We still don’t know if there is any relation between the infections, but all of the examined websites contained numerous generic PHP shells and backdoors whose names have the following format:
- footer[\d]{0,2}.php
- login[\d]{0,2}.php
- stats[\d]{0,2}.php
- user[\d]{0,2}.php
- gallery[\d]{0,2}.php
- sql[\d]{0,2}.php
- file[\d]{0,2}.php
- object[\d]{0,2}.php
- license[\d]{0,2}.php
- ferg[\d]{0,2}.php
- dirs[\d]{0,2}.php
- global[\d]{0,2}.php
- include[\d]{0,2}.php
For readers who are unfamiliar with regular expression syntax: [\d] matches a single digit 0-9, and {0,2} means at most two consecutive digits. For example, “dirs12.php”.
We assume that all these backdoors/shells are used for general management of the infected websites and don’t handle any specific functionality.
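The naming scheme above can be turned into a triage check for a compromised webroot. The following is an added example, not code from the original post; the sample paths are constructed, and treating the match as case-insensitive is my own (slightly broader) choice.

```python
import os
import re

# Base names taken from the post; [\d]{0,2} == up to two trailing digits.
SUSPICIOUS_BASENAMES = [
    "footer", "login", "stats", "user", "gallery", "sql", "file",
    "object", "license", "ferg", "dirs", "global", "include",
]

# One anchored pattern: <basename><0-2 digits>.php
# Case-insensitive matching is an assumption (casts a wider net for review).
SUSPICIOUS_RE = re.compile(
    r"^(?:" + "|".join(SUSPICIOUS_BASENAMES) + r")\d{0,2}\.php$",
    re.IGNORECASE,
)


def matches_pattern(filename: str) -> bool:
    """True if the bare filename fits the naming scheme from the post."""
    return SUSPICIOUS_RE.match(os.path.basename(filename)) is not None


def flag_paths(paths):
    """Return the sorted subset of paths whose filename fits the scheme."""
    return sorted(p for p in paths if matches_pattern(p))


def scan_tree(root):
    """Walk a webroot on disk and return flagged paths for manual review."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if matches_pattern(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed sample listing (not from the post) covering the edge cases.
SAMPLE_PATHS = [
    "/var/www/html/wp-content/uploads/2015/footer12.php",         # matches
    "/var/www/html/wp-content/themes/twentyfifteen/footer.php",   # matches, but legit in a theme
    "/var/www/html/images/dirs7.php",                             # matches
    "/var/www/html/stats123.php",                                 # three digits: no match
    "/var/www/html/wp-login.php",                                 # different prefix: no match
    "/var/www/html/license.txt",                                  # not .php: no match
    "/var/www/html/includes/global1.PHP",                         # matches (case-insensitive)
]

if __name__ == "__main__":
    for p in flag_paths(SAMPLE_PATHS):
        print("review:", p)
```

Because names like footer.php are also legitimate in themes, the output is a review list, not a delete list; compare each hit against known-good checksums or the vendor package before acting.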