Backdoor:PHP/WebShell.A
First posted on 22 March 2012.
Source: Microsoft
Aliases:
Backdoor:PHP/WebShell.A is also known as PHP/WebShell.A.1 (Avira), PHP.Backdoor.Trojan (Symantec).
Explanation:
Backdoor:PHP/WebShell.A is a backdoor trojan that allows unauthorized access and control of an affected computer by a remote attacker. The backdoor is written in PHP format and can affect both Windows and Linux operating systems.
Installation
Backdoor:PHP/WebShell.A drops the following files:
- <root folder>/tmp/bp.pl - used to listen for shell commands
- <root folder>/tmp/bc.pl - used to send shell commands
Payload
Sends email
Backdoor:PHP/WebShell.A sends an email that contains the IP address of the affected computer and reports its installation to the Yahoo! account "freedom20900".
Allows backdoor access and control
Backdoor:PHP/WebShell.A may allow a remote attacker to perform the following actions:
- Archive or extract files
- Brute-force logins for FTP, MySQL, and PostgreSQL (pgsql)
- Create or delete folders
- Download files
- Encode or decode files
- Open a bash shell, which allows the remote attacker to execute commands on the affected computer
- Open files
- Rename files
- Run SQL commands
- Search folders
- Show active connections
- Show computers the infected computer had access to
- Show running services
- Show user accounts
- Show IP configuration
Connects to certain servers
Backdoor:PHP/WebShell.A connects to the following servers to receive arbitrary information about the affected computer, sent by an attacker:
- crackfor.me
- hashcracking.info
- hashcracking.ru
- md5.rednoize.com
- www.hashcrack.com
- www.md5decrypter.com
- www.milw0rm.com
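The dropped files, the install-report e-mail account and the contacted servers above are the observable indicators of this backdoor. The following Python script is an added example (not part of Microsoft's write-up) that sweeps constructed sample records for them: a file listing for `tmp/bp.pl` and `tmp/bc.pl` under any web root (the page only gives `<root folder>/tmp/…`, so the prefix is unknown), DNS query lines for the seven listed hosts, and mail-log lines whose recipient is the `freedom20900` account at a Yahoo! domain. The log line formats, the exact e-mail address form and the sample records are assumptions.

```python
"""Indicator sweep for Backdoor:PHP/WebShell.A (added example, not the
vendor's code). Indicators come from the write-up; log formats and the
sample records below are constructed for illustration."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up
DROPPED_FILES = ("tmp/bp.pl", "tmp/bc.pl")      # relative to an unknown root folder
REPORT_ACCOUNT = "freedom20900"                 # Yahoo! account the backdoor reports to
CONTACTED_HOSTS = frozenset({
    "crackfor.me", "hashcracking.info", "hashcracking.ru", "md5.rednoize.com",
    "www.hashcrack.com", "www.md5decrypter.com", "www.milw0rm.com",
})

# Constructed sample input (assumed formats; not real logs)
SAMPLE_PATHS = [
    "/var/www/html/tmp/bp.pl",
    "/var/www/html/tmp/bc.pl",
    "/var/www/html/index.php",
    "C:\\inetpub\\wwwroot\\tmp\\bc.pl",
    "/home/u/tmp/bp.pl.bak",                    # near miss, must not match
]
SAMPLE_DNS = [                                   # assumed: '<ts> <client> query <name>'
    "2012-03-22T10:01:02 10.0.0.5 query www.md5decrypter.com.",
    "2012-03-22T10:01:03 10.0.0.5 query updates.example.com.",
    "2012-03-22T10:01:04 10.0.0.7 query HASHCRACKING.RU",
]
SAMPLE_MAIL = [                                  # assumed: '<ts> from=<addr> to=<addr> ...'
    "2012-03-22T10:02:00 from=www-data@host to=freedom20900@yahoo.com subject=ip",
    "2012-03-22T10:02:01 from=alice@host to=bob@example.com subject=hi",
]


@dataclass
class Finding:
    kind: str        # "dropped_file", "contacted_host" or "report_email"
    indicator: str   # the indicator that matched
    evidence: str    # the record it matched in


def check_paths(paths):
    """Flag paths ending in tmp/bp.pl or tmp/bc.pl under any root folder."""
    findings = []
    for path in paths:
        norm = path.replace("\\", "/").lower()   # accept Windows and Linux paths
        for dropped in DROPPED_FILES:
            if norm == dropped or norm.endswith("/" + dropped):
                findings.append(Finding("dropped_file", dropped, path))
    return findings


_DNS_RE = re.compile(r"\bquery\s+(\S+)")


def check_dns(lines):
    """Flag queries for a listed host or any name beneath it."""
    findings = []
    for line in lines:
        m = _DNS_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()    # drop trailing dot, normalise case
        for host in CONTACTED_HOSTS:
            if name == host or name.endswith("." + host):
                findings.append(Finding("contacted_host", host, line))
                break
    return findings


_RCPT_RE = re.compile(r"\bto=<?([^\s,>]+)")


def check_mail(lines):
    """Flag mail addressed to the freedom20900 account at a Yahoo! domain
    (the address form is an assumption; the page names only the account)."""
    findings = []
    for line in lines:
        m = _RCPT_RE.search(line)
        if not m or "@" not in m.group(1):
            continue
        local, domain = m.group(1).rsplit("@", 1)
        if local.lower() == REPORT_ACCOUNT and "yahoo" in domain.lower():
            findings.append(Finding("report_email", REPORT_ACCOUNT, line))
    return findings


def sweep(paths=SAMPLE_PATHS, dns_lines=SAMPLE_DNS, mail_lines=SAMPLE_MAIL):
    """Run all three checks and return every finding."""
    return check_paths(paths) + check_dns(dns_lines) + check_mail(mail_lines)


if __name__ == "__main__":
    for f in sweep():
        print(f"[{f.kind}] {f.indicator}: {f.evidence}")
```

Run against the constructed samples it reports three dropped-file hits (the `.bak` near miss is ignored), two contacted hosts and one report e-mail. On a real host, feed `check_paths` a listing of the web root and `check_dns`/`check_mail` the resolver and MTA logs in whatever format they actually use, adjusting the two regexes accordingly; the DNS check deliberately matches subdomains of the listed hosts as well as exact names.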
Analysis by Hyun Choi
Last update 22 March 2012