Paste Site Used As Hosting Service For FilesMan Backdoor
(Sep 18, 2018)
Researcher Bruno Zanelato discovered a backdoor called “FilesMan” dropped into several websites through a pre-existing PHP file that threat actors had placed in each site’s directory structure. This PHP file contains downloader code that fetches the malicious payload. The file “wp-content/themes/buildup/db.php” decrypts that payload and installs the FilesMan backdoor, which allows the threat actor to access the website from their own machine.
Recommendation: To prevent threat actors from installing malicious payloads on your website, monitor file integrity so that any tampering is detected, and use web application firewalls to detect and report malicious activity. Review your logs continually and frequently to ensure there is no suspicious activity.
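As an added example (not part of the original report), the file-integrity monitoring recommended above can be implemented as a baseline-and-compare check: hash every file under the web root, store the digests off the web root, and on each later run flag any PHP file added or modified under wp-content, the location where this story’s db.php dropper was placed. The paths and file names used are constructed for illustration.

```python
import hashlib
import json
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out: Path) -> None:
    # Keep the baseline outside the web root (or on another host) so a
    # compromised site cannot rewrite it alongside the dropped file.
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def flag_dropped_php(changes: dict) -> list:
    """New or changed PHP files under wp-content (themes, plugins, uploads)
    match the drop pattern in this story and need immediate review."""
    candidates = changes["added"] + changes["modified"]
    return sorted(p for p in candidates
                  if p.startswith("wp-content/") and p.lower().endswith(".php"))


def scan(root: Path, baseline_file: Path) -> list:
    """Compare the live tree to the stored baseline and return PHP drops to triage."""
    changes = diff_baseline(load_baseline(baseline_file), build_baseline(root))
    return flag_dropped_php(changes)
```

Run build_baseline/save_baseline once on a known-clean install and schedule scan from cron; a non-empty result should go straight to the alerting you already use for log review.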
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.