Malware update: publifacil.org – htaccess changes and PE*.php

For the last few days we've been tracking a large number of sites infected with a very interesting piece of malware.

All the sites hacked so far contain the following in their .htaccess file (PEcasas.php could be one of many names, such as PEtherm.php, PEmerle.php, PEirade.php, PEdropt.php, PErodeo.php, etc.):

Those PE*.php files have a very long piece of code:

When decoded, it does the following: first, it connects to publifacil.org (69.13.181.190) to fetch a piece of code/command to be executed. Note that publifacil.org is not blacklisted anywhere.

This request returns a long base64-encoded string that is appended to the web site content (generally JavaScript that hides a call to load a malicious iframe from http://pie.goldmonatomic.com/in.cgi?2). Some details here: http://sucuri.net/malware/entry/MW:JS:457.

This is what the JavaScript looks like on a web site:

Cleaning it up: To clean up the mess, you have to delete those PE*.php files, put the original .htaccess back in place, search for newly added files (generally backdoors), and find out how they hacked you in the first place (an old version of a web application? Wrong permissions?).
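As an added example (not Sucuri's tooling, and not code from the infected sites), the triage helper below walks a local copy of a web root and reports the artifacts the cleanup step above tells you to look for: files named with the PE*.php pattern, .htaccess lines that reference one of them, files containing the indicators named in this post (publifacil.org, 69.13.181.190, pie.goldmonatomic.com), and files modified after a cutoff so newly dropped backdoors stand out. The `build_sample_site` function creates a constructed fake web root for the demo; its .htaccess rule and PHP contents are illustrative placeholders, since the real injected rules are not reproduced here.

```python
"""Defensive triage helper for the PE*.php / .htaccess infection (added example).

Assumptions: the web root is a readable local directory, the injected .htaccess
lines mention the PE*.php file by name, and the indicator strings from the post
appear in plain text in infected files.
"""
import os
import re
import tempfile
import time

# Indicators taken from the post: C2 hostname/IP and the iframe landing host.
INDICATORS = ("publifacil.org", "69.13.181.190", "pie.goldmonatomic.com")

# PEcasas.php, PEtherm.php, ...: "PE" followed by lowercase letters and ".php".
PE_NAME = re.compile(r"^PE[a-z]+\.php$")
PE_REF = re.compile(r"PE[a-z]+\.php")


def since_hours_ago(hours):
    """Epoch-seconds cutoff for the `since` argument of scan_webroot()."""
    return time.time() - hours * 3600


def scan_webroot(root, since=None):
    """Walk `root` and collect indicators of this infection.

    Returns a dict with:
      pe_files      - paths whose file name matches the PE*.php pattern
      htaccess_refs - (htaccess_path, line) pairs referencing a PE*.php file
      ioc_hits      - (path, indicator) pairs for files containing an indicator
      recent_files  - files with mtime >= `since` (epoch seconds), if given
    """
    report = {"pe_files": [], "htaccess_refs": [], "ioc_hits": [], "recent_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if PE_NAME.match(name):
                report["pe_files"].append(path)
            if since is not None and os.path.getmtime(path) >= since:
                report["recent_files"].append(path)
            # Only read text-like web files; skip images and other binaries.
            if name != ".htaccess" and not name.endswith((".php", ".html", ".htm", ".js")):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                for line in text.splitlines():
                    if PE_REF.search(line):
                        report["htaccess_refs"].append((path, line.strip()))
            for ioc in INDICATORS:
                if ioc in text:
                    report["ioc_hits"].append((path, ioc))
    return report


def build_sample_site():
    """Create a constructed (fake) web root for demonstration; returns its path."""
    root = tempfile.mkdtemp(prefix="pe_demo_")
    # Constructed .htaccess: the rewrite rule is a placeholder, not the real injected rule.
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n")
        fh.write("# injected line (constructed for this example)\n")
        fh.write("RewriteRule ^(.*)$ /PEcasas.php [L]\n")
    # Constructed stand-in for the dropper: only carries the C2 hostname as a string.
    with open(os.path.join(root, "PEcasas.php"), "w") as fh:
        fh.write("<?php /* constructed sample */ $c2 = 'publifacil.org'; ?>\n")
    # A clean file that should produce no hits.
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_site()
    for key, hits in scan_webroot(demo_root, since=since_hours_ago(24)).items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

Run it against a copy of the site (or the live docroot) with `since` set to just before the infection window; anything in `recent_files` that is not in `pe_files` deserves a manual look, since the post notes that the attackers generally leave additional backdoors behind.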

We will post more details as we learn more about this attack.


Need help getting your site cleaned up? Contact us at http://sucuri.net and we will get your site malware-free and blacklist-free.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.