douchun6108 2017-04-26 14:52

Backdoor: PHP/webshell malware

I have this website which I want to replace because it's outdated; we made a new website. But as always, before uploading the new website to the live environment I make a backup of the current live website. While I was downloading the WordPress installation, my Windows Defender popped up with the following message. Malware found:

Backdoor:PHP/webshell

What exactly is this? Is it dangerous for my computer or is it a backdoor for the website? How did this happen? Anything would be really helpful on this matter. Should I run a scan on my whole computer?

Thanks in advance.

1 answer

  • dousi3362 2017-04-26 14:55

    Backdoor:PHP/WebShell.A drops the following files:

    <root folder>/tmp/bp.pl - used to listen for shell commands
    <root folder>/tmp/bc.pl - used to send shell commands
    

    Sends email

    Backdoor:PHP/WebShell.A sends an email that contains your IP address and reports its installation to the Yahoo! account "freedom20900".

    Allows backdoor access and control

    Backdoor:PHP/WebShell.A can give a malicious hacker access to perform the following actions:

    Archive or extract files
    Brute-force logins for FTP, MySQL, pgsql
    Create or delete folders
    Download files
    Encode or decode files
    Open a bash shell command, which allows the remote attacker to execute remote commands
    Open files
    Rename files
    Run SQL commands
    Search folders
    Show active connections
    Show computers the infected computer had access to
    Show running services
    Show user accounts
    Show IP configuration
    

    Connects to certain servers

    Backdoor:PHP/WebShell.A connects to the following servers for the purpose of receiving arbitrary information, sent by a malicious hacker, about your PC:

    crackfor.me
    hashcracking.info
    hashcracking.ru
    md5.rednoize.com
    www.hashcrack.com
    www.md5decrypter.com
    www.milw0rm.com
    

    In normal terms

    Your site has been hacked and perhaps been manipulated in a way that will be a risk if you try to use it. Do not use this source, and remove / delete it from your machine. I would suggest doing a major browse / scan for any more potential viruses and changing your user information such as passwords and emails on the server (since they may know these by now).

    Reference: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/WebShell.A

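As an added example (not part of the original answer and not Microsoft's own tooling), the indicators quoted in the answer can be checked against a downloaded site backup without executing anything in it. The function names, the list of script extensions and the sample tree are assumptions made for this sketch; the sample files are constructed placeholders.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the answer above for Backdoor:PHP/WebShell.A.
DROPPED = ("tmp/bp.pl", "tmp/bc.pl")
MARKERS = (b"freedom20900", b"crackfor.me", b"hashcracking.info", b"hashcracking.ru",
           b"md5.rednoize.com", b"www.hashcrack.com", b"www.md5decrypter.com", b"www.milw0rm.com")
SCRIPT_EXT = (".php", ".phtml", ".inc", ".pl")  # assumption: file types worth reading

def scan_backup(root):
    """Return sorted (relative_path, reason) findings; files are read as bytes, never run."""
    findings = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # The site root may sit below the backup root, so match on the path suffix.
            if any(rel == d or rel.endswith("/" + d) for d in DROPPED):
                findings.add((rel, "dropped file name"))
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            try:
                data = Path(full).read_bytes().lower()
            except OSError:  # antivirus may already have locked or quarantined the file
                findings.add((rel, "unreadable"))
                continue
            for marker in MARKERS:
                if marker in data:
                    findings.add((rel, "contains " + marker.decode()))
    return sorted(findings)

def demo():
    """Scan a constructed backup tree made of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "site/index.php": b"<?php echo 'hello'; ?>",
            "site/tmp/bp.pl": b"# placeholder\n",
            "site/wp-content/uploads/x.php": b"<?php // mail to Freedom20900 ?>",
            "site/readme.txt": b"mentions crackfor.me but is not a script",
        }
        for rel, body in samples.items():
            p = Path(root, *rel.split("/"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        return scan_backup(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review; an empty result does not clear the backup, since other variants need not carry these exact strings or file names.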
