What is a web shell?

Web Shell

A web shell or backdoor shell is a script written in the supported language of a target web server to be uploaded to enable remote access and administration of the machine. Shells are able to infect servers that may not necessarily be internet-facing, servers for hosting of internal resources are also subject to web shell … Read more

bunglon m1n1 sHeLL

Malware details

Again a new web shell (bunglon m1n1 sHeLL), which we have not seen and signatures don’t detect this before. At the beginning of the file are introduced php shell maker. /* # bunglon m1n1 sHeLL # version 1.0 # Jayalah indonesiaku # thx to : sohai, budz story zz, b374k, 1n73ct10n, HNc, Dc & all … Read more

Thumbs.php

Malware details

Today we found new Thumbs.php encoded malware, which trying to hide PHP code to unreadable. This technique is not nothing new, so this is very easy de-obfuscate PHP code and make it readable again. After we manually decoded this PHP malware, we found again FilesMan backdoor which is PHP command shell. Decoded Thumbs.php FilesMan – … Read more

CowoKerensTeam File Manager

CowoKerensTeam File Manager

The malware is a PHP File Manager – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download or delete files. CowoKerensTeam File Manager Today we found new PHP webshell, what we have not seen before … Read more

WordPress backdoor cache.php

Today we found cache.php malware, which uses server old backdoor to get more malware to the server. The server is compromised before and it uses hidden file Silence is golden – Malware to POST Payload more data to the server. POST Payload – cache.php If we look better POST Payload, which trying upload cache.php, execute … Read more

filebox.php webshell

The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server, upload, create, edit, download, or delete files. filebox.php login screen Today we found a new PHP webshell, which we have not seen before … Read more

WordPress Plugin – wp-zipp.php

Today we found new malware WP-Zipp.zip which is a WordPress plugin. The attacker is somehow before with another vulnerability created a user account with WordPress and it uploads own malware plugin, which contains a FilesMan remote shell. Access log As we see, just direct access to WordPress and install WP-Zipp plugin: WP-Zipp.zip If we extracted … Read more

sql_dump.php – Bot network

malware botnetwork

Today we looked server’s logs and we found very active Bot network that trying use old malware and upload more PHP code files to servers. Malware files If we look access logs, we found many files which tried access, but they not are normal WordPress, Joomla etc. files. /Abbrevsprl.php /administrator/administrator.php /administrator/dbconfig.php /administrator/includes/readmy.php /administrator/webconfig.txt.php /al277.php /authenticating.php … Read more