DECODING PHP HACK SCRIPTS AND ROOT SHELLS

Throughout my investigations into phishing and malicious scripts, I am constantly seeing malicious actors uploading additional scripts such as the Leaf mailer (there will be an article on this later) and web shells. One such web shell is WSO, or WebShell by Orb, which is favoured by hackers new and old. This is due to how easy to use and how thorough the web shell is.



The web shell comes with all the tools a hacker wants to use, such as:
– File manager
– Brute force tool
– Console to run commands directly against the command line
– SQL browser
– Suicide button (deletes itself from the server)
– Password protection

I have tracked the web shell being uploaded a few different ways: either as straight PHP code, encoded via Base64, or using compression such as Gunzip (GZ). Below is a sample of code that is hiding WSO.


[Image: sample of Base64/GZ-encoded code hiding WSO]

Once decoded, there are some telltale signs that you are working with WSO. Please note that not all of the samples below exist in the same script.

[Image: telltale signs of WSO in the decoded source]

One reason many malicious actors like using WSO is the ability to password-protect their backdoor on a victim's server. You will find that once a hacker has exploited a vulnerability and embedded their own web shell, they will go ahead and patch the vulnerability to prevent others from following their steps.

The password protection works by using simple HTTP password authentication. Sometimes you are lucky and find the password listed in the source code, as you can see in the example below.
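The three points above (shells arriving wrapped in Base64 or GZ layers, telltale features once decoded, and a password gate in the source) lend themselves to a small triage script. The following is an added example, not code from the original article or from WSO itself: it peels eval()/base64_decode()/gzinflate() wrappers off a PHP file with Python equivalents of those PHP functions, then flags generic indicators in the decoded result. The indicator list, the function names, and the two-layer sample file are my own assumptions, constructed for the demonstration; they are not a published WSO signature.

```python
"""Peel eval()/base64/gzinflate wrappers off a PHP file and flag web-shell indicators.

Added example for this article. The indicator list is an assumption typical of
PHP shells in general, not a WSO-specific signature.
"""
import base64
import codecs
import re
import zlib

# One eval(...) call whose argument is a chain of decode/inflate wrappers around a string literal.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*"
    r"((?:(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+)"  # wrapper chain
    r"(['\"])([^'\"]*)\2"                                                  # quoted payload
    r"\s*\)+\s*;?",
    re.S,
)

# Python equivalents of the PHP decoding functions the wrappers call.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(re.sub(rb"\s", b"", b)),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # PHP gzinflate = raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),     # PHP gzuncompress = zlib stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}

# Generic indicators (assumption: common to many PHP shells, not WSO-specific).
INDICATORS = {
    "command execution": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "request-driven input": re.compile(r"\$_(POST|GET|COOKIE|REQUEST)\b"),
    "hashed password gate": re.compile(r"\bmd5\s*\("),
    "self-deletion": re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)"),
    "database access": re.compile(r"\b(mysqli?_connect|mysqli_query|PDO)\b"),
}


def peel(src: str, max_depth: int = 10):
    """Repeatedly decode the outermost eval() wrapper.

    Returns (final_source, wrapper_chains), where wrapper_chains lists the
    wrapper functions found at each layer, outermost layer first.
    """
    chains = []
    for _ in range(max_depth):
        m = WRAPPER_RE.search(src)
        if not m:
            break
        funcs = re.findall(r"[a-z0-9_]+", m.group(1))
        data = m.group(3).encode()
        # Innermost wrapper runs first: gzinflate(base64_decode(x)) -> base64, then inflate.
        for f in reversed(funcs):
            data = DECODERS[f](data)
        src = data.decode("utf-8", "replace")
        chains.append(funcs)
    return src, chains


def scan(src: str) -> dict:
    """Decode all wrapper layers and report which indicators the final source contains."""
    decoded, chains = peel(src)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return {"layers": len(chains), "wrappers": chains, "indicators": hits, "decoded": decoded}


# --- constructed sample: a two-layer wrapped stub standing in for a real shell file ------
def _raw_deflate(data: bytes) -> bytes:
    """Produce raw DEFLATE output, the format PHP's gzinflate() expects."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


INNER_STUB = (
    "if (md5($_POST['pass']) !== 'PLACEHOLDER_HASH') { exit; }\n"  # password gate (placeholder hash)
    "system($_POST['cmd']);\n"                                     # the 'console' feature
    "if (isset($_POST['suicide'])) { unlink(__FILE__); }\n"         # the 'suicide button'
)
# Inner layers carry no <?php tag because eval() already runs in PHP mode.
_layer1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(
    _raw_deflate(INNER_STUB.encode())
).decode()
SAMPLE_FILE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(_layer1.encode()).decode()

if __name__ == "__main__":
    result = scan(SAMPLE_FILE)
    print("obfuscation layers:", result["layers"], result["wrappers"])
    print("indicators:", result["indicators"])
```

Running it against SAMPLE_FILE reports two wrapper layers and four indicators (command execution, hashed password gate, request-driven input, self-deletion). On a real investigation, the layer count alone is a useful signal: legitimate application code is rarely shipped as eval() of a compressed Base64 blob, so any file the script peels more than once deserves a look, whatever the indicators say.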

[Image: password listed in the shell's source code]

As mentioned above, the malicious actor uses an existing vulnerability to upload the source code of the shell into an existing file. Once they have the code embedded, they have the full access of the user the web server is running as.

WSO came on the scene around 2009 (Source: https://www.getastra.com/e/malware/infections/wso-shell-most-popular-malicious-tool-used-by-hackers) and was shared on a Russian forum. Since then there have been a few variations of WSO shared on the web. This is demonstrated by simply searching for ‘wso github’.

[Image: search results for ‘wso github’]

WSO is also listed as a PHP backdoor in VirusTotal. If you also run ConfigServer eXploit Scanner, it is detected and quarantined before the script can be used to exploit the environment. In the example below I was analyzing the zdb.php file, which is one of the variants of the WSO script I discussed above. The source code was detected by 16 different antivirus programs.

[Image: VirusTotal detections for zdb.php]

More antivirus products are detecting these backdoors and preventing them from becoming active. If you ever encounter a web shell in your environment, it is recommended that you remove the shell as soon as possible and rotate any passwords, such as database connection strings.