Akamai experts report a significant increase in cyberattacks that target vulnerable instances of the Chinese PHP framework ThinkPHP to install the Dama web shell.
The Dama web shell lets the attackers keep control of compromised systems and fold them into their own infrastructure while avoiding detection. Akamai first detected this activity in October 2023 and reports a notable escalation in attack volume recently.
The attackers exploit two old ThinkPHP vulnerabilities:
- CVE-2018-20062 (CVSS 9.8), associated with NoneCms 1.3, which lets remote attackers execute arbitrary PHP code. Discovered in December 2018.
- CVE-2019-9082 (CVSS 8.8), affecting ThinkPHP 3.2.4 and older versions, as used in Open Source BMS 1.1.1, which allows remote code execution (RCE). Discovered in February 2019.
The attackers leverage these vulnerabilities to execute code remotely, affecting the various CMS products built on the framework. They upload a file named “Public.txt”, which is the Dama web shell in disguise, rename it to “Roeter.php”, and gain remote access to the compromised servers in Hong Kong using the password “Admin”. Akamai observes that infected servers distributing this file become additional nodes in the attackers’ infrastructure.
The Dama web shell provides extensive capabilities, such as:
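The two file-level traits described above (a web shell carried in a “.txt” file, then renamed to “Roeter.php”) can be turned into a simple host check. The following is an added example written for this page, not Akamai's code or the campaign's; the file names come from the description above, while the sample web root, its contents and the extension list are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# File name taken from the Akamai description above; every other value is constructed.
SUSPECT_NAMES = {"roeter.php"}
# Extensions that should never carry PHP code: a PHP open tag inside one of these is
# the "web shell disguised as a text file" pattern described for Public.txt.
NON_PHP_EXT = {".txt", ".jpg", ".png", ".gif", ".log"}
PHP_TAG = re.compile(rb"<\?(php|=)")


def scan_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) pairs worth review."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPECT_NAMES:
            findings.append((rel, "known web shell file name"))
        # Only the first 4 KiB is read; a shell's open tag sits at the top of the file.
        if path.suffix.lower() in NON_PHP_EXT and PHP_TAG.search(path.read_bytes()[:4096]):
            findings.append((rel, "PHP code inside a non-PHP file"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (no real malware): a clean page, a disguised file, a renamed file."""
    root = Path(tempfile.mkdtemp(prefix="thinkphp_scan_"))
    (root / "public" / "upload").mkdir(parents=True)
    (root / "public" / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "public" / "Public.txt").write_bytes(b"<?php /* constructed stand-in for a shell body */ ?>")
    (root / "public" / "upload" / "Roeter.php").write_text("<?php /* constructed stand-in */ ?>")
    (root / "public" / "upload" / "notes.txt").write_text("plain text, nothing to see")
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot()):
        print(f"{why}: {rel}")
```

On a real ThinkPHP host, point `scan_webroot` at the application's `public` directory and review each finding by hand; the name match is a weak signal on its own, while the disguised-file heuristic catches the upload stage regardless of the final name.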
- Controlling the file system on compromised servers
- Uploading files
- Collecting system data
- Scanning network ports
- Accessing databases
- Bypassing disabled PHP functions to execute shell commands
Despite this feature set, Dama lacks a command-line interface, which limits its practicality as a web shell.
That the campaign relies on outdated, long-patched vulnerabilities underscores the importance of effective vulnerability management: timely updates are critical. Organizations are