
A sophisticated cyber campaign targeting PHP-based web servers has been uncovered by cybersecurity researchers; its main purpose is promoting gambling platforms in Indonesia. The attacks, observed over the past two months, involve Python-based bots conducting coordinated attacks on thousands of web applications.
The campaign utilizes GSocket (Global Socket), an open-source communication tool, to establish connections between compromised servers. Imperva researchers detected millions of requests from Python clients attempting to install GSocket, which has previously been linked to cryptojacking operations and malicious JavaScript code injection.
Key Features of the Attack:
– Targets pre-existing web shells on compromised servers
– Primarily focuses on Moodle learning management system
– Modifies bashrc and crontab files for persistence
– Deploys PHP files containing gambling-related content
– Implements selective bot access and user redirections
The attackers specifically target Indonesian users through strategic redirections to gambling services, particularly “pktoto.cc.” The PHP files are designed to allow access only to search bots while redirecting regular visitors to gambling domains.
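The cloaking behaviour described above (serve content to search bots, redirect everyone else off-site) leaves a recognisable pattern in the dropped PHP files. The following scanner is an added example, not code from the researchers or from the campaign; the sample PHP file is a constructed reconstruction of that pattern, and the list of bot names is an assumption.

```python
import re
from pathlib import Path

# Constructed sample (not a real captured file): branches on the User-Agent
# for search engines and sends all other visitors to the gambling domain.
SAMPLE_PHP = r'''<?php
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos($ua, 'googlebot') !== false || strpos($ua, 'bingbot') !== false) {
    readfile('seo.html');
    exit;
}
header("Location: https://pktoto.cc/");
exit;
?>'''

BENIGN_PHP = "<?php echo 'hello'; ?>"

# Assumed list of crawler names a cloaking page would check for.
SEARCH_BOTS = ("googlebot", "bingbot", "yandex", "baiduspider", "duckduckbot")

# Off-site redirects via header("Location: ...") or a JavaScript assignment.
HEADER_REDIRECT = re.compile(r'''location:\s*(https?://[^\s"')]+)''', re.I)
JS_REDIRECT = re.compile(r'''window\.location(?:\.href)?\s*=\s*["'](https?://[^"']+)''', re.I)


def scan_php(source: str) -> dict:
    """Return findings for one PHP source text.

    A file is flagged as suspected cloaking only when all three traits
    co-occur: it reads the User-Agent, it names search-engine crawlers,
    and it redirects to an external URL.
    """
    lower = source.lower()
    reads_ua = "http_user_agent" in lower
    bot_names = sorted(b for b in SEARCH_BOTS if b in lower)
    redirects = HEADER_REDIRECT.findall(source) + JS_REDIRECT.findall(source)
    cloaking = reads_ua and bool(bot_names) and bool(redirects)
    return {"reads_user_agent": reads_ua, "search_bots": bot_names,
            "redirect_targets": redirects, "suspected_cloaking": cloaking}


def scan_tree(root: str) -> list:
    """Walk a web root and return (path, findings) for every suspect .php file."""
    hits = []
    for path in Path(root).rglob("*.php"):
        findings = scan_php(path.read_text(errors="ignore"))
        if findings["suspected_cloaking"]:
            hits.append((str(path), findings))
    return hits


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
```

Run `scan_tree("/var/www")` (path is an assumption) to list flagged files; review the redirect targets it reports against the domains you block at the firewall.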
In a parallel development, researchers identified another campaign affecting over 5,000 sites globally, creating unauthorized administrator accounts and installing malicious plugins to harvest credentials.
Recommended Security Measures:
– Keep WordPress plugins updated
– Implement firewall blocks for suspicious domains
– Scan regularly for unauthorized admin accounts
– Remove suspicious plugins promptly
– Monitor for unusual system modifications