Backdoor.PHP.C99Shell.w
Detection added: Sep 12 2007 10:29 GMT
Description added: Aug 04 2008
Behavior: Backdoor
- Technical details
- Payload
- Removal instructions
Technical details
Installation
This backdoor can be installed on a web server by a remote malicious user who uploads it via FTP using previously stolen administrator credentials. It can also be installed by exploiting any of a range of website vulnerabilities that allow an arbitrary file to be uploaded to the directory containing the site's scripts. Once this has been done, a hidden page appears on the site; opening this page lets the malicious user launch the backdoor and use its malicious functionality.
Payload
The backdoor is able to conduct the following actions on the remote server:
- provide full access to files on the hard disk
- calculate a range of hashes for strings
- launch the command interpreter and bind its standard input/output to a specific TCP port
- bind the standard input/output of the command interpreter to data from an IRC server (datapipe)
- view a list of processes running on the server
- execute arbitrary PHP code
- download/upload files from/to the server
- search the server's hard disk for files with specific content
- manage MySQL databases (view/create/edit databases and tables)
- run shell commands
- scan FTP server accounts for weak passwords (e.g. where the account name and password coincide)
- delete its own copy from the server's hard disk on command
- create a user account without a password
- view active users on the system
- delete records of its own activity from Apache server logs
- exploit a range of Linux kernel and bash command interpreter vulnerabilities
- run via the proxy server shown below:
http://*****faced.org/proxy/index.php?q=
Removal instructions
- Delete the original backdoor file (its location will depend on how the program originally penetrated the victim machine).
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
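The first removal step assumes you can find the file. As an added example (not code from Kaspersky or from this advisory), the script below walks a web root and flags PHP files that combine several of the capability families listed under Payload (arbitrary PHP execution, shell command execution, TCP socket binding, database management, self-deletion). The function-name indicators, the two-hit threshold and the sample files it writes into a temporary directory are all assumptions constructed for the example, not a signature for this specific sample.

```python
"""Locate webshell-like PHP files under a web root (added example, not the
advisory's own tooling).  The indicator table is an assumption derived from
the capability list above; it is a triage heuristic, not a signature."""
import os
import re
import tempfile

# One regex per capability family named in the Payload section.  All of the
# function names are real PHP built-ins; the grouping is ours.
INDICATORS = {
    "arbitrary PHP execution": re.compile(r"\beval\s*\(", re.I),
    "shell command execution": re.compile(
        r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I),
    "TCP socket binding": re.compile(
        r"\b(?:fsockopen|socket_create|socket_bind|stream_socket_server)\s*\(", re.I),
    "database management": re.compile(r"\bmysqli?_(?:connect|query)\s*\(", re.I),
    "self-deletion": re.compile(r"\bunlink\s*\(\s*__FILE__", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def scan_file(path):
    """Return the names of the indicator families present in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def scan_webroot(root, min_hits=2):
    """Walk `root` and return (relative path, sorted hit names) for every PHP
    file matching at least `min_hits` families.  A single family (e.g. one
    system() call in a maintenance script) is not reported, which keeps the
    noise down; a shell typically bundles several."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            hits = scan_file(path)
            if len(hits) >= min_hits:
                findings.append((os.path.relpath(path, root), sorted(hits)))
    return sorted(findings)


def demo():
    """Build a constructed web root and scan it.  Returns the findings list."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        # Ordinary site code: one database family only, so it is not flagged.
        "index.php": "<?php $db = mysqli_connect('localhost', 'site', 'pw'); ?>",
        # Legitimate admin helper: a single shell family, also below threshold.
        "cron.php": "<?php system('php /srv/site/cleanup.php'); ?>",
        # Constructed stand-in for a dropped shell hiding in an upload folder:
        # it combines four of the families listed in the advisory.
        "uploads/.cache.php": (
            "<?php if (isset($_POST['c'])) { eval($_POST['c']); }\n"
            "if (isset($_POST['s'])) { passthru($_POST['s']); }\n"
            "if (isset($_POST['p'])) { $fp = fsockopen('127.0.0.1', 4444); }\n"
            "if (isset($_POST['k'])) { unlink(__FILE__); } ?>"
        ),
        # Non-PHP file with the same words: skipped by extension.
        "notes.txt": "eval( passthru( fsockopen(",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, hits in demo():
        print(rel_path, "->", ", ".join(hits))
```

Run it against a real web root with `scan_webroot("/var/www/html")` and review every hit by hand; compare the flagged file's modification time with your deployment history. Shells are commonly obfuscated (base64 strings, `str_rot13`, variable function names), which this plain-text heuristic will miss, so treat a clean result as "nothing obvious" rather than "nothing present", and pair it with the antivirus scan in the second removal step.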