PHP/WebShell [Threat Name]
PHP/WebShell.NEA [Threat Variant Name]
Category | trojan
Size | 57758 B
Aliases | Backdoor:PHP/WebShell.A (Microsoft)
        | PHP:BackDoor-AR [Trj] (Avast)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The trojan is usually found in the following folder:
- %webserverdocumentsrootfolder%
Information stealing
The trojan collects the following information:
- hardware information
- operating system version
- user name
- information about the operating system and system settings
- computer IP address
- list of files/folders on a specific drive
- list of installed applications
- opened port number
Payload information
The trojan acquires data and commands from a remote computer or the Internet. The HTTP protocol is used.
It may perform the following actions:
- execute shell commands
- execute SQL commands
- download files from a remote computer and/or the Internet
- run executable files
- various filesystem operations
- open ports
- brute-force logins for FTP, MySQL, PostgreSQL
- send gathered information
Other information
The trojan doesn't perform any action if the request's User-Agent header contains any of these strings:
- Slurp
- MSNBot
- ia_archiver
- Yandex
- Rambler
The trojan may execute the following commands:
- dir
- dir /s /w /b index.php
- dir /s /w /b *config*.php
- netstat -an
- net start
- net user
- net view
- arp -a
- ipconfig /all
- ls -lha
- lsattr -va
- netstat -an | grep -i listen
- ps aux
- find / -type f -perm -04000 -ls
- find . -type f -perm -04000 -ls
- find / -type f -perm -02000 -ls
- find . -type f -perm -02000 -ls
- find / -type f -name config.inc.php
- find / -type f -name "config*"
- find . -type f -name "config*"
- find / -perm -2 -ls
- find . -perm -2 -ls
- find / -type f -name service.pwd
- find . -type f -name service.pwd
- find / -type f -name .htpasswd
- find . -type f -name .htpasswd
- find / -type f -name .bash_history
- find . -type f -name .bash_history
- find / -type f -name .fetchmailrc
- find . -type f -name .fetchmailrc
- locate httpd.conf
- locate vhosts.conf
- locate proftpd.conf
- locate psybnc.conf
- locate my.conf
- locate admin.php
- locate cfg.php
- locate conf.php
- locate config.dat
- locate config.php
- locate config.inc
- locate config.inc.php
- locate config.default.php
- locate config
- locate '.conf'
- locate '.pwd'
- locate '.sql'
- locate '.htpasswd'
- locate '.bash_history'
- locate '.mysql_history'
- locate '.fetchmailrc'
- locate backup
- locate dump
- locate priv
The trojan detects the presence of the following applications:
- kav
- nod32
- bdcored
- uvscan
- sav
- drwebd
- clamd
- rkhunter
- chkrootkit
- iptables
- ipfw
- tripwire
- shieldcc
- portsentry
- snort
- ossec
- lidsadm
- tcplodg
- sxid
- logcheck
- logwatch
- sysmask
- zmbscap
- sawmill
- wormscan
- ninja
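The crawler user-agent list above and the application list just given are static strings inside the shell, which makes them usable as triage indicators when sweeping a web server's document root. The following scanner is an added example written for this page; it is not ESET's detection logic and not part of the threat. It matches the user-agent strings, the application names and a handful of the listed command lines against each PHP file and flags a file only when several hits from one family co-occur. The thresholds, the file extensions scanned and the two sample files are assumptions constructed for the example (the "suspicious" sample carries only the indicator strings and is not a working shell).

```python
"""Added example (not ESET's detection logic): a triage scanner that flags PHP
files carrying the indicator strings listed in this description."""
import os
import re
from dataclasses import dataclass

# Strings taken from the description: crawler user agents the shell refuses to serve.
CRAWLER_UA_STRINGS = ["Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"]

# Application names the shell checks for, as listed in the description.
SECURITY_TOOL_NAMES = [
    "kav", "nod32", "bdcored", "uvscan", "sav", "drwebd", "clamd", "rkhunter",
    "chkrootkit", "iptables", "ipfw", "tripwire", "shieldcc", "portsentry",
    "snort", "ossec", "lidsadm", "tcplodg", "sxid", "logcheck", "logwatch",
    "sysmask", "zmbscap", "sawmill", "wormscan", "ninja",
]

# A handful of the command lines from the description, matched literally.
RECON_COMMANDS = [
    "find / -type f -perm -04000 -ls",
    "find / -type f -name .htpasswd",
    "locate config.inc.php",
    "netstat -an | grep -i listen",
    "dir /s /w /b *config*.php",
]

# Thresholds are an assumption of this example, chosen so that a single short
# token such as "sav" or "ninja" in ordinary code does not raise an alert.
MIN_CRAWLER_HITS, MIN_TOOL_HITS, MIN_RECON_HITS = 3, 5, 2


@dataclass
class ScanResult:
    crawler_hits: list
    tool_hits: list
    recon_hits: list

    def suspicious(self) -> bool:
        """A file is flagged when any one indicator family reaches its threshold."""
        return (len(self.crawler_hits) >= MIN_CRAWLER_HITS
                or len(self.tool_hits) >= MIN_TOOL_HITS
                or len(self.recon_hits) >= MIN_RECON_HITS)


def _word_hits(text: str, needles: list) -> list:
    """Return the needles that occur in text as whole tokens (no [A-Za-z0-9_] on either side)."""
    return [n for n in needles
            if re.search(r"(?<![A-Za-z0-9_])" + re.escape(n) + r"(?![A-Za-z0-9_])", text)]


def scan_text(text: str) -> ScanResult:
    """Match the three indicator families against one file's contents."""
    return ScanResult(
        crawler_hits=_word_hits(text, CRAWLER_UA_STRINGS),
        tool_hits=_word_hits(text, SECURITY_TOOL_NAMES),
        recon_hits=[c for c in RECON_COMMANDS if c in text],  # literal substring match
    )


def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> list:
    """Walk a document root and return (path, result) for every file that trips a threshold."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    result = scan_text(fh.read())
                if result.suspicious():
                    flagged.append((path, result))
    return flagged


# Constructed samples: the first carries only the indicator strings and is not a working shell.
SAMPLE_SUSPICIOUS = """<?php
$bots  = array('Slurp', 'MSNBot', 'ia_archiver', 'Yandex', 'Rambler');
$tools = array('kav', 'nod32', 'clamd', 'rkhunter', 'chkrootkit', 'snort', 'ossec');
$cmds  = array('find / -type f -perm -04000 -ls', 'locate config.inc.php');
"""
SAMPLE_BENIGN = "<?php\necho 'save the date: ninja turtles';\n"

if __name__ == "__main__":
    import tempfile
    # Build a throwaway document root holding one benign and one suspicious file.
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", SAMPLE_BENIGN), ("inc/sample.php", SAMPLE_SUSPICIOUS)):
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        for path, result in scan_tree(root):
            print(path, result)
```

Whole-token matching matters because several of the listed names ("sav", "kav", "ninja") are short enough to occur inside ordinary identifiers; the benign sample contains both "save" and "ninja" and is not flagged, since one token from one family stays below the threshold. Hits on a real server should be confirmed by reading the file and comparing its timestamp and owner with the rest of the deployment rather than treated as a verdict.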