Backdoor.PHP.WEBSHELL.SBJSRMUAI

This Backdoor may be hosted on a website and run when a user accesses the said website.

Arrival Details

This Backdoor may be hosted on a website and run when a user accesses the said website.

Information Theft

This Backdoor gathers the following data:

• Operating System
• Server
• Server IP
• User IP
• Kernel Version
• Software
• Storage Space
• User/Group
• Time on Server
• PHP Version
• Safe Mode Status
• MySQL Version
• MSSQL Version
• PostgreSQL Version
• Perl Version
• Python Version
• Ruby Version
• WGET Version
• cURL Version
• Magic Quotes Version
• SSH2 Version
• Oracle Version
• UID
• GID
• Group
• HDD Free space
• HDD Used space
• HDD Total space

Other Details

This Backdoor does the following:

• Checks for the status of these PHP configurations and set it to 'ON':
  • Safe mode
  • Disable functions
  • Basedir
  • MySQL
  • curl
  • wget
  • perl
  • ruby
  • mssql
  • pgsql
  • python
  • magicquotes
  • ssh2
  • oracle
• Enumerates available drives in the system and creates a link for a malicious actor to access it
• This backdoor has a control panel that has the following functions:
  • Info
  • Mass deface
  • Symlink
  • Config
  • Cpanel
  • All_tools
  • Upload files
  • command
  • bikinfile
  • Logout
• Grants full read, write, and execute privileges to the malicious actor
• Bypass Symlink protections giving unauthorized access, privilege escalation, data manipulation, code injection, lateral movement, and persistence in the affected system.
• Bind connect to systems running Perl and C servers using Netsploit which has the following functionalities:
  • Port Binding
  • Connect Back
  • Load and Exploit
• It shows the following string to indicate that the website has been hacked:
  • Hacked by D7net

It requires being hosted on a web server in order to proceed with its intended routine.