SBM Labs

Cyber Security Collaboration Project

Spam-Infected Website
08 Jun 2017

Suppose your monitoring system suddenly reports a large number of messages sitting in the mail service queue. The host may be sending spam. The first thing to establish is what is initiating the e-mails. If PHP's mail.add_x_header option is enabled, each queued message carries an X-PHP-Originating-Script header naming the script that called mail(); otherwise correlate the mail log timestamps with the web server's access log. In our case it was an unknown script, error2.php.

Let's look at the script's contents.

As you can see, error2.php was obfuscated. It kept the decoder name and the encoded payload in an associative array and used base64_decode to produce a string that was then passed to eval(). To see the decoded payload, replace eval with echo on an isolated copy of the file (never execute the original on the live host) and look at what is printed.
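Replacing eval with echo still runs whatever surrounds the eval call, so a safer first pass is to decode the base64 literals statically. The following script is an added example, not code from SBM Labs or from error2.php: it builds a constructed sample in the style the post describes (associative array, base64_decode, eval), pulls every base64-looking string literal out of the file text, decodes it without executing anything, and lists the calls in the decoded payload that deserve attention. The payload, the array keys and the token list are assumptions made for the example.

```python
import base64
import re

# Constructed PHP payload for the example; this is not the real error2.php body.
PAYLOAD = 'mail($_POST["to"], $_POST["subject"], $_POST["body"], $_POST["headers"]);'

# Constructed obfuscated file in the style the post describes: an associative
# array holds the decoder name and the base64 payload, and the decoded string
# is handed to eval(). The encoding is done here so the sample is self-contained;
# in a real file you would find the base64 string already in place.
SAMPLE = (
    "<?php\n"
    "$q = array('d' => 'base64_decode', 'p' => '"
    + base64.b64encode(PAYLOAD.encode()).decode()
    + "');\n"
    "eval($q['d']($q['p']));\n"
)

# A quoted run of base64-alphabet characters, at least 16 long, with optional '=' padding.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

# Calls and superglobals worth a look in a decoded payload (assumed list for the example).
SUSPICIOUS = ("mail(", "system(", "exec(", "shell_exec(", "passthru(",
              "preg_replace(", "$_POST", "$_GET", "$_REQUEST", "$_COOKIE")


def uses_eval_with_decoder(src):
    """True when the file both calls eval() and names base64_decode."""
    return "eval(" in src and "base64_decode" in src


def decode_payloads(src):
    """Decode every base64-looking literal in `src` without executing anything.

    Strict decoding drops candidates that are not really base64, and the
    utf-8 check drops binary blobs (images, zipped data) stored as base64.
    """
    payloads = []
    for literal in B64_LITERAL.findall(src):
        try:
            payloads.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return payloads


def indicators(decoded):
    """Return the suspicious tokens present in a decoded payload, in list order."""
    return [token for token in SUSPICIOUS if token in decoded]


if __name__ == "__main__":
    print("eval + base64_decode present:", uses_eval_with_decoder(SAMPLE))
    for payload in decode_payloads(SAMPLE):
        print("decoded payload:", payload)
        print("indicators:", indicators(payload))
```

Real samples often nest several layers (the decoded string is itself another base64_decode/eval), so run decode_payloads again on each decoded payload until nothing new comes out; gzinflate or str_rot13 layers need the matching decoder added to the loop.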

In the web server logs we found POST requests to error2.php. The client addresses, timestamps and user agents of those requests show who was driving the script and over what period, which is what you need for blocking and for judging how long the host was abused.
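The log triage described above, as an added example that is not part of the original post: it parses a handful of constructed access-log lines in the usual combined format, counts POSTs to the script per client address, reports the activity window, and lists the user agents seen on the POSTs. The assumptions are that the script lives at /error2.php under the document root and that the log is in Apache/nginx combined format; the addresses and times in the sample are invented.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed access-log lines in "combined" format (Apache/nginx).
# Addresses, timestamps and user agents are invented for this example.
LOG = """\
192.0.2.55 - - [07/Jun/2017:23:58:31 +0000] "GET /error2.php HTTP/1.1" 200 0 "-" "curl/7.47.0"
203.0.113.7 - - [08/Jun/2017:10:01:12 +0000] "POST /error2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2017:10:01:14 +0000] "POST /error2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jun/2017:10:02:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2017:10:05:41 +0000] "POST /error2.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jun/2017:10:06:09 +0000] "POST /error2.php HTTP/1.1" 200 31 "-" "python-requests/2.9.1"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            row = m.groupdict()
            row["when"] = datetime.strptime(row["ts"], TS_FORMAT)
            rows.append(row)
    return rows


def requests_to(rows, path, method=None):
    """All requests for `path`, optionally restricted to one HTTP method."""
    return [r for r in rows if r["path"] == path and (method is None or r["method"] == method)]


def posting_clients(rows, path):
    """(ip, count) pairs for POST requests to `path`, busiest client first."""
    return Counter(r["ip"] for r in requests_to(rows, path, "POST")).most_common()


def activity_window(rows, path):
    """(first, last) timestamps of any request to `path`, as written in the log.

    The first hit is often a GET with which the operator checked that the
    script was reachable before starting to POST jobs to it.
    """
    hits = sorted(requests_to(rows, path), key=lambda r: r["when"])
    if not hits:
        return None
    return hits[0]["ts"], hits[-1]["ts"]


def user_agents(rows, path):
    """Distinct user agents seen on POSTs to `path`; scripted clients stand out."""
    return sorted({r["ua"] for r in requests_to(rows, path, "POST")})


if __name__ == "__main__":
    rows = parse(LOG)
    print("POST clients:", posting_clients(rows, "/error2.php"))
    print("activity window:", activity_window(rows, "/error2.php"))
    print("user agents:", user_agents(rows, "/error2.php"))
```

On a real host, feed the rotated logs too; the first request to the script usually predates the mail-queue alert by some time, and the earliest entry is the better estimate of when the compromise happened.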

Let's check the suspected script on VirusTotal.

Then let's check the malicious script with AI-Bolit, an antivirus / malware scanner for websites and hosting.

$ php ai-bolit.php --help

$ php ai-bolit.php -j /PATH/TO/FILE

There are no detections. OK, let's try paranoid mode.

$ php ai-bolit.php -x 2 -j /PATH/TO/FILE

Success! The malicious code was detected. Paranoid mode flags more constructs at the cost of more false positives, so review its hits manually rather than deleting every file it reports.
