Deobfuscation and analysis of PHP malware captured by a WordPress honey pot
Switch branches/tags
Nothing to show
Clone or download
Failed to load latest commit information. niladd.php email spamming tool Sep 21, 2018
1.php Add section on further accesses Jul 7, 2018 Add materials Dec 7, 2017 zzz.php email recon program material May 22, 2018 More confusion Oct 16, 2018 Fix some usage problems. Jan 4, 2018 Misspellings Nov 13, 2018 Add file editor materials and blurb Nov 4, 2018 Try to fix markdown Nov 4, 2018 Fix URL to pastebin ancient version, add authorship note. Aug 12, 2018 Material about a recon program Mar 8, 2018 Note about newer version Oct 20, 2018 and contents, note Jan 3, 2018 Fix markup Jan 17, 2018 Add turkish language file manager blurb and materials. Jun 11, 2018 Initial check in of 10 directories full of candidate goodies Nov 29, 2017 Initial check in of 10 directories full of candidate goodies Nov 29, 2017 Another old reference to ".suspected" filename changes Aug 21, 2018 Some misspellings Nov 13, 2018 Add link to another instance of analysis of this code. Mar 18, 2018 Add and materials Jan 9, 2018 More text. May 5, 2018 Add speculation on why file manager downloaded via more capable WSO May 3, 2018 Materials for Aug 21, 2018 Add material and references for WSO with novel encoding. Mar 19, 2018 Initial check in of 10 directories full of candidate goodies Nov 29, 2017 Proofreading Oct 20, 2018 Add some analysis of the 2 other spams I caught. Apr 7, 2018 Initial check in of 10 directories full of candidate goodies Nov 29, 2017 Add material and link from Mar 7, 2018 Add + contents and updated for … Dec 28, 2017 Fix markup. Jan 27, 2018 Add htaccess reditor materials, note and link Aug 4, 2018
Aslan_Neferler_Tim Add comparison to a later download Oct 19, 2018
GetDomains More about frequency of download. Jan 30, 2018
IndoXploit Another IndoXploit variant Nov 14, 2018
NxAcGg Add htaccess reditor materials, note and link Aug 4, 2018
WSO-htaccess.php Add a '$' to a php variable. Dec 28, 2017
activex Kinked theme and webroot.php materials Aug 2, 2018
apikey.php Fix misspellings Feb 5, 2018
archive.php Apache access_log entries for access of archive.php URLs Dec 30, 2017
b374k_3.2.3.php Add link to github repo of maybe the original May 3, 2018
calculation.php Add some material Mar 20, 2018
campaign1 Add fUUPd decoder. Mar 22, 2018
campaignA Spelling problem, markdown table Nov 13, 2018
campaignE Return it to a less manipulated state Nov 13, 2018
campaignX Add a newly received instance of SuperFetchExec Aug 14, 2018
cgi-telnet Move cgitelnet.txt into cgi-telnet/ May 6, 2018 Better understanding Jul 10, 2018
claw.php Fix misspelling Jan 4, 2018
cscript Add ref to campaignE/ as an extension or continuation Nov 12, 2018
customizer-ui-experimenks.php Markdown cleanups Mar 20, 2018
db-config.php Fix poor usage. Dec 19, 2017
fUUPd Add fUUPd decoder. Mar 22, 2018
general.php Markdown cleanups Mar 20, 2018
kaylin Fix misspelling and markdown mistakes. Jan 11, 2018
leafmailer Change alt text on screenshot of leafmailer Sep 16, 2018
monero.php Add material and link from Mar 7, 2018
mumblehard Fix some english usage issues. Sep 2, 2018
nptzow WSO 2.5 installation campaign materials Sep 7, 2018
php.backdoor.vpsp.001 Markdown cleanups Mar 20, 2018
phpd.local Markdown cleanups Mar 20, 2018
promos.php Change "RBL" jargon to simpler phrase "spam blacklist". Mar 8, 2018
ricches.php Fix inevitable misspelling Oct 20, 2018
sockets.php Add sockets.php/ materials and blurb May 6, 2018
syslib.php Add a newly received instance of SuperFetchExec Aug 14, 2018
wew.php Team Egypt Hacker file manager materials. Apr 18, 2018
wp-newsletter Add customizer-ui-experimenks.php/ and campaign1/ files. Mar 18, 2018 backdoor installation campaign blurb Nov 12, 2018

