explore a Wordpress PHP BACKDOOR webshell 

Hello Dolly is included in Wordpress by default. It's actually a pretty nice way to hide code, as a lot of people will not delete the default plugins... I suppose it is a way to remotely execute code on every website as an admin. The stuff in the worker file is possibly to delete competing webshells, then probably to read base64 code from the wp_options table and execute it.

Hi, great video. Could it be that the array in "worker.php" at 32:11 is a set of code snippets used in the ""Fast()" function at 16:35 in "stage2_modified.php" to remove "competing" webshells? Would be pretty neat! 😀 My second wild guess is that the Paranoid function does a wider RE based search, but just warns the user instead of automatically deleting files.

Wtf is with the "Hey you won a price" in the comments section The malware author looking at this like 👁️👄👁️

Have You Never Heard About Internet Archive (The WayBack Machine)? 😅

I'd like to have the source to play with myself. I am a PHP dev. Edit: wow, at around 33:00 he references the b374k shell... that's about 8 years old!

That was fun! The rabbit holes had rabbit holes. Kudos to you, and I'm patting myself on the back for being able to follow all of that. Study and practice pay off!

Finally, a wordpress shell. Can't wait to see what it does.

I literally smile on 4:08 and thanks, I really learn a lot from you sir, its all a big chunk of knowledge that you share. took me a lot of time to understand a single video since I always try to look around and google anything that I don't know from what you've said. this is another great video content

32:35 (line 59) includes a reference to "Leaf PHP Mailer" which is a legit mailer script but it can be loaded on to people's sites to send tons of spam. The code at 32:54 might be the email payload for the Leaf PHP Mailer. You can see things like "SUBJECT", "AMAZON|ADOBE|AZURE" and "BILLING|LOGIN" close together so I'd guess it's creating messages with subject lines stating either Amazon, Adobe or Azure plus Billing or Login, so it could be phishing spam. (On a side note, I want to copy your, "This is a disaster" and use it as my ringtone for work calls.)

One of my friends had this happen to several sites, and didn't have good backups. It took me several hours last night to write scripts to go through and clean up all the files. It makes updates to .htaccess files, prepends all index.php files, etc. so writing a bash script was tedious

I had many of these on my WordPress ❤️

I love these types of videos - just going through the crazy. Thanks John.

at around 30 minutes in, i think the malware was looking for other webshells in the system to maybe remove them? quite confusing

Advanced congratulations on reaching half a million family members.... You are the best john....💗

hey john, i watched the malware analysis videos for you but its so complex ... can you make video about simple malware for begineres

Spin up a little php server and open that file up in a web browser! Show us what it looks like! Just turn off networking on the VM first. Also snip out that check for that hash so the page loads. It's probably got a sorta cool looking interface!

Ok I need this

Keep sending me malware is not something you hear everyday lol 😂

My question is how does the hacker put this shell in the server without access???? That's the only question...who has the answer??

When attempted to CURL some of the URL and got redirects, it occoured to me that they are already using user agent detection and that my be implemented on these urls as well. @40:00

The Hello Dolly plugin is included by default in WordPress for some reason.

Love this, please do a video using AFL to find a exploit then get code execution, I can't find a good video at all and I'm really wanting something simple that I can follow along with, I learn from being hands on

