Backdoor.PHP.WEBSHELL.SBJSRMTZR

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Find index.php in current directory
• Find config.php in current directory
• Show active connection
• Show running services
• Show user accounts
• Show computer name
• Show ARP table
• Show IP Configuration
• Execute PHP Code
• Execute Arbitrary Code
• Manage Files (Change Access Permissions, Delete, Copy, Rename, Move, Read and Execute Files)
• Extract Zip Files
• Archive Files
• Upload/Download Files
• Display Current Working Directory
• Display Available Drives
• Create Files and Directories
• String Conversion
• Hash Searching
• Bruteforce Passwords (FTP, MySQL, PostgreSql)
• Connects to Specified Database
• Bind Port
• Delete Itself

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Information Theft

This Backdoor gathers the following data:

• Username
• Computer Name
• PHP Information
• OS Description
• Server Security Information
  • Server Software
  • Loaded Apached Modules
  • Disabled PHP Functions
  • cURL Support
  • Password Age
  • Minimum Password Length
  • Computer Role
  • User Accounts

Other Details

This Backdoor does not exploit any vulnerability.

It requires being hosted on a web server in order to proceed with its intended routine.