Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.spam-seo.xviewstate.002

php.spam-seo.xviewstate.002

Blackhat SEO is a malicious technique used to manipulate the search engine results in order to benefit a website in terms of relevance. The payload is PHP based, thus intended for server-side use and the payload is executed directly on the server, while the site is loaded. Only the payload result (such as malicious iframe, or redirect) is visible in the browser, not the malicious code itself.
xViewState hides itself from the user using a paragraph style, which is created by a JavaScript function, which can also be found obfuscated by PHP functions. The, the style is used to hide the malicious content. It was first saw inside Joomla extensions and more details can be found in this article.

Affecting

Any vulnerable PHP based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your files looking for the code in the dump below. Also, you can contact Sucuri to help you with the infection removal.

Dump


<script language="JavaScript">

function dnnViewState()

{

var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];

t=z='';

for(v=0;v<m.length;){t+=m.charAt(v++);

if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);

t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

</script>

By A Website Design