This case.php malware uses Obfuscation PHP code. Decoding Obfuscation There is tools to Decoding ObfuscatePHP code: https://www.unphp.net http://ddecode.com/phpdecoder/ http://lombokcyber.com/en/detools/decode-fopo ,but they don’t always work as except. That’s why we decrypted this manually. Source case.php Again, this malware tries load more backdoor files to the server to get full control. plug.php FilesMan Shell FilesMan Shell crypted … Read more
Today we found cache.php malware, which uses server old backdoor to get more malware to the server. The server is compromised before and it uses hidden file Silence is golden – Malware to POST Payload more data to the server. POST Payload – cache.php If we look better POST Payload, which trying upload cache.php, execute … Read more
The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download, or delete files. filebox.php login screen Today we found a new PHP webshell, which we have not seen before … Read more
In this article I’m going to discuss how to find and Whitelist specific ModSecurity rules that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users upload malware to servers, but sometimes it … Read more
In WordPress themes there are lots of file upload vulnerabilities. This trying upload embrace.php file to server and execute it embrace.php wp-info.php This malware can infect more and more malwares to server and get full control it. Final words Websites that using Malware Expert – ModSecurity rules are protected against this attack. Use Malware Expert … Read more
Again we found new malware, that trying using php shell_exec function to download and include more malware to server. POST Payload This looks like joomla file upload vulnerability: Payload trying upload proc.php file to server and execute it: proc.php p.sh It’s trying download p.sh bash script and execute it. When it executed it remove itself … Read more
This malware try upload db.php to WordPress clickjacking vulnerability. Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The … Read more
Today we found new malware WP-Zipp.zip which is a WordPress plugin. The attacker is somehow before with another vulnerability created a user account with WordPress and it uploads own malware plugin, which contains a FilesMan remote shell. Access log As we see, just direct access to WordPress and install WP-Zipp plugin: WP-Zipp.zip If we extracted … Read more
Today we are very happy new distribution channel. Sanesecurity started sharing our Malware signatures via their distribution channels worldwide to new servers. Sanesecurity signatures Sanesecurity produces add-ons signatures to help improve the ClamAV detection rate on Zero-Day malware and even on Zero-Hour malware. Also add-on signatures provide enhanced email security against the following email types: … Read more
Today we looked server’s logs and we found very active Bot network that trying use old malware and upload more PHP code files to servers. Malware files If we look access logs, we found many files which tried access, but they not are normal WordPress, Joomla etc. files. /Abbrevsprl.php /administrator/administrator.php /administrator/dbconfig.php /administrator/includes/readmy.php /administrator/webconfig.txt.php /al277.php /authenticating.php … Read more