that they are running vulnerable CMS software such as WordPress, Joomla and Drupal.
In this entry, we will discuss how website administrators can check if their website is compromised and part of the Stealrat botnet.
The first step is to check for the spammer scripts that are commonly found namely sm13e.php or sm14e.php. But note that these scripts may change in terms of file name, so it would be better to check for any unfamiliar PHP file.
Spamming scripts inside a compromised website
Another way to check for the presence of the malicious PHP file is to search for any of the following strings in the codes:
- die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321)
- die(PHP_OS.chr(49).chr(49).chr(43).md5(0987654321)
For those running on Linux, you can search for the string using the grep command grep “die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321” /path/to/www/folder/, while for Windows it’s content:”die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321″.
The mentioned strings in the PHP file
These strings are part of the “die” code of the PHP file (e.g. when certain parameters are not met). Our colleagues at DeepEnd Research have already posted a copy of sm14e.php. As far as we know, this is the latest version of the script in the wild and compared to sm13e.php, sm14e.php now supports multiple email addresses to send spam to. Other than that, it is still the same PHP file that accepts the following parameters:
- l → email address (to send spam to)
- e → nine randomly generated characters
- m → mail server (ie. googlemail)
- d → mail template
Its response varies depending on the parameters supplied, as well as the result of the spamming routine:
Script responses based on results
For website admins, we recommend the deletion of the files resembling those described above, and the updating of their content management systems – especially WordPress, Joomla or Drupal. More information on this threat, as well as the other components that need to be taken note of are available in our paper, Stealrat: An In-Depth Look at an Emerging Spambot.
