SiteCheck Signatures

  1. Home
  2. Docs
  3. SiteCheck Signatures
  4. malware-entry-mwspamph23

malware-entry-mwspamph23

Description Malware used on a large scale SEO SPAM work:
http://blog.sucuri.net/2010/05/seo-spam-network-code-used-and-more.html
http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html
http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html

It has a random name and is generally hidden at the top directory of a site (kip.php,
fwwkd.php, mrsk.php, .data.php, etc), inside the wp-content/uploads directory
(fonction.php, wp-links.php, etc) and inside a random directory on the wp-includes.

It is also at the wp-includes/index.php.

In some of the variations it loads the spam links from: http://dvc44ftgr.com/

Affecting: Any WordPress hacked during Feb/Mar/Apr/May 2010

Malware dump: