Top

Tag Archives | malware

Marvins.php webshell

The malware is a PHP webshell – a script, which when installed on a compromised system, presents a sophisticated administration platform allowing the attacker to browse the filesystem of the compromised server to upload, create, edit, download or delete files. Today we found this new PHP webshell from one of client server, which we have […]

Continue Reading

Decode signatures with Sigtool

When you are scanning malware example ClamAV or Maldet from files in server and get positive hit, you may difficult find where has injected code in the file. For decoding signature you can use ClamAV sigtool command line tool. This will help you find the right position from infected file and remove malware code. Positive […]

Continue Reading

styles.php malware

Again, we found interesting malware (styles.php), which try to add more backdoor files to the web server. This file is just copied from the original file: load-styles.php. If you look fast this file, it’s look normal PHP file, but there is a modification of the begin (comments not finished line 6): It self hidden malware […]

Continue Reading

Pure-FTPd with ClamAV at Directadmin Custombuild

This tutorial we integrate ClamAV into Pure-FTPd for virus scanning in Directadmin server with Custombuild. Whenever a file gets uploaded through Pure-FTPd, ClamAV will check the file and delete it if it is malware. Installing Pure-FTPd & ClamAV First we need change custom build options.conf setting Check options.conf #ClamAV-related Settings clamav=yes pureftpd_uploadscan=yes Building software Building […]

Continue Reading

WordPress Hidden Include

Today we found undetected malware, which keep it hidden and try loading again if it deleted. We generated Signatures to Detect these hidden includes: /index.php: {HEX}Malware.Expert.wordpress.hidden.include.0.UNOFFICIAL FOUND /wp-load.php: {HEX}Malware.Expert.wordpress.hidden.include.1.UNOFFICIAL FOUND /wp-includes/template.php: {HEX}Malware.Expert.malware.url.7od.info.0.UNOFFICIAL FOUND /wp-includes/Requests/IPconfig.ini: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND /wp-includes/js/utilities.js: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND WordPress index.php wp-load.php End of file: template.php IPconfig.ini Remove file utilities.js Remove file Final Words Use […]

Continue Reading

xo.php

This malware trying write another malware to server, it’s using old cherry-plugin import/export file upload vulnerability. Here source code to malware: Source of xo.php Details $uri is infected server address. $url is base64 encoded remote server address, where trying download more malware and put server to remote access: http://fastwealthformula.online/callback/shell Remote file Final Words Use Malware […]

Continue Reading

Cryptonight

This again new malware which we call cryptonight, what we haven’t seen before. It’s downloads executable Linux program and hides that http daemon in background, which is difficult find process list at first glance. Manual remove process You can search if there running process httpd, which start cryptonight parameter: ps aux | grep cryptonight Then […]

Continue Reading

load_all.jar

Today we found Java based malware. If attacker found File Upload vulnerability on the server, then it upload manual.php based malware, which trying load load_all.jar to server and running it background. Manual.php $out = shell_exec(“java -version 2>&1”); preg_match(“/version\s+\”1\.(\d+)\./”,$out,$matches); $ver = 0; if($matches)$ver = (int)$matches[1]; This manual.php uses lot off shell_exec function, but if you have […]

Continue Reading

bunglon m1n1 sHeLL

Again new web shell (bunglon m1n1 sHeLL), what we have not seen this and signatures don’t detect this before. To beginning of file are introduced php shell maker. /* # bunglon m1n1 sHeLL # version 1.0 # Jayalah indonesiaku # thx to : sohai, budz story zz, b374k, 1n73ct10n, HNc, Dc & all member indoxploit […]

Continue Reading

Proc.php trying injecting header.php files

When this malware successful uploaded customer website and access it GET request, it’s trying search backward files and folder, searching header.php files. indexEditor When all folders and files searched and header.php files founded, it tries the patch malicious code to header.php file. Malicious code In begin this malware have CODE which added wanted file’s: Final […]

Continue Reading