MalwareGone Threat Analysis – WSO FilesMan Backdoor

Note: This is the first post in a series of in-depth investigations into threats that have been detected by the CodeGuard MalwareGone tool. In each post, we will pick a specific kind of malware, trojan, virus, backdoor, rootkit, etc. to dissect and discuss. We will also provide manual removal instructions at the end, just in case you’re not yet using CodeGuard.

For this inaugural post, we will be looking at a modified version of the WSO FilesMan backdoor, which is a PHP webshell designed to control the whole system. Here is just a piece of the PHP file that was named prbnts.php and located in the /wp-includes/js/jquery/ui/ folder, which usually only holds JavaScript files (.js):


As you can see, the file is encoded in base64 and compressed with the PHP core gzdeflate function. When we decode and decompress the file we get something more readable:

$color = "#df5";
$default_action = 'FilesMan';        // default module of the shell: the file manager
$default_use_ajax = true;
$default_charset = 'Windows-1251';

if(!empty($_SERVER['HTTP_USER_AGENT'])) {
  // Visitors whose User-Agent matches this list (typically search-engine crawlers and
  // scanners) get a fake 404, so the shell stays hidden from anyone but its operator
  $userAgents = array("nouseragenthere");
  if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
    header('HTTP/1.0 404 Not Found');
    exit;
  }
}
// ... the rest of the decoded file is omitted here


This gives us some clues that the file is malicious and shouldn’t be there. Even if you aren’t tech savvy, just searching for the first four lines on Google will show you hints that this file is a backdoor, with the first findings dating back to the end of 2010. More specifically, the malicious file is a PHP web shell (or just PHP shell): a shell wrapped in a PHP script that uses built-in PHP functions to execute commands on the system. With it, an attacker can do basically anything on the server where it is located, such as upload or download files, install, run or delete programs, and sometimes even create or delete users, depending on the permissions of the web server’s user. It is a bit similar to having an SSH (Secure SHell) connection to the server. Can you imagine the damage this could do? If you have your web shell on a server, you literally “own” it. Now you know why people say someone got owned when their site gets hacked!

Here are some functions used to execute commands in PHP:

  • system() – Execute an external program and display the output
  • exec() – Execute an external program
  • shell_exec() – Execute command via shell and return the complete output as a string
  • passthru() – Execute an external program and display raw output

You may be asking: why would someone want to put a web shell on my server and control it? That is a great question! An attacker might need your server for many different reasons. First and foremost, a web shell is a backdoor. It gives them direct access to your server without having to exploit a vulnerability over and over, so it gives them a persistent way to access the server (unless you find and remove the file). Another reason would be to use your server as a zombie in a botnet, and make it execute attacks along with other infected machines. Some attackers also use infected machines to hide themselves from the police by pivoting their connection through these servers, making it harder for law enforcement to investigate and detect the source of the attacks.


This brings us to the question that any CodeGuard customer would ask themselves: why was my website hacked? How did it get infected? Well, just like viruses, web malware has variations as well. Malware developers might change a thing or two to avoid detection by pattern-based tools. In this particular case, our client was running WordPress version 4.4.2, which was already 7 months old and might be one of the causes of the infection. But let’s dig deeper before jumping to conclusions.

Looking to find the source of the hack on WordPress websites, we usually look first at the themes and plugins folders since those are the most common way to exploit a vulnerability and place a web shell or some other kind of malware. The WordPress development team has done a great job at hardening the WordPress core (which includes wp-admin and wp-includes folders, and root files), but themes and plugins are mostly third-party code.

The contents of /wp-content/themes


As we can see, the themes folder has only default WordPress themes. The first thing we recommend is removing anything from the website that you are not using. If someone finds a vulnerability in a plugin or theme that is installed on your website but not in use, they may still be able to exploit it and compromise your site. Removing unused themes and plugins reduces the attack surface a malicious user has on your website.

The contents of /wp-content/plugins

Now, the plugins folder has something that caught our attention: the jetpack plugin. This plugin is made by the team and it is widely used on many WordPress websites. It is well maintained and updated very often by their development team. The problem is that Jetpack has multiple public vulnerabilities as we can see at


Can you guess what version of the Jetpack plugin was on the website? Congratulations if you guessed version 2.5.2 (released in September 2013). While it is hard to detect the exact flaw a hacker was able to exploit on your website without going through all the logs (if you have access to them), I’m pretty sure this three-year-old version of the plugin was probably the cause of the compromise.

What could you do if your site is infected? Well, if you’d like to check if your website might have one of these malicious files you can do this:

  1. Sign into your server using SSH (Secure Shell)
  2. Go to your WordPress folder
  3. Run this command (the quotes keep the parentheses from being interpreted by the shell): grep -r "eval(gzinflate(base64_decode" .
  4. If any of the results have a long encoded string after this code, then you’re probably infected.
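The grep check above finds the wrapper but says nothing about what the blob hides. The following script is added here and is not part of the original post or of the MalwareGone tool: it walks a WordPress tree, flags the eval(gzinflate(base64_decode( wrapper, peels that single layer (PHP’s gzdeflate is raw DEFLATE) and checks the result for the FilesMan configuration strings shown earlier, and separately flags any .php file under wp-includes/js or wp-includes/css, where only static assets belong. The sample site it scans is constructed inline; the encoded blob wraps only three configuration lines, not a working shell.

```python
import base64
import os
import re
import tempfile
import zlib

# The wrapper described above: eval(gzinflate(base64_decode('<long blob>'))); the blob is group 1
OBFUSCATED_EVAL = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")
WSO_MARKERS = (b"$default_action = 'FilesMan'", b"$default_use_ajax", b"$default_charset")  # from the decoded header
STATIC_ONLY_DIRS = ("wp-includes/js/", "wp-includes/css/")  # core asset folders; a .php file there is suspicious

def decode_layer(blob: bytes) -> bytes:
    """Undo base64 + gzdeflate. gzdeflate() emits raw DEFLATE, hence wbits=-15; b'' if not a valid layer."""
    try:
        return zlib.decompress(base64.b64decode(blob, validate=True), -15)
    except (ValueError, zlib.error):
        return b""

def scan_file(path: str, root: str) -> list:
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    hits = []
    if rel.endswith(".php") and rel.startswith(STATIC_ONLY_DIRS):
        hits.append("php-in-static-dir")
    with open(path, "rb") as fh:
        data = fh.read()
    for match in OBFUSCATED_EVAL.finditer(data):
        hits.append("eval-gzinflate-base64")
        if any(marker in decode_layer(match.group(1)) for marker in WSO_MARKERS):
            hits.append("wso-filesman")
    return hits

def scan_tree(root: str) -> dict:
    """Relative path -> indicators, for every PHP file under root that matched something."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, root) if name.endswith((".php", ".phtml")) else []
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results

def make_fixture() -> str:
    """Constructed sample site (not real malware): one file wrapped the way the post describes."""
    root = tempfile.mkdtemp()
    os.makedirs(target := os.path.join(root, "wp-includes", "js", "jquery", "ui"))
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, matching PHP's gzdeflate()
    inner = b"$default_action = 'FilesMan';\n$default_use_ajax = true;\n$default_charset = 'Windows-1251';\n"
    with open(os.path.join(target, "prbnts.php"), "wb") as fh:
        fh.write(b"<?php eval(gzinflate(base64_decode('" + base64.b64encode(comp.compress(inner) + comp.flush()) + b"')));")
    return root
```

Point scan_tree at the real document root instead of make_fixture() to check a site; a hit of only "eval-gzinflate-base64" still deserves a manual look, since other shells use the same wrapper with different contents.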

If you are already infected, but don’t have access to your server via SSH or don’t know how to do that, you can start by doing this:

  1. Download the same version of WordPress you use on your site via
  2. Remove the wp-admin and wp-includes folders from your site (either using SSH or SFTP/S)
  3. Extract the zip file and upload only the new wp-admin and wp-includes folders to your website (don’t just overwrite the existing folders: if the attacker added files there, they would not be removed!)
  4. If that didn’t fix your site at least now you have narrowed the problem down to the wp-content folder and can start looking for suspicious files. Check your plugins and themes folder. Remove anything that you are not currently using on your site.
  5. Most FTP clients have search mechanisms that you can use to look for strings like “base64_decode”.
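Step 3 of the procedure above works because a clean release has a known set of core files. This added script, which is not part of the original post, compares the site’s wp-admin and wp-includes trees with a clean extract of the same WordPress version and reports files the clean copy does not have at all or has with different content; the two trees are constructed inline as stand-ins for a real site and a real release zip.

```python
import hashlib
import os
import tempfile

CORE_FOLDERS = ("wp-admin", "wp-includes")  # the folders the procedure replaces; wp-content is out of scope

def file_hashes(root: str) -> dict:
    """Relative path -> SHA-256 of content for every file under root (empty dict if root is missing)."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[os.path.relpath(path, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_core(site_root: str, clean_root: str) -> dict:
    """Core files the pristine copy lacks ('extra') or has with different content ('modified')."""
    report = {"extra": [], "modified": []}
    for folder in CORE_FOLDERS:
        site = file_hashes(os.path.join(site_root, folder))
        clean = file_hashes(os.path.join(clean_root, folder))
        for rel, digest in sorted(site.items()):
            if rel not in clean:
                report["extra"].append(folder + "/" + rel)
            elif clean[rel] != digest:
                report["modified"].append(folder + "/" + rel)
    return report

def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def make_fixture() -> tuple:
    """Constructed trees (not real WordPress): a clean extract and a site with one added and one altered core file."""
    clean, site = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, site):
        _write(root, "wp-includes/version.php", "<?php\n$wp_version = '4.4.2';\n")
        _write(root, "wp-admin/index.php", "<?php\nrequire_once 'admin.php';\n")
        _write(root, "wp-includes/js/jquery/ui/core.min.js", "/* jquery ui */\n")
    _write(site, "wp-includes/js/jquery/ui/prbnts.php", "<?php /* dropped file, present in no clean release */\n")
    _write(site, "wp-admin/index.php", "<?php\nrequire_once 'admin.php';\n// appended line\n")
    _write(site, "wp-content/plugins/jetpack/jetpack.php", "<?php /* not a core folder, ignored here */\n")
    return site, clean
```

Anything listed under "extra" is exactly what overwriting the folders would have left in place.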

If you have any questions or comments please don’t hesitate to contact us!



CodeGuard Launches Sandbox Staging™: Staging Servers for WordPress Developers

ATLANTA, GA. (September 13, 2016) – CodeGuard, Inc., the global leader in cloud website backup services, announced today a new feature, Sandbox Staging™, which instantly creates test environments for customers with WordPress websites.

Sandbox Staging

“Developers and designers know that they should be using a staging environment for the websites and applications they manage, update, or otherwise contribute to. It’s a widely accepted best practice”, says CTO Jonathan Manuzak. “The reason that many do not is that it’s a time-consuming and technically complex process to set up and maintain one of these environments. We saw an opportunity to simplify this for customers by leveraging our technical expertise and unique position in the market.”

CodeGuard manages a dynamic fleet of servers that perform more than 11 million backups per month and process 450 million API requests over the same time period. 260 Terabytes (TB) are transferred daily, and nearly 100 Petabytes (PB) are transferred annually. Operating at this scale in a reliable, performant and cost-effective way has forced the company to develop industry-leading practices for infrastructure container management and automation. “Combining our world-class infrastructure expertise with the foundational CodeGuard backup product to create a feature that allows our customers to work faster, reduce risk and adhere to best practices? That’s a winning proposition for everyone involved”, says Manuzak.

Sandbox Staging™ will allow customers to test work on a staging site and utilize CodeGuard’s backups to create the staging environment almost instantly. With the click of a button, a new server will be provisioned to host the content stored in the backup repository. Now customers can experiment away from production, test new versions of WordPress safely, explore new plugins, and do all of this without downtime or risk to the production site.

CodeGuard Launches Automated Plugin Updates for WordPress

New Solution for Leading Cause of WordPress Site Hacks

ATLANTA, GA. (September 8, 2016) – CodeGuard, Inc., the global leader in cloud website backup services, announced today a new feature, SiteUpdator™, which provides automated plugin updates for customers with WordPress websites.


“Customers have been asking us for years to update their plugins for them – so that when vulnerabilities are found in a plugin, and if they don’t have time to manually update their plugins, or if their hosting provider doesn’t do it for them, they won’t be victimized due to outdated plugins and end up with a site hosting malware or compromised for use by miscreants”, says CTO Jonathan Manuzak.

SiteUpdator™ will update, on a daily basis, all of the customer’s WordPress plugins that CodeGuard has access to and that need updating. The updates will occur after the daily file scans take place. CodeGuard hopes to prevent many malware infections with SiteUpdator™, since the primary reason for site infection is unpatched plugin vulnerabilities. And for zero-day attacks, CodeGuard’s ChangeAlert™ monitoring coupled with the newly released MalwareGone™ have the potential to transform website protection by immediately identifying new threats and then remediating them automatically.

Briefly, the plugin works by backing up the plugins, checking the WP catalog for available updates, and applying the updates one by one. It analyzes the website after each update, and if anything looks broken, it will roll back to a known good state. Only plugins in the WordPress catalog are updated.

CodeGuard Launches Patented Malware Monitoring and Remediation Service: MalwareGone™

ATLANTA, GA. (August 18, 2016) – CodeGuard, Inc., the global leader in cloud website backup services, announced today the release of patented technology which utilizes website backups for automated site remediation in the event of malware.

Coupled with CodeGuard’s ChangeAlert™ monitoring, which provides insight into new zero-day attacks, MalwareGone™ has the potential to transform website protection. Until now, companies have struggled in fixing sites infected with malware, with many relying on humans to provide fixes, while others with clunky automated technology end up causing more damage to sites than help.

“MalwareGone™ has been a long time coming – we have been waiting for years to release this product”, says David Moeller, CEO of CodeGuard. “The reason there isn’t a product like this on the market is that its foundation is our patented backup technology, which obviously no one else possesses.”


This isn’t your average malware cleanup tool. Instead of relying on just signatures, MalwareGone™ utilizes actionable intelligence from ChangeAlerts™ and examines the collected information. This approach allows the scanner to discover which files act and look like malware.

It’s designed to discover viruses, trojans, rootkits, spyware and other malware on any websites. It searches for early-life and next-generation malware; the kind of malware that doesn’t yet have a detection signature.

MalwareGone™ removes persistent threats from within the operating system by utilizing prior backups stored in CodeGuard’s cloud. This ensures that remediation happens as quickly, efficiently, and accurately as possible – no more destroyed websites from a “fixing” service.

CodeGuard uses a virtual version control system and stores site data in the cloud. Backups are stored as the differential between each daily scan of the site, providing visibility for users into what has changed along with the ability to undo any changes. Restoring a previous version is as easy as pressing a button.

For additional information regarding this new product, you can visit

CodeGuard Website Backup and Group Announce New Partnership

ATLANTA, GA. (August 8, 2016) – CodeGuard, Inc., the global leader in cloud website backup services, announced today a partnership with (NASDAQ: WEB), who will now offer CodeGuard’s suite of website backup services to customers who sign up for their hosting plans.

Hosting customers will be offered options for bundled packages of CodeGuard’s backup services – which include daily website monitoring for changes with ChangeAlert™ email notifications, differential backup to the cloud, 1-click restore, automated plugin updates for WordPress, and newly released malware monitoring and remediation.


Backing up Databases Just Got Easier

For websites using a content management system (CMS), backing up the database is crucial. In fact, database content such as posts, comments, and users is often more important to website owners than the file content (e.g. themes and plugins). That’s why CodeGuard now automatically detects and adds databases for websites built with WordPress, Drupal, and Joomla.

