The malware is a PHP File Manager – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download or delete files. CowoKerensTeam File Manager Today we found new PHP webshell, what we have not seen before … Read more
There are many examples where you may need to have a specific subdomain’s DNS be managed by a different nameserver. The example we want delegate rbl.malware.expert another Bind DNS server for RBL database queries. First we need Primary Domain (malware.expert) add new NS Records rbl.malware.expert: Then we need also A-Record rbl2.malware.expert to point BIND-DNS server … Read more
The vulnerability is caused by a new component, com_fields, which was introduced Joomla in version 3.7. If you use this version, you are affected and should update as soon as possible. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site. Given the nature of … Read more
This case.php malware uses Obfuscation PHP code. Decoding Obfuscation There is tools to Decoding ObfuscatePHP code: https://www.unphp.net http://ddecode.com/phpdecoder/ http://lombokcyber.com/en/detools/decode-fopo ,but they don’t always work as except. That’s why we decrypted this manually. Source case.php Again, this malware tries load more backdoor files to the server to get full control. plug.php FilesMan Shell FilesMan Shell crypted … Read more
Today we found cache.php malware, which uses server old backdoor to get more malware to the server. The server is compromised before and it uses hidden file Silence is golden – Malware to POST Payload more data to the server. POST Payload – cache.php If we look better POST Payload, which trying upload cache.php, execute … Read more
The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download, or delete files. filebox.php login screen Today we found a new PHP webshell, which we have not seen before … Read more
In this article I’m going to discuss how to find and Whitelist specific ModSecurity rules that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server. The rules that ModSecurity uses can help block potential attack attempts from malicious users upload malware to servers, but sometimes it … Read more
In WordPress themes there are lots of file upload vulnerabilities. This trying upload embrace.php file to server and execute it embrace.php wp-info.php This malware can infect more and more malwares to server and get full control it. Final words Websites that using Malware Expert – ModSecurity rules are protected against this attack. Use Malware Expert … Read more
Again we found new malware, that trying using php shell_exec function to download and include more malware to server. POST Payload This looks like joomla file upload vulnerability: Payload trying upload proc.php file to server and execute it: proc.php p.sh It’s trying download p.sh bash script and execute it. When it executed it remove itself … Read more
This malware try upload db.php to WordPress clickjacking vulnerability. Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The … Read more