While speaking with an industry friend recently, he mentioned that he had received some spam. Viewed in plain text, the spam looked like this (the filename has been changed to spare the compromised host):
Subject: You have received a greeting from a family member! You can pick up your postcard at the following web address http://62.75.XXX.XXX/~XXXXXXXX/XXXXXXXXXX.exe
However, if you remove the executable from the URL, you get a directory listing:
So, from this we can see that the machine had been compromised for two months before the malicious code was placed on the site (one day before my friend received the message). However, the individual in this case is obviously not the sharpest knife in the drawer: "file.php" was in actual fact PHPShell, the attacker's back door:
This would allow anyone to access the compromised host without prior authentication. Yep, you guessed it: it would also allow any other enterprising bot herder to replace the original malicious code with their own! What this demonstrates is that bot herders don't need to be elite, ultra tech-savvy professionals. It also demonstrates that, just like any organized crime, there exists the potential for turf wars. *sigh* – 'til next time.
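The timeline above was read straight off the exposed directory listing: the oldest modification time marks the likely compromise, the newest marks the payload drop. As an added example, not from the original post, here is a small triage helper that does the same thing over an Apache-style "Index of" page; the listing is constructed for this example and its names and timestamps are invented.

```python
import re
from datetime import datetime

# Constructed sample of an Apache-style directory index for a compromised
# user directory. Names and timestamps are invented; the layout mirrors the
# default mod_autoindex output (name, last-modified, size).
SAMPLE_LISTING = """
<a href="/">Parent Directory</a>                          -
<a href="index.html">index.html</a>      2007-04-02 11:18  1.2K
<a href="file.php">file.php</a>          2007-04-02 11:20   45K
<a href="postcard.exe">postcard.exe</a>  2007-06-03 12:00  128K
"""

# One row per anchor that is followed by a "YYYY-MM-DD HH:MM" timestamp;
# the "Parent Directory" row has no timestamp and is skipped on purpose.
ROW_RE = re.compile(
    r'<a href="([^"]+)">[^<]*</a>\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})'
)


def parse_listing(html):
    """Return [(name, mtime), ...] for every file row in the index page."""
    entries = []
    for name, stamp in ROW_RE.findall(html):
        entries.append((name, datetime.strptime(stamp, "%Y-%m-%d %H:%M")))
    return entries


def timeline(entries):
    """Earliest and latest modification time plus the gap in whole days.

    The earliest time is the best available lower bound on when the host
    was compromised; the latest is when the newest file (the payload) landed.
    """
    times = [mtime for _, mtime in entries]
    first, last = min(times), max(times)
    return first, last, (last - first).days


def suspicious(entries):
    """Names worth a closer look: Windows executables served from a web root
    and PHP files, which is where a web shell such as PHPShell would hide."""
    return [name for name, _ in entries
            if name.lower().endswith((".exe", ".php"))]


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    first, last, days = timeline(rows)
    print(f"oldest file: {first}  newest file: {last}  gap: {days} days")
    print("triage:", suspicious(rows))
```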