Backdoor.PHP.C99Shell.an

Backdoor.PHP.C99Shell.an



Detection added Jun 16 2008 02:05 GMT
Update released Jun 16 2008 06:12 GMT
Description added Oct 20 2008
Behavior Backdoor
Technical details
This Trojan provides a remote malicious user with access to the victim machine. It is a PHP script. It is 149170 bytes in size.

Installation

This backdoor can be installed on a web server by a remote malicious user by uploading it via FTP, using the administrator's log-in details which have already been stolen. It can also be used to exploit a range of web site vulnerabilities which make it possible to upload a random file to the directory which contains the site scripts. Once this has been done, a hidden page appears on the site. Opening this page makes it possible for the malicious user to launch the backdoor and make use of its malicious functionality.

Payload
This backdoor is designed to provide remote, unauthorised administration of web servers. When the backdoor is launched, the malicious user is shown the backdoor interface:

The backdoor is able to conduct the following actions on the remote server:

  1. provide full access to files on the hard disk
  2. calculate a range of hashes for strings
  3. launch the command interpreter and bind its standard input/ output to a specific TCP port
  4. bind the standard input/ output of the command interpreter to data from the IRC server (datapipe)
  5. View the list of processes launched on the server
  6. execute random PHP code
  7. download/ upload files from/to the server
  8. search the server's hard disk for files with specific content
  9. manage mysql databases (view/ create/ edit databases/ tables)
  10. run shell commands
  11. scan FTP server accounts for weak passwords (e.g. where the account name and password co-incide)
  12. delete the copy of itself from the server hard disk on command
  13. create a user account without password
  14. view active users in the system
  15. delete records of its own activity from Apache server logs
Patches
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Posted by
Labels: