I published the following diary on isc.sans.org: “Another webshell, another backdoor!“.
I’m still busy following how webshells are evolving… I recently found another backdoor in another webshell called “cor0.id”. The best place to find webshells remains pastebin.com. When I’m testing a webshell, I copy it to a VM located on a “wild Internet” VLAN in my home lab with, amongst other controls, full packet capture enabled. This way, I can spot immediately if the VM is trying to “phone home” to some external hosts. This was the case this time! [Read more]