There are many variations of the Counter.php malware floating around the interwebs. It is a malicious redirect that sends your readers to a known bad site; that site houses a payload that responds based on the incoming user-agent.
- Malicious Site: natbushing.com
- Payload: counter.php
Check out Sucuri Labs for more variations of Counter.php.
If you use our free SiteCheck Scanner you might see a display like this:
We often recommend using a number of terminal commands to identify and remove an infection, but here is a scenario where you can't do that. The reason is that the redirect is actually encoded: what you're seeing above is how it displays in the browser, not how it's encased in the files.
If you look on your server it actually looks something like this:
#c3284d#
echo(gzinflate(base64_decode(“VVHLboMwELxHyj/4ZlBTnhL0QSKlVQ899QOaChl7AU
vEduyFJP36Aomi9LizszOzu4XjVhrcLBcDs6Q8kDURmvd7UBhwCwzho4Op8qisLdsD9VfLRa
lGHnWAW0Qrqx6Bvo7o4btUP
What we can tell you is that when you scan your site you might see that every page is infected with this issue. That's a good sign that the code is likely embedded within one of your core PHP files. The files most commonly impacted are in every theme directory on the server:
- index.php
- footer.php
- function.php
- header.php
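Because the redirect is stored encoded, searching the files for the domain you see in the browser finds nothing; the wrapper itself is what to look for. The following is an added example, not code from the original post: it scans the theme file names listed above for the `echo(gzinflate(base64_decode(` wrapper and decodes the blob statically so you can inspect what it hides. The function names, the optional six-hex-digit marker pattern and the sample input are assumptions constructed for illustration.

```python
import base64
import re
import zlib
from pathlib import Path

# File names the post lists as commonly infected inside theme directories.
THEME_FILES = {"index.php", "footer.php", "function.php", "header.php"}

# Optional "#c3284d#"-style marker line, then the encoded echo wrapper from the post.
WRAPPER = re.compile(
    rb"(?:#(?P<marker>[0-9a-f]{6})#\s*)?"
    rb"echo\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*[\"']"
    rb"(?P<blob>[A-Za-z0-9+/=\s]+)[\"']",
    re.IGNORECASE,
)

def decode_payload(blob: bytes) -> str:
    """Statically reverse base64_decode + gzinflate; nothing is executed."""
    raw = base64.b64decode(b"".join(blob.split()))
    # PHP gzinflate() reads a raw DEFLATE stream, hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8", errors="replace")

def scan_text(data: bytes):
    """Return (marker, decoded_payload) for each wrapper found in data."""
    hits = []
    for m in WRAPPER.finditer(data):
        marker = m.group("marker")
        try:
            decoded = decode_payload(m.group("blob"))
        except (ValueError, zlib.error):
            decoded = None  # damaged or truncated blob: still report the hit
        hits.append((marker.decode() if marker else None, decoded))
    return hits

def scan_themes(root):
    """Scan the listed theme files under root; yields (path, hits)."""
    for path in Path(root).rglob("*.php"):
        if path.name in THEME_FILES:
            hits = scan_text(path.read_bytes())
            if hits:
                yield path, hits

def make_sample(hidden: str) -> bytes:
    """Constructed test input: a harmless string wrapped like the post's sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(hidden.encode()) + c.flush())
    return b'<?php get_footer();\n#c3284d#\necho(gzinflate(base64_decode("' + blob + b'")));\n'
```

Point `scan_themes()` at a copy of your themes directory; a hit whose decoded payload is `None` still marks a file that needs manual review.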
Happy Hunting!!
If you have any questions, or would prefer that we take care of this for you, simply let us know at info@sucuri.net.
5 comments
I keep getting this malware again and again. I'm using the latest version of WordPress on my sites. Do I need to change all the passwords as well? WordPress login passwords, FTP passwords? It seems to copy the files wp-apps.php and wp-count.php in folders with WordPress (folders that don't have .com/.org in the name don't get affected). Also one of the theme files gets modified.
This is the code that is added to the theme file.
I keep getting the same issue. Have you found a solution?
Disable FTP. Proftpd/Pureftpd have a big bug