There is a very prominent backdoor being used extensively across a lot of the sites we are working on these days. This backdoor is giving the attacker[s] full control of your server.
File to be on the look out for:
Once in your environment, it’s replicated and being embedded deep within your file directories making it difficult to detect. It’s important to remove it completely from your server as soon as possible.
Utf8gat is the more popular filename is we’re seeing right now, it’ll most likely evolve with time. If you do not feel comfortable deleting the files, change file permissions to 000 so it can’t be accessed or executed.
If you’re not concerned with understanding what the payload is, you can use FIND or GREP command via terminal to quickly find and remove the file:
If you’re searching for the file name use ‘find’:
find ./ -name utf8gat.php
A better approach may be to search for content of the file and you do that by using ‘grep’:
grep -r ‘\x63\x72\x65\x61\x74\x65\x5f\x66′.
Here is a snippet of the utf8gat.php payload:
If you try decoding this you see it outputs yet another encoded payload:
Once this is decoded this is what you fine (only a snippet) (see full payload here):
If you’re wondering what this is doing and why its dangerous, the answer is EVERYTHING. The entire script allows the hacker to upload files and execute whatever they want. This backdoor is giving your attacker full-control of your site / server.
Please take the time to scan your servers and remove these files IMMEDIATELY.
Leave a reply