SANS ISC

[SANS ISC] Another webshell, another backdoor!

I published the following diary on isc.sans.org: “Another webshell, another backdoor!“.

I’m still busy to follow how webshells are evolving… I recently found another backdoor in another webshell called “cor0.id”. The best place to find webshells remind pastebin.com[1]. When I’m testing a webshell, I copy it in a VM located on a “wild Internet” VLAN in my home lab with, amongst other controls, full packet capture enabled. This way, I can spot immediately is the VM is trying to “phone home” to some external hosts. This was the case this time! [Read more]

 

3 comments

  1. Interesting read. I’m using the fuzzy command from the Viper framework for this purpose (based on ssdeep)
    Example:

    Webshells viper sZY0idJH.php > fuzzy
    [*] 2 relevant matches found
    +——-+————–+——————————————————————+
    | Score | Name | SHA256 |
    +——-+————–+——————————————————————+
    | 99% | xNqNpLkP.php | f5a967bf43068c3d34cbbe0a3e16fe33c634b0bbdb0da284b5952d8696f21cac |
    | 97% | kiFHSP2j.php | cf11418cf32b7be0b2f16887f9aa56498f6aec2d743867818f1a45e474dac853 |
    +——-+————–+——————————————————————+

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.