Advice Request Explain this malware please!

Please provide comments and solutions that are helpful to the author of this topic.

J

jamesdowallen

New Member
Thread author
Jul 30, 2019
4
I just discovered that my own website was infested with a malware, though I'd received no complaints. That's why I joined this forum just now: I wonder what this malware is.
The hacking is complex enough to make me think it was done manually, not by any bot.

The home page had been changed from 'htm' to 'phtml' with an include line added at the beginning. The include pointed to a file I've left intact for your inspection:
fabpedigree.com/scott/spinner.gif
Despite the '.gif', this is a php script, not a gif. What does the script do?

Please feel free to send answers to my personal Gmail account, same as my name:

jamesdowallen
 
J

jamesdowallen

New Member
Thread author
Jul 30, 2019
4
My hosting service (Lunarpages) is sending me helpful email. They recommend I download a malware scanner from https://housecall.trendmicro.com/
Yet when I click on that URL, Firefox says "Warning: Potential Security Risk Ahead ... Firefox does not trust this site because it uses a certificate that is not valid for housecall.trendmicro.com. The certificate is only valid for the following names: a248.e.akamai.net, *.akamaihd.net, *.akamaized-staging.net, *.akamaihd-staging.net, *.akamaized.net"

Probably no problem, but it seems odd a company specializing in security would have this flaw. So I've not gone to that page yet.

What is frightening about this hack is that it really looks like the hack was done manually. Did someone use a sniffer to get my password? What is their purpose? It would be really nice to get a report on what that malware file (scott/spinner.gif) is doing.
 
J

jamesdowallen

New Member
Thread author
Jul 30, 2019
4
UPDATE: My host admin pointed me to another malware file. I logged in to look around ... and immediately found that the index.phtm hijack had been reinstalled just a few hours ago! Still pointing to scott/spinner.gif. So I've removed that file. (Email me at Gmail to see its contents.)

The two different malware php scripts were different, but Googling their encrypted code led me to some answers. Below see the strings I searched for and some of the Google hits.

CQ9jnUNtDTIlpz9lK3WypT9lqTyhMluSK0IFHx9FXGgNnJ5cK3AyqPtaMTympTkurI9ypaWipaZaYPqCMzLaXGgN
Japanese Backdoor WordPress Hack | Astra Website Security

basename(trim(preg_replace(rawurldecode("%2F%5C%28.%2A%24%2F")
www.masswerk.at

(Now Go Bang!) Anatomy of a Wordpress Backdoor

Reverse engineering the command and control structure of a Wordpress attack.
www.masswerk.at www.masswerk.at

How do they get in? Just now I used another machine to change my passwords ...
 

Similar threads

randhamwii
    • Wow
  • Question
Advice Request malware types
Replies
14
Views
559
General Security Discussions
Victor M
Victor M
Templar
    • Like
Serious Discussion Passkeys actually useless at this time? Please clarify!!!
Replies
4
Views
920
Passwords and passkeys
Templar
Templar
Trident
    • Like
    • Applause
    • +Reputation
  • Poll
Serious Discussion Pre-execution vs post-execution protections explained
Replies
6
Views
1,068
General Security Discussions
Trident
Trident

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top