Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..

See the nice eval line? This eval line hides multiple calls to generate spammy content. The spammers even added a nice disclaimer to help discourage the site owner from analyzing the malware, very nice of them we thought.

Technical analysis

We did a bit more research on this type of spam and we found a bunch of other sites with the same content. However, the use of tracks.php was not consistant. The attackers were using random names across sites (paypal.php, content.php, possible.php, original.php, counter.php, packs.php, etc). They all perform very similar actions, they just use different names.

It seems that quite a few university sites are infected with this malware:

http://www.physics.hmc.edu/courses/p057/pmwiki/uploads/original.php?cpq=8548&KEV=1324630801

http://sustainabilitystudies.gmu.edu/wp-content/uploads/2011/09/original.php?rbb=8410&WFR=1321164001

http://iml.usc.edu/wp-content/uploads/2011/09/original.php?kex=31192&XAW=1319432401

http://www.cs.lamar.edu/upload/original.php?prv=39367&DAC=1324018801

http://financialaid.gmu.edu/wp-content/uploads/2011/11/original.php?mip=17989&ZRP=1320876002

http://www.rio.edu/chemistry/images/paypal.php?tyi=11921&XAN=1319922001

http://oceanai.mit.edu/kfisher/prices.php?zof=28644&GYC=1322848802

http://globalchange.umich.edu/gctext/paypal.php?dmh=18852&OOB=1323802801

http://schorr.edu.pl/296530829installation/tablets.php?q809=257

http://summer.gmu.edu/wp-content/uploads/2010/tablets.php?rtu=35250&TJI=1322301601

http://www.tekim.undip.ac.id/original.php?wmy=7611&UPO=1325300401

http://www.ise.gmu.edu/alumni/possible.php?jnx=44623&TWF=1325822401

http://sacs.tfc.edu/possible.php?rce=5245&LZB=1319709601

http://www.cibt.net/possible.php?dgo=23988&ZHJ=1326150001

http://iam.unh.edu/iam/possible.php?rzn=33811&VYF=1325570401

http://convivencia.uniminuto.edu/dmdocuments/democracy.php?uwd=25793&JKL=1318748401

http://snapi2011.cs.fiu.edu/cookbook/brand.php?ehp=17578&OPS=1324339201

http://www.chemistry.sdsu.edu/TheVolumeSettingsFolder/order.php?ehk=12187&PAE=1325854801

http://ifi.edu.mx/suspended.page/prices.php?l678=218

http://www.bio.sdsu.edu/pub/spiders/Dunes/Images/prices.php?wnv=14632&EVP=1325941201

http://www.garamond.ca/wp-content/plugins/democracy/democracy.php?dem_action=view&

If you click on any of those links you would get a Viagra ad(or pharmacy shop), or other pharmaceutical related spam:

Viagra spam

Most of those seem to be caused by outdated installs of WordPress. As we always recommend, update your site if you don’t want to end up in a compromised list like this one.

If you need assistance, or a site cleaned, check out the Sucuri service plans.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.