Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:
<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..
See the nice eval line? This eval line hides multiple calls to generate spammy content. The spammers even added a nice disclaimer to help discourage the site owner from analyzing the malware, very nice of them we thought.
We did a bit more research on this type of spam and we found a bunch of other sites with the same content. However, the use of tracks.php was not consistant. The attackers were using random names across sites (paypal.php, content.php, possible.php, original.php, counter.php, packs.php, etc). They all perform very similar actions, they just use different names.
It seems that quite a few university sites are infected with this malware:
If you click on any of those links you would get a Viagra ad(or pharmacy shop), or other pharmaceutical related spam:
Most of those seem to be caused by outdated installs of WordPress. As we always recommend, update your site if you don’t want to end up in a compromised list like this one.
If you need assistance, or a site cleaned, check out the Sucuri service plans.