• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Another Fake WordPress Plugin – And Yet Another SPAM Infection!

November 22, 2013Peter Gramantik

0
SHARES
FacebookTwitterSubscribe

We clean hundreds and thousands of infected websites, a lot of the cleanups can be considered to be somewhat “routine”. If you follow our blog, you often hear us say we’ve seen “this” numerous times, we’ve cleaned “that” numerous times.

In most cases when dealing with infected websites, we know where to look and what to remove, generally with a quick look we can determine what’s going. Despite our experience and passion for cleaning up a hacked website, there are always surprises lurking and waiting for us, almost every day.

Some of the most interesting routine cases we deal with are often websites with SPAM. SPAM is in the database, or the whole block of SPAM code is stored in some obscure file. We also deal with cases where the SPAM is loaded within the theme or template header, footer, index, etc. Sometimes these SPAM infections are conditional (e.g. They only appear once per IP), sometimes not.

More often than not however, these infections is not too difficult to identify and remove. In the case we’re writing about in this post, we were able not only to remove malware, but also take a look at what’s going on behind the curtain.

The General Picture:

We started to find malicious files with name consumer.php. Sites with this malware were flooded with spam. Simple removing of consumer.php caused the PHP error and the site didn’t load properly. Right, it has to be loaded somewhere. Based on the PHP warning and little effort, we found several files where the malicious code was included:

PHP File with SPAM Infection

Looks benign, right? Are you having a hard time spotting the offending code?

SPAM Infected File View with Word Wrap

Check it out again with word wrap enabled 🙂

Until now, it looks just like yet another regular old SPAM case. However, we still want to make sure nothing is missed, and that the site is properly cleared.

Behind the curtain:

In this case, we noticed an interesting WordPress plugin called Pingatorpin. As we dug in a bit, we found some interesting facts:

  • The plugin was not in the official repository
  • All of the plugin headers were fake
  • Searching for the plugin on Google returned a pretty large number of sites with this “plugin” installed
  • The sites using the plugin all had similar files
  • All of the sites using the plugin showed up infected with SPAM when scanned with Sucuri SiteCheck

We scanned quite a few sites that were using the plugin, the results were interesting. Here’s an example:

Sucuri SiteCheck Results

There’s a surprise – A ton of sites with same malicious WordPress plugin, all infected with SPAM. We just found the source of the SPAM.

All of the files in this plugins folder were actually malware.

  • config-generator.php – Creates the config file serializing the array.
  • executor.php – Responsible for injecting require_once() into the files and logging which file is infected into files.dat.
  • remover.php – Malware cleanup script which is pretty interesting.
  • consumer.php – The payload which will get the content from the config.db file, process the content, and echo it into the pages it wants to infect.

Yes, that stinks, but it’s pretty straight forward. I know, I know, yet another SPAM infection, this time with a pretty interesting composition using a fake WordPress plugin. Maybe another thing worth mentioning here is you need to make sure you’re checking your site to see what’s loaded and running. Our WordPress plugin included with our Malware Cleanup service would have notified you when this was added.

Beyond that, keep your software updated, use safe passwords and if you don’t know what to do.. Let us, Sucuri, take a look. It’s our passion 🙂

0
SHARES
FacebookTwitterSubscribe

Categories: Website Malware Infections, Website Security, WordPress SecurityTags: SEO Spam, WordPress Plugins and Themes

About Peter Gramantik

Peter Gramantik is Sucuri’s Sr. Malware Researcher who joined the company in 2013. Peter’s main responsibilities include crafting signatures for new malware, and improving existing and researching new detection techniques. His professional experience covers 15 years of fighting malware. When Peter isn’t researching malware, you might find him doing technical and cave dives, riding his Harley Davidson, playing the guitar and singing in a band, or cooking BBQ for his family and friends. Connect with Peter on Twitter.

Reader Interactions

Comments

  1. Julio Potier

    November 22, 2013

    Hello, please hide the excerpt of the post in the scanner screenshot, we can google it and finf the website (i did it …) Thank tou for this discover Peter 😉

  2. Adeel Sami

    November 23, 2013

    Just a great post I would say! I love Sucuri !!

  3. Gahe

    November 30, 2013

    Thanks for giving me the useful information. I think I need it. Thank you

  4. luke

    April 30, 2014

    Any info on how the wp-content/plugins/pingatorpin directory was uploaded? I’m assuming since you are specifically calling it a plugin that it must have been installed through the wp-admin interface which means their one of their admin user’s password was compromised. Were their signs of a bruteforce attack to wp-login.php or did they get in after their first POST to wp-login.php?

    I clean dozens of WP sites a week and thankfully haven’t run into this one yet. Currently still dealing with the wpppm plugin(loads spam ED page instead of a WP 404 page) and its variants along with the massive ED spam redirect injection that hits almost every index.php, wp-config.php, and header.php that it can find.

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.