PHP Malware Analysis

Rough cut analysis of PHP source code that I got via running a WordPress honey pot

This illustrates what I think the bottom feeders who hack WordPress sites do, once they have illegitimate access to a new WordPress instance or host. It's not scientific in any way. I'm only decoding the pieces of malware that arrive at one honey pot, and I'm only decoding those pieces that seem interesting because of method of download, obfuscation or unique content. Oddities are over-represented because of that.

Broad malware categories

This collection of PHP malware, all found in the wild, fits into a number of categories:

  • Email spamming tools
  • Access verification
  • Reconnaisance, which has subcategories
  • Web shells
  • Backdoors
  • SOCKS servers
  • HTTP redirectors
  • File Managers
  • Password guessers

Some combinations occur: web shells, particularly WSO, often get used as a backdoor (Php action, RC action). Access verification is a form of reconnaisance.

Recon sometimes just looks at what CMS/frameworks are present, but other times collects information about user ID, type and version of OS, file system hints, useful only for potential lateral moves. GetDomains recon seems like something of both, though.

Broad meta-malware categories

It seems to me that there are "cross cutting" aspects of this kind of collection and analysis.

  • Password guessing campaigns
  • Methods of download, commonality with other malware
  • Common "dropper" code usage
  • Common phone-home code
  • Common back-connect shell code (usually Perl)
  • Methods of encoding/encryption (e.g. FOPO)
  • Geolocation of attacking IP
  • Campaign(s) associated with a specific malware
  • subsequent access(es) of downloaded code
  • previous access(es) of downloaded code
  • common password lists used for guessing

Vigilante Malware Cleaner

Code that tries to identify 56 fragments of PHP that indicate files containing them are probably malware, including itself. Renames suspect files, which probably renders them inoperative. This seems like a very unique effort.

Python password guesser

A PHP manager that downloads, runs, then deletes, a Python program that downloads a list of domain names, enumerates users of WordPress blogs on those domain names, and tries to guess working passwords. Guesses passwords using xmlrpc.php calls, not through the WordPress login page.

Thoroughly kinked WSO 2.1 web shell

The most backdoored download I've ever seen. A WSO 2.1 web shell, with two phone-homes It also downloads the LeafMail mailing tool, and a WSO 2.6 web shell.

Crouching JPEG, Hidden PHP - web shell

An instance of b374k Web Shell, which gets some code from EXIF data of a JPEG image.

WSO 4.1.1 Encrypted Malware

A batch of malware received between 2017-11-23 and 2018-05-03 sharing a common method of encryption. The encryption appears to be from WSO 4.x series of web shells, but it has a much shorter key (8 vs 44 bytes). At least 52 different downloads, including 4 instances of mumblehard It's refreshing to see someone using non-trivial encryption.

CGI-Telnet web shell

b374k has a link to download this moderately capable web shell from pastebin.

Mumblehard deep dive

Mumblehard botnet: a server that relays TCP/IP connections, and a persistent payload, executed by cron, that can download code from a command and control server, then start it running.

Mumblehard campaign

Examination of the 44 Mumblehard instances I caught, to see how the code and methods progress as time goes by.

Extendable back door

A password-protected, plugin-extendable back door.

Kinked theme and webroot

A fake-ish theme, complete with a WSO web shell that phones home, and an earlier version of webroot.php.

Kinked theme simppeli

Another compromised WordPress theme, containing a seemingly random complement of malware.

