Spam Botnet Tracked Down to Malicious PHP Script Found on 5,000 Hacked Sites

PHP Script (Malicious) Found on 5,000 Hacked Sites

PHP scripts can be created using any basic text editor or HTML editing software tool. Each PHP file must be saved with a .php file extension in order to be recognized as a functioning PHP script. When the Apache server has the appropriate settings, PHP code can also be recognized in .html files. The same result can be achieved by adding an additional handler in the .htaccess file of a Linux-based web server.

A malicious PHP script found on over 5,000 compromised websites has been fingered as the source of a large-scale spam campaign that has been silently redirecting users to web pages hosting diet and intelligence-boosting pills.

The purpose of this script is to keep hacked sites under the control of a group of cyber-criminals, and manage dynamic redirections to various spam campaigns.


Script is part of “Brain Food” botnet

The script is part of the infrastructure of a voracious spam botnet named “Brain Food.” The spam campaigns pushed by this botnet have been spotted as far back as March 2017, but its operations were dissected last week by Proofpoint researcher Andrew Conway.

Brain Food is a PHP script that we have found on over 5,000 compromised websites over the past four months. Over 2,400 of those have shown activity in the past 7 days. Nearly 40% of the compromised sites are hosted on five platforms.

Brain Food botnet admins operate by sending email spam to victims containing short links to these PHP scripts on various hacked sites.

If a user clicks on the short links, they arrive on the PHP script, which redirects the user to another hacked site hosting web pages for diet and intelligence-boosting pills, usually containing fake branding.

The PHP scripts are capable of receiving new “redirection targets” from the Brain Food operators based on the most recent spam campaign they are pushing. The scripts also collect click-through statistics for each campaign.


Over 2,400 sites active in the past seven days alone

Conway says he’s been tracking over 5,000 sites containing copies of these PHP scripts, with the vast majority found on GoDaddy’s network. Over 2,400 were active last week, according to Conway.

The botnet doesn’t seem to be living off specific vulnerabilities on certain CMS platforms. Conway says Brain Food is comprised of hacked sites running on a multitude of platforms, such as WordPress, Joomla, and others.

The script’s code is also polymorphic and obfuscated with multiple layers of base64 encoding. Furthermore, it includes protection against automatic Google indexing: it responds to Google’s search crawler with a 404 “page not found” error.
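For site owners auditing their own web roots, the following added example (not from Proofpoint or the original article) statically peels nested base64 layers from PHP source without executing it, and flags files whose innermost layer contains redirect or code-execution calls. The indicator list, the two-layer threshold and both samples are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 characters long enough to hold an encoded payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed indicator list for illustration; not taken from the Proofpoint report.
INDICATORS = ("eval(", "base64_decode(", "header(", "Location:")

def try_decode(blob):
    """Return the decoded text if blob is strict base64 of readable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None

def peel(source, max_layers=10):
    """Statically unwrap nested base64 layers; the PHP is never executed."""
    layers, text = 0, source
    while layers < max_layers:
        decoded = [d for d in map(try_decode, B64_RUN.findall(text)) if d]
        if not decoded:
            break
        text, layers = max(decoded, key=len), layers + 1
    return layers, text

def scan(source):
    """Flag sources hiding redirect or code-execution calls under >= 2 layers."""
    layers, inner = peel(source)
    hits = [tok for tok in INDICATORS if tok in inner]
    return {"layers": layers, "indicators": hits, "suspicious": layers >= 2 and bool(hits)}

def wrap(php):
    """Build one constructed obfuscation layer around a PHP statement."""
    return "eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()

# Constructed samples: an inert redirect to a reserved domain under two layers, and a clean file.
SAMPLE = "<?php " + wrap(wrap("header('Location: http://example.invalid/');")) + " ?>"
CLEAN = "<?php echo 'hello world'; ?>"

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(scan(CLEAN))
```

A hit is a triage signal rather than a verdict: legitimate plugins also embed base64 data, so flagged files still need manual review.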

While the botnet is harmless for end users, pushing only spammy content, it is dangerous for infected sites, mainly because of its backdoor-like capabilities that allow the botnet operators to execute any code they want at any time.




