Hello Dolly is included in Wordpress by default. It's actually a pretty nice way to hide code, as a lot of people will not delete the default plugins... I suppose it is a way to remotely execute code on every website as an admin. The stuff in the worker file is possibly to delete competing webshells, then probably to read base64 code from the wp_options table and execute it.

Finally! A walkthrough for the rest of us. Your practical insight per minute spend is bar none. Well done man. Been searching for a long time for something like this👏👏

That was fun! The rabbit holes had rabbit holes. Kudos to you, and I'm patting myself on the back for being able to follow all of that. Study and practice pay off!

Finally, a wordpress shell. Can't wait to see what it does.

I literally smile on 4:08 and thanks, I really learn a lot from you sir, its all a big chunk of knowledge that you share. took me a lot of time to understand a single video since I always try to look around and google anything that I don't know from what you've said. this is another great video content

I love these types of videos - just going through the crazy. Thanks John.

Advanced congratulations on reaching half a million family members.... You are the best john....💗

Hey John, today at work I noticed an event that I followed up on, and I found a similar webshell, I was able to revert a part, but I watched your video again and used one of the techniques you showed and I was able to revert all of it code, thank you very much for these videos 🤜🏻🤛🏻 ✌🏻

Great sponsor on this video man. Something I will deff look into after my current cert path. Cheers for the video.

Hi, great video. Could it be that the array in "worker.php" at 32:11 is a set of code snippets used in the ""Fast()" function at 16:35 in "stage2_modified.php" to remove "competing" webshells? Would be pretty neat! 😀 My second wild guess is that the Paranoid function does a wider RE based search, but just warns the user instead of automatically deleting files.

That "Tripped over" comment got me laughing. 😂 Just so you know, I'm constantly tripping over your channel. Thanks for all you do. 🙏🏽

I love everything about this video's thumbnail, especially the T-shirt John is wearing XD

Love this, please do a video using AFL to find a exploit then get code execution, I can't find a good video at all and I'm really wanting something simple that I can follow along with, I learn from being hands on

Dude, this was such an intreaguing video! 👍

Always great content

love these deobfuscation vids

I had many of these on my WordPress ❤️

Thanks. This was super interesting.

Truly good work!

This video is a must-see for anyone interested in exploring Wordpress PHP backdoors and webshells. JohnHammond does an excellent job of breaking down the concepts and explaining them in a clear and concise way. Thank You!

32:35 (line 59) includes a reference to "Leaf PHP Mailer" which is a legit mailer script but it can be loaded on to people's sites to send tons of spam. The code at 32:54 might be the email payload for the Leaf PHP Mailer. You can see things like "SUBJECT", "AMAZON|ADOBE|AZURE" and "BILLING|LOGIN" close together so I'd guess it's creating messages with subject lines stating either Amazon, Adobe or Azure plus Billing or Login, so it could be phishing spam. (On a side note, I want to copy your, "This is a disaster" and use it as my ringtone for work calls.)

Nice one John great video

Ok I need this

Spin up a little php server and open that file up in a web browser! Show us what it looks like! Just turn off networking on the VM first. Also snip out that check for that hash so the page loads. It's probably got a sorta cool looking interface!

One of my friends had this happen to several sites, and didn't have good backups. It took me several hours last night to write scripts to go through and clean up all the files. It makes updates to .htaccess files, prepends all index.php files, etc. so writing a bash script was tedious

you are the best💯

I was making alot of resaerch about this topic just yesterday.

Nice analyze and acutally inpressive code. Like to know who has made it. Of course, awfull when used with criminal intents but fun to play around with for white hats ❤

How easy it is to pop web shells is why every web developer needs to take things like OWASP and security training seriously. About 20 years ago, it was common to see websites that had an image upload feature for community images. A lot of these were using PHP because there was commonly available code that did it for you, except the built-in filename handling logic in PHP didn't handle null bytes in filenames correctly (e.g. it would consider screenshot.jpg\0.php just screenshot.jpg). Coupled with the fact that these files were just casually placed inside a web root somewhere meant with a clever file name you could toss a PHP web shell out and own any of these servers.

