HTTP 404 Error To Generate And Serve Custom SPAM Pages

25-12-2016-SPAM

Background

One of the most recognizable errors encountered on the Internet is the “404 Not Found” page. The website hosting server usually generates this error when a visitor attempts to access a page that does not exist (a broken or dead link). Webmasters can configure the server to display a customized, more user-friendly 404 error page offering the sitemap, branding or other helpful information. This post shows how hackers who broke into a web server through a compromised website exploited this mechanism to serve SPAM.

Malware Investigation

  1. As in most cases involving CMS (Content Management System)-based websites, the infection occurred due to an outdated WordPress installation
  2. Hackers uploaded a huge number of PHP templates to generate spam pages targeting the visitor’s geolocation
  3. All the main WP folders contained an .htaccess file which, upon access, generated a 404 error
  4. Hackers planted the malware code into all themes that had separate 404 handlers (the .php page that configures the custom 404 page), replacing the customized 404 error page with SPAM

The infected .htaccess:

[Image: 25-12-2016-SPAM]

How It Worked

  1. A visitor accessed the website
  2. The infected .htaccess generated a 404 error
  3. The configured theme tried to show its page for error 404, but due to the infection it presented a custom SPAM page
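
A site owner can check for both halves of this chain with a short script. The one below is an added example, not code from the investigation: it flags .htaccess files that force a 404 status and theme 404.php handlers that call functions typical of injected PHP. The directive patterns, the function list and the sample tree are assumptions, since the contents of the infected files are not reproduced here.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristics: the page does not show the infected files' contents.
FORCED_404 = re.compile(
    r"^\s*(Redirect(Match)?\s+404\b|RewriteRule\b.*\[[^\]]*\bR=404\b)", re.I | re.M)
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|curl_exec)\s*\(", re.I)

def scan_wp_tree(root):
    """Return sorted (relative_path, reason) pairs that deserve manual review."""
    root = Path(root)
    findings = []
    # .htaccess files anywhere in the tree that force a 404 status.
    for ht in root.rglob(".htaccess"):
        if FORCED_404.search(ht.read_text(errors="replace")):
            findings.append((ht.relative_to(root).as_posix(), "htaccess forces 404"))
    # Per-theme 404 handlers that call functions typical of injected PHP.
    for handler in root.glob("wp-content/themes/*/404.php"):
        source = handler.read_text(errors="replace")
        calls = sorted({m.group(1).lower() for m in SUSPICIOUS_PHP.finditer(source)})
        if calls:
            findings.append((handler.relative_to(root).as_posix(),
                             "404 handler calls " + ", ".join(calls)))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sample site (not taken from the incident)."""
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
        "wp-admin/.htaccess": "Redirect 404 /\n",
        "wp-includes/.htaccess": "RewriteEngine On\nRewriteRule ^ - [R=404,L]\n",
        "wp-content/themes/clean/404.php": "<?php get_header(); ?><h1>Not found</h1>\n",
        "wp-content/themes/tampered/404.php": "<?php eval(base64_decode($constructed_blob)); ?>\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel_path, reason in scan_wp_tree(tmp):
            print(f"{rel_path}: {reason}")
```

A hit is a prompt for manual review rather than proof of infection; comparing each flagged 404.php against a clean copy of the theme settles it.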
