Friday, April 1, 2016

FilesMan Backdoor Malware On Your Computer

FilesMan is being abused in the wild

What is FilesMan? It is a file manager used to browse the files on a computer. It is the most basic malware tool that attackers upload to your website as a form of backdoor: a web shell that lets them browse your files. Some of these file managers are sophisticated and have their own GUI (Graphical User Interface); some are capable of uploading and downloading files from your website as if the attackers were sitting in front of your computer browsing it personally.

Do I have this malware on my website?

So how do you spot whether your website has it? A string search for "FilesMan" would actually do the trick. However, most attackers use heavy obfuscation so that you can't detect it by simple string searching. You may also want to look for split strings, where the marker is broken into concatenated pieces such as 'Files'.'Man'. This technique is widely used to outsmart string searching by site owners.

This is an example of an ordinary FilesMan that can be searched for throughout your system:
[Image: FilesMan backdoor malware]

While this one has been concatenated and can still be found by using a regular expression:
[Image: FilesMan obfuscated with string split applied]
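As an added example (not part of the original post or Quttera's tooling), the script below implements the two checks described above: a plain search for "FilesMan" and a regular expression that tolerates the quote, dot and whitespace characters PHP string concatenation inserts between the letters. The sample PHP fragments are constructed for the demonstration and contain only the marker strings, not a working shell; the file names and the `scan_tree` helper are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files: two obfuscated variants, one plain, one clean.
SAMPLES = {
    "plain.php": "<?php if (!empty($_POST['FilesMan'])) { /* ... */ } ?>",
    "split.php": "<?php $k = 'Files'.'Man'; if (isset($_POST[$k])) { } ?>",
    "split2.php": '<?php $k = "Fi" . "les" . "M" . "an"; ?>',
    "clean.php": "<?php echo 'hello'; ?>",
}

PLAIN = re.compile(r"FilesMan")

# Between each letter allow any run of quotes, dots and whitespace, which is
# what 'Files'.'Man' or "Fi" . "les" . "Man" leaves behind in the source.
SEPARATOR = r"[\"'\s.]*"
SPLIT = re.compile(SEPARATOR.join(re.escape(ch) for ch in "FilesMan"))


def scan_text(text: str):
    """Return 'plain', 'split' or None depending on how the marker appears."""
    if PLAIN.search(text):
        return "plain"
    if SPLIT.search(text):
        return "split"
    return None


def scan_tree(root: Path, suffixes=(".php", ".phtml", ".inc")):
    """Walk a directory and report (relative path, kind) for every hit."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            kind = scan_text(path.read_text(errors="ignore"))
            if kind:
                hits.append((str(path.relative_to(root)), kind))
    return hits


def scan_samples():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind in scan_samples():
        print(f"{rel}: FilesMan marker found ({kind})")
```

Run it against a site's document root by calling `scan_tree(Path("/var/www/html"))`; the split-string pattern also matches the plain form, which is why `scan_text` checks the exact string first. Every hit still needs a manual look, since a legitimate plugin could in principle contain the same letters.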


Other well-known file managers that are being abused in the wild have a GUI and can be found almost anywhere on the internet:

C99 Madshell:
[Image: C99 Madshell]

b374k-shell:
[Image: b374k]


How to prevent the infection

Every day, attackers find new ways to hide backdoors, so it is safest to follow these rules to improve your protection:
  1. Back up your site.
  2. Keep your CMS version up to date.
  3. Change your passwords periodically. Most hackers try to brute-force the credentials.
  4. Change the table prefix of the database. This will avoid SQL injections.
  5. Add additional security by modifying .htaccess.
  6. In the case of WordPress, it is recommended to periodically run both internal and external scans with our plugin.
  7. Always keep plugins and themes updated to the latest version.

Still got infected and/or blacklisted?

No worries. There are no bulletproof websites. Here at Quttera we clean this and other kinds of malware on a daily basis. If you'd like our malware analysts to help you, just select the appropriate ThreatSign! anti-malware plan and get back online.

For other issues and help: Quttera's help-desk