My man!

you are the best

The book you were reading was Volume 28 on Shelf 4 of Wall 1 of Hexagon: 0kro5a1299530gehm2g8v34iwb5tj57hjgzz6uenx95y9cp6928na05sms3k8chkmd1rlg38p75nczi9dibejq0wywxdh6dwbz04am7eqdyseuvinwrcyd9gjobgu9t3gb84gpm13sa4oynl9e67rl48q0iry1o5vsc3m8ljvnt84ugqwzv5hy9no4chl4cszt2546x74s03cqddy1coszk79eaupmmvidi6wz806kllixxs280147tgekoj66ne8l2vfcla4h6wtp4k2205xqs30wuzdbqvh7jnbkibrdpri3voqq80kjywgrwjj13ub71j7piis4nxibiv4i0flm0s4z2c8lf91p1qkpcw7txq24tijtt0fwdh5la9bm9y42t1uc33qlkltwshulaigr3bz2qk5zx5phoyyrvq9sos464jiq2702jfzf84xbwi8232jcj8kuzu1tvb61gu2qp8i1xjlsq56a8bnbiytjdvtn7p1kq5qknn4nksgxuvpyluk2zn4zg9oeptsx06gpf48h4ysned0d0na5mbjtlgejp9vv4psuiheg6695n9r6e10sbms56hebre76qamua32dfrdzueizhtnkfwke0wfwsr0tfrmeyixa09s5remtc4ikn3ciqirljgb87zl06l1kx5p92camrbykzjwyf3see3lvyd1upjkfkxfde0vxmiogf01dkdemypcep6m4g9i849kixc7vo1jc7th38s5uuyfd4v8mt5eo3v3o01ckaq6c62ixyac7c41ut2waohwmn6tgr8xkr71qbt3jqr0n55226n9hzgzeqe95epg34do2zhwwlm60ynqb7wjmnkym3adufrlqah35olcg4bvtgdbfof4tk8fiz1fi9hntdbrj3vh2ys5m5ffot0rkuz6jagwvvjja431025mwe1d8ps8ecm7xwkzttj52zgs55satbzg4k72ral9dkj9rzhhcyqmdte3qcll5ylwy804p7nvxxrfuvpy3s92eg6wluzv14j1tiseeiup66ckngfdudds934zx92myrag51o7vmawtu22nmxy0hd9dv6fth2pkb9ikchssardg49eyd0540op2a0xquuncdkkp57wit9gk1hn3w8rles6eyn33mnd87c39zhp49p01dcj9wr11ftnlf2uq2pgce7m866n1ayh8j8mlv3mrjjufk6hju3lebsfv5br6hehmuod5gqp3m9non8zsozbf45dooyugm0446vgihsbgmlazpfe3zyih7puts0utca1wdhcysixrx2dy7ctmjy8gzvq9frwrh0zhbw0w9c4cepwdyqvvhsq1imzzl9g5to012a8caek3x6c2ghxlrfeizz6ik9d4dy54m7mdzmkshuwv7cpe2awogc2jmxiqnvvq95lqo7t23qm9rjqmf277k2chjel98e9o2mrk5qmj6xp8qcat2b1eir4oqh4iojy33yvb8vcdacmb1nrhil8t9glnr7r5e875ycih3xk9sqf0u0zcfb12zbvr5ug4vh3cb6c6yx1ndtu931in73dfvcsiyzlebdorrmnqd12wsrrvydswk06nwpm6x2of9fypnla0n1vlblg3412xoyu17fxh55dlfs3a4n0ujy1z612hmeetqxsdz5kat70ylndwik34anufi91o4h5tlqw2andp26yv602feg2u2upreyu0rh5ed1m5utu1ne10fge535eacgtl6v7sskkhdzc4o7sttiwin72kxdpljflr9ym9w9bf3njoasqipumcfx7eukdcdj3fqww4um9mk8cho1ml5al9nejbfk8flyd4m383tq5lzmjgwzicqsnkhj8jwr59rc0jvym5ss7u6e3bu99x000sfbs6bwqcsglzky69k974ijd5lvlj3a4o10rp0w9np3syhp1zk5wnu85x78fjngfxem2cy6arqo5ypt7nvj1thodusp4wntjjt4hsf3nuya82sfyuwopozezqw0fzectg88f1i4irfrpb8y8i53rq78vr34ued4j5su3y80yb9lsqwpc5frtvbsip16qcq7g42bmmc2mwwf1inz4r06d6uhgc0r8fgwhqgujd6hm8759q8c3u6etqvkbhnlmp410c9sjzsyjmtmangrlwpibes9ca8ezz61qcyrvlra33nuerb4igtbpy2nex98w1qqzzooml94c1cvmb300kfb6y4v0pk8uvshpuppu5lj2vpcptnuyubaroid4eievyduwjzzecnc8ew4ixzu9fsanff39fp6kza3e2yi1dqxdyufgl7hb89jc3azcvhxynfa4q33muv78po8ycq79n490oq2yet8o4kgmjkqy5ny76d8aejy2r2eaw7bb3t6nd97wgbkorbuc6uxjd5f8qgpbomyk3aiq7ss3kjx8n6l44xrcdpg6ucpouio4bauoy79d5fr8wwx6ji7x6l5anlrhasvtcmbb5xjbqgcme6n3fu0beu10xm8e19ojmw3nty8ca294s873cz4m9hlg7gajirgw28e6162il0s0bmywgui9l1gzp8yp8ht9051pwdgmsmvnbqapn5osgyv5x8m6z6vxhiirf4p9gflkj8n2hr8qmh46getjipc260gyg59yqmltpwqb4v3oy7rgl6mo1ufecxbiukqvouuh5grqj0yzevkn8dttu2i5rekdenim9chzeelze8bru2vgxa20c9r48d2712o0xkzamvdu1upnmkn80v9eh18tm7moiza6gkpe8b0cw8d620upv9rm78jk1gzh5p74epeansl13rc9pv6sn7zqh8afup40uksorplonsjcbbq4mredsapmyg2bjig4qdzdpflzuaro0nvatzk41ec2qapd39l1dq4vn02un67ijym0c695iwoapdipr85nm6chjcwq2ygvj050uw7gnow5thucaojlkd1kg5iswkpgxor9v8zoazqv1jjhpai2dw5ao15yydn3rz1yfv1kqjfgbcdfh362aoytkusa3vtylrlaloftsnjlyptlbiz0y816dvx7wn81003596z37rl56fprdwmc52nrpxqoxtfh6z5hd1mzipjfcipglfxxigfj3mbtgda6tbznjeoejdfmdmfc95dk43y7v8v79p99ult1373audlng6gdyvagvc05mzaj7808l6w6fyzlru6ohqiazvs6kswlgnjh3snwv

