Tuesday, August 18, 2020

How Hackers Become Victims: Backdoors in PHP Web Shells

I decided to decode a PHP web shell that had been encoded with the Fopo online encoder. It is called "ATTACK SHELL PRiV9" or "K2ll33d Shell 2019" and belongs to "r00t.info".

PHP web shell:

Encoded source:

What we encountered might be interesting to you.

As you can see, it contains backdoor malware that copies itself as newsr.php into every directory of the website and sends the location of the site and information about it to the address "http://r00t.info/ccb.js" and to the mail "byhero44@gmail.com"; the password "a4cd2905b660e8b1bc73a7c4571252da" is stored as an MD5 hash.

ccb.js contains:


I changed all "http" to "hxxp" to prevent the code from executing and harming your system, so if you want to run it you need to change the values back to the original.

Other names and addresses associated with the same backdoor are:

Turkey Cyber Army team
Indoxploit Shell
Sym Bypass 403 Shell
Berandal Indoxploit Shell V2.1
Premium Wso Shell
Whmcs Killer
Mobile Shell V.05 2018 Private
K2ll33d Shell
3turr ~ Sh311
Server V-8 Attack Shell
Bypass shell
Wordpress Mass Change Password 2019
Smevk_pathan Shell V3 Bypass Shell
Leaf Php Mailer V.2.7
Bloodsecurity Bypass Shell
Anon Priv9 Shell
Wso Shell
R00t.info Priv7 Shell New 2016
Wso Shell 4.2.2
G5 Private Bypass Shell


If you have used any of these, you need to know that your entire website is infected.

The steps to clean it up:

Look for "newsr.php" files in every directory of your website and remove them.

If you are using Linux, use this command (it prints each file it removes):

find / -type f -name newsr.php -print -exec rm -f {} \;

Also, if you uploaded the shell file itself, delete it completely.

And also delete the CGI shell files that the PHP web shell created.
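As an added example (it is not part of the original post and not the shell author's code), the following Python script performs the cleanup search above from a defender's side: it walks a web root, flags every file named newsr.php, and flags every file whose content contains one of the indicators quoted in this post (the ccb.js callback URL, the mail address and the MD5 hash). The indicators are stored defanged with "hxxp", the way the post writes them, and are refanged only in memory for matching. Content matching only catches copies that are not obfuscated, so the file-name check is the reliable one for the dropped files. The sample web root the script builds in a temporary directory is constructed for the demonstration; the script only reports findings, so you can review them before deleting anything.

```python
import os
import tempfile

# Indicators quoted in the post above. The URL is kept defanged (hxxp://) in the
# source, the way the post defangs it, and is only refanged in memory for matching.
DEFANGED_IOCS = [
    "hxxp://r00t.info/ccb.js",
    "byhero44@gmail.com",
    "a4cd2905b660e8b1bc73a7c4571252da",
]
# File name the backdoor uses for the copies it drops into every directory.
DROPPED_FILENAME = "newsr.php"


def refang(indicator: str) -> str:
    """Restore a defanged indicator (hxxp://, hxxps://, [.]) to its live form."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def defang(indicator: str) -> str:
    """Defang a live indicator so it can be logged or reported safely."""
    return (indicator.replace("https://", "hxxps://")
                     .replace("http://", "hxxp://"))


def scan_webroot(root: str, max_bytes: int = 2_000_000) -> list:
    """Walk a web root and return sorted (relative_path, reason) findings.

    Two checks are made per file: the file name matches the dropped copy, and
    the first max_bytes of the content contain one of the live indicators.
    Content matching only catches copies that are not obfuscated; the file
    name check works regardless of how the copy is encoded.
    """
    live_iocs = [refang(i) for i in DEFANGED_IOCS]
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == DROPPED_FILENAME:
                findings.append((rel, "dropped filename " + DROPPED_FILENAME))
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for ioc in live_iocs:
                if ioc in text:
                    findings.append((rel, "contains indicator " + defang(ioc)))
    return sorted(findings)


def build_sample_site() -> str:
    """Create a constructed sample web root (not real data) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        # constructed stand-in for a dropped copy; the callback URL is refanged
        # at runtime so the sample looks the way a live copy would
        os.path.join("wp-content", DROPPED_FILENAME):
            "<?php /* constructed sample */ $u = '" + refang(DEFANGED_IOCS[0]) + "'; ?>\n",
        # constructed stand-in for an uploaded shell carrying the mail address
        os.path.join("uploads", "shell.php"):
            "<?php /* constructed sample */ $m = 'byhero44@gmail.com'; ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def demo() -> list:
    """Scan the constructed sample site; used by the stand-alone run below."""
    return scan_webroot(build_sample_site())


if __name__ == "__main__":
    # On a real site, call scan_webroot("/var/www") (or your web root) instead.
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against your actual web root with scan_webroot("/path/to/webroot") and delete only after checking each reported file; the indicator list is easy to extend with further strings from the decoded source.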

You can find the full source code at https://pastebin.com/bmrrDeAb

Sunday, June 7, 2020

OWASP JoomScan Project in Pentestmag

Our article has been published in Pentestmag.

OWASP JoomScan Project
by Mohammad Reza Espargham, Ali Razmjoo, and Ehsan Nezami
JoomScan does not aim only at testing for different vulnerabilities and simulating attacks; the process always begins with information gathering and proceeds step by step following ethical hacking techniques. The information-gathering phase is not limited to the web application but also covers the web server and domain, as well as misconfigurations, human errors, and other possible risks in the product.

Other contributors to this edition: Valerio Alessandroni, Marlene Ladendorff, PhD, Dr. Chuck Easttom, Daniel Benicio F Alves (LPIC, SUSE SCA, FORTINET NSE3), Kavya Pearlman, Alex Halfin, Vinícius Vieira, Mostafa Mahmoud, Mohammad Reza Espargham, Ali Razmjoo, Ehsan Nezami, Ofer Tirosh, and Franciny S.