The Latest in IT Security

Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

14 Jan 2012


Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..

See the nice eval line? It hides multiple calls that generate the spam content. The spammers even added a disclaimer to discourage the site owner from analyzing the malware, which we thought was very nice of them.

Technical analysis

We did a bit more research on this type of spam and found a number of other sites with the same content. However, the use of tracks.php was not consistent: the attackers used random file names across sites (paypal.php, content.php, possible.php, original.php, counter.php, packs.php, etc.). They all perform very similar actions; they just use different names.
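As an added example (not code from the original post or from Sucuri), the following Python scanner shows how a defender can look for the two traits described above: the eval(base64_decode("...")) construct from the tracks.php snippet, and PHP files sitting under an uploads/ directory regardless of their name. The base64 literal is decoded to text for reading only; nothing is executed. The sample web root it builds, the file names and the benign payload are all constructed for this demonstration, as is the assumption that the site is a WordPress install with a wp-content/uploads tree.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Signature for the obfuscation shown on the page: eval() wrapping
# base64_decode() with a quoted literal. Whitespace between tokens is
# tolerated because the sample has spaces around "(" and before ";".
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)',
    re.IGNORECASE,
)
# error_reporting(0) hides warnings that would otherwise expose a broken payload.
SILENCE_RE = re.compile(r'error_reporting\s*\(\s*0\s*\)')


def decode_payload(b64: str) -> str:
    """Decode a base64 literal to text so an analyst can read it. Nothing is run."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate a truncated literal, as on the page
    try:
        raw = base64.b64decode(padded)
    except binascii.Error:
        return ""
    return raw.decode("utf-8", errors="replace")


def scan_php_source(text: str) -> dict:
    """Report the indicators found in one PHP source string."""
    literals = EVAL_B64_RE.findall(text)
    return {
        "eval_base64": bool(literals),
        "silences_errors": bool(SILENCE_RE.search(text)),
        "decoded": [decode_payload(b) for b in literals],
    }


def scan_tree(root) -> list:
    """Walk a web root and return one finding per flagged .php file.

    A .php file under an uploads/ directory is flagged even without a payload
    match: executable PHP in an upload folder is unusual by itself, and every
    file name in the page's list is random, so names cannot be relied on.
    """
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        result = scan_php_source(path.read_text(errors="replace"))
        in_uploads = "uploads" in path.parts
        if result["eval_base64"] or in_uploads:
            findings.append({
                "file": str(path.relative_to(root)),
                "in_uploads": in_uploads,
                **result,
            })
    return findings


def build_sample_tree(root) -> None:
    """Write a constructed sample web root (not real malware) for a dry run."""
    root = Path(root)
    # Constructed stand-in for the dropper: same shape as the page's snippet,
    # but the payload decodes to a harmless echo statement.
    payload = base64.b64encode(b'echo "constructed benign payload";').decode()
    dropper = (
        "<?php // Any reproduction of this document in part or in whole is strictly prohibited.\n"
        f'error_reporting(0) ;eval ( base64_decode("{payload}") ) ;\n'
    )
    (root / "wp-content/uploads/2011/09").mkdir(parents=True)
    (root / "wp-content/uploads/2011/09/original.php").write_text(dropper)
    # A legitimate theme file that must not be flagged.
    (root / "wp-content/themes/x").mkdir(parents=True)
    (root / "wp-content/themes/x/functions.php").write_text(
        "<?php function x() { return 1; }\n"
    )


def run_demo() -> list:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["file"], finding["eval_base64"], finding["decoded"])
```

Run it against a real web root by calling scan_tree("/path/to/docroot"). The decoded text is the useful output: with the obfuscation removed, the analyst sees the plain PHP that generates the spam and can decide what to remove. A match on eval(base64_decode is a strong signal but not proof of compromise, so review each flagged file rather than deleting on sight.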

It seems that quite a few university sites are infected with this malware:

http://www.physics.hmc.edu/courses/p057/pmwiki/uploads/original.php?cpq=8548&KEV=1324630801

http://sustainabilitystudies.gmu.edu/wp-content/uploads/2011/09/original.php?rbb=8410&WFR=1321164001

http://iml.usc.edu/wp-content/uploads/2011/09/original.php?kex=31192&XAW=1319432401

http://www.cs.lamar.edu/upload/original.php?prv=39367&DAC=1324018801

http://financialaid.gmu.edu/wp-content/uploads/2011/11/original.php?mip=17989&ZRP=1320876002

http://www.rio.edu/chemistry/images/paypal.php?tyi=11921&XAN=1319922001

http://oceanai.mit.edu/kfisher/prices.php?zof=28644&GYC=1322848802

http://globalchange.umich.edu/gctext/paypal.php?dmh=18852&OOB=1323802801

http://schorr.edu.pl/296530829installation/tablets.php?q809=257

http://summer.gmu.edu/wp-content/uploads/2010/tablets.php?rtu=35250&TJI=1322301601

http://www.tekim.undip.ac.id/original.php?wmy=7611&UPO=1325300401

http://www.ise.gmu.edu/alumni/possible.php?jnx=44623&TWF=1325822401

http://sacs.tfc.edu/possible.php?rce=5245&LZB=1319709601

http://www.cibt.net/possible.php?dgo=23988&ZHJ=1326150001

http://iam.unh.edu/iam/possible.php?rzn=33811&VYF=1325570401

http://convivencia.uniminuto.edu/dmdocuments/democracy.php?uwd=25793&JKL=1318748401

http://snapi2011.cs.fiu.edu/cookbook/brand.php?ehp=17578&OPS=1324339201

http://www.chemistry.sdsu.edu/TheVolumeSettingsFolder/order.php?ehk=12187&PAE=1325854801

http://ifi.edu.mx/suspended.page/prices.php?l678=218

http://www.bio.sdsu.edu/pub/spiders/Dunes/Images/prices.php?wnv=14632&EVP=1325941201

http://www.garamond.ca/wp-content/plugins/democracy/democracy.php?dem_action=view&

If you click on any of those links, you get a Viagra ad (or a pharmacy shop) or other pharmaceutical spam:

(Screenshot: Viagra spam)

Most of those seem to be caused by outdated installs of WordPress. As we always recommend, update your site if you don’t want to end up in a compromised list like this one.

If you need assistance, or a site cleaned, check out the Sucuri service plans.


