FORENSIC CASE STUDY

//ANATOMY OF A BREACH

When a client came for help with her website, she noticed it was acting strangely and was redirecting to all sorts of placesβ€”that's where the discovery started. This case study details our forensic analysis of the attack, showcasing the precise tools and evasion techniques employed by the adversaries.

The Threat: The design, features, and specifically the v3.0.1 version badge discovered during our investigation strongly align with a notorious real-world malware known as the ALFA TEaM Shell (often just called Alfa Shell). Alfa Shell is one of the most advanced, premium-looking, and widely distributed PHP web shells on the internet. It is heavily used by various threat actor groups (historically linked to Iranian hacker groups, but now used globally by many cybercriminals) to manage compromised web servers.

01

Discovery & Initial Access

The investigation commenced with a deep-dive analysis of the server access logs. We quickly determined that the initial entry point was not an exotic zero-day vulnerability, but rather a persistent and aggressive credential brute-force attack targeting the WordPress admin portal (/wp-login.php).

The threat actors utilized a distributed botnet, cycling through various IP addresses to test common username and password combinations. Interestingly, the attacker's automated script contained a critical operational security flaw: the password being tested was incorrectly sent in the HTTP User-Agent header.

This forensic artifact allowed us to pinpoint the exact moment of successful authentication and identify the compromised password from the raw access logs:

167.100.106.54 - - [31/May/2026:20:05:47 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://target-site.com//wp-login.php" "[REDACTED_PASSWORD]"
167.100.106.54 - - [31/May/2026:20:05:48 +0100] "GET /wp-admin/ HTTP/1.1" 200 89192 "https://target-site.com//wp-login.php" "[REDACTED_PASSWORD]"

Forensic Finding: The attack succeeded due to a weak, reused password. Implementing Multi-Factor Authentication (MFA) and login rate-limiting drops this entire class of attack at the perimeter.

02

The Malware Artifact

Once authenticated as an administrator, the attacker abused the plugin installation feature to upload multiple ZIP files masquerading as legitimate tools. These directories contained deeply nested PHP web shells designed to blend seamlessly with normal core files.

During our forensic extraction, we isolated the primary backdoor. To demonstrate the severe capabilities of this malware, we have safely rendered the exact graphical interface extracted from the backup below. This is not an approximationβ€”this is the actual tool the attackers used to navigate the compromised server.

Note: All malicious functionality has been entirely stripped. This is a defanged educational demonstration.

πŸ” Web Shell Analysis

v3.0.1
πŸ”¬ SAFE DEMONSTRATION β€” NO CODE EXECUTES β€’ All interactions are simulated
πŸ“Š System Information DEMO
Server IP: 192.168.1.100
Hostname: demo-site.local
OS: Linux 5.15.0-86-generic
Web Server: Apache/2.4.54
PHP Version: 8.2.12
User: www-data (UID: 33)
Memory: 1.2GB / 2.0GB (60%)
Disk: 18GB / 25GB (72%)
πŸ“ File Manager LIVE ARTIFACT Path: /var/www/html/demo/
Name Size Permissions Modified Actions
πŸ“ wp-admin/ 4.2 MB 755 2026-07-04 12:34
πŸ“ wp-content/ 128 MB 755 2026-07-04 12:34
πŸ“„ wp-config.php 1.2 KB 644 2026-07-04 12:34
πŸ“„ gfGujO2Lndefault.php πŸ”΄ 12.5 KB 666 2026-06-29 01:20
πŸ“„ wp-conffg.php πŸ”΄ 8.2 KB 666 2026-06-28 14:20
Showing 4 of 156 files
πŸ”¬ DEMO: Files shown are simulated. No actual filesystem access occurs.
πŸ’» Terminal Emulator DEMO
www-data@demo:~$ whoami
www-data
www-data@demo:~$ ls -la /var/www/html/
total 124
drwxr-xr-x 5 www-data www-data 4096 Jul 4 12:34 .
-rw-r--r-- 1 www-data www-data 12500 Jun 29 01:20 gfGujO2Lndefault.php
-rw-r--r-- 1 www-data www-data 1245 Jul 4 12:34 wp-config.php
www-data@demo:~$
πŸ”¬ DEMO: Commands are simulated. No actual system commands are executed.
πŸ—„οΈ Database Manager DEMO
● Connected user_wp938 (MySQL 8.0.35) 12 tables | 1,247 rows
Table Rows Size Actions
wpm_users 15 64 KB
wpm_posts 1,247 18 MB
wpm_options 456 2 MB
πŸ”¬ DEMO: Database queries are simulated. No actual database access occurs.
⚑ Quick Actions DEMO
πŸ”¬ DEMO: All actions are simulated. No actual changes are made to any system.
πŸ” Obfuscation Technique: str_rot13 Educational

What is ROT13? A Caesar cipher that shifts letters by 13 positions. Used by this web shell to hide file paths from security tools.

// What the attacker's browser sends
path=ubzr/ryvgfrpb/choyvp_ugzy/jc-nqzva/

// What the server decodes it to
path=/home/target/public_html/wp-admin/
Encoded: /rgp/cnffjq
Decoded: /etc/passwd
Encoded: /ebbg/.ffu/vq_efn
Decoded: /root/.ssh/id_rsa
03

Evasion & Obfuscation Analysis

The most sophisticated aspect of this attack was the "listener script" hidden deep within the fake plugin architecture. This script served as an advanced loader engineered explicitly to bypass static Antivirus signatures and Web Application Firewalls (WAF).

Dynamic Function Resolution

To avoid triggering alarms, the script abstained from using recognizable, highly-flagged PHP function names like eval, base64_decode, or gzuncompress. Instead, it dynamically constructed these names at runtime using XOR mathematics and character concatenation.

// Reconstructing 'base64_decode' in memory to bypass static scanning
// The malware used complex XOR math and additions so strings never appear in plaintext
$func = chr(138^249) . chr(36-36+116) . chr(214^185) . chr(112+(93^93)) /* ... */ ;
// Ultimately resolving to:
$func($payload);

The Decryption Pipeline

The primary web shell payload was hidden within a massive Base64 string. Before execution, it passed through a rigorous, multi-stage decoding pipeline designed to frustrate security analysts:

  1. Base64 Decode: Unpacking the initial transport layer.
  2. XOR Decryption: XOR'ing the data against a hardcoded key (STREAM_INIT).
  3. Hex to Binary: Converting the resulting hexadecimal string.
  4. Character Rotation: Applying a str_rot13 Caesar cipher.
  5. Decompression: Expanding the payload via gzuncompress.
  6. Execution: The fully unpacked payload is passed into a hidden @eval().
04

Actions on Objective & Remediation

Using the terminal emulator within their web shell, the attacker launched an interactive bash session directly on the server. Our analysis of the recovered .bash_history file revealed their exact movements.

They performed brief reconnaissance, verifying their user privileges and checking the filesystem for competing backdoors installed by other threat actors. Finally, they executed a destructive command to recursively delete the entire web root (rm -rf public_html/*), taking the client's site offline and replacing the homepage with a simplistic defacement message.

The Mitigation Strategy: By identifying the precise timeline of the initial breach through log analysis, we were able to restore a pristine backup predating the first successful login. We subsequently purged compromised database credentials, enforced strict MFA, and deployed a Web Application Firewall to secure the perimeter.

Require Forensic Incident Response? Or just help with your website?

If your digital infrastructure has been compromised, or if you need expert analysis to secure your assets against advanced persistent threats, I am ready to deploy. I also make awesome websites and help save your brand in less than a day!