28 Mar, 2022

FilesMan Malware - Why it Still Poses a Significant Threat to Your Website Security

The FilesMan malware still poses an incredible security threat. Here, we'll tell you what you can do to prevent infections and improve your overall website security.
While you can deal with some cyber threats as one-off annoyances, others linger or keep coming back. One example is the backdoor "FilesMan." It's an older threat that still puts your website security at significant risk.

We discussed this threat in a 2016 blog post. We're unhappy to report that FilesMan is still being used in the wild, manipulating the content of its victims' websites.

In this post, we'll talk about what the threat is, its extended functions, and what you can do to prevent infections - and improve your website security - going forward.
What is "FilesMan?"
FilesMan is a File Manager webshell with the ability to upload, download, and edit files found on the infected victim's server, creating a backdoor. This provides the hacker with countless options on how they can then use the victimized website. They can promote their own scam site or use it as a botnet for further malware distribution.

Listed below are some of the extended functions of FilesMan:

  • Console. To investigate and extract data from the infected server, FilesMan has predefined terminal commands. Some of these include "list dir," "show running process," and "show open ports." Additionally, it has commands to assist in locating config files and .htpasswd.

  • SQL access. Hackers can edit and make changes to the website's database. From there they can do whatever they want to the infected site, such as editing page content to inject malicious JavaScript code that redirects visitors to other nefarious websites.

  • FTP brute force. Malicious actors can also brute-force FTP credentials, taking usernames from /etc/passwd or passwords from a dictionary file (passwd.dic).

  • Infect. FilesMan also ships a ready-made function in its PHP file to infect other files on a site wherever it has write permission.

As you can see, there is no shortage of functions a hacker can use to compromise an otherwise healthy website. Now that you understand what it can do, it's important to also understand where to look for it.
Where to Locate the FilesMan Infection
In our investigations, we've encountered FilesMan backdoor locations in several areas. There are three we've noticed and highlighted here:

  • public_html/2index.php
  • public_html/wpp/[random].php
  • public_html/wp-content/themes/[theme name]/404.php

Do any of those look vaguely familiar? The most noticeable location on the list is likely the theme path with 404.php. Hackers love themes and see them as a hot target for deploying malicious scripts, because many website owners download themes from unknown sources, and some of those themes turn out to be vulnerable.

As we mentioned in our previous blog post on this topic, a quick search for the string "FilesMan" helps you find where the backdoor files sit on your website. The problem is that many of the malicious scripts use string manipulation, which lets them evade detection by a simple string search.

It's a sign of the threat's sophistication. That's one of the most frustrating aspects of the infection - not only is it comprehensive in the damage it can do, but it's consistently hard to pin down and eliminate.
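To show why a plain `grep FilesMan` is not enough, here is an added example scanner (our own illustration, not code from the original post or from FilesMan itself). It looks for the marker after peeling back a few assumed obfuscation layers (base64, strrev, str_rot13, \xNN and chr() escapes with '.' concatenation; which layers a real sample uses is an assumption) and also flags the three drop locations listed above. The sample files are constructed stand-ins, not real malware.

```python
import base64
import codecs
import re
MARKER = b"filesman"  # the plain-text string the post suggests searching for
DROP_RE = re.compile(r"(^|/)(2index\.php|wpp/[^/]+\.php|themes/[^/]+/404\.php)$")  # the post's 3 paths
# Assumed obfuscation layers to peel back (typical PHP tricks; not taken from the post).
HEX_RE = re.compile(rb"\\x([0-9A-Fa-f]{2})")        # "\x46"        -> F
CHR_RE = re.compile(rb"chr\(\s*(\d{1,3})\s*\)")       # chr(70)       -> F
CONCAT_RE = re.compile(rb"['\"]?\s*\.\s*['\"]?")     # 'Files'.'Man' -> FilesMan
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")     # candidate base64 runs
def normalize(blob: bytes) -> bytes:
    """Resolve \\xNN escapes, chr(NN) calls and '.' concatenation into plain bytes."""
    blob = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), blob)
    blob = CHR_RE.sub(lambda m: bytes([int(m.group(1)) % 256]), blob)
    return CONCAT_RE.sub(b"", blob)

def variants(blob: bytes, depth: int = 2) -> set[bytes]:
    """The text plus every decoding reachable through up to `depth` nested layers."""
    seen, frontier = {blob}, [blob]
    for _ in range(depth):
        nxt = [normalize(b) for b in frontier]
        for b in frontier:
            nxt.append(b[::-1])                                                    # strrev()
            nxt.append(codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"))  # str_rot13()
            for m in B64_RE.finditer(b):                                           # base64_decode()
                try:
                    nxt.append(base64.b64decode(m.group(0), validate=True))
                except ValueError:
                    pass  # not valid base64 after all
        frontier = [v for v in nxt if v not in seen]
        seen.update(frontier)
    return seen

def has_marker(content: bytes) -> bool:
    return any(MARKER in v.lower() for v in variants(content))

def scan(path: str, content: bytes) -> list[str]:
    hits = ["FilesMan marker (possibly obfuscated)"] if has_marker(content) else []
    if DROP_RE.search(path):
        hits.append("known FilesMan drop location")
    return hits

SAMPLES = {  # constructed stand-ins for site files; none is real malware
    "public_html/index.php": b"<?php echo 'hello'; ?>",
    "public_html/2index.php": b"<?php $a = 'FilesMan'; ?>",
    "public_html/wp-content/themes/t/404.php": b"<?php $a = strrev('naMseliF'); ?>",
    "public_html/wpp/x7q.php": b"<?php eval(base64_decode('" + base64.b64encode(b"echo 'FilesMan';") + b"')); ?>",
    "public_html/a.php": b"<?php $a = str_rot13('SvyrfZna'); ?>",
    "public_html/b.php": b"<?php $a = chr(70).\"\\x69\".'lesMan'; ?>",
}
```

Running `scan(path, content)` over every entry in SAMPLES flags all but index.php; in practice you would walk the document root and feed each PHP file through it.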
So, what action can you, as a website owner, take to mitigate the risk you expose yourself to with this problem?
How to Prevent Infection
Hackers are relentless in finding new ways to exploit vulnerabilities and gain access to systems and websites, and they're constantly looking for new methods of hiding backdoors. That makes it more important than ever for website owners to remain vigilant, and to get creative and proactive in their approach to risk management.

First things first: here are some basic website security steps you can take to help prevent your site from being infected.
  • Back up your site. True, this won't exactly prevent infection - but it will certainly make it a lot easier to return to normal operations after you experience one.
  • Keep your CMS version up to date.
  • Change passwords periodically, as many hackers will try to brute-force your credentials. Make sure the passwords are unpredictable and impossible to guess. Opt for randomly generated passwords over words that can be tied back to you or easily guessed.
  • Avoid SQL injections by changing the table prefix of your database.
  • Modify .htaccess to add an additional layer of security.
  • If you're using WordPress, use our plugin to periodically scan both internally and externally. Don't subscribe to the "no news is good news" approach - stay watchful and cognizant of potential threats.
  • No matter what themes or plugins you're using on your site, you should be operating with the latest versions.
All these steps represent proper cyber hygiene. But often, even these preventative (and reactive) measures aren't enough. That's why it's prudent to partner with an IT provider who can keep your websites fortified from threats such as FilesMan. At Quttera, we have just the solution for this problem.
How Quttera's ThreatSign! Can Help Protect You From FilesMan
Enter Quttera's ThreatSign Website Protection Platform. We equip our customers with a rich, comprehensive arsenal of fully automated tools to optimize website protection.

While the services rendered help ensure maximal protection, the automation capabilities provide you with all the functions of the software without the hassle of manually performing the duties yourself.
Our Web Application Firewall (WAF) stops attacked websites cold. It prevents them from downloading malicious PHP files that will inflict further damage on that site and potentially others.

What if your site has been compromised but you don't know it yet? With our continuous server-side scan, ThreatSign! automatically detects and cleans up an injected FilesMan infection. It stops the threat from spreading any further, putting an end to the damage.

If there's an infection written into your website's HTML code, our external website monitor can detect that, taking action to remove it.

Simply put, Quttera's ThreatSign! helps give you a fighting chance against FilesMan, a devastating and complex threat. With ThreatSign! you have the tools needed to stay prepared and be able to react effectively. Use ThreatSign to protect your website from FilesMan and other malware.