Type: WebShell
Destruction Level: High
Prevalence: Moderate


Malware names

  • Backdoor.PHP.WebShell.Indosec (Padvish)
  • PHP / Webshell.NHE (ESET-NOD32)
  • HEUR:Backdoor.PHP.WebShell.gen (Kaspersky)


What is WebShell?

WebShell is a malicious script written in scripting languages such as ASP, Python, PHP, or JSP. When injected onto the victim’s web server, these webshells grant the attacker complete control over the website. These attacks typically exploit security vulnerabilities in vulnerable web servers.
Attackers easily discover and target servers accessible on the Internet. By injecting the web shell into the web server, organizations face serious and sometimes irreparable risks. Therefore, organizations must prioritize these warnings and implement robust security measures.


What is Backdoor.PHP.WebShell.Indosec?

This report discusses a sample from the Indosec family of web shells. Using this webshell, intruders can execute a range of malicious actions on the victim’s server.


The capabilities of this malware:

  • Uploading files to specific paths
  • Encrypting files and demanding ransom
  • Defacing the victim’s website
  • Creating files and folders, and modifying them


Technical Review

Performance Description

To access the Webshell admin panel, the attacker creates a login page with the username admin, as depicted in the image below the login page.

 صفحه login

Figure 1-  login Page

Upon successful login, the following page is displayed. As illustrated, the IndoSec Shell equips attackers with various capabilities.

نمایی از سربرگ home

Figure 2 – A view of  home tab

  • Within the terminal section, as shown in the subsequent figures, this webshell can execute Windows and Linux commands based on the victim’s server’s operating system.
    In the following two figures, you can observe a command executed under the Windows terminal while the web shell operates in the Windows environment, and a command executed under the Linux terminal while the web shell operates in the Linux environment:

▫️Result of executing ipconfig in a Windows environment:

اجرای دستور ویندوزی در ترمینال

Figure 3 – Executing a Windows command in the terminal


▫️Result of executing uname -a command in a Linux environment:

اجرای دستور لینوکسی در ترمینال

Figure 4: Executing a Linux command in the terminal


  • The informasi section displays details about the current system.

اطلاعات مربوط به سیستم

Figure 5 – System Information


  • In the subsequent section, the outcomes of each action are displayed. For instance, in the initial login mode, details such as files in the current directory, access types, and actions on the files are displayed, or after running commands in the terminal, the outputs are shown in this field.

نمایش دایرکتوری جاری

Figure 6 – Displaying the current directory


The various capabilities of the malware are outlined in the table below:

Feature Name Feature Description
upload Enables file uploads to desired paths.
Bautfile Enables creating new files and adding content to it.
Bautfolder Enables creating new folders in desired paths.
Mass deface Enables the attacker to batch changes index files, resulting in defaced websites on the victim’s server. This section enables simultaneous content changes to multiple files, so that the target path and file name determined by the attacker. As a result, the content of all files with the specified name (by default index.php ) located in the corresponding path will be changed.
Mass delete  Deletes multiple files simultaneously.
jumping Checks for the existence of host management control panels in the system and displays files in associated paths.

Put path configuration files of various content management systems (CMS) into a file named ‘$user_con-$nama_config.txt,’ providing critical information to the attacker including database name and password. Reviewed CMS platforms:

Hostbills, Zencart, BoxBilling, WHMCS, Joomla, WordPress, IPB, OsCommerce, MyBB, Vbulletin, Ellislab, OpenCart, Magento, PrestaShop, Drupal, phpBB, Lokomedia, cPanel.

adminer Opens the database management page if an ‘adminer’ file is present, allowing viewing and modification of databases using the username and password.
symlink In this part of the code, the contents of the file named.conf or named.txt name are displayed as a table consisting of Domains, Users, and symlink columns, and three different links are created, each of which is for a specific application that will be mentioned in Further Details.
Auto reset cPanel Resets the password for cPanel in the case that it is used in managing the targeted website.
ransomware This module encrypts files in desired directories, appending ‘.indsc’ extension to file names and adding a payment-related ‘index.php’ file next to the files. Encryption currently inactive due to the unavailability of the encryption address:
smtpgrabber Displays SMTP information such as SMTP Host, Port, User, Pass, Auth, Secure.
Bypass cloud flare If the website is equipped with cdn cloudflare, different parts of this could be bypassed and the actual IP of each of the webmail, ftp, cpanel and other servers can be obtained.
keluar Exit the program and returns to the login page.

