This known malicious web shell is the first stage of an attack that later uploads and installs second-stage malware on the compromised web server. When executed, the web shell makes up to three requests to download malicious content from a hosting service.
- The attacker successfully uploads the PHP web shell via HTTP POST to a server that is vulnerable to arbitrary file upload.
- The attacker accesses and executes the PHP web shell with an HTTP GET request.
- The web shell sends an HTTP GET request to download the second stage from the hosting service, then attempts to install it on the server file system.
- The server responds to the attacker with an HTTP 200 OK containing text that indicates success or failure.
The attacker must be able to inject the malicious code onto the web server through another vulnerability or exploit.
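As an added detection example (not part of the advisory and not one of Alert Logic's signatures), the following Python script correlates the first two steps above in web server access logs: a POST from a client followed, within a short window, by a successful GET to a previously unseen .php path. The log lines, client addresses and paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined (Apache/Nginx style) access log format; sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2100
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "POST /upload.php HTTP/1.1" 200 12
203.0.113.5 - - [10/Mar/2024:12:00:15 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 48
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5300
198.51.100.7 - - [10/Mar/2024:12:01:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2100
""".splitlines()

def parse(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Return (ip, path) pairs where a client POSTs (a possible upload) and then,
    within `window`, GETs a .php path that the log has never served before.
    Mirrors steps 1 and 2 of the advisory: upload via POST, execute via GET.
    In production the 'never served before' set should be seeded from historical logs."""
    seen_paths = set()
    last_post = {}  # client ip -> timestamp of its most recent POST
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        if rec["method"] == "POST":
            last_post[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and rec["path"].lower().endswith(".php"):
            first_time = rec["path"] not in seen_paths
            recent_post = rec["ip"] in last_post and rec["ts"] - last_post[rec["ip"]] <= window
            if first_time and recent_post and rec["status"] == "200":
                hits.append((rec["ip"], rec["path"]))
        seen_paths.add(rec["path"])
    return hits

if __name__ == "__main__":
    for ip, path in find_upload_then_execute(SAMPLE_LOG):
        print(f"possible web shell execution: {ip} -> {path}")
```

Only the client that uploads and then calls the new .php file is flagged; normal visitors hitting existing WordPress pages are not.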
A PHP web shell was discovered using a common format as the first stage of post-compromise activity. Multiple campaigns and actors appear to be using this shell for various purposes, such as staging the download of further web shells or simple defacement. Among the samples, WordPress appears to be targeted in some attempts with this shell.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures to mitigate the threat, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures to detect this exploit via Alert Logic Threat Manager™. If the signature is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade the affected software to a non-vulnerable version to mitigate this vulnerability.