explore a Wordpress PHP BACKDOOR webshell

  • Published 1 Dec 2022
  • Learn even more malware analysis with 0ffset's Zero2Auto training! j-h.io/z2a And pre-register for their updated Beginner course! j-h.io/z2a-beginner
    Help the channel grow with a Like, Comment, & Subscribe!
    ❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
    Check out the affiliates below for more free or discounted learning!
    🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
    💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
    🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
    ⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
    👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
    📗Humble Bundle ➡ j-h.io/humblebundle
    🐶Snyk ➡ j-h.io/snyk
    🤹‍♀️SkillShare ➡ j-h.io/skillshare
    🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
    📧Contact me! (I may be very slow to respond or completely unable to)
    🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
    🚩 CTF Hosting Requests ➡ j-h.io/ctf
    🎤 Speaking Requests ➡ j-h.io/speaking
    💥 Malware Submission ➡ j-h.io/malware
    ❓ Everything Else ➡ j-h.io/etc

COMMENTS • 112

  • @sumurai8
    @sumurai8 1 year ago +114

    Hello Dolly is included in Wordpress by default. It's actually a pretty nice way to hide code, as a lot of people will not delete the default plugins... I suppose it is a way to remotely execute code on every website as an admin. The stuff in the worker file is possibly to delete competing webshells, then probably to read base64 code from the wp_options table and execute it.

    • @Xewl
      @Xewl 1 year ago +13

      A decent security plugin will check the hash of the plugin files to note changed files
      A decent developer removes those plugins altogether, they're bloat.

    • @OneOfThePetes
      @OneOfThePetes 1 year ago +1

      I was just about to write this.

    • @januzi2
      @januzi2 1 year ago +5

      A few weeks ago I deleted a webshell from the dolly plugin. The operator of that webshell also uploaded a fake template with some more code. He forgot to attach the screenshot to that fake template.

    • @logiciananimal
      @logiciananimal 1 year ago

      So in this case it has been repurposed into a trojan, rather than just being one by itself (my guess). Good to know!

    • @Dooglet
      @Dooglet 1 year ago +2

      @@Xewl someone ordered the bloat? *laughs in node modules*
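One way to implement the file-hash check @Xewl describes, as an added example that is not code from the video or from any commenter: it hashes every file under a plugin directory, compares the result with a manifest taken from a clean install, and reports what was added, removed or modified. The plugin contents and the dropped file name below are constructed; the only real path assumed is wp-content/plugins/hello.php, where the stock Hello Dolly plugin lives.

```python
"""Baseline integrity check for a WordPress plugin directory (added example, not
from the video): hash every file, compare with a clean-install manifest, report
the differences."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large plugin assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished or changed since the trusted baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed scenario: clean stock plugin, then code appended and a file dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        hello = plugins / "hello.php"          # path of the stock Hello Dolly plugin
        hello.write_text("<?php\n// constructed stand-in for the unmodified plugin\n")
        baseline = build_manifest(plugins)     # in practice: built from a clean install
        hello.write_text(hello.read_text() + "// constructed marker for appended code\n")
        (plugins / "worker.php").write_text("<?php // constructed dropped file\n")
        return diff_manifest(baseline, build_manifest(plugins))


if __name__ == "__main__":
    print(demo())
```

The baseline has to come from a source you trust (a fresh download of the same plugin version), not from the possibly compromised site itself.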

  • @gregsayshi
    @gregsayshi 1 year ago +1

    Finally! A walkthrough for the rest of us. Your practical insight per minute spent is bar none. Well done man. Been searching for a long time for something like this👏👏

  • @metavore7790
    @metavore7790 1 year ago +7

    That was fun! The rabbit holes had rabbit holes. Kudos to you, and I'm patting myself on the back for being able to follow all of that. Study and practice pay off!

  • @IrdinataWijayanto
    @IrdinataWijayanto 1 year ago +4

    I literally smiled at 4:08 and thanks, I really learn a lot from you sir, it's all a big chunk of knowledge that you share. It took me a lot of time to understand a single video since I always try to look around and google anything that I don't know from what you've said. This is another great video.

  • @tubehelpr
    @tubehelpr 1 year ago +2

    I love these types of videos - just going through the crazy. Thanks John.

  • @imranthoufeeque165
    @imranthoufeeque165 1 year ago +1

    Advanced congratulations on reaching half a million family members.... You are the best john....💗

  • @ThereWillBeCake
    @ThereWillBeCake 1 year ago

    Great sponsor on this video man. Something I will deff look into after my current cert path. Cheers for the video.

  • @jeanramos8253
    @jeanramos8253 1 year ago

    Hey John, today at work I noticed an event that I followed up on, and I found a similar webshell. I was able to revert a part, but I watched your video again and used one of the techniques you showed and I was able to revert all of its code. Thank you very much for these videos 🤜🏻🤛🏻 ✌🏻

  • @januzi2
    @januzi2 1 year ago +5

    Finally, a wordpress shell. Can't wait to see what it does.

  • @KoromaTech
    @KoromaTech 1 year ago

    That "Tripped over" comment got me laughing. 😂 Just so you know, I'm constantly tripping over your channel. Thanks for all you do. 🙏🏽

  • @pinobeppo9287
    @pinobeppo9287 1 year ago +25

    Hi, great video. Could it be that the array in "worker.php" at 32:11 is a set of code snippets used in the "Fast()" function at 16:35 in "stage2_modified.php" to remove "competing" webshells? Would be pretty neat! 😀 My second wild guess is that the Paranoid function does a wider RE based search, but just warns the user instead of automatically deleting files.

  • @Jennn
    @Jennn 1 year ago

    I love everything about this video's thumbnail, especially the T-shirt John is wearing XD

  • @robconnor2013
    @robconnor2013 1 year ago

    Dude, this was such an intriguing video! 👍

  • @Counterhackingsafe
    @Counterhackingsafe 1 year ago +1

    This video is a must-see for anyone interested in exploring Wordpress PHP backdoors and webshells. JohnHammond does an excellent job of breaking down the concepts and explaining them in a clear and concise way. Thank You!

  • @user-qt3bd3mx4h
    @user-qt3bd3mx4h 1 year ago +1

    Always great content

  • @ronanru
    @ronanru 1 year ago

    love these deobfuscation vids

  • @liudvikasstankus
    @liudvikasstankus 1 year ago

    Thanks. This was super interesting.

  • @faker-scambait
    @faker-scambait 1 year ago +1

    Nice one John great video

  • @visualmodo
    @visualmodo 1 year ago

    Truly good work!

  • @eyephpmyadmin6988
    @eyephpmyadmin6988 1 year ago +1

    Love this, please do a video using AFL to find an exploit and then get code execution. I can't find a good video at all and I'm really wanting something simple that I can follow along with; I learn from being hands on.

  • @SomeUniqueHandle
    @SomeUniqueHandle 1 year ago +2

    32:35 (line 59) includes a reference to "Leaf PHP Mailer" which is a legit mailer script but it can be loaded on to people's sites to send tons of spam. The code at 32:54 might be the email payload for the Leaf PHP Mailer. You can see things like "SUBJECT", "AMAZON|ADOBE|AZURE" and "BILLING|LOGIN" close together so I'd guess it's creating messages with subject lines stating either Amazon, Adobe or Azure plus Billing or Login, so it could be phishing spam. (On a side note, I want to copy your, "This is a disaster" and use it as my ringtone for work calls.)

  • @YT_Watcher
    @YT_Watcher 1 year ago +2

    I had many of these on my WordPress ❤️

  • @joshw3539
    @joshw3539 11 days ago

    You are my “IT Seth Rogan” !

  • @LegendSpam
    @LegendSpam 1 year ago +2

    Ok I need this

  • @sudoer92
    @sudoer92 1 year ago

    you are the best💯

  • @joshuaterrill3089
    @joshuaterrill3089 1 year ago +2

    One of my friends had this happen to several sites, and didn't have good backups. It took me several hours last night to write scripts to go through and clean up all the files. It makes updates to .htaccess files, prepends all index.php files, etc. so writing a bash script was tedious

  • @user-ds5ty8mk4j
    @user-ds5ty8mk4j 1 year ago +1

    you are the best

  • @gotdamnsoup2727
    @gotdamnsoup2727 1 year ago

    The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon:

  • @Zed0086
    @Zed0086 1 year ago +1

    My man!

  • @Lambda.Function
    @Lambda.Function 1 year ago

    How easy it is to pop web shells is why every web developer needs to take things like OWASP and security training seriously. About 20 years ago, it was common to see websites that had an image upload feature for community images. A lot of these were using PHP because there was commonly available code that did it for you, except the built-in filename handling logic in PHP didn't handle null bytes in filenames correctly (e.g. it would consider screenshot.jpg\0.php just screenshot.jpg). Coupled with the fact that these files were just casually placed inside a web root somewhere meant with a clever file name you could toss a PHP web shell out and own any of these servers.

  • @coolestguy94
    @coolestguy94 1 year ago

    Awesome!

  • @DefconUnicorn
    @DefconUnicorn 1 year ago +1

    When I attempted to CURL some of the URLs and got redirects, it occurred to me that they are already using user agent detection and that may be implemented on these URLs as well. @40:00

  • @peterwestin1874
    @peterwestin1874 1 year ago

    Nice analysis and actually impressive code. I'd like to know who made it. Of course, awful when used with criminal intent but fun to play around with for white hats ❤

  • @LostInTheRush
    @LostInTheRush 1 year ago +1

    The Hello Dolly plugin is included by default in WordPress for some reason.

  • @seif9923
    @seif9923 1 year ago

    I was doing a lot of research about this topic just yesterday.

  • @mradamdavies
    @mradamdavies 1 year ago +10

    I'd like to have the source to play with myself. I am a PHP dev. Edit: wow, at around 33:00 he references the b374k shell... that's about 8 years old!

  • @Boolap1337
    @Boolap1337 1 year ago

    It's time for some 4k videos John! :)

  • @dxnxz53
    @dxnxz53 1 year ago

    I'd love to see it in action :D

  • @skull_cyber
    @skull_cyber 1 year ago

    How do I send you malware? I found files named upl.php and index.php on Linux servers. I need help because I want to know where they are coming from.

  • @fakeacount1479
    @fakeacount1479 1 year ago +7

    hey john, i watched your malware analysis videos but they're so complex ...
    can you make a video about simple malware for beginners

    • @Optable
      @Optable 1 year ago

      Network Chuck, Black Hat keynotes on YT, w3, and PC Security Channel all have great beginner content or advanced topics explained in simple to understand terms. I think John does a great job for entry level to intermediate, but may be hard to understand sometimes if you're a total beginner. Check them out.

  • @jeoi
    @jeoi 1 year ago +1

    Have You Never Heard About Internet Archive (The WayBack Machine)? 😅

  • @AndyMyers
    @AndyMyers 1 year ago

    Look up Fishpig Magento 2 supply chain attack.

  • @fredrikeliasson5875
    @fredrikeliasson5875 1 year ago

    8:34 - I am not any good at coding, but why is the malware trying to switch sperms on line 24 in stage2_modified.php? 🧐

  • @lavavex
    @lavavex 1 year ago +1

    Keep sending me malware is not something you hear everyday lol 😂

  • @couldbejake
    @couldbejake 1 year ago

    Would have been cool if you showed us the interface

  • @Spelter
    @Spelter 1 year ago

    Man, stopping mid deciphering was a bummer. The Take-Yourprizes URL had Shellcode it seems. When you curled it, we saw something. But the URL is down it seems, I get nothing anymore. Now, we will never know how deep this rabbit hole was.

  • @bluesquare23
    @bluesquare23 1 year ago +3

    Spin up a little php server and open that file up in a web browser! Show us what it looks like! Just turn off networking on the VM first. Also snip out that check for that hash so the page loads. It's probably got a sorta cool looking interface!

  • @kerhabplays
    @kerhabplays 1 year ago

    Ok.. I'll follow you on Twitter

  • @Operaatoors
    @Operaatoors 1 year ago

    How did this cpl.php end up on some of their servers? Was it uploaded via some form, and the attacker tried to execute it somehow, but hopefully failed? And just left a trace of this junk file on the server?

    • @Operaatoors
      @Operaatoors 1 year ago

      Yeah, thanks to the gist comment and WordFence, I understood...
      But basically, to protect against this happening, you just should not allow executing PHP files in the uploads folder, I guess.

  • @dr_ned_flanders
    @dr_ned_flanders 1 year ago

    The hello dolly plugin is part of WordPress

    • @jacksoncremean1664
      @jacksoncremean1664 1 year ago

      I'm pretty sure it's included for new wordpress developers to learn about how to develop plugins. it's expected to be removed on a production site.

  • @monkaSisLife
    @monkaSisLife 1 year ago

    Absolute classic. You know these shenanigans if you work in the Industry
    Open a File and see b64? Welp.... your site is probably hacked.
    It's such a pain to clean this shit up

  • @timmyzcorner
    @timmyzcorner 1 year ago

    great video 👍

  • @guilherme5094
    @guilherme5094 1 year ago

    👍

  • @eeledahc
    @eeledahc 1 year ago

    People of the comments inform me. ALL of the random emails that I get with PDFs. I'd like to tear into them and see what's inside. Please suggest a starting point.

  • @konfushon
    @konfushon 1 year ago +2

    Wtf is with the "Hey you won a price" in the comments section
    The malware author looking at this like 👁️👄👁️

  • @ArSiddharth
    @ArSiddharth 1 year ago

    How can I find a bug in a website which is using an old PHP version (a website using php v5 🤩)

    • @lydianlights
      @lydianlights 1 year ago +2

      "how to hack website pls I am script kiddie"

    • @ArSiddharth
      @ArSiddharth 1 year ago

      @@lydianlights sure, ping me.
      i will guide you😊

  • @mevkok
    @mevkok 1 year ago

    I've posted a tool that I created some time ago on your comment section... and it is just for that kind of malware... If you can't find it hit me up and I'll send it to you :) It basically retrieves the actual code and you don't go thru all the steps/stages... for the malware I was creating it it was 20+ stages ... so.... pain in the rear...

  • @alfred.clement
    @alfred.clement 11 months ago

    31:01 It could be a fake 404 to hide a webshell's presence

  • @coffinplayz
    @coffinplayz 1 year ago +1

    Hello santa where is Cyber of Advent day 2 video ?

    • @coffinplayz
      @coffinplayz 1 year ago

      @@axelvirtus2514 i like john hammond video 😌

  • @123norway
    @123norway 1 year ago

    WordPress*

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Biks maga biks ?

  • @thehistoryclass
    @thehistoryclass 1 year ago

    My question is how does the hacker put this shell in the server without access???? That's the only question...who has the answer??

  • @parihar-shashwat
    @parihar-shashwat 1 year ago

    Contact Form 7 is worst in security.

  • @angelg3986
    @angelg3986 1 year ago

    Damnit, my phone listens to my conversations

  • @imdanielmartinez
    @imdanielmartinez 1 year ago

    Good Job hahahaha

  • @zer-kz8mb
    @zer-kz8mb 1 year ago

    RIP VK.

  • @engineerscodes
    @engineerscodes 1 year ago

    Php : No plz No

  • @sonofescobar1337
    @sonofescobar1337 1 year ago

    There's Indonesia in there, guys

  • @beautifulmoon6891
    @beautifulmoon6891 1 year ago +1

    that was an Indonesian hacker

  • @maxbunnies
    @maxbunnies 1 year ago

    $perms

  • @i.n.2899
    @i.n.2899 1 year ago

    first

  • @deancrypto5939
    @deancrypto5939 1 year ago

    please john click on this it is totally not malware and you will totally not get infected coz of this

  • @pantekanda
    @pantekanda 1 year ago

    🤣🤣🤣

  • @robertclark2607
    @robertclark2607 1 year ago

    People use Microsoft, OMG don't they know Linux is the go in 2022 and beyond!

  • @rafageist
    @rafageist 1 year ago

    Wordpress sucks!

  • @timmyzcorner
    @timmyzcorner 1 year ago +4

    at around 30 minutes in, I think the malware was looking for other webshells in the system to maybe remove them? quite confusing

    • @pinobeppo9287
      @pinobeppo9287 1 year ago +1

      Yep, just wrote it too, but you were first! 😀 Totally agree with you.

    • @timmyzcorner
      @timmyzcorner 1 year ago

      @@pinobeppo9287 👍

  • @PR2000
    @PR2000 1 year ago

    I found another one of these things in a website. What's your mail? I'll send you the files

    • @maksymilianlewinski8619
      @maksymilianlewinski8619 1 year ago

      @@PR2000 man that's obviously a scam comment

    • @PR2000
      @PR2000 1 year ago

      @@maksymilianlewinski8619 I know

    • @PR2000
      @PR2000 1 year ago

      @@maksymilianlewinski8619 I only wanted to see if he replies

    • @PR2000
      @PR2000 1 year ago

      @CalebHammer608 Wow. What a cool scam comment. Haha

  • @user-iy6ls2my2g
    @user-iy6ls2my2g 1 year ago

    Does fikker have vulnerabilities??