GetMama – Conditional malware affecting thousands of sites

We have been tracking an interesting piece of malware that is affecting thousands of compromised sites. We call it GetMama!!

Why conditional? Because instead of just displaying the malicious code to all the visitors of the web site, it connects back to its command and control server to find out what to do. It also sends back to the attackers the IP address, user agent and referrer of the person visiting the compromised site, so the command and control can determine if it should display the malicious content or not.

It also only displays the malicious content once a day per IP address and only to Windows users.

Why GetMama? Well, that’s what the malware authors called their own function (see the sample at the bottom of the post).


Those are the command and control IP addresses. I recommend checking for traffic to these IP addresses and blocking them if possible:

For every request to the compromised sites, there will also be a random call to one of those. The called URL would look something like


This is the final decoded malware that gets executed on the compromised sites. For every request, it connects back to the attackers to determine what to do. The action could be to inject malware into the site, run a command on the server (it also acts as a backdoor) or do nothing.


Note that the malware will not look like that (all pretty) on the compromised site. It can be encoded like this:

$VDNjO60q6FJNnaRjb6MS3d5d= array('7920','7937','7916','7927');$eVlnlmOOZXsWOJTjjxwj=
$X7ry2SBupAHs89a1Fj06AYlUg2RO3VPSS6hKOI548Dm =

As you can see, it’s not using any of the normal “eval ( base64_decode” calls that webmasters are used to looking for. This malware has also evolved and it can be hidden in different ways.
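Since a search for eval ( base64_decode misses the encoded form above, a triage scan can key on the traits that fragment does show: long machine-generated variable names next to arrays of quoted numeric strings. The following is an added example, not code from the original post; the indicator names, thresholds and both sample strings are assumptions made for illustration, and a hit means "review this file", not "confirmed infected".

```python
import re
import sys
from pathlib import Path

# Identifiers of 20+ alphanumerics, like the variable names in the fragment above.
LONG_VAR = re.compile(r"\$([A-Za-z0-9]{20,})")
# array('7920','7937',...): three or more quoted all-digit strings.
NUM_ARRAY = re.compile(
    r"array\s*\(\s*(?:['\"]\d+['\"]\s*,\s*){2,}['\"]\d+['\"]\s*\)", re.I)
# The classic pattern webmasters already search for, kept for comparison.
CLASSIC = re.compile(r"eval\s*\(\s*base64_decode", re.I)


def looks_random(name):
    # Machine-generated names tend to mix upper case, lower case and digits.
    return (any(c.islower() for c in name) and any(c.isupper() for c in name)
            and any(c.isdigit() for c in name))


def indicators(php_source):
    """Return the sorted heuristic indicators found in one PHP source string."""
    found = set()
    if any(looks_random(v) for v in LONG_VAR.findall(php_source)):
        found.add("random-identifier")
    if NUM_ARRAY.search(php_source):
        found.add("numeric-string-array")
    if CLASSIC.search(php_source):
        found.add("eval-base64")
    return sorted(found)


def needs_review(php_source):
    """Flag when both obfuscation traits co-occur or the classic pattern appears."""
    hits = set(indicators(php_source))
    return "eval-base64" in hits or {"random-identifier", "numeric-string-array"} <= hits


# Constructed samples (values invented): one shaped like the encoded fragment,
# one ordinary snippet with a numeric array that must not be flagged on its own.
OBFUSCATED = "<?php $Qz7LmN0pR4tXy2BvKc81HdWs= array('1101','1102','1103','1104'); ?>"
BENIGN = "<?php $upload_retry_delays = array('5','30','300'); ?>"

if __name__ == "__main__":
    # Usage: python scan.py /path/to/webroot [more roots...]
    for root in sys.argv[1:]:
        for path in Path(root).rglob("*.php"):
            text = path.read_text(errors="replace")
            if needs_review(text):
                print(path, indicators(text))
```

Because the malware can be hidden in different ways, treat a clean result from a scan like this as inconclusive and compare files against a known clean copy as well.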

We will post more details as we learn more about it.

Note that if your site is compromised, our free sitecheck scanner may miss this type of malware (because of the conditional way it works). If you think you are compromised, only our internal scans can find/clean it up.

    1. It depends. If you have it, it has likely injected itself into every PHP file. In this instance, replacing your core files won’t be enough. You’ll want to try to roll back to a previous version that is known clean, then go about hardening.

      1. I was wondering how this malware infected our sites, considering all the best efforts of hardening the WordPress installs.

  1. I just found malicious code on my sites. After decoding it, it did mention the get mama function, but it has “eval ( base64_decode” written with it. Some of the IP addresses you mention overlapped with the ones inside the code; mine also contained some new ones. I’ve blocked all of them just in case, hopefully that was the right thing to do.

    In my folders, I had a suspicious file called 22.php and it made a list of all the directories inside files called zaza_0, zaza_1 etc. However it didn’t infect any other php files, maybe I caught it just in time?
