Again, we found interesting malware (styles.php), which try to add more backdoor files to the web server. This file is just copied from the original file: load-styles.php. If you look fast this file, it’s look normal PHP file, but there is a modification of the begin (comments not finished line 6): It self hidden malware … Read more
A web shell or backdoor shell is a script written in the supported language of a target web server to be uploaded to enable remote access and administration of the machine. Shells are able to infect servers that may not necessarily be internet-facing, servers for hosting of internal resources are also subject to web shell … Read more
Again a new web shell (bunglon m1n1 sHeLL), which we have not seen and signatures don’t detect this before. At the beginning of the file are introduced php shell maker. /* # bunglon m1n1 sHeLL # version 1.0 # Jayalah indonesiaku # thx to : sohai, budz story zz, b374k, 1n73ct10n, HNc, Dc & all … Read more
Today we found new Thumbs.php encoded malware, which trying to hide PHP code to unreadable. This technique is not nothing new, so this is very easy de-obfuscate PHP code and make it readable again. After we manually decoded this PHP malware, we found again FilesMan backdoor which is PHP command shell. Decoded Thumbs.php FilesMan – … Read more
cPanel Finder/Cracker This cPanel Finder malware look last updated at 01 June 2015, but Malware Signatures not detected this before today added our database. Final words Use Malware Expert – Signatures detect this backdoor malware from files for FREE!
The malware is a PHP File Manager – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download or delete files. CowoKerensTeam File Manager Today we found new PHP webshell, what we have not seen before … Read more
Today we found cache.php malware, which uses server old backdoor to get more malware to the server. The server is compromised before and it uses hidden file Silence is golden – Malware to POST Payload more data to the server. POST Payload – cache.php If we look better POST Payload, which trying upload cache.php, execute … Read more
The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download, or delete files. filebox.php login screen Today we found a new PHP webshell, which we have not seen before … Read more
Today we found new malware WP-Zipp.zip which is a WordPress plugin. The attacker is somehow before with another vulnerability created a user account with WordPress and it uploads own malware plugin, which contains a FilesMan remote shell. Access log As we see, just direct access to WordPress and install WP-Zipp plugin: WP-Zipp.zip If we extracted … Read more
Today we looked server’s logs and we found very active Bot network that trying use old malware and upload more PHP code files to servers. Malware files If we look access logs, we found many files which tried access, but they not are normal WordPress, Joomla etc. files. /Abbrevsprl.php /administrator/administrator.php /administrator/dbconfig.php /administrator/includes/readmy.php /administrator/webconfig.txt.php /al277.php /authenticating.php … Read more