Check this thread on WordPress.org forum. The topic starter found a suspicious PHP file and asked what it was doing.
The code analysis shows that it’s some sort of a spammy doorway. But it’s a very strange doorway and the way that it works doesn’t make sense to me.
Earlier this week, Sucuri wrote about auto generated iframes in hacked WordPress blogs. The malicious PHP code fetched the iframe URLs from a remote server (hxxp://82 .200 .204 .151/config.inc.php) on-the-fly every time someone loaded infected web pages. This trick helped regularly update the malicious URLs without having to change the code on each hacked site individually. All the URLs had the same format http://<domain-of-a-hacked -site.com>/news/faults-ending.php. For example, hxxp://brewerstire .com/news/faults-ending.php .
This reminded me of another ongoing attack that also rotates iframe URLs in a similar way. However it has some distinguishing features that make it worth it to describe it separately.
A few weeks ago I published an article about an attack that hosted malware on a fast flux network of infected PCs and used a clever algorithm based on Twitter trends to generate four new hard-to-predict domain names every day.
Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script.
The other day I received an email from a webmaster whose site was blacklisted by Google. In Webmaster Tools, he found the following example of a malicious code detected on his site (domain changed):
<img src="http://example .net/images/logos/rssicon.png" />
So why did Google think this image tag was malicious? Can images be malicious? After all they are not scripts, iframes or embedded executable objects that that hackers use to attack web surfers.
After a series of posts about Google Image poisoning campaigns that used hot-linked images a main trick to get top positions in search results, I’d like to describe a different Google Image poisoning attack that affects WordPress blogs and uses self-hosted images.
Some webmasters have problems locating the rogue .htaccess files so I decided to address this issue again.
Continue (some new facts included) »»
Selected short messages and links you might have missed if you don’t follow me on Twitter.