Further Details

🔺 Mass deface

Upon selection of this option, the replacement content intended for the original file will be written in the respective directory files. Subsequently, the contents of all files with the specified name in the NamaFile section within the directory will be altered.

محتوای صفحه Mass deface

Figure 7 – Contents of Mass Deface page


لیست فایل‌های تغییر داده شده به وسیله Mass deface

Figure 8 – List of files changed by Mass deface


صفحه deface شده

Figure 9 – The defaced page


🔺 Jumping

In the Jumping section, the presence of host management control panels in the system is checked, and the associated path files are displayed. This section operates as follows:
• If an H-sphere control panel exists on the system, a jump link will be established for the following path based on system user numbers and existing URLs:


• If H-sphere is not present on the system, it will navigate to the vhosts directory and create a jump link for different URLs for the following path:


• Lastly, a jump link is created for each user for home/$user_pro_jump/public_html/. The executed sample displayed below, highlighted in green, has read-only access type.


خروجی jumping

Figure 10 – Jump Output


🔺 Adminer

Adminer is a database management tool. The malware checks for its presence on the system and, if present, it displays the database login page. In this section, the attacker gains easy access to the database if login credentials are obtained:

نمایش صفحه adminer

Figure 11 – Displaying the Adminer Page


🔺 Symlink

Symlinks are files that act as pointers to other files, containing no content of their own but pointing to the original files. Deleting the original file renders the symlink unusable.

ماژول Symlink این بدافزار شامل موارد فوق است:

Figure 12: Malware Symlink Module

According to the above figure the Symlink module of this malware includes:

1️⃣ Bypass Read: Selecting this option displays named.conf file contents with read access in the output. Pressing save key, saves this content in named.txt in the path to execute the original file.

 Bypass Read

Figure 13: Bypass Read in the Symlink module

2️⃣ Symlink404:  A symlink file can be created from the target file in the indosec_sym404 directory with the desired name. To Test the path one of the WordPress files entered as the Target file and txt.12 as the symlink file name and is displayed upon clicking on the link >>Sukses<<.


بخش Symlink404

Figure 14- Symlink404 Section


امکان نمایش محتوای فایل Target

Figure 15 – Ability to display the contents of the Target file


3️⃣ Symlink Bypass: This displays etc/passwd file contents, containing system account information. Choosing Symlink saves its content as passwd.txt in the current path.

Symlink Bypass

Figure 16 – Symlink Bypass


🔺 Ransomware:

This refers to the ability to execute ransomware. for this section, as depicted in the red box 1 below, the target file is read from the chosen path, encoded with the base64 algorithm, and sent to the attacker’s server. The returned packet includes an encrypted file, decoded and placed in $_ENC variable.

Following this step, the INDSC. extension is added to the file name, and a SUCCESS message appears in the output. However, actual encryption and extension changes were not performed during malware analysis due to server unavailability.

In box 2, the operation related to displaying the PAYMENT page is preformed, and an INDEX.HTML file is created as PAYMENT, with the content displayed below.

محتوایHTML مربوط صفحه payment


محتوایHTML مربوط صفحه payment

Figure 17: The HTML content of the payment page


صفحه payment

Figure 18 – The payment page


How to deal with and clean the system?

Padvish Antivirus detects this malware. To avoid infection by such malware, it is recommended to:

✅ Fully and securely configure your web server.

✅ Block unused ports and services.

✅ Use complex passwords and change them regularly.

✅ Consistently apply security updates.

✅ Considering the escalating cyber threats, for network and system security against advanced persistent threats and cyber-attacks, alongside adhering to security recommendations, use Padvish Managed Detection and Response (Padvish MDR).

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>