Identifying website backdoors is not always an easy task. Since a backdoors primary function is to conceal itself while providing unauthorized access, they are often developed using a variety of techniques that can make it challenging to detect. For example, an attacker can inject a single line of code containing less than 130 characters into […]
Tag Archives: Website Backdoor
Why You Should Monitor Your Website
In an effort to maintain unauthorized access or profit off a website’s environment long after an initial compromise, attackers commonly leverage a variety of different techniques and tactics. These techniques range from adding backdoors, stealing sensitive data, redirecting the site to other third-party resources, or even injecting specially crafted links to give their own sites […]
Fake WordPress Functions Conceal assert() Backdoor
A few weeks ago, I was manually inspecting some files on a compromised website. While checking on a specific WooCommerce file, I noticed something interesting. Among 246 other lines, this very specific part stood out to me: $config = wp_dbase_config_init(‘_as_sert’); For those readers familiar with PHP functions commonly misused by hackers, you may have already […]
Obfuscation Techniques in MARIJUANA Shell “Bypass”
Attackers are always trying to come up with new ways to evade detection from the wide range of security controls available for web applications. This also extends to malware like PHP shells, which are typically left on compromised websites as a backdoor to maintain unauthorized access. MARIJUANA is the name of a PHP shell that […]
“Free” Symchanger Malware Tricks Users Into Installing Backdoor
In a previous post, I discussed how attackers can trick website owners into installing malware onto a website — granting the attacker the same unauthorized access as if they had exploited a vulnerability or compromised login details for the website. But did you know attackers use the same tactic against other bad actors? They do […]
Code Comments Reveal SCP-173 Malware
We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code — for example, a short description of a feature or functionality for other developers to reference. Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use […]
P.A.S. Fork v. 1.0 — A Web Shell Revival
A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily available) PHP web shells do the job, there’s no need […]
Backdoor Shell Dropper Deploys CMS-Specific Malware
A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want. Another common scenario includes malware which is directly injected into a website’s files and used to redirect traffic, steal credit cards and other sensitive information, […]
Backdoor Obfuscation: tempnam & URL Encoding
In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host. This PHP web […]
The Hidden PHP Malware that Reinfects Cleaned Files
Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection — especially if you lack access to necessary logs, which is usually the case for shared hosting services. Some of the more common causes of reinfections are issues like cross- site contamination or […]
