Unmasking Trojan.PHP.Webshell.Obfuscated, Backdoor.WordPress.FakePlugin.Injector, Exploit.Kit.CloudflareMimic.PowerShell, and Webshell.Priv8Uploader.Persistence in Website Attacks
July 28, 2025

Issue Reported
During routine monitoring, we detected anomalous behavior on a WordPress site, including unexpected redirects to fake security verification pages, unauthorized file upload forms in the interface, and server resource spikes. Logs revealed persistent unauthorized access attempts, with modified files in key directories like wp-content/plugins. The infection caused temporary site instability, but no confirmed data loss was observed. This triggered a forensic investigation to identify the root cause and mitigate risks.
Malware Type
The malware primarily consisted of PHP webshells, flagged as trojans (e.g., trojan.webshell, trojan.php.agent) by scanners like VirusTotal. These enabled remote server control, file uploads, and command execution. Obfuscated JavaScript injections in theme files facilitated client-side attacks, while a rogue plugin supported authentication bypass and Remote File Inclusion (RFI). A fake CAPTCHA page aimed to trick users into running PowerShell scripts. This multi-vector attack combined server-side exploits with social engineering, indicative of a targeted campaign for persistence and escalation.
Code Breakdown and Decoding
The malicious code was primarily PHP-based, using layered obfuscation (base64, str_rot13, gzinflate) within eval() statements to evade detection. Core files like index.php and wp-config.php contained injected backdoors triggered by specific query parameters. For example, files like hehe.php or xx.php used error suppression (@ operator) and session_start() for persistence. A typical pattern:
- Base64 decoding revealed compressed data.
- str_rot13 adjusted character offsets.
- gzinflate expanded to executable PHP, e.g., system($_GET['cmd']) for command execution.
These scripts enabled file uploads, directory traversal, and server enumeration. JavaScript injections in header.php and functions.php loaded external scripts from suspicious domains, potentially for data exfiltration.
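The following Python unwrapper is an added example (not code recovered from the incident or from any tool named on the page): it statically peels the base64 / str_rot13 / gzinflate layering described above without executing PHP, reports the wrapper order per layer, and flags request-driven execution sinks such as system($_GET['cmd']). The function names and the build_sample fixture are constructed for illustration.

```python
import base64
import codecs
import re
import zlib

# Inverse of each wrapper layer described on the page; applied innermost-first.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
}
# Matches @eval(gzinflate(str_rot13(base64_decode('...')))) in any order/depth of wrappers.
CHAIN = re.compile(
    r"@?eval\s*\(\s*((?:(?:base64_decode|str_rot13|gzinflate)\s*\(\s*)+)['\"]([^'\"]+)['\"]"
)
# Command-execution sinks fed straight from request input, e.g. system($_GET['cmd']).
SINKS = re.compile(r"\b(?:system|exec|shell_exec|passthru|eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)")

def decode_chain(source, max_layers=10):
    """Statically peel eval() wrapper layers without running PHP.
    Returns (innermost plaintext, list of wrapper names per layer, outer to inner)."""
    layers = []
    current = source
    for _ in range(max_layers):
        match = CHAIN.search(current)
        if not match:
            break
        wrappers = re.findall(r"base64_decode|str_rot13|gzinflate", match.group(1))
        data = match.group(2)
        for name in reversed(wrappers):  # PHP evaluates the innermost call first
            data = DECODERS[name](data)
        layers.append(wrappers)
        current = data  # the decoded text may itself be another eval() chain
    return current, layers

def find_sinks(php):
    """Return every dangerous sink that takes request input directly."""
    return [m.group(0) for m in SINKS.finditer(php)]

def build_sample(plain):
    """Constructed test fixture: gzdeflate -> str_rot13 -> base64 wrapped in @eval(),
    the same layering the recovered files used."""
    comp = zlib.compressobj(wbits=-15)
    deflated = (comp.compress(plain.encode("latin-1")) + comp.flush()).decode("latin-1")
    rotated = codecs.encode(deflated, "rot13")
    encoded = base64.b64encode(rotated.encode("latin-1")).decode("ascii")
    return "<?php @eval(gzinflate(str_rot13(base64_decode('%s')))); ?>" % encoded
```

Running decode_chain over a suspect file and then find_sinks over the result gives a triage verdict without ever evaluating the payload; nested chains are unwrapped layer by layer up to max_layers.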
Malware Behavior / Actions
Below is a detailed breakdown of the malware’s behavior and impact on the compromised server:
5.1 Web Shells and Remote Command Execution
Purpose: Webshells provided remote server control via a web interface.
Files: Examples include add.php, hehe.php, radio.php, xx.php, wp-editor.php.
Actions:
- Command Execution: Used PHP functions (exec(), system(), shell_exec()) to run system commands like ls or whoami.
- File Management: Enabled uploading, deleting, renaming, and permission changes (chmod()) to escalate privileges.
- Directory Traversal: Navigated the filesystem to access sensitive files (e.g., /etc/named.conf).
- Persistent Backdoors: Uploaded additional malicious scripts to maintain access.
5.2 Persistence Mechanisms
File Creation: Scripts like add.php created directories (e.g., xl, lm) with base64-encoded payloads.
Encoded Payloads: Base64 hid malicious code, evading security scanners.
Re-entry: Encoded files (e.g., xl/index.php) ensured persistence post-cleanup.
5.3 Malicious File Uploaders
Uploaders: Files like up.php and xx.php facilitated arbitrary file uploads.
Features: Enabled execution of uploaded PHP webshells or backdoors for ongoing control.
5.4 Phishing and Spam Operations
Email Spamming: Files like lf.php acted as mailers for phishing campaigns.
- Email Harvesting: Extracted addresses for targeted phishing.
- Email Injection: Used local or SMTP servers to send malicious emails.
- Bypass Filters: Checked for blacklisted IPs and used MD5 hashes to evade anti-spam systems.
5.5 Sensitive Information Gathering
Server Enumeration: Files like hehe.php gathered PHP version, OS, and storage details.
- Disabled Functions: Checked for restricted functions (e.g., mail(), curl_version()) to tailor exploits.
- Config Files: Modified .htaccess and wp-config.php to manipulate settings or escalate privileges.
5.6 File and Permissions Manipulation
Permissions: Changed file/directory permissions via chmod() for unrestricted access.
Obfuscation: Used base64 and hexadecimal encoding to hide functionality from scanners.
5.7 Exploitation of Vulnerabilities
PHP Exploits: Targeted outdated libraries like PHPMailer for remote code execution.
Plugin Attacks: Modified plugins (e.g., jetpack, wordfence) to disable security or maintain access.
5.8 Additional Backdoors and Administrative Users
Admin Users: Created unauthorized WordPress admin accounts for full site control, enabling settings changes or code injection.
5.9 Security Evasion and Anti-Detection
Error Suppression: Used @ operator to hide errors.
Session Management: Maintained sessions via session_start() for persistent operations.
Result
Post-cleanup, the site was restored with no residual issues. No sensitive data was compromised, and performance stabilized. Logs showed no further unauthorized access. The incident highlighted the need for strict upload validation and regular updates, now implemented to prevent recurrence.