Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.backdoor.hex_xor.001

php.backdoor.hex_xor.001

This is generic signature. Using the strings in form of hex code combined with using the XOR operation is a common way to obfuscate the malicious code.

Affecting

Any PHP based web site (often through outdated WordPress, Joomla, osCommerce, Magento, Drupal and stolen passwords).

Cleanup

Cleanup is done by deleting the malicious file, which can be found in your system by searching for the dump code below inside your files. Reviewing access logs for non-expected HTTP POSTs can point out the possible infected files.
You can also sign up with us and let our team remove the malware for you.

Dump

Part of a malicious script using the hex -> xor function:

$smnYTuP($yvtEM, "iBKGGYNUoRSNmZWLwUTGaiWeExCnuZ7TbGZhfn3K5KXgkurXEBdek10onCSXbOq3VGa2tSBndZKDJ2bO46sdvsIZubwLpdEBje4Tw67QVGUe9vt3qcWbKe157nFmHJnrohAac8qxEASDwB6cdR5nwvisYnUgx9NbgO39LjwPkFTWHOzlgtP"^"\x0c4\x2a\x2bo\x7b\x273G\x3b\x20\x3d\x08\x2e