B374k Web Shell Packer

May 13, 2020, by Luke Leal

PHP web shells are a type of backdoor which, when left on compromised websites, allow attackers to maintain unauthorized access after initial compromise.

To further evade detection, attackers may also choose to keep a packer script on a compromised website instead of the actual PHP web shell. They can then use this script to generate the PHP web shell on an as-needed basis.

One of the more common PHP web shells is b374k.php. It is popular with bad actors because it offers a lot of features, including a file manager, database connections, various text conversions, and sending email via PHP.

Let’s take a look at how attackers can load b374k.php with a packing script, seen below.

[Screenshot: unknown shell packer]

This unknown shell packer offers a few different options to the attacker:

  • Output – Defines the filename of the PHP web shell to be created
  • Password – Sets a password used to limit access to the PHP web shell
  • Module – Optional features that can be enabled: convert, database, info, mail, network, processes
  • Theme – Optional color theme
  • Strip Comments and Whitespaces – Removes unneeded code comments and whitespace
  • Base64 Encode – Encodes the PHP web shell’s code with base64
  • Compress – Compresses the PHP code with one of several PHP compression functions (gzdeflate, gzencode, or gzcompress). This feature requires the code to have already been base64 encoded.

Attackers can also run the packer by submitting the parameters through the PHP CLI, if it is available.

[Screenshot: CLI for b374k packer]

Regardless of whether the attacker opts for the PHP CLI or the browser GUI, the result is a generated PHP shell with the chosen filename — in this case unknown.php — which is dropped in the current directory.
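The base64-then-compress layering described above is what an analyst has to reverse when triaging a suspicious PHP file. As an added example (not code from the post or from the b374k project), the following Python locates a loader stub of the assumed shape eval(decoder(decoder(...('literal')))), applies the inverse of each PHP function in the order PHP would, and checks the unpacked payload for a marker; the sample shell body and loader are constructed for the example.

```python
import base64
import re
import zlib

# Inverse of each PHP function a packed shell's loader may call: gzinflate()
# reverses gzdeflate() (raw deflate), gzuncompress() reverses gzcompress()
# (zlib-wrapped), gzdecode() reverses gzencode() (gzip-wrapped).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),
    "gzuncompress": lambda d: zlib.decompress(d, 15),
    "gzdecode": lambda d: zlib.decompress(d, 31),
}

# Loader shape assumed here: eval(<decoder>(<decoder>(...('<literal>')))), i.e.
# any nesting of the functions above around one quoted string literal.
LOADER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress|gzdecode)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)


def unpack_loader(php_source: str):
    """Return (payload, chain) for the first packed loader found, else None.

    chain lists decoder names outermost-first, as written in the loader."""
    match = LOADER_RE.search(php_source)
    if match is None:
        return None
    chain = [n.lower() for n in re.findall(r"[A-Za-z0-9_]+", match.group(1))]
    data = match.group(2).encode("ascii")
    for name in reversed(chain):  # PHP evaluates the innermost call first
        data = DECODERS[name](data)  # zlib.error / binascii.Error mean a broken layer
    return data, chain


def looks_like_b374k(payload: bytes) -> bool:
    """Marker check used by this example: the constructed sample body carries the name."""
    return b"b374k" in payload.lower()


# Constructed sample: a harmless stand-in for a shell body, wrapped the way the
# packer's options describe (base64, then gzdeflate, then base64 again so the
# binary stream fits inside a PHP string literal).
SAMPLE_BODY = b"<?php /* constructed stand-in for a packed shell body */ echo 'b374k'; ?>"
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
_packed = base64.b64encode(_c.compress(base64.b64encode(SAMPLE_BODY)) + _c.flush())
SAMPLE_FILE = "<?php eval(base64_decode(gzinflate(base64_decode('%s')))); ?>" % _packed.decode()
```

Running `unpack_loader(SAMPLE_FILE)` yields the chain `base64_decode -> gzinflate -> base64_decode` and the original body, which is the kind of static unwrapping a scanner can do without ever executing the file.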

[Screenshot: interface for b374k packer]

These types of malicious scripts can be planted anywhere within a website’s environment, so the best way to mitigate the threat is to prevent unauthorized access to your website in the first place. Practice strong password security principles and use a firewall to protect your passwords from brute force attacks.

Categories: Sucuri Labs, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites, Labs Note, Malware Dropper

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
