For a few months now, we have been actively monitoring a spambot named Stealrat, which primarily uses compromised websites and systems in its operations. Over that period we have identified about 195,000 domains and IPs that have been compromised. The common denominator among these compromised sites is that they are running vulnerable CMS software such as WordPress, Joomla and Drupal. In this entry, we will discuss how website administrators can check whether their website is compromised and part of the Stealrat botnet. The first step is to check for the spammer scripts that are commonly found, namely sm13e.php or sm14e.php. Note, however, that these scripts may change file name, so it is better to check for any unfamiliar PHP file. The scripts take the following parameters:
- l → email address (to send spam to)
- e → nine randomly generated characters
- m → mail server (i.e. googlemail)
- d → mail template
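The two checks described above (looking for the known script names, and flagging any PHP file an administrator does not recognise) can be scripted, and the parameter names listed give a second, file-name-independent signal in web server access logs. The following Python is an added example written for this entry; it is not code from the original post or from Trend Micro. It assumes a Combined/Common Log Format access log, that the spammer script receives l, e, m and d in the request query string, and that the administrator can supply a baseline list of PHP files that legitimately belong to the site. The web root and log lines below are constructed sample data.

```python
import os
import re
import tempfile
from urllib.parse import urlparse, parse_qs

# Script names named in the post; a renamed copy will not match this set.
KNOWN_STEALRAT_SCRIPTS = {"sm13e.php", "sm14e.php"}
# Parameter names used by the spammer script (l, e, m, d).
STEALRAT_PARAMS = {"l", "e", "m", "d"}

# Common Log Format prefix: client, ident, user, [timestamp], "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_suspect_php(webroot, baseline):
    """Walk the web root and return (known_hits, unfamiliar) as sorted relative paths.

    known_hits:  PHP files whose name matches a known Stealrat script name.
    unfamiliar:  any other PHP file not present in the administrator's baseline.
    """
    known, unfamiliar = [], []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            if name.lower() in KNOWN_STEALRAT_SCRIPTS:
                known.append(rel)
            elif rel not in baseline:
                unfamiliar.append(rel)
    return sorted(known), sorted(unfamiliar)


def find_spam_requests(log_lines):
    """Return (client_ip, script_path) for requests to a .php file carrying all
    four spammer parameters, regardless of what the script is called."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        url = urlparse(m.group("target"))
        if not url.path.lower().endswith(".php"):
            continue
        params = set(parse_qs(url.query).keys())
        if STEALRAT_PARAMS <= params:
            hits.append((m.group("ip"), url.path))
    return hits


# --- constructed sample data -------------------------------------------------

SAMPLE_BASELINE = {"index.php", "wp-login.php"}  # files the admin recognises

SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2013:12:00:01 +0000] "GET /wp-content/uploads/sm13e.php'
    '?l=victim%40example.net&e=Kq8mZp2Xw&m=googlemail&d=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jul/2013:12:00:02 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8120',
    # Same parameter pattern, but the script has been renamed to look like a cache file.
    '203.0.113.5 - - [10/Jul/2013:12:00:03 +0000] "POST /images/cache.php'
    '?l=a%40example.org&e=Pz1Lm3Qr7&m=googlemail&d=2 HTTP/1.1" 200 48',
]


def build_sample_webroot():
    """Create a throwaway directory tree resembling a compromised WordPress install."""
    root = tempfile.mkdtemp(prefix="stealrat-demo-")
    for rel in ("index.php", "wp-login.php",
                "wp-content/uploads/sm13e.php", "images/cache.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // sample file, not real content\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    known, unfamiliar = find_suspect_php(root, SAMPLE_BASELINE)
    print("known Stealrat script names:", known)
    print("unfamiliar PHP files:       ", unfamiliar)
    print("spam-sending requests:      ", find_spam_requests(SAMPLE_LOG))
```

On a real site, replace `SAMPLE_BASELINE` with the file list from a clean copy of the CMS and its plugins, and feed `find_spam_requests` the actual access log; the parameter check is what catches a copy of the script that has been renamed, which the file-name check alone would miss.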