Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.hacktool.SAPE.001.03

php.hacktool.SAPE.001.03

SAPE is a Russian service that allows to sell and buys links on websites. While this practice is legitimate, it is frown upon by major search engines as paid for links are used to manipulate search engine results. In most caseSape links are not relevevant to content of sites they are placed one. Such links are not marked as "nofollow", which contradicts guidelines of search engines. Still quite a few webmasters install SAPE code in hope to make some money even when they know that this may incur penalties from search engines.

SAPE provides scripts for various CMS, hosting platforms and programming languages. They load links from SAPE servers and make them look as natural as possible to fool search engines.

We realize that installing SAPE scripts is a choice of a webmaster, but we observe a pure malicious practice when hackers install SAPE code on hacked sites. They make money at expense of real owner of websites.

That why we detect SAPE code during server-side inspections and investigate whether they are legitimate or not.

Affecting

Any servers with enabled PHP

Cleanup

If Sape code was not installed be a webmaster, delete it and scan your server for other types of malware and specifically for backdoors.
You can also sign up with us and let our team remove the malware for you.

Dump

  ... typical excerpts from Sape code ...
...
class SAPE_base {
    var $_version = '1.1.7';
    var $_verbose = false;
    var $_charset = ''; // http://www.php.net/manual/en/function.iconv.php
    var $_sape_charset = '';
    var $_server_list = array('dispenser-01.sape.ru', 'dispenser-02.sape.ru');
    var $_cache_lifetime = 3600;
    var $_cache_reloadtime = 600;
    var $_error = '';
    var $_host = '';
...
/**
 * Класс для работы со статьями articles.sape.ru показывает анонсы и статьи
 */
class SAPE_articles extends SAPE_base {
    var $_request_mode;
    var $_server_list             = array('dispenser.articles.sape.ru');
    var $_data                    = array();
    var $_article_id;
    var $_save_file_name;
    var $_announcements_delimiter = '';
    var $_images_path;
    var $_template_error = false;
    var $_noindex_code = '';
    var $_headers_enabled = false;
    var $_mask_code;
    var $_real_host;
    var $_user_agent = 'SAPE_Articles_Client PHP';
...
>
...