PHP/WebShell [Threat Name] go to Threat

PHP/WebShell.NEA [Threat Variant Name]

Category trojan
Size 57758 B
Detection created Aug 03, 2017
Detection database version 15856
Aliases Backdoor:PHP/WebShell.A (Microsoft)
  PHP:BackDoor-AR.{Trj] (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan is usually found in the following folder:

  • %webserverdocumentsrootfolder%
Information stealing

The trojan collects the following information:

  • hardware information
  • operating system version
  • user name
  • information about the operating system and system settings
  • computer IP address
  • list of files/folders on a specific drive
  • list of installed applications
  • opened port number
Payload information

The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.


It may perform the following actions:

  • execute shell commands
  • execute SQL commands
  • download files from a remote computer and/or the Internet
  • run executable files
  • various filesystem operations
  • open ports
  • brute-force logins for          FTP, MySql, PostgreSql
  • send gathered information
Other information

The trojan doesn't perform any action if user agent contains any of these strings:

  • Google
  • Slurp
  • MSNBot
  • ia_archiver
  • Yandex
  • Rambler

The trojan may execute the following commands:

  • dir
  • dir /s /w /b index.php
  • dir /s /w /b *config*.php
  • netstat -an
  • net start
  • net user
  • net view
  • arp -a
  • ipconfig /all
  • ls -lha
  • lsattr -va
  • netstat -an | grep -i listen
  • ps aux
  • find / -type f -perm -04000 -ls
  • find . -type f -perm -04000 -ls
  • find / -type f -perm -02000 -ls
  • find . -type f -perm -02000 -ls
  • find / -type f -name config.inc.php
  • find / -type f -name\­"config*\­"
  • find . -type f -name\­"config*\­"
  • find / -perm -2 -ls
  • find . -perm -2 -ls
  • find / -type f -name service.pwd
  • find . -type f -name service.pwd
  • find / -type f -name .htpasswd
  • find . -type f -name .htpasswd
  • find / -type f -name .bash_history
  • find . -type f -name .bash_history
  • find / -type f -name .fetchmailrc
  • find . -type f -name .fetchmailrc
  • locate httpd.conf
  • locate vhosts.conf
  • locate proftpd.conf
  • locate psybnc.conf
  • locate my.conf
  • locate admin.php
  • locate cfg.php
  • locate conf.php
  • locate config.dat
  • locate config.php
  • locate config.inc
  • locate config.inc.php
  • locate config.default.php
  • locate config
  • locate '.conf'
  • locate '.pwd'
  • locate '.sql'
  • locate '.htpasswd'
  • locate '.bash_history'
  • locate '.mysql_history'
  • locate '.fetchmailrc'
  • locate backup
  • locate dump
  • locate priv

Trojan detects the presence of the following applications:

  • kav
  • nod32
  • bdcored
  • uvscan
  • sav
  • drwebd
  • clamd
  • rkhunter
  • chkrootkit
  • iptables
  • ipfw
  • tripwire
  • shieldcc
  • portsentry
  • snort
  • ossec
  • lidsadm
  • tcplodg
  • sxid
  • logcheck
  • logwatch
  • sysmask
  • zmbscap
  • sawmill
  • wormscan
  • ninja

Please enable Javascript to ensure correct displaying of this content and refresh this page.