The IndoXploit PHP web shell provides remote access that allows other files and content to be uploaded to a compromised web server. File upload is only one feature of this toolset. The developers of the code appear to be based in Indonesia and specialize in PHP hacks.
- The malicious user exploits an attack vector, such as outdated software or a misconfigured server, to install the web shell.
- The malicious user interacts with the web shell, which allows the attacker to upload other files and content to the compromised web server.
- The web shell returns a status indicating whether the upload attempt succeeded or failed.
The web shell must have been uploaded to the victim via a file upload vulnerability or other vector.
This PHP web shell provides remote access that allows other files and content to be uploaded to a compromised web server. It appears to be a small part of the IndoXploit shell suite of tools used to compromise Content Management Systems running LAMP stacks. File upload is only one feature of this toolset.
Other parts of the toolset not seen in this code include OS commanding, mass defacement, searching for configuration files, jumping to different user accounts, cracking cPanel passwords, grabbing SMTP logins, automatically submitting the defaced site to Zone-H, adding or editing usernames on various CMSs, and more.
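As an added defensive illustration (not part of the original advisory and not IndoXploit's own code), the heuristic below scans PHP sources for the combination this advisory describes: upload handling driven by request parameters, paired with code execution or payload decoding. The indicator patterns and the two sample files are constructed assumptions for this example, not IndoXploit signatures.

```python
import re
from typing import Dict, List

# Generic PHP traits of an upload-capable web shell (assumed indicators,
# not IndoXploit-specific signatures).
INDICATORS: Dict[str, str] = {
    "file_upload": r"move_uploaded_file\s*\(|\$_FILES\b",
    "request_input": r"\$_(POST|GET|REQUEST)\b",
    "code_exec": r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    "obfuscation": r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    "auth_gate": r"md5\s*\(\s*\$_(POST|GET|COOKIE)",
}

def score_php(source: str) -> Dict[str, object]:
    """Return the indicators that fire and a simple risk score for one PHP file."""
    hits: List[str] = [name for name, pat in INDICATORS.items() if re.search(pat, source)]
    score = len(hits)
    # An upload handler that also executes code or decodes payloads is the
    # combination a defender cares about, so it is weighted higher.
    if "file_upload" in hits and ("code_exec" in hits or "obfuscation" in hits):
        score += 2
    return {"hits": hits, "score": score, "suspicious": score >= 3}

def scan_all(files: Dict[str, str]) -> List[str]:
    """Return the paths (from a path -> source mapping) that look like web shells."""
    return [path for path, src in files.items() if score_php(src)["suspicious"]]

# Constructed sample: a legitimate avatar upload handler (fires one indicator only).
BENIGN_UPLOAD = """<?php
if (isset($_FILES['avatar']) && $_FILES['avatar']['type'] === 'image/png') {
    move_uploaded_file($_FILES['avatar']['tmp_name'], '/var/www/uploads/' . basename($_FILES['avatar']['name']));
}
"""

# Constructed sample with the traits the advisory describes: password gate,
# request-controlled upload destination, success/fail status, decoded eval.
SHELL_LIKE = """<?php
if (md5($_POST['pass']) !== 'placeholder-hash') { die(); }
if (isset($_FILES['f'])) { echo move_uploaded_file($_FILES['f']['tmp_name'], $_POST['dst']) ? 'ok' : 'fail'; }
eval(base64_decode($_POST['c']));
"""

if __name__ == "__main__":
    for path, src in {"avatar.php": BENIGN_UPLOAD, "x.php": SHELL_LIKE}.items():
        print(path, score_php(src))
```

In practice the scan would be run over the document root and compared against a known-good file inventory, with any flagged file reviewed by hand before removal.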
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Customers are advised to activate internal remediation for malware or web shell infections.