Top

Archive | backdoor

WordPress Hidden Include

Today we found undetected malware, which keep it hidden and try loading again if it deleted. We generated Signatures to Detect these hidden includes: /index.php: {HEX}Malware.Expert.wordpress.hidden.include.0.UNOFFICIAL FOUND /wp-load.php: {HEX}Malware.Expert.wordpress.hidden.include.1.UNOFFICIAL FOUND /wp-includes/template.php: {HEX}Malware.Expert.malware.url.7od.info.0.UNOFFICIAL FOUND /wp-includes/Requests/IPconfig.ini: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND /wp-includes/js/utilities.js: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND WordPress index.php wp-load.php End of file: template.php IPconfig.ini Remove file utilities.js Remove file Final Words Use […]

Continue Reading

Phoenix WebShell

New web shell (PHOENIX SHELL), what we have not seen this this before. This is typical webshell, except there are a lot of extra features: Upload Command Execute Mass Deface cPanel crack CGI Telnet WordPress auto Deface Fake root Etc … In the action Final words Use Malware Expert – Signatures detect this Web shell […]

Continue Reading

bunglon m1n1 sHeLL

Again new web shell (bunglon m1n1 sHeLL), what we have not seen this and signatures don’t detect this before. To beginning of file are introduced php shell maker. /* # bunglon m1n1 sHeLL # version 1.0 # Jayalah indonesiaku # thx to : sohai, budz story zz, b374k, 1n73ct10n, HNc, Dc & all member indoxploit […]

Continue Reading

WordPress hidden cookie (wp_cookie)

We found very old and hidden WordPress cookie, which named wp_cookie. This allows an attacker to run anything on the compromised user website with user permissions. wp_cookie This is a very clever attack method that allows arbitrary commands to run on a server with ignoring any server security software, just like normal PHP code. Also, […]

Continue Reading

Thumbs.php

Today we found new Thumbs.php encoded malware, which trying to hide PHP code to unreadable. This technique is not nothing new, so this is very easy de-obfuscate PHP code and make it readable again. After we manually decoded this PHP malware, we found again FilesMan backdoor which is PHP command shell. Decoded Thumbs.php FilesMan – […]

Continue Reading

CowoKerensTeam File Manager

The malware is a PHP File Manager – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download or delete files. CowoKerensTeam File Manager Today we found new PHP webshell, what we have not seen before […]

Continue Reading

case.php malware

This case.php malware uses Obfuscation PHP code. Decoding Obfuscation There is tools to Decoding ObfuscatePHP code: https://www.unphp.net http://ddecode.com/phpdecoder/ http://lombokcyber.com/en/detools/decode-fopo ,but they don’t always work as except. That’s why we decrypted this manually. Source case.php Again, this malware tries load more backdoor files to the server to get full control. plug.php FilesMan Shell FilesMan Shell crypted […]

Continue Reading

WordPress backdoor cache.php

Today we found cache.php malware, which uses server old backdoor to get more malware to the server. The server is compromised before and it uses hidden file Silence is golden – Malware to POST Payload more data to the server. POST Payload – cache.php If we look better POST Payload, which trying upload cache.php, execute […]

Continue Reading

filebox.php webshell

The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download or delete files. filebox.php login screen Today we found new PHP webshell, what we have not seen before anywhere. […]

Continue Reading

WordPress Plugin – wp-zipp.php

Today we found new malware WP-Zipp.zip which is a WordPress plugin. The attacker is somehow before with another vulnerability created a user account with WordPress and it uploads own malware plugin, which contains a FilesMan remote shell. Access log As we see, just direct access to WordPress and install WP-Zipp plugin: WP-Zipp.zip If we extracted […]

Continue Reading