Malware update: .htaccess changes and PE*.php

Over the last few days we’ve been tracking a large number of sites infected with a very interesting piece of malware.

All the sites hacked so far contain the following in their .htaccess file (PEcasas.php can go by many names, such as PEtherm.php, PEmerle.php, PEirade.php, PEdropt.php, PErodeo.php, etc.):

Those PE*.php files have a very long piece of code:

When decoded, it tries the following: First, it connects to ( to get a piece/command to be executed. Note that is not blacklisted anywhere.

This request will return a long base64-encoded string to be appended to the web site content (generally JavaScript that hides a call to load a malicious iframe from Some details here:

This is what the JavaScript looks like on a web site:

Cleaning it up: To clean up the mess, you have to delete those PE*.php files, put the .htaccess back in place, search for newly added files (generally backdoors), and find out how they hacked you in the first place (old version of a web application? wrong permissions?).
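
A read-only triage script for the first three cleanup steps, added here as an example and not part of the original post. The function names, the web root argument and the 7-day default window are assumptions; the script only lists files and changes nothing.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage for the cleanup
# steps above. Assumptions: web root is $1; "recent" = last $2 days (default 7).
# Function names are hypothetical. Nothing is deleted or modified.

# Step 1: dropped files matching the PE*.php naming pattern from the post.
find_pe_files() {
    find "$1" -type f -name 'PE*.php' 2>/dev/null | sort
}

# Step 2: .htaccess files that mention a PE*.php file and need restoring.
find_tampered_htaccess() {
    find "$1" -type f -name '.htaccess' \
        -exec grep -lE 'PE[A-Za-z0-9_-]*\.php' {} + 2>/dev/null | sort
}

# Step 3: PHP files changed recently, as candidates for added backdoors.
# mtime can be forged, so treat an empty list as inconclusive.
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null | sort
}

triage() {
    root=$1
    days=${2:-7}
    echo "== PE*.php files (delete after review) =="
    find_pe_files "$root"
    echo "== .htaccess files referencing PE*.php (restore a clean copy) =="
    find_tampered_htaccess "$root"
    echo "== PHP files modified in the last $days days (review for backdoors) =="
    find_recent_php "$root" "$days"
}

# Run only when a web root is given: sh triage.sh /path/to/webroot 14
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Compare the flagged .htaccess files against a known-good backup before restoring them, since legitimate rewrite rules may live in the same file.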

We will post more details as we learn more about this attack.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.