PHP_BACKSHELL.Y

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

Once installed in the compromised web server, remote attackers can access it via the Internet.

Upon access, it displays the following information about the infected machine:

• Operating system
• Processor
• User Name
• Group
• PHP version and Safe mode status
• System's current date and time
• Hard Disk free space
• Read/Write/Execute permissions to current directory
• Enumerates drives

It has the following backdoor capabilities:

• Display Server Security Information
• File Manager - traverse and list all files and directories in all available drives
  • read, create, upload and execute files
  • copy, move, delete, compress and uncompress existing files
• Console - list directories
  • find index.php in current directory
  • find config.php in current directory
  • show active connections
  • show running services
  • show user accounts
  • show computers in the network
  • show ARP Table
  • show IP configuration
• Access database (MySQL and PostgreSql) *authentication required
• Execute user-input PHP code
• Bypass safe mode
• String tools - encoders, decoders, hash, crypt, converters, etc.
  • search text in files
  • search hash in various sites
• Brute force FTP, SQL, Postgresql using custom password dictionary
• Launch remote shell to user-input host and port
• Remove self