PHP_SIMPLESHELL.G
Backdoor:PHP/SimpleShell.A(Microsoft)
Windows,Linux
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This malware may be uploaded and installed on a web server by a remote malicious user after gaining access to the server.
Once this PHP script is installed, the remote user may then launch a backdoor on the affected system. Opening the page, the malicious user is shown a user interface.
This backdoor does not have any propagation routine.
TECHNICAL DETAILS
Arrival Details
This malware arrives via the following means:
- May be uploaded and installed on a web server by a remote malicious user after gaining access to the server.
Installation
This backdoor drops a copy of itself in the following folders using different file names:
- {PHP server document root}/en.php
- {PHP server document root}/info.php
Other System Modifications
This backdoor deletes the following files:
- {malware parent directory}/revslider.zip
Propagation
This backdoor does not have any propagation routine.
Dropping Routine
This backdoor drops the following files:
- {PHP server document root}/wp-includes/routing.php-also detected by TrendMicro as PHP_SIMPLESHELL.G
- {PHP server document root}/wp-indeks.php-also detected by TrendMicro as PHP_SIMPLESHELL.G
NOTES:
This malware modifies, if the files are existing, or creates the following files:
- {PHP server document root}/wp-content/plugins/revslider/temp/.htaccess
- {PHP server document root}/wp-content/themes/Avada/framework/plugins/revslider/temp/.htaccess
- {malware current directory}/.htaccess
- {malware current directory}/cgi-bin.pl-detected by Trend Micro as PERL_SIMPLESHELL.A
- {malware current directory}/cgi-bin/cgi-bin.pl-detected by Trend Micro as PERL_SIMPLESHELL.A
It sends an email to the malicious remote user with the following server information:
- host URI
- PHP safemode status
- server name
- remote user's IP address
This backdoor has the following backdoor capabilities:
- Receives a command/function using shell from a remote user
- Receive files from the remote user
- List all files
Once this PHP script is installed, the remote user may then launch a backdoor on the affected system. Opening the page, the malicious user is shown the following user interface:
It does not have rootkit capabilities.
It does not exploit any vulnerability.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Scan your computer with your Trend Micro product to delete files detected as PHP_SIMPLESHELL.G. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 4
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
- {PHP server document root}/wp-content/plugins/revslider/temp/.htaccess
- {PHP server document root}/wp-content/themes/Avada/framework/plugins/revslider/temp/.htaccess
- {malware current directory}/.htaccess
- {malware parent directory}/revslider.zip
- {malware current directory}/cgi-bin.pl
- {malware current directory}/cgi-bin/cgi-bin
Did this description help? Tell us how we did.