Backdoor.PHP.WEBSHELL.SBJKXR

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• List directory
• Find index.php in current directory
• Find config.php in current directory
• Show active connection
• Show running services
• Show user accounts
• Show computer name
• Show ARP table
• Show IP Configuration
• Infect webserver
• Execute PHP code
• Execute arbitrary commands
• Execute specific command line commands
• Execute SQL Commands
• Download/Upload Files
• Manage Files(Create directory, Change directory, Create, Read, Move, Copy , Archive)
• String Conversion
• FTP Brute force
• Bind port
• Delete itself
• Search for hash

Information Theft

This Backdoor gathers the following data:

• Server Security Information
  • Server software
  • Loaded Apache modules
  • Disabled PHP Functions
  • cURL support
  • Supported databases
• OS Version
• OS build number
• User Accounts
• Account Settings
• Datetime
• HDD Disk space
• Current Working Directory
• Server IP
• Client IP
• Available Drives

Other Details

This Backdoor requires being hosted on a web server in order to proceed with its intended routine.

NOTES:

This Backdoor does the following:

• It requires the following password to be accessed by users:
  • xleet
• It connects to the following URLs to send the hashes it searches.
  • http://{BLOCKED}acking.ru
  • http://md5.{BLOCKED}ze.com/
  • http://www.{BLOCKED}megenerator.com/
  • http://www.{BLOCKED}ack.com/index.php
  • http://{BLOCKED}i.com/
  • http://{BLOCKED}o.com.ar/
  • http://www.{BLOCKED}rypter.com/