Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Some of those malicious files can be as simple as a single line of code, allowing the execution of remote code, or complex algorithms, providing different functions to the attacker.
php.backdoor.rssinit is a simple webshell that lets the attacker manipulate files on the compromised system (including downloading them and uploading other files). It targets only WordPress and Joomla installations, where it hides as a custom plugin (WordPress) or component (Joomla). It is also capable of manipulating the posts on the site by accessing the database through CMS-specific commands.
Cleanup
Complex scan and removal of several files is necessary. You can sign up with us and let our team remove the malware for you.
Dump
Part of the code responsible for checking which CMS is installed on the server (WordPress / Joomla):
private function getCMS()
{
    if (!is_null($this->_cms)) {
        return $this->_cms;
    }
    $dir = dirname(__FILE__);
    do {
        if (($res = @opendir($dir)) === FALSE) {
            break;
        }
        @closedir($res);
        $tmp = $dir;
        if (@file_exists($dir . '/wp-config.php')) {
            $this->_cms = 'WP';
            $this->_path = $dir;
            break;
        } elseif (@file_exists($dir . '/configuration.php')) {
            $this->_cms = 'JOOMLA';
            $this->_path = $dir;
            break;
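The loop above walks up from the backdoor's own directory until it finds either wp-config.php or configuration.php. As an added example (not code from this page or from the malware), the Python heuristic below flags PHP files under a web root that combine both config-file probes with a dirname(__FILE__) walk-up, a combination a legitimate single-CMS plugin or component has no reason to contain; the indicator set and the two sample files are constructed for illustration.

```python
"""Heuristic for PHP files that probe for both wp-config.php and
configuration.php starting from their own location, as php.backdoor.rssinit
does. Added example, not from the original page; samples are constructed."""
import os
import re
import tempfile

# A legitimate plugin or component references at most its own CMS's config;
# one file that looks for *both* and walks up from dirname(__FILE__) is odd.
INDICATORS = {
    "wp_config": re.compile(r"wp-config\.php"),
    "joomla_config": re.compile(r"\bconfiguration\.php"),
    "walk_up": re.compile(r"dirname\s*\(\s*__FILE__\s*\)"),
}

def is_suspicious(src):
    """True only when all three indicators occur together in one file."""
    return all(rx.search(src) for rx in INDICATORS.values())

def scan_tree(root):
    """Return paths of .php files under root that match the heuristic."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if is_suspicious(fh.read()):
                        flagged.append(path)
    return flagged

# Constructed samples: a benign WordPress plugin and an rssinit-style probe.
BENIGN = "<?php\nrequire_once ABSPATH . 'wp-config.php';\n"
PROBE = ("<?php\n$dir = dirname(__FILE__);\ndo {\n"
         "  if (@file_exists($dir . '/wp-config.php')) { $cms = 'WP'; break; }\n"
         "  elseif (@file_exists($dir . '/configuration.php')) { $cms = 'JOOMLA'; break; }\n"
         "  $tmp = $dir; $dir = dirname($dir);\n} while ($tmp != $dir);\n")

def demo():
    """Write both samples into a temporary web root, scan it, return basenames."""
    with tempfile.TemporaryDirectory() as root:
        plugins = os.path.join(root, "wp-content", "plugins")
        os.makedirs(plugins)
        for fname, body in (("hello.php", BENIGN), ("rss-init.php", PROBE)):
            with open(os.path.join(plugins, fname), "w") as fh:
                fh.write(body)
        return sorted(os.path.basename(p) for p in scan_tree(root))  # ['rss-init.php']
```

Run it against a real web root with scan_tree("/path/to/htdocs") and review each hit by hand; the heuristic is a triage filter, not proof of infection.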