31:01 It could be a fake 404 to hide a webshell's presence

The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon: 0kro5a1299530gehm2g8v34iwb5tj57hjgzz6uenx95y9cp6928na05sms3k8chkmd1rlg38p75nczi9dibejq0wywxdh6dwbz04am7eqdyseuvinwrcyd9gjobgu9t3gb84gpm13sa4oynl9e67rl48q0iry1o5vsc3m8ljvnt84ugqwzv5hy9no4chl4cszt2546x74s03cqddy1coszk79eaupmmvidi6wz806kllixxs280147tgekoj66ne8l2vfcla4h6wtp4k2205xqs30wuzdbqvh7jnbkibrdpri3voqq80kjywgrwjj13ub71j7piis4nxibiv4i0flm0s4z2c8lf91p1qkpcw7txq24tijtt0fwdh5la9bm9y42t1uc33qlkltwshulaigr3bz2qk5zx5phoyyrvq9sos464jiq2702jfzf84xbwi8232jcj8kuzu1tvb61gu2qp8i1xjlsq56a8bnbiytjdvtn7p1kq5qknn4nksgxuvpyluk2zn4zg9oeptsx06gpf48h4ysned0d0na5mbjtlgejp9vv4psuiheg6695n9r6e10sbms56hebre76qamua32dfrdzueizhtnkfwke0wfwsr0tfrmeyixa09s5remtc4ikn3ciqirljgb87zl06l1kx5p92camrbykzjwyf3see3lvyd1upjkfkxfde0vxmiogf01dkdemypcep6m4g9i849kixc7vo1jc7th38s5uuyfd4v8mt5eo3v3o01ckaq6c62ixyac7c41ut2waohwmn6tgr8xkr71qbt3jqr0n55226n9hzgzeqe95epg34do2zhwwlm60ynqb7wjmnkym3adufrlqah35olcg4bvtgdbfof4tk8fiz1fi9hntdbrj3vh2ys5m5ffot0rkuz6jagwvvjja431025mwe1d8ps8ecm7xwkzttj52zgs55satbzg4k72ral9dkj9rzhhcyqmdte3qcll5ylwy804p7nvxxrfuvpy3s92eg6wluzv14j1tiseeiup66ckngfdudds934zx92myrag51o7vmawtu22nmxy0hd9dv6fth2pkb9ikchssardg49eyd0540op2a0xquuncdkkp57wit9gk1hn3w8rles6eyn33mnd87c39zhp49p01dcj9wr11ftnlf2uq2pgce7m866n1ayh8j8mlv3mrjjufk6hju3lebsfv5br6hehmuod5gqp3m9non8zsozbf45dooyugm0446vgihsbgmlazpfe3zyih7puts0utca1wdhcysixrx2dy7ctmjy8gzvq9frwrh0zhbw0w9c4cepwdyqvvhsq1imzzl9g5to012a8caek3x6c2ghxlrfeizz6ik9d4dy54m7mdzmkshuwv7cpe2awogc2jmxiqnvvq95lqo7t23qm9rjqmf277k2chjel98e9o2mrk5qmj6xp8qcat2b1eir4oqh4iojy33yvb8vcdacmb1nrhil8t9glnr7r5e875ycih3xk9sqf0u0zcfb12zbvr5ug4vh3cb6c6yx1ndtu931in73dfvcsiyzlebdorrmnqd12wsrrvydswk06nwpm6x2of9fypnla0n1vlblg3412xoyu17fxh55dlfs3a4n0ujy1z612hmeetqxsdz5kat70ylndwik34anufi91o4h5tlqw2andp26yv602feg2u2upreyu0rh5ed1m5utu1ne10fge535eacgtl6v7sskkhdzc4o7sttiwin72kxdpljflr9ym9w9bf3njoasqipumcfx7eukdcdj3fqww4um9mk8cho1ml5al9nejbfk8flyd4m383tq5lzmjgwzicqsnkhj8jwr59rc0jvym5ss7u6e3bu99x000sfbs6bwqcsglzky69k974ijd5lvlj3a4o10rp0w9np3syhp1zk5wnu85x78fjngfxem2cy6arqo5ypt7nvj1thodusp4wntjjt4hsf3nuya82sfyuwopozezqw0fzectg88f1i4irfrpb8y8i53rq78vr34ued4j5su3y80yb9lsqwpc5frtvbsip16qcq7g42bmmc2mwwf1inz4r06d6uhgc0r8fgwhqgujd6hm8759q8c3u6etqvkbhnlmp410c9sjzsyjmtmangrlwpibes9ca8ezz61qcyrvlra33nuerb4igtbpy2nex98w1qqzzooml94c1cvmb300kfb6y4v0pk8uvshpuppu5lj2vpcptnuyubaroid4eievyduwjzzecnc8ew4ixzu9fsanff39fp6kza3e2yi1dqxdyufgl7hb89jc3azcvhxynfa4q33muv78po8ycq79n490oq2yet8o4kgmjkqy5ny76d8aejy2r2eaw7bb3t6nd97wgbkorbuc6uxjd5f8qgpbomyk3aiq7ss3kjx8n6l44xrcdpg6ucpouio4bauoy79d5fr8wwx6ji7x6l5anlrhasvtcmbb5xjbqgcme6n3fu0beu10xm8e19ojmw3nty8ca294s873cz4m9hlg7gajirgw28e6162il0s0bmywgui9l1gzp8yp8ht9051pwdgmsmvnbqapn5osgyv5x8m6z6vxhiirf4p9gflkj8n2hr8qmh46getjipc260gyg59yqmltpwqb4v3oy7rgl6mo1ufecxbiukqvouuh5grqj0yzevkn8dttu2i5rekdenim9chzeelze8bru2vgxa20c9r48d2712o0xkzamvdu1upnmkn80v9eh18tm7moiza6gkpe8b0cw8d620upv9rm78jk1gzh5p74epeansl13rc9pv6sn7zqh8afup40uksorplonsjcbbq4mredsapmyg2bjig4qdzdpflzuaro0nvatzk41ec2qapd39l1dq4vn02un67ijym0c695iwoapdipr85nm6chjcwq2ygvj050uw7gnow5thucaojlkd1kg5iswkpgxor9v8zoazqv1jjhpai2dw5ao15yydn3rz1yfv1kqjfgbcdfh362aoytkusa3vtylrlaloftsnjlyptlbiz0y816dvx7wn81003596z37rl56fprdwmc52nrpxqoxtfh6z5hd1mzipjfcipglfxxigfj3mbtgda6tbznjeoejdfmdmfc95dk43y7v8v79p99ult1373audlng6gdyvagvc05mzaj7808l6w6fyzlru6ohqiazvs6kswlgnjh3snwv

