
Backdoor:PHP/Shell.O


First posted on 02 April 2016.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:PHP/Shell.O.

Explanation :

Installation

The threat disables PHP Safe Mode on the web server by setting the following directive in the PHP configuration file (php.ini):

  • safe_mode = off


It opens a TCP listener on port 70 to accept incoming communication from a remote attacker.

It drops the following files into folders on the server's root drive:
  • /dkcgi/.htaccess
  • /dkcgi/cgi.pl
  • /dkcgi/dz.sa
  • /dkchi/back2.php
  • /tmp/bc.pl
  • /tmp/bp.pl


The malware typically runs on the server while the remote attacker is connected through the backdoor, which gives the attacker control of the compromised machine.
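A host-side check for the indicators described above (the php.ini change, the dropped paths and the port 70 listener), written as an added example for this page and not taken from Microsoft's analysis. It assumes Linux's /proc/net/tcp format and takes its inputs as text, so it runs against the constructed samples embedded below; on a live host, feed it the real php.ini, the paths found with os.walk, and the contents of /proc/net/tcp.

```python
import re

# Indicators taken from the description above: dropped paths and the listener port.
DROPPED_FILES = ["/dkcgi/.htaccess", "/dkcgi/cgi.pl", "/dkcgi/dz.sa",
                 "/dkchi/back2.php", "/tmp/bc.pl", "/tmp/bp.pl"]
BACKDOOR_PORT = 70
OFF_VALUES = {"off", "0", "false", "no", "none", ""}  # PHP ini spellings of "off"
_SAFE_MODE = re.compile(r"^\s*safe_mode\s*=\s*[\"']?([A-Za-z0-9]*)[\"']?\s*(?:;.*)?$")

def safe_mode_disabled(php_ini_text):
    """True if an uncommented safe_mode directive turns safe mode off.
    php.ini comments start with ';' and the last assignment wins."""
    state = None
    for line in php_ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = _SAFE_MODE.match(line)
        if m:
            state = m.group(1).lower()
    return state is not None and state in OFF_VALUES

def dropped_files_present(existing_paths):
    """Indicator paths found in existing_paths (e.g. collected with os.walk)."""
    present = set(existing_paths)
    return [p for p in DROPPED_FILES if p in present]

def port70_listeners(proc_net_tcp):
    """Local addresses in LISTEN state (0A) on port 70, from /proc/net/tcp text."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            if int(fields[1].rsplit(":", 1)[1], 16) == BACKDOOR_PORT:
                hits.append(fields[1])
    return hits

# Constructed sample inputs standing in for a compromised host.
SAMPLE_PHP_INI = "; php.ini\nsafe_mode = On\n; tampered line, last one wins:\nsafe_mode = off\n"
SAMPLE_PATHS = ["/var/www/html/index.php", "/dkcgi/cgi.pl", "/tmp/bp.pl"]
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1 1\n"
    "   1: 00000000:0046 00000000:0000 0A 00000000:00000000 00:00000000 00000000 33 0 2 1\n"
)

if __name__ == "__main__":
    print(safe_mode_disabled(SAMPLE_PHP_INI), dropped_files_present(SAMPLE_PATHS),
          port70_listeners(SAMPLE_PROC_NET_TCP))
```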

Payload

Changes passwords for website admin tools

The backdoor will change the MySQL password for accounts called "admin" that are used in the following web server content management systems (CMS):
  • Joomla
  • vBulletin
  • WordPress


Connects to remote server to send information

The threat can post information about its infection (such as an MD5 hash) to the following sites:
  • https://hashcracking.info/index.php
  • md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5
  • www.hashcrack.com/index.php
  • www.md5decrypter.com/
  • www.milw0rm.com/cracker/search.php


Allows backdoor access and control

The threat listens on TCP port 70 for incoming instructions from a remote attacker at any address. The attacker can perform the following actions:
  • Open a bash shell, which allows the remote attacker to transfer and run remote files
  • Brute force logins for MySQL and PostgreSQL
  • See server information such as the active connections on the server and user accounts




Analysis by Mihai Calota

Last update 02 April 2016
