The last few days we’ve been tracking a large number of sites infected with a very interesting piece of malware.
All the sites hacked so far contain the following in their .htaccess file (PEcasas.php could be many names like PEtherm.php, PEmerle.php, PEirade.php, PEdropt.php, PErodeo.php, etc):
Those PE*.php files have a very long piece of code:
When decoded, it tries the following: First, it connects to publifacil.org (18.104.22.168) to get a piece/command to be executed –Note that publifacil.org is not blacklisted anywhere.
Cleaning it up: To clean up the mess, you have to delete those PE*.php file, put the .htaccess back in place, search for new files added (generally backdoors) and find out how they hacked you in the first place (old version of a web application? wrong permissions?)
We will post more details as we learn more about this attack.
Need help getting your site cleaned up? Contact us at http://sucuri.net and we will get your site malware-free and blacklist-free.