Tags: php, wordpress, security, malware

Backdoor:PHP/webshell Malware


I have this website which I want to replace because it's outdated; we made a new website. But as always, before uploading the new website to the live environment I make a backup of the current live website. While I was downloading the WordPress installation my Windows Defender popped up with the following message. Malware found:

Backdoor:PHP/webshell

What exactly is this? Is it dangerous for my computer, or is it a backdoor for the website? How did this happen? Anything would be really helpful on this matter. Should I run a scan on my whole computer?

Thanks in advance.


Solution

  • Backdoor:PHP/WebShell.A drops the following files:

    <root folder>/tmp/bp.pl - used to listen for shell commands
    <root folder>/tmp/bc.pl - used to send shell commands

    Sends email

    Backdoor:PHP/WebShell.A sends an email that contains your IP address and reports its installation to the Yahoo! account "freedom20900".

    Allows backdoor access and control

    Backdoor:PHP/WebShell.A can give malicious hackers access to perform the following actions:

    • Archive or extract files
    • Brute-force logins for FTP, MySQL, pgsql
    • Create or delete folders
    • Download files
    • Encode or decode files
    • Open a bash shell command, which allows the remote attacker to execute remote commands
    • Open files
    • Rename files
    • Run SQL commands
    • Search folders
    • Show active connections
    • Show computers the infected computer had access to
    • Show running services
    • Show user accounts
    • Show IP configuration

    Connects to certain servers

    Backdoor:PHP/WebShell.A connects to the following servers for the purpose of receiving arbitrary information, sent by a malicious hacker, about your PC:

    • crackfor.me
    • hashcracking.info
    • hashcracking.ru
    • md5.rednoize.com
    • www.hashcrack.com
    • www.md5decrypter.com
    • www.milw0rm.com

    In normal terms

    Your site has been hacked and perhaps been manipulated in a way that will be a risk if you try to use it. Do not use this source; remove / delete it from your machine. I would suggest doing a major browse / scan for any more potential viruses and changing your user information such as passwords and emails on the server (since they may know these by now).

    Reference: https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/WebShell.A
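The answer above lists the files this family drops and the hosts it contacts, and recommends scanning the backup before anything is reused. The script below is an added example, not part of the question or the answer, that does that triage offline: it walks a downloaded web root, checks for the dropped-file paths and the contact hosts named in the encyclopedia entry, and flags PHP files that call shell-execution functions or eval decoded data. The regular expressions are generic webshell heuristics assumed here, not indicators from the post, and the sample backup it builds is constructed for the demo.

```python
"""Triage a WordPress backup directory for webshell indicators.

Added example (not from the original post). The dropped-file paths and
host names come from the quoted Microsoft write-up; the regex heuristics
are generic assumptions about what webshell PHP tends to contain.
"""
import re
import tempfile
from pathlib import Path

# Dropped-file paths named in the encyclopedia entry, relative to the web root.
DROPPED_FILES = ("tmp/bp.pl", "tmp/bc.pl")

# Hosts the entry says the backdoor contacts; a PHP file that mentions one
# of them is a strong indicator for this family.
KNOWN_HOSTS = (
    "crackfor.me", "hashcracking.info", "hashcracking.ru", "md5.rednoize.com",
    "www.hashcrack.com", "www.md5decrypter.com", "www.milw0rm.com",
)

# Generic heuristics (assumption, not from the post): PHP that runs shell
# commands or evals decoded/attacker-supplied data deserves manual review.
SUSPICIOUS_PATTERNS = {
    "shell-exec": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I),
    "eval-decoded": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "request-to-eval": re.compile(
        r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}

PHP_SUFFIXES = (".php", ".phtml", ".inc")


def scan_backup(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    root = Path(root)
    findings = set()
    # 1. Exact dropped-file paths from the write-up.
    for rel in DROPPED_FILES:
        if (root / rel).is_file():
            findings.add((rel, "dropped-file"))
    # 2. Content checks over every PHP source file in the tree.
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for host in KNOWN_HOSTS:
            if host in text:
                findings.add((rel, f"known-host:{host}"))
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.add((rel, name))
    return sorted(findings)


def build_sample_backup():
    """Create a throwaway directory of constructed sample files for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wp-backup-"))
    (root / "wp-content" / "themes" / "x").mkdir(parents=True)
    (root / "tmp").mkdir()
    # Clean theme file: ordinary WordPress-style PHP, must not be flagged.
    (root / "wp-content" / "themes" / "x" / "functions.php").write_text(
        "<?php\nadd_action('init', function () { return get_option('blogname'); });\n")
    # Constructed fixture matching the eval-decoded heuristic.
    (root / "wp-content" / "uploads.php").write_text(
        "<?php\n@eval(base64_decode($_POST['c']));\n")
    # Constructed fixture that names a known host and calls system().
    (root / "wp-content" / "x.php").write_text(
        "<?php\n$u = 'http://md5.rednoize.com/?q=' . $h;\nsystem($cmd);\n")
    # Dropped-file path from the write-up; its content is irrelevant here.
    (root / "tmp" / "bp.pl").write_text("#!/usr/bin/perl\n")
    return root


if __name__ == "__main__":
    demo = build_sample_backup()
    for rel, reason in scan_backup(demo):
        print(f"{reason:30} {rel}")
```

Run it against the unpacked backup (`scan_backup("/path/to/backup")`) before restoring anything. A hit on `dropped-file` or `known-host` is specific to this family; the heuristic hits are only a review list, since legitimate plugins occasionally call `exec` or `system`, so open each flagged file and compare it with a clean copy of the plugin or theme from its official source.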