After we had determined the source of the malicious scripts, we conducted a thorough investigation of the website. During that review we uncovered a generic phishing kit that had been deployed as part of the attack.
This phishing kit was collecting login credentials for multiple platforms and services. This compromised site visitor data, which could have led to an erosion of trust between those visitors and the website.
We reviewed the comments in each malicious script found within the directory. Based on that review, we were able to ascertain that the infection came from a phishing kit known as "X-Phisher."
The script was located here: `/public_html/amigo /general domains/v2/`. Below is a summary of the malicious files:
- index.php
- login.php
- signin.php
- submit.php
- success.php
- verify.php
- visitors.txt
- Your_email.php
- antibots.txt
- antibots1.php
- antibots2.php
- antibots3.php
- antibots4.php
- authenticator.php
- get_browser.php
- get_ip.php
- index.php
- logs.txt
- newips.php
Within the directory there was also an archive, "general domains.zip," containing the malicious scripts. This told us that the kit had been uploaded to the website owner's server as an archive file and unpacked there.
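A defender-side check built from the file list above, added here as an example and not code from the original write-up or from the kit itself: it walks a web root, scores each directory by how many of the listed X-Phisher filenames co-occur there (a single `index.php` or `login.php` is normal, a cluster of `antibots*.php`, `visitors.txt`, `newips.php` is not), and separately reports archive files sitting inside the web root, since the kit arrived as a zip. The thresholds, the "strong indicator" subset and the sample directory tree it builds are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# Filenames of the X-Phisher kit as listed in the write-up. Several of them
# (index.php, login.php, submit.php) are ordinary on legitimate sites, so a
# single match means nothing; the scanner scores how many co-occur in one
# directory.
KIT_FILENAMES = {
    "index.php", "login.php", "signin.php", "submit.php", "success.php",
    "verify.php", "visitors.txt", "Your_email.php", "antibots.txt",
    "antibots1.php", "antibots2.php", "antibots3.php", "antibots4.php",
    "authenticator.php", "get_browser.php", "get_ip.php", "logs.txt",
    "newips.php",
}
# Assumed subset of names that rarely appear in legitimate web roots; two or
# more in one directory is treated as a strong signal even if the total count
# is low.
STRONG_INDICATORS = {
    "antibots.txt", "antibots1.php", "Your_email.php", "newips.php",
    "visitors.txt", "get_ip.php", "get_browser.php", "authenticator.php",
}
# Archives inside a web root are worth a look on their own: the write-up
# notes the kit arrived as "general domains.zip".
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z", ".tar", ".gz", ".tgz"}


def score_directory(names, min_matches=5, min_strong=2):
    """Score one directory's file names against the kit indicator set.

    Returns (matched, strong, flagged). The compare is case-insensitive
    because the kit's own files mix cases (Your_email.php).
    """
    lower = {n.lower() for n in names}
    matched = sorted(n for n in KIT_FILENAMES if n.lower() in lower)
    strong = sorted(n for n in STRONG_INDICATORS if n.lower() in lower)
    flagged = len(matched) >= min_matches or len(strong) >= min_strong
    return matched, strong, flagged


def scan_webroot(root):
    """Walk a web root and return flagged directories and archive files.

    Paths in the result are relative to root so a report is comparable
    across hosts.
    """
    root = Path(root)
    kit_dirs, archives = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        _matched, _strong, flagged = score_directory(filenames)
        if flagged:
            kit_dirs.append(str(rel))
        for name in filenames:
            if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                archives.append(str(rel / name))
    return {"kit_dirs": sorted(kit_dirs), "archives": sorted(archives)}


def build_demo_tree(base):
    """Construct a sample web root (a fixture for this example, not real data):
    a legitimate-looking account directory, a kit directory laid out like the
    one in the write-up, and the leftover archive one level up."""
    base = Path(base)
    legit = base / "public_html" / "account"
    legit.mkdir(parents=True)
    for n in ("index.php", "login.php", "submit.php", "style.css"):
        (legit / n).write_text("<?php // placeholder\n")
    kit_parent = base / "public_html" / "amigo" / "general domains"
    kit = kit_parent / "v2"
    kit.mkdir(parents=True)
    for n in KIT_FILENAMES:
        (kit / n).write_text("placeholder\n")
    (kit_parent / "general domains.zip").write_bytes(b"PK\x03\x04")
    return base


def demo():
    """Run the scanner over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    findings = demo()
    for d in findings["kit_dirs"]:
        print("possible phishing kit directory:", d)
    for a in findings["archives"]:
        print("archive inside web root:", a)
```

On a real host, point `scan_webroot` at the document root and review every flagged directory by hand; the `account` directory in the fixture shows why a raw count of common names would over-alert, and the archive listing is there because an unpacked zip left beside its contents is often the quickest clue to how and when a kit landed.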
Now we had the location and the list. It was time to figure out exactly how the phishing kit was able to operate and do so much damage to the sites it corrupted.