ASP Backdoors? Sure! It’s not just about PHP

October 27, 2014 · Peter Gramantik

I recently came to the realization that it might appear we're partial to PHP and WordPress. That realization brought about an overwhelming need to correct the perception. While PHP and WordPress do make up a large share of what we see, various other platforms and languages have similar, if not more devastating, implications.

Consider Microsoft ASP and Windows IIS web servers. They carry their share of infections too, yet we don't give them, or share about them, as much attention as we probably should.

Windows IIS Server Infections

The attack vectors for Windows IIS servers are the same as what you would expect on Linux Apache servers:

  • Vulnerable software, both server-side and client-side.
  • Vulnerabilities in plugins and content management systems.
  • Outdated software.
  • Insecure server configurations.
  • Old, externally accessible backups or staging sites stored in the root directory.
  • Weak or inadequate access controls.

The result? Infected websites or web servers.

Analyzing an ASP Backdoor Sample

Now let’s take a moment to analyze an ASP backdoor and dive into the different elements of the payload.

Here is one I had the joy of diving deep into recently:

[Screenshot: Sucuri - ASP Backdoor 1, the encoded ASP file]

I removed 99% of the encoded data to make a readable screenshot; the original, however, was a 73.5 KB file, pretty big for a script. Notice the decoding function at the end of the code? To decode the payload, I rewrote that function in PHP:

VBScript:
[Screenshot: Sucuri - VBScript Backdoor, the original decoding function]

PHP:
[Screenshot: Sucuri - PHP Backdoor, the decoding function rewritten in PHP]

After decoding the encoded data I managed to find a pretty big backdoor. I’ve seen thousands like this written in PHP. I’ve seen fewer written in other languages (e.g. Python, Perl) but I assure you, the programming language doesn’t matter. If a piece of malware can be written in one language, it will be written in others, sooner or later.
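The structure described above (one huge encoded string literal, a small character-level decoder, and a call that executes the decoded text) is also what a defender can look for. The following is an added example, not code from the post or from Sucuri: a Python heuristic that scores ASP/VBScript source by those indicators. The sample inputs are constructed, and the indicator names and weights are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the backdoor in the post: one huge encoded
# string literal, a Chr()-based decoder loop, and Execute() running the result.
BLOB = "4A6B2F7C" * 600  # repeated filler, not a real payload
SAMPLE_ASP = f'''<%
Dim s, i, out
s = "{BLOB}"
For i = 1 To Len(s) Step 2
    out = out & Chr(CLng("&H" & Mid(s, i, 2)) Xor 9)
Next
Execute(out)
%>
'''
# Constructed benign page for comparison.
BENIGN_ASP = '<%\nResponse.Write("Hello, " & Request.QueryString("name"))\n%>\n'

@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)

# One point per indicator. Execute/Eval of text built at runtime is the strongest
# sign; the rest describe how the payload is hidden. ChrW/AscW are listed because
# they work on Unicode code points, which a byte-only decoder port silently drops.
EXEC_RE = re.compile(r"\b(Execute|ExecuteGlobal|Eval)\s*\(", re.I)
DECODER_RE = re.compile(r"\b(Chr|ChrW|Asc|AscW)\s*\(", re.I)
LOOP_RE = re.compile(r"\bFor\b.*\bTo\b.*\bLen\s*\(", re.I)
BLOB_RE = re.compile(r'"([^"\n]{2000,})"')  # string literal of 2000+ chars

def scan_asp(source: str) -> Finding:
    """Score an ASP/VBScript source text by obfuscated-backdoor indicators."""
    f = Finding()
    for rx, why in ((EXEC_RE, "executes dynamically built code"),
                    (DECODER_RE, "character-level decoding call"),
                    (LOOP_RE, "loop over a string's length")):
        if rx.search(source):
            f.score += 1
            f.reasons.append(why)
    blobs = [m.group(1) for m in BLOB_RE.finditer(source)]
    if blobs:
        longest = max(len(b) for b in blobs)
        f.score += 1
        f.reasons.append(f"{longest}-char literal, {100 * longest // len(source)}% of file")
    return f
```

A score of 3 or 4 is worth a manual look; a long literal alone is common in legitimate pages that embed data, so the combination matters more than any single hit.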

Back to our good old, absolutely common piece of malware. What did I get after decoding it?

[Screenshot: Sucuri - ASP Backdoor 3, the first lines of the decoded webshell]

A simple backdoor – webshell. These are the first 40 lines out of 800. It even included custom functions with friendly names to help me understand the purpose of the script really quickly!

[Screenshot: Sucuri - ASP Backdoor 4, custom functions with descriptive names]

Nothing new, just written in ASP (VBScript). Also, my decoding function didn't work 100%, so all the Unicode characters were lost (status messages, etc.):

[Screenshot: Sucuri - ASP Backdoor 5, decoded code with missing Unicode strings]

But that doesn't matter. The purpose of this code was straightforward: retain full control of your environment.

The moral of the story is simple: websites, regardless of the technology and platform they reside on, all serve a purpose to bad actors and crackers. Keep an eye out, and remember that what you see is often only a fraction of the problem. The question you must continuously ask yourself is: what am I not seeing?

Categories: Website Security, WordPress Security. Tags: Webserver Infections, Website Backdoor.

About Peter Gramantik

Peter Gramantik is Sucuri’s Sr. Malware Researcher who joined the company in 2013. Peter’s main responsibilities include crafting signatures for new malware, and improving existing and researching new detection techniques. His professional experience covers 15 years of fighting malware. When Peter isn’t researching malware, you might find him doing technical and cave dives, riding his Harley Davidson, playing the guitar and singing in a band, or cooking BBQ for his family and friends. Connect with Peter on Twitter.

Comments

  1. Amanda Cline

    March 10, 2015

    Thanks for sharing useful information.
