Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

We found infected sites where malware created a fake WordPress plugin that generated pharma spam doorways.

Path: wp-content/plugins/social-share/wp-social-share.php

This file creates wp-content/plugins/social-share/share.php that calls itself WP Social Include File. It downloads doorway generator from hxxp://api-linux . net/json/json_01.txt, writes it into wp-content/mu-plugins/mu-plugin.png and then includes this file at the bottom of wp-includes/load.php

The doorway generator uses the following URLs:

Some of the above URLs should only be accessed using a special User Agent

If you are a hosting provider, we recommend blocking HTTP requests to these external sites, to stop the spam doorways from being distributed. We will share more details as we learn more about it.