Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google Adsense, researchers said.

All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestacklive and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”

Sneaky and determined

The malware takes pains to hide its presence from operators. When a visitor is logged in as an administrator or has visited an infected site within the past two or six hours, the redirections are suspended.
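
A defender's check for the persistence described above, as an added example that is not from the article or from Sucuri: it compares a site's core PHP files against a clean copy of the same WordPress release and reports modified core files (such as an injected wp-blog-header.php) and PHP files that core does not ship. The function names, the clean-copy baseline and the wp-config.php exclusion are assumptions of this sketch; wp-content is not covered because plugins and themes need their own baselines.

```python
import hashlib
import sys
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories shipped entirely by core
SITE_SPECIFIC = {"wp-config.php"}        # assumption: created per site, review by hand


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def core_php_files(root: Path):
    """Yield PHP files core owns: top-level loaders, then wp-admin and wp-includes."""
    yield from sorted(root.glob("*.php"))
    for name in CORE_DIRS:
        if (root / name).is_dir():
            yield from sorted((root / name).rglob("*.php"))


def build_manifest(clean_root: Path) -> dict:
    """Map relative path -> SHA-256 for a clean copy of the same release."""
    return {p.relative_to(clean_root).as_posix(): sha256_of(p)
            for p in core_php_files(clean_root)}


def audit(site_root: Path, manifest: dict) -> dict:
    """Report core files whose content changed and PHP files core never shipped."""
    modified, unexpected = [], []
    for p in core_php_files(site_root):
        rel = p.relative_to(site_root).as_posix()
        if rel in SITE_SPECIFIC:
            continue
        if rel not in manifest:
            unexpected.append(rel)   # e.g. a randomly named dropped shell
        elif sha256_of(p) != manifest[rel]:
            modified.append(rel)     # e.g. code injected into a loader file
    return {"modified": modified, "unexpected": unexpected}


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: python audit.py /path/to/clean-release /path/to/live-site
    report = audit(Path(sys.argv[2]), build_manifest(Path(sys.argv[1])))
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

Because the injected wp-blog-header.php re-creates the other files on every page load, everything the report lists has to be dealt with in the same pass.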