Speeding up indexing of SPAM files via sitemap.xml

Remember the wave of HTML files infection back in 2015 affecting outdated WordPress sites? Now it came back more powerful, with more files uploaded via a PHP backdoor.

We have found large number of created folders in the root folder of a website.

The naming convention of the SPAM files was different from the previous infections, and the uploader backdoor script was located in the wp-content folder.

The obfuscation had this string:

eval(fUUPd("jbvnzvTQep53AAZ8Dhs7BiKFjlmGFYISsAx772QUCKzD3nuQYw8/SY71x95+AWJAcnGVZz...

where fUUPd was a custom decryption function based on gzinflate/base64_decode and character code shift.

function fUUPd($NVAR) { 	$NVAR=gzinflate(base64_decode($NVAR)); 	for($i=0;$i<strlen($NVAR);$i++) { 		$NVAR[$i] = chr(ord($NVAR[$i])-1); 	} 	return $NVAR; }

After decoding, it was easy to recognize the most popular WSO/FilesMan web shell.

The interesting part was the sitemap.xml files in all SPAM folders that clearly speeded up indexing of the malicious pages in popular search engines.

Keep an eye on your Search Console reports and notifications – you may find early signs of the compromise there. Act before it’s too late and Google places embarrassing “This site may be hacked” label on your search results. Website security monitoring will help you stay on top of things.