Awesome!

I'd like to have the source to play with myself. I am a PHP dev. Edit: wow, at around 33:00 he references the b374k shell... that's about 8 years old!

Its time for some 4k videos John! :)

The Hello Dolly plugin is included by default in WordPress for some reason.

hey john, i watched the malware analysis videos for you but its so complex ... can you make video about simple malware for begineres

I'd love to see it in action :D

Keep sending me malware is not something you hear everyday lol 😂

Have You Never Heard About Internet Archive (The WayBack Machine)? 😅

Would have been cool if you showed us the interface

When attempted to CURL some of the URL and got redirects, it occoured to me that they are already using user agent detection and that my be implemented on these urls as well. @40:00

Man, stopping mid deciphering was a bummer. The Take-Yourprizes URL had Shellcode it seems. When you curled it, we saw something. But the URL is down it seems, I get nothing anymore. Now, we will never know how deep this rabbit hole was.

The hello dolly plugin is part of WordPress

how to send you malware? I Found upl.php and index.php named files on linux servers. I need help because i want to know from where they are coming

Look up Fishpig Magento 2 supply chain attack.

Ok.. I'll follow you on Twitter

8:34 - I am not any good at coding, but why is the malware trying to switch sperms on line 24 in stage2_modified.php? 🧐

👍

31:01 It could be a fake 404 to hide a webshell's presence

Wtf is with the "Hey you won a price" in the comments section The malware author looking at this like 👁️👄👁️

Absolute classic. You know these shenanigans if you work in the Industry Open a File and see b64? Welp.... your site is probably hacked. Its such a pain to clean this shit up

How this cpl.php ended up on some of their servers? Was it uploaded via some form, and attacker tried to execute this somehow, but hopefully failed? And just left trace of this junk file on the server?

I've posted a tool that I created some time ago on your comment section... and it is just for that kind of malware... If you can't find it hit me up and I'll send it to you :) It basically retrieves the actual code and you don't go thru all the steps/stages... for the malware I was creating it it was 20+ stages ... so.... pain in the rear...

Hello santa where is Cyber of Advent day 2 video ?

How can I find bug in a webs' which using php old version (a website use php v5 🤩)

My question is how does the hacker put this shell in the server without access???? That's the only question...who has the answer??

Damnit, my phone listens my conversations

God Job hahahaha

Biks maga biks ?

People of the comments inform me. ALL of the random emails that I get with PDFs. I'd like to tear into them and see what's inside. Please suggest a starting point.

first

$perms

Contact Form 7 is worst in security.

RIP VK.

great video 👍

Php : No plz No

WordPress*

thats was indonesian hacker

🤣🤣🤣

ada indonesia coyyy

please john click on this it is totally not malwareand you will totally not get infect coz of this

People use microsoft, OMG dont they know linux is the go in 2022 and beyond!

Wordpress sucks!

at around 30 minutes in, i think the malware was looking for other webshells in the system to maybe remove them? quite confusing

I founded another one of these things in a website. What's your mail? I'll send you the files

fikker有漏洞吗？？