Backdoor using RC4 encryption

A moderately capable backdoor: saves and executes files, as well as immediate PHP eval. Uses native PHP RC4 encryption for password and data transfered.

.htaccess redirector with un-vigilante

Creates a .htaccess file that redirects users to, googlebot, bingbot and Baiduspider get a 404.

Undoes any file name changes that an invocation of the Vigilante Malware Cleaner might make, too. That just seems weird, since ".suspected" file name complaints are around, but not overwhelming. Maybe inter-spamgang warfare?

Jijle3, WSO 2.5 variant web shell

A WSO 2.5 web shell heavily modified by adding code from various other hacking tools.

WSO 2.5 installation

3.993 second WSO (Web Shell by oRb, a.k.a. "FilesMan") installation, only eight HTTP requests, including a cold WordPress login.

Link Injector

Apparently an attempt to direct Chinese web traffic to a Macau casino by means of link spamming. Aren't search engines too sophisticated for this to work?

Edit ASP, PHP, JSP, ASPX files

Modifies all .asp, .aspx, .php and .jsp file that have an assignment to a variable name remote_server to assign "" to that variable.

Two Plugin Zip files - web shell

Uploads of two Zip-format-files, one of which is WSO 2.5 with some camoflaging code. The other Zip file has an ELF-format executable and a small piece of PHP to run that executable in the background.

nptzow and nowir - SEO tool

Seems to be some kind of search engine optimization thing. It serves up different results for "human" or "bot" invokers. When it decides you're a "bot" it asks a server for text to fill out template HTML. Failing that, it gets text from or

SEO tool related to nptzow

Dropper that leaves a PHP file behind, which in turn injects PHP code into every theme's header.php file. If the theme injection determines that an access is from a "bot" (basically every search engine that ever was, plus lots of crawler libraries), it gets HTML from to pass back to the "bot".

Backdoor installation campaign

A 12-access campaign to install a backdoor. Accesses from 12 different IP addresses within 20 seconds, attempting to download one of 2, individually-obfuscated backdoors.

phpd.local - Native PHP SOCKS server

Native PHP SOCKS server. I often see Perl and even compiled ("bouncer") SOCKS servers downloaded. Can you sell SOCKS servers on some underground markets? Is there value in having a cut-out like this?

Simple SOCKS server installation campaign

A short (11 second, 17 HTTP request) campaign that wanted to install Perl Simple SOCKS Server code, but failed, probably because my WSO emulation is not accurate enough.

Email spamming tool

Three attempts to install an email spamming tool, featuring attempts to invoke the tool 34 seconds later.


Two versions of something.

claw.php - web shell

c99 web shell inside 10-12 levels of obfuscation.

IndoXploit - web shell

Simple web shell, credits itself to an Indonesian URL.

Simple web shell/backdoor

A simple backdoor, with just enough features to allow a human to use it without too much automation. Use could easily be automated. May be kinked, in that it has a backdoor itself, if you know the magic HTTP parameter.

promos.php - Email spamming tool

Email spamming tool, explodes a single POST request into multiple emails. Has "check" function that looks up compromised machine's IP address in various email black lists.

htaccess.php - web shell

WSO "Web Shell by oRb", downloaded by a previously-installed instance of WSO.

db-config.php - Email spamming tool

An email spamming tool, with WSO web shell appended. Complete with "phone home" code to notify a Ukrainian web site that someone invoked the program.

CMS Recon tool

Knows how to recognize 24 different CMS systems and frameworks. Responds to an HTTP POST with a serialized summary of what CMS and framework(s) it found.

kaylin web shell

Full-featured, Chinese language web shell, with a modern webapp look to it.

mobile phone browser redirector

Redirects mobile phone browsers to some other URL via mod_rewrite comands in document root .htaccess file.

Access verification

Downloads PHP code that when executed, creates an HTML file. The downloading IP address immediately attempted to access the HTML file, so this is probably just access verification.

