explore a Wordpress PHP BACKDOOR webshell

  • Published 17 Dec 2024

Comments • 112

  • @sumurai8
    @sumurai8 2 years ago +116

    Hello Dolly is included in Wordpress by default. It's actually a pretty nice way to hide code, as a lot of people will not delete the default plugins... I suppose it is a way to remotely execute code on every website as an admin. The stuff in the worker file is possibly to delete competing webshells, then probably to read base64 code from the wp_options table and execute it.

    • @Xewl
      @Xewl 2 years ago +13

      A decent security plugin will check the hash of the plugin files to note changed files.
      A decent developer removes those plugins altogether; they're bloat.

    • @OneOfThePetes
      @OneOfThePetes 2 years ago +1

      I was just about to write this.

    • @januzi2
      @januzi2 2 years ago +5

      A few weeks ago I deleted a webshell from the dolly plugin. The operator of that webshell also uploaded a fake template with some more code. He forgot to attach the screenshot to that fake template.

    • @logiciananimal
      @logiciananimal 2 years ago

      So in this case it has been repurposed into a trojan, rather than just being one by itself (my guess). Good to know!

    • @Dooglet
      @Dooglet 2 years ago +2

      @Xewl someone ordered the bloat? *laughs in node modules*
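As an added defensive example (not code from the video, and not from any commenter), here is the check @Xewl describes and a scan for the base64-fed eval() that @sumurai8 describes, written in Python. The plugin tree, the file contents and the injected blob are all constructed inline; the paths are assumptions and the files are not the real Hello Dolly files.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for a plugin directory: relative path -> file bytes.
# These are NOT the real Hello Dolly files, only sample content for the checks below.
CLEAN_TREE = {
    "hello.php": (
        b"<?php\n"
        b"/* Plugin Name: Hello Dolly (constructed stand-in) */\n"
        b"function hello_dolly() { echo 'Hello, Dolly'; }\n"
    ),
    "readme.txt": b"Hello Dolly sample readme\n",
}

# The same tree after a hypothetical tamper: a base64 blob handed to eval() is appended
# to the plugin file, and an unexpected .php file shows up under the uploads directory.
HIDDEN_STAGE = b"<?php echo 'constructed stand-in for injected code';"
TAMPERED_TREE = dict(CLEAN_TREE)
TAMPERED_TREE["hello.php"] = CLEAN_TREE["hello.php"] + (
    b"eval(base64_decode('" + base64.b64encode(HIDDEN_STAGE) + b"'));\n"
)
TAMPERED_TREE["wp-content/uploads/cache.php"] = (
    b"<?php // constructed: an unexpected PHP file under uploads\n"
)

EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def sha256_manifest(tree):
    """Baseline the way an integrity plugin would: one SHA-256 per file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def diff_manifest(baseline, current):
    """Files whose hash changed, appeared or disappeared relative to the baseline."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def decode_embedded_base64(data):
    """Decode long base64 runs and keep those that decode to PHP: the stage that
    eval(base64_decode(...)) would run, which a plain string search would miss."""
    stages = []
    for match in B64_BLOB.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        if b"<?php" in decoded or b"eval(" in decoded:
            stages.append(decoded)
    return stages


def scan_file(path, data):
    """Content and location heuristics for one file; returns a list of finding names."""
    findings = []
    if EVAL_B64.search(data):
        findings.append("eval(base64_decode(...))")
    if decode_embedded_base64(data):
        findings.append("base64 blob decodes to PHP")
    if path.startswith("wp-content/uploads/") and path.endswith(".php"):
        findings.append("php under uploads")
    return findings


def audit(baseline_tree, current_tree):
    """Integrity diff plus per-file heuristics, returned as one report dict."""
    report = diff_manifest(sha256_manifest(baseline_tree), sha256_manifest(current_tree))
    findings = {}
    for path, data in current_tree.items():
        hits = scan_file(path, data)
        if hits:
            findings[path] = hits
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for key, value in audit(CLEAN_TREE, TAMPERED_TREE).items():
        print(key, value)
```

The baseline manifest is the part that matters: an attacker who can write to the plugin directory can usually also edit a manifest stored next to it, so keep the known-good hashes off the host (or fetch them from the plugin's upstream release). The content heuristics only catch the unobfuscated shape shown here; the same idea applies to option values pulled out of the database, where the blob would be decoded and inspected the same way.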

  • @januzi2
    @januzi2 2 years ago +5

    Finally, a wordpress shell. Can't wait to see what it does.

  • @IrdinataWijayanto
    @IrdinataWijayanto 2 years ago +4

    I literally smiled at 4:08, and thanks, I really learn a lot from you sir; it's all a big chunk of knowledge that you share. It took me a lot of time to understand a single video since I always try to look around and google anything that I don't know from what you've said. This is another great video.

  • @metavore7790
    @metavore7790 2 years ago +7

    That was fun! The rabbit holes had rabbit holes. Kudos to you, and I'm patting myself on the back for being able to follow all of that. Study and practice pay off!

  • @pinobeppo9287
    @pinobeppo9287 2 years ago +25

    Hi, great video. Could it be that the array in "worker.php" at 32:11 is a set of code snippets used in the "Fast()" function at 16:35 in "stage2_modified.php" to remove "competing" webshells? Would be pretty neat! 😀 My second wild guess is that the Paranoid function does a wider RE based search, but just warns the user instead of automatically deleting files.

  • @gregsayshi
    @gregsayshi 2 years ago +1

    Finally! A walkthrough for the rest of us. Your practical insight per minute spent is bar none. Well done man. Been searching for a long time for something like this👏👏

  • @tubehelpr
    @tubehelpr 2 years ago +2

    I love these types of videos - just going through the crazy. Thanks John.

  • @Counterhackingsafe
    @Counterhackingsafe 1 year ago +2

    This video is a must-see for anyone interested in exploring Wordpress PHP backdoors and webshells. JohnHammond does an excellent job of breaking down the concepts and explaining them in a clear and concise way. Thank You!

  • @imranthoufeeque
    @imranthoufeeque 2 years ago +1

    Advance congratulations on reaching half a million family members.... You are the best John....💗

  • @KoromaTech
    @KoromaTech 2 years ago

    That "Tripped over" comment got me laughing. 😂 Just so you know, I'm constantly tripping over your channel. Thanks for all you do. 🙏🏽

  • @ThereWillBeCake
    @ThereWillBeCake 1 year ago

    Great sponsor on this video man. Something I will definitely look into after my current cert path. Cheers for the video.

  • @SomeUniqueHandle
    @SomeUniqueHandle 1 year ago +2

    32:35 (line 59) includes a reference to "Leaf PHP Mailer" which is a legit mailer script but it can be loaded on to people's sites to send tons of spam. The code at 32:54 might be the email payload for the Leaf PHP Mailer. You can see things like "SUBJECT", "AMAZON|ADOBE|AZURE" and "BILLING|LOGIN" close together so I'd guess it's creating messages with subject lines stating either Amazon, Adobe or Azure plus Billing or Login, so it could be phishing spam. (On a side note, I want to copy your, "This is a disaster" and use it as my ringtone for work calls.)

  • @Jennn
    @Jennn 2 years ago

    I love everything about this video's thumbnail, especially the T-shirt John is wearing XD

  • @joshw3539
    @joshw3539 5 months ago

    You are my “IT Seth Rogan” !

  • @user-qt3bd3mx4h
    @user-qt3bd3mx4h 2 years ago +1

    Always great content

  • @YT_Watcher
    @YT_Watcher 2 years ago +2

    I had many of these on my WordPress ❤️

  • @jeanramos8253
    @jeanramos8253 1 year ago

    Hey John, today at work I noticed an event that I followed up on, and I found a similar webshell. I was able to revert a part, but I watched your video again and used one of the techniques you showed and I was able to revert all of its code. Thank you very much for these videos 🤜🏻🤛🏻 ✌🏻

  • @faker-scambait
    @faker-scambait 2 years ago +1

    Nice one John great video

  • @mradamdavies
    @mradamdavies 2 years ago +10

    I'd like to have the source to play with myself. I am a PHP dev. Edit: wow, at around 33:00 he references the b374k shell... that's about 8 years old!

  • @ronanru
    @ronanru 2 years ago

    Love these deobfuscation vids

  • @DefconUnicorn
    @DefconUnicorn 2 years ago +1

    When I attempted to curl some of the URLs and got redirects, it occurred to me that they are already using user agent detection and that may be implemented on these URLs as well. @40:00

  • @LegendSpam
    @LegendSpam 2 years ago +2

    Ok I need this

  • @joshuaterrill3089
    @joshuaterrill3089 2 years ago +2

    One of my friends had this happen to several sites, and didn't have good backups. It took me several hours last night to write scripts to go through and clean up all the files. It makes updates to .htaccess files, prepends all index.php files, etc. so writing a bash script was tedious

  • @eyephpmyadmin6988
    @eyephpmyadmin6988 2 years ago +1

    Love this, please do a video using AFL to find an exploit and then get code execution. I can't find a good video at all and I'm really wanting something simple that I can follow along with; I learn from being hands on.

  • @Lambda.Function
    @Lambda.Function 1 year ago

    How easy it is to pop web shells is why every web developer needs to take things like OWASP and security training seriously. About 20 years ago, it was common to see websites that had an image upload feature for community images. A lot of these were using PHP because there was commonly available code that did it for you, except the built-in filename handling logic in PHP didn't handle null bytes in filenames correctly (e.g. it would consider screenshot.jpg\0.php just screenshot.jpg). Coupled with the fact that these files were just casually placed inside a web root somewhere meant with a clever file name you could toss a PHP web shell out and own any of these servers.
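The null-byte filename problem described in the comment above, with its hardened counterpart, as an added example (not the commenter's code, and not from the video). The real handler would be PHP; Python is used here only to illustrate the check. The extension lists and the server-chosen naming scheme are assumptions, not anything shown on the page.

```python
import secrets

# Extensions the upload endpoint is willing to store (assumed allowlist); everything else is rejected.
ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# Extensions a web server might hand to a script engine. Never allowed, not even as a
# "middle" extension, because some server configurations map handlers on any extension in the name.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}


def naive_is_image(filename: str) -> bool:
    """Reproduces the historical bug from the comment above: the name ends up in a
    C-string API, so everything after the first NUL byte is silently ignored."""
    truncated = filename.split("\0", 1)[0]
    return truncated.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))


def validate_upload_name(filename: str) -> str:
    """Return the allowed extension for a user-supplied filename, or raise ValueError.
    The whole name is inspected (no NUL truncation), every dot-separated part is checked
    against the executable list, and the final extension must be on the allowlist."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        raise ValueError("control character in filename")
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError("path characters in filename")
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("no extension")
    ext = parts[-1]
    if ext not in ALLOWED_IMAGE_EXTS:
        raise ValueError(f"extension {ext!r} not allowed")
    if EXECUTABLE_EXTS & set(parts[1:-1]):
        raise ValueError("executable extension inside filename")
    return ext


def is_rejected(filename: str) -> bool:
    """True when the hardened validator refuses the name."""
    try:
        validate_upload_name(filename)
    except ValueError:
        return False or True
    return False


def stored_name(filename: str) -> str:
    """Server-chosen name: a random token plus the validated extension, never the user's text.
    Combined with a web-root layout where the upload directory cannot execute scripts,
    this removes the filename as an attack surface."""
    return f"{secrets.token_hex(16)}.{validate_upload_name(filename)}"


if __name__ == "__main__":
    sample = "screenshot.jpg\0.php"  # constructed, the case from the comment above
    print("naive check accepts it:", naive_is_image(sample))
    print("hardened check rejects it:", is_rejected(sample))
    print("stored as:", stored_name("holiday.JPG"))
```

The two checks disagree on exactly the input the comment describes: the naive check sees `screenshot.jpg` and says yes, the hardened one sees the NUL byte and the trailing `php` part and says no. Rejecting executable extensions anywhere in the name matters because a name like `shell.php.jpg` can still be executed by a server that maps handlers on any extension.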

  • @robconnor2013
    @robconnor2013 2 years ago

    Dude, this was such an intriguing video! 👍

  • @bluesquare23
    @bluesquare23 1 year ago +3

    Spin up a little php server and open that file up in a web browser! Show us what it looks like! Just turn off networking on the VM first. Also snip out that check for that hash so the page loads. It's probably got a sorta cool looking interface!

  • @fakeacount1479
    @fakeacount1479 2 years ago +7

    Hey John, I watched your malware analysis videos but they're so complex...
    Can you make a video about simple malware for beginners?

    • @Optable
      @Optable 1 year ago

      Network Chuck, Black Hat keynotes on YT, w3, and PC Security Channel all have great beginner content or advanced topics explained in simple to understand terms. I think John does a great job for entry level to intermediate, but may be hard to understand sometimes if you're a total beginner. Check them out.

  • @fredrikeliasson5875
    @fredrikeliasson5875 1 year ago

    8:34 - I am not any good at coding, but why is the malware trying to switch sperms on line 24 in stage2_modified.php? 🧐

  • @visualmodo
    @visualmodo 2 years ago

    Truly good work!

  • @gotdamnsoup2727
    @gotdamnsoup2727 1 year ago

    The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon: [link omitted]

  • @linus8247
    @linus8247 1 day ago +1

    30:42, why not, you don't want aLLLL the prizes? :D

  • @lavavex
    @lavavex 2 years ago +1

    "Keep sending me malware" is not something you hear every day lol 😂

  • @محمدكادر
    @محمدكادر 2 years ago +1

    you are the best

  • @LostInTheRush
    @LostInTheRush 2 years ago +1

    The Hello Dolly plugin is included by default in WordPress for some reason.

  • @liudvikasstankus
    @liudvikasstankus 2 years ago

    Thanks. This was super interesting.

  • @peterwestin1874
    @peterwestin1874 1 year ago

    Nice analysis and actually impressive code. I'd like to know who made it. Of course, awful when used with criminal intent but fun to play around with for white hats ❤

  • @Zed0086
    @Zed0086 2 years ago +1

    My man!

  • @Boolap1337
    @Boolap1337 2 years ago

    It's time for some 4k videos John! :)

  • @sudoer92
    @sudoer92 2 years ago

    you are the best💯

  • @jeoi
    @jeoi 1 year ago +1

    Have You Never Heard About Internet Archive (The WayBack Machine)? 😅

  • @dxnxz53
    @dxnxz53 2 years ago

    I'd love to see it in action :D

  • @couldbejake
    @couldbejake 1 year ago

    Would have been cool if you showed us the interface

  • @seif9923
    @seif9923 2 years ago

    I was doing a lot of research about this topic just yesterday.

  • @Spelter
    @Spelter 1 year ago

    Man, stopping mid deciphering was a bummer. The Take-Yourprizes URL had Shellcode it seems. When you curled it, we saw something. But the URL is down it seems, I get nothing anymore. Now, we will never know how deep this rabbit hole was.

  • @m0j0x00
    @m0j0x00 2 years ago

    How do I send you malware? I found files named upl.php and index.php on Linux servers. I need help because I want to know where they are coming from.

  • @Operaatoors
    @Operaatoors 2 years ago

    How did this cpl.php end up on some of their servers? Was it uploaded via some form, and the attacker tried to execute it somehow but hopefully failed, and just left a trace of this junk file on the server?

    • @Operaatoors
      @Operaatoors 2 years ago

      Yeah, thanks to the gist comment and WordFence, I understood...
      But basically, to protect against this happening, you just should not allow executing PHP files in the uploads folder, I guess.

  • @coffinplayz
    @coffinplayz 2 years ago +1

    Hello Santa, where is the Cyber of Advent day 2 video?

    • @coffinplayz
      @coffinplayz 2 years ago

      @axelvirtus2514 I like John Hammond's videos 😌

  • @alfred.clement
    @alfred.clement 1 year ago

    31:01 It could be a fake 404 to hide a webshell's presence

  • @DrewMyersUk
    @DrewMyersUk 2 years ago

    Look up Fishpig Magento 2 supply chain attack.

  • @ArSiddharth
    @ArSiddharth 2 years ago

    How can I find a bug in a website which is using an old PHP version (a website using PHP v5 🤩)

    • @lunafoxfire
      @lunafoxfire 1 year ago +2

      "how to hack website pls I am script kiddie"

    • @ArSiddharth
      @ArSiddharth 1 year ago

      @lunafoxfire sure, ping me.
      I will guide you😊

  • @dr_ned_flanders
    @dr_ned_flanders 2 years ago

    The hello dolly plugin is part of WordPress

    • @jacksoncremean1664
      @jacksoncremean1664 2 years ago

      I'm pretty sure it's included for new WordPress developers to learn about how to develop plugins. It's expected to be removed on a production site.

  • @konfushon
    @konfushon 2 years ago +2

    Wtf is with the "Hey you won a price" in the comments section?
    The malware author looking at this like 👁️👄👁️

  • @timmyzcorner
    @timmyzcorner 2 years ago +4

    At around 30 minutes in, I think the malware was looking for other webshells in the system, maybe to remove them? Quite confusing.

    • @pinobeppo9287
      @pinobeppo9287 2 years ago +1

      Yep, just wrote it too, but you were first! 😀 Totally agree with you.

    • @timmyzcorner
      @timmyzcorner 2 years ago

      @@pinobeppo9287 👍

  • @kerhabplays
    @kerhabplays 2 years ago

    Ok.. I'll follow you on Twitter

  • @monkaSisLife
    @monkaSisLife 2 years ago

    Absolute classic. You know these shenanigans if you work in the industry.
    Open a file and see b64? Welp.... your site is probably hacked.
    It's such a pain to clean this shit up

  • @angelg3986
    @angelg3986 2 years ago

    Dammit, my phone listens to my conversations

  • @mevkok
    @mevkok 1 year ago

    I've posted a tool that I created some time ago in your comment section... and it is just for that kind of malware... If you can't find it, hit me up and I'll send it to you :) It basically retrieves the actual code and you don't go through all the steps/stages... for the malware I was creating it for, it was 20+ stages... so.... pain in the rear...

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 1 year ago

    Biks maga biks ?

  • @eeledahc
    @eeledahc 2 years ago

    People of the comments, inform me. ALL of the random emails that I get with PDFs: I'd like to tear into them and see what's inside. Please suggest a starting point.

  • @thehistoryclass
    @thehistoryclass 1 year ago

    My question is how does the hacker put this shell on the server without access???? That's the only question... who has the answer??

  • @engineerscodes
    @engineerscodes 2 years ago

    Php : No plz No

  • @123norway
    @123norway 2 years ago

    WordPress*

  • @zer-kz8mb
    @zer-kz8mb 2 years ago

    RIP VK.

  • @guilherme5094
    @guilherme5094 2 years ago

    👍

  • @parihar-shashwat
    @parihar-shashwat 2 years ago

    Contact Form 7 is the worst in security.

  • @beautifulmoon6891
    @beautifulmoon6891 2 years ago +1

    That was an Indonesian hacker

  • @imdanielmartinez
    @imdanielmartinez 2 years ago

    Good Job hahahaha

  • @maxbunnies
    @maxbunnies 2 years ago

    $perms

  • @sonofescobar1337
    @sonofescobar1337 1 year ago

    There's Indonesia, dude

  • @pantekanda
    @pantekanda 1 year ago

    🤣🤣🤣

  • @i.n.2899
    @i.n.2899 2 years ago

    first

  • @deancrypto5939
    @deancrypto5939 2 years ago

    Please John, click on this, it is totally not malware and you will totally not get infected because of this

  • @robertclark2607
    @robertclark2607 2 years ago

    People use Microsoft, OMG don't they know Linux is the go in 2022 and beyond!

  • @rafageist
    @rafageist 2 years ago

    Wordpress sucks!

  • @timmyzcorner
    @timmyzcorner 2 years ago

    great video 👍

  • @PR2000
    @PR2000 2 years ago

    I found another one of these things on a website. What's your email? I'll send you the files

    • @maksymilianlewinski8619
      @maksymilianlewinski8619 2 years ago

      @PR2000 man, that's obviously a scam comment

    • @PR2000
      @PR2000 2 years ago

      @maksymilianlewinski8619 I know

    • @PR2000
      @PR2000 2 years ago

      @maksymilianlewinski8619 I only wanted to see if he replies

    • @PR2000
      @PR2000 1 year ago

      @CalebHammer608 Wow. What a cool scam comment. Haha

  • @裘伟
    @裘伟 2 years ago

    Does fikker have vulnerabilities??