Man, stopping mid deciphering was a bummer. The Take-Yourprizes URL had Shellcode it seems. When you curled it, we saw something. But the URL is down it seems, I get nothing anymore. Now, we will never know how deep this rabbit hole was.

I've posted a tool that I created some time ago on your comment section... and it is just for that kind of malware... If you can't find it hit me up and I'll send it to you :) It basically retrieves the actual code and you don't go thru all the steps/stages... for the malware I was creating it it was 20+ stages ... so.... pain in the rear...

You are my “IT Seth Rogan” !

Nice one John great video

Finally! A walkthrough for the rest of us. Your practical insight per minute spend is bar none. Well done man. Been searching for a long time for something like this👏👏

That "Tripped over" comment got me laughing. 😂 Just so you know, I'm constantly tripping over your channel. Thanks for all you do. 🙏🏽

you are the best

Absolute classic. You know these shenanigans if you work in the Industry Open a File and see b64? Welp.... your site is probably hacked. Its such a pain to clean this shit up

Nice analyze and acutally inpressive code. Like to know who has made it. Of course, awfull when used with criminal intents but fun to play around with for white hats ❤

8:34 - I am not any good at coding, but why is the malware trying to switch sperms on line 24 in stage2_modified.php? 🧐

🤣🤣🤣

ada indonesia coyyy

I love everything about this video's thumbnail, especially the T-shirt John is wearing XD

Wordpress sucks!

how to send you malware? I Found upl.php and index.php named files on linux servers. I need help because i want to know from where they are coming

Hello santa where is Cyber of Advent day 2 video ?

People use microsoft, OMG dont they know linux is the go in 2022 and beyond!

How easy it is to pop web shells is why every web developer needs to take things like OWASP and security training seriously. About 20 years ago, it was common to see websites that had an image upload feature for community images. A lot of these were using PHP because there was commonly available code that did it for you, except the built-in filename handling logic in PHP didn't handle null bytes in filenames correctly (e.g. it would consider screenshot.jpg\0.php just screenshot.jpg). Coupled with the fact that these files were just casually placed inside a web root somewhere meant with a clever file name you could toss a PHP web shell out and own any of these servers.

People of the comments inform me. ALL of the random emails that I get with PDFs. I'd like to tear into them and see what's inside. Please suggest a starting point.

Look up Fishpig Magento 2 supply chain attack.

Always great content

Great sponsor on this video man. Something I will deff look into after my current cert path. Cheers for the video.

My man!

please john click on this it is totally not malwareand you will totally not get infect coz of this

Hey John, today at work I noticed an event that I followed up on, and I found a similar webshell, I was able to revert a part, but I watched your video again and used one of the techniques you showed and I was able to revert all of it code, thank you very much for these videos 🤜🏻🤛🏻 ✌🏻

Biks maga biks ?

I was making alot of resaerch about this topic just yesterday.

Would have been cool if you showed us the interface

Damnit, my phone listens my conversations

thats was indonesian hacker

How this cpl.php ended up on some of their servers? Was it uploaded via some form, and attacker tried to execute this somehow, but hopefully failed? And just left trace of this junk file on the server?

Contact Form 7 is worst in security.

Php : No plz No

Ok.. I'll follow you on Twitter

love these deobfuscation vids

Its time for some 4k videos John! :)

👍

Dude, this was such an intreaguing video! 👍

God Job hahahaha

This video is a must-see for anyone interested in exploring Wordpress PHP backdoors and webshells. JohnHammond does an excellent job of breaking down the concepts and explaining them in a clear and concise way. Thank You!

Truly good work!

$perms

RIP VK.

WordPress*

Thanks. This was super interesting.

I'd love to see it in action :D

you are the best💯

The hello dolly plugin is part of WordPress

first

How can I find bug in a webs' which using php old version (a website use php v5 🤩)

Awesome!

fikker有漏洞吗？？

great video 👍

I founded another one of these things in a website. What's your mail? I'll send you the files