GetDomains - reconnaisance

I hypothesize this is an Apache virtual host directory reconnaisance tool. Looks for directory names with 150+ domain name appearing suffixes, seems to emphasize Russian and eastern European country codes.

archive.php - web shell

Modified PhpSpy web shell, disguised as a GIF file, downloaded as a theme update. Modifications are at least to change some labels to Turkish, and add "phone home" code that lets someone in Turkey know that the web shell has executed. Is there no honor among thieves!?!

SuperFetchExec - file gateway

Ancient SuperFetchExec PHP malware, still using the same old XOR string it was using in 2012.

Deeply obfuscated WSO web shell

Somewhat modified Web Shell by oRb, derived from version 2.5, or possibly 2.9. Many levels of obfuscation.

Legitimate File Manager Plugin

A real (albeit possibly off-license) file manager plugin, illegitimately installed. Interesting dual use of COTS technology.

Flexible email spamming tool

Email spamming tool, where all email/SOCKS/spam parameters are transmitted in an HTTP cookie.

Plausibly Deniable Blind SQL Injection

An intermediary, coded and obfuscated for my specific honey pot, that acts as a cut-out between the downloader, and another web site. Performs SQL injection testing on that other web site.

Busted Dropper - web shell

Dropper that relies on a WSO 2.9 variant to execute, except its Base64 encoding is messed up. Drops a PHP program that can (a) delete all .htaccess files up to document root, or (b) generate some underhanded JavaScript that redirects you to a scammy website.

Code-in-cookie back door

Small piece of obscured PHP that executes functions named in HTTP cookies on PHP code also named in HTTP cookies. Even more obfuscated than it sounds.

Trojaned theme - web shell

A WordPress theme containing two PhpSpy web shells, and a web-based file manager that phones home.


An encrypting back door.

apikey.php - file gateway

Access validation/PHP execution and file downloader.

LeafMailer - email spamming tool

A "COTS" email spamming tool. I'm not sure what LeafMail's business model is, however. Doesn't seem to be a way to pay for it.

Blacktools PHP Mailer - email spamming tool

Rebranded version of LeafMailer.

monero.php - backdoor

Simple, HTTP POST backdoor, with a suspicious file name.

Backdoor hidden in Akismet plugin update

A somewhate obfuscated backdoor that seems to use assert() to evaluate code passed in an HTTP POST request. Akismet plugin update extremely broken, uses an old version, but also got commented out.

OS, version and user ID recon

Composes and returns a machine-parseable string with information about web server's file system, user ID running PHP or the web server, and "uname" output. Nothing about the web server, which makes sense as this recon code was downloaded to what was believed to be a pre-existing backdoor.

WSO web shell with novel obfuscation

WSO 2.5 web shell, with a novel, 2-step obfuscation. Attacker also added some anti-search-discovery code. Most amusing.

Common Decoder #1 - fUUPd

PHP file downloaded via WSO that decodes and evals some encoded PHP. Some obfuscation of both encoded PHP payload and the decoding PHP.

Email spam sent through WSO Web Shell

Email spam, the download probably works in 3 different web shells or backdoors. Seems to be part of a spamming campaign, my honey pot has caught additional, slightly different, emails.

Rebels Mailer spamming tool

An instance of the "Rebels Mailer" web front end email spamming tool, immediate PHP evaluator, and local file inclusion backdoor.

Email Cut-out

Small PHP program that can use POST parameter values to send email from the compromised machine, concealing the email's true origin.

TeaM HacKer EgypT File Manager

An actual lightweight, fast file manager, Licensed under GNU GPL v2.

Small Turkish Language File Manager

Smallish, 297-line-of-code file manager, in Turkish.

Spam Blocklist Recon

PHP downloaded to WSO web shell. When invoked with proper GET parameter(s) it can check if the hostname it's on is in Google's safe browsing as unsafe, or in Spamhaus' block list.

Email access verification

Interactive web page that sends a test email to the invoker's choice of addresses.