Republished Malware Analysis Blog Posts From March 2018

  • Fake Joomla Plugin Backdoor

    The following code was located within /plugins/.joomla.system.php on a compromised site: The file was only noteworthy in that it was the only hidden file in the directory where it was located. At first glance, this looks like the code for a small Joomla Plugin. Upon closer inspection, however, it’s revealed to be a backdoor that…

  • Backdoors in Hacking Tools – Pt. 2: Javascript Phone Home

    I was recently taking a look at some PHP shell code I found in a repository on github (link) and saw something that caught my eye. Near the bottom of the code we find these two blocks, not far apart: 1. 2. Hmmm, it looks like the javascript is trying to decode and execute something…

  • Backdoors in Hacking Tools – Pt. 1: Pacman

    I was recently taking a look at the code of a version of the IndoXploit web shell that I located while investigating a compromised server (full source here) when I noticed this line: Curious, I decoded the contents of the pastebin URL that was being executed via the eval function: As usual, more encoding. The code…

  • Malware Scanner/Spreader Targeting PHP Shells

    A while back an abuse complaint was forwarded to me by someone requesting information about the HTTP requests contained in the complaint. Below is a select sample of the values from the requests outlined in the complaint: So what’s it doing? Let’s start by analyzing the above strings: This string is base64 encoded, and decodes…

  • Hiding Malicious Code in Compromised Databases

    Malicious code is often stored in a compromised database and retrieved later for execution. This is a common way to keep potentially dangerous PHP calls such as eval() out of the site's files, so that automated and manual searches of file contents find nothing. An example of one implementation of this can be seen here: In this example, a value is retrieved from…

  • A PHP Shell? In MY .htaccess? It’s More Likely Than You think!

    On servers running Apache, .htaccess files can be an extremely useful tool, allowing clients to modify the behavior of their web environment from a file on their site, rather than requiring modifications to the server’s underlying configuration. Because .htaccess is so powerful in this way, it is often abused by malicious parties. While I’ll…

  • WAF Evasion Using HTTP User Agent String

    Web application firewalls are often a first line of defense for protecting web sites from malicious actors. Unfortunately, they are not a silver bullet, and in many cases won’t prevent a site from being compromised if the site contains underlying vulnerabilities. In the case I will describe in this post, an attacker was able to…

Malware Research

Original Research and Blog Posts by Sky Larsen