{
	"id": "464fbbfb-403b-4127-86d9-579031aa88e9",
	"created_at": "2026-04-06T00:09:24.840035Z",
	"updated_at": "2026-04-10T03:21:01.888893Z",
	"deleted_at": null,
	"sha1_hash": "e5d56a835c48c18daa2aa1b19e35896e568f1e24",
	"title": "Finding Neutrino",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 704932,
	"plain_text": "Finding Neutrino\r\nArchived: 2026-04-05 22:24:52 UTC\r\nIn August 2018, PT Network Attack Discovery and our honeypots began to record mass scans of phpMyAdmin systems.\r\nScans were accompanied by bruteforcing of 159 various web shells with the command die(md5(Ch3ck1ng)). This\r\ninformation became the starting point of our investigation. Step by step, we have uncovered the whole chain of events and\r\nultimately discovered a large malware campaign ongoing since 2013. Here we will give the details and the whole story, from\r\nstart to finish.\r\nWe got scanned!\r\nInfected bots from all over the world were randomly scanning IP addresses on the Internet. In doing so, they scanned PT\r\nNAD networks and diverse honeypots.\r\nRequest as viewed in the PT NAD interface\r\nScanning happened as follows:\r\nFirst, the bot bruteforced the path to phpMyAdmin by moving down a list. \r\nOnce it found phpMyAdmin, the bot started bruteforcing the password for the root account. The dictionary contained\r\nabout 500 passwords, the first guess of the attackers being \"root\" (the default password). \r\nNext, after the password was successfully bruteforced, nothing happened. The bot did not exploit vulnerabilities and\r\ndid not execute code in any other way.\r\nIn addition to phpMyAdmin, the bot bruteforced paths to web shells, also by moving down a list, and tried executing\r\nsimple PHP commands. The dictionary contained 159 shell names, and this was the stage that left us wondering the\r\nmost.\r\nhttps://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html\r\nPage 1 of 10\n\nRequest to the web shell with a command. If the response contains a correct MD5 value, the server is infected.\r\nSuch scans were noted and described many times in summer 2018 by other researchers (isc.sans.edu/diary/rss/23860). 
But\r\nnobody tried to discover their source and purpose.\r\nTo get the answers, we prepared honeypots posing as vulnerable servers. They were phpMyAdmin installations with\r\nroot:root credentials and web shells responding with the correct MD5 hash. For instance, in the previous screenshot, this was\r\na hash value of 6c87b559084c419dfe0a7c8e688a4239.\r\nAfter a while, our honeypots brought their first results.\r\nThe payload\r\nThe honeypot with a web shell started to receive commands containing a payload. This payload, for instance, instructed it to\r\nsave a new shell named images.php and execute commands in it:\r\nAfter we decoded the base64 commands, it became clear that the first two requests find out the computer's configuration,\r\nand the third request executes a PowerShell script to download external components. Base64 commands are transmitted in\r\nthe \"code\" parameter. For authorization it uses the SHA1 hash of the MD5 parameter \"a\". For the string \"just for fun\" the\r\nhash will be 49843c6580a0abc8aa4576e6d14afe3d94e3222f; only the last two bytes are checked.\r\nIn most cases, the external component is a Monero cryptocurrency miner. In Windows it gets installed in the %TEMP%\r\nfolder under the name lsass.exe. The miner version may vary. Some versions function without arguments and have a hard-coded wallet address. Most likely, this was done to reduce the risk of detection.\r\nThe second potential component is a PowerShell script with a DLL library inside. It is downloaded from the server by another\r\nPowerShell script. The library code is executed in memory, so it is not stored on disk. The DLL library is responsible for\r\nspreading the malware and adding hosts to the botnet.\r\nA similar case, Ghostminer, was already described by researchers from Minerva Labs in March 2018 (bit.ly/2XwjSxO). 
But\r\nit derives from Neutrino, which dates back to 2013. Neutrino is also known as Kasidet. It was previously distributed via\r\nemails and various exploit kits. Its functionality changed, but the protocol for communicating with the command and control\r\nserver and other artifacts remain unchanged. For instance, the string \"just for fun\" was used for authentication in samples as\r\nold as January 2017. Nine reports on Neutrino from 2014 can be found in Malpedia (bit.ly/2VrRJpG). The details of the last\r\nreport from Minerva Labs enabled us to spot changes in the ways this malware is distributed.\r\nThe second component is the one that interests us, because it searches for new hosts to infect.\r\nHow Neutrino searches for new servers\r\nAfter a server is infected, the first thing Neutrino does is change such TCP stack parameters as MaxUserPort and\r\nTcpFinWait2Delay. This is done to set up the infected host for the fastest scanning possible.\r\nCode for changing TCP stack parameters \r\nNext it contacts the command and control (C2) server, which oversees scanning on the infected computer. The C2 server\r\nsends a command to check random Internet servers for one of several vulnerabilities. 
The list of checks in the Neutrino\r\nversion from October 2018 was rather wide-ranging:\r\nSearch for XAMPP servers with WebDAV\r\nSearch for phpMyAdmin servers potentially vulnerable to CVE-2010-3055 (an error in the setup.php configuration\r\nscript)\r\nSearch for Cacti's Network Weathermap plug-ins vulnerable to CVE-2013-2618\r\nSearch for Oracle WebLogic vulnerable to CVE-2017-10271\r\nSearch for Oracle WebLogic vulnerable to CVE-2018-2628\r\nSearch for IIS 6.0 servers vulnerable to remote code execution via the HTTP PROPFIND method (CVE-2017-7269)\r\nSearch for and exploitation of the infamous hole in Apache Struts2\r\nSearch for exposed Ethereum nodes: in June 2018, attackers were able to steal $20 million in this way\r\nBruteforcing the \"sa\" account in Microsoft SQL: after successful bruteforcing, Neutrino tries to execute code via\r\nxp_cmdshell\r\nSearch for phpMyAdmin installations without credentials\r\nBruteforcing phpMyAdmin installations with credentials\r\nExtensive logic for searching for listed PHP web shells\r\nModules that appeared after the Minerva Labs report are shown in green. The last item on this list, the search for web shells,\r\nis the one responsible for the scans that caused us to start our investigation. The list included 159 addresses with unique\r\nparameters. For example:\r\nwuwu11.php:h\r\nweixiao.php:weixiao\r\nqwq.php:c\r\nCode responsible for web shell scanning\r\nThe preceding screenshot illustrates the relevant Neutrino code.\r\nIn addition to scanning for vulnerabilities, Neutrino can execute arbitrary commands and take screenshots. 
In the version\r\nfrom December 2018, the authors added three more modules:\r\nSearch for exposed Hadoop servers\r\nBruteforcing credentials for Tomcat servers\r\nSearch for JSP shells from a list\r\nWe have seen the names of these JSP shells before in the JexBoss tool (github.com/joaomatosf/jexboss) and the JBoss worm\r\n(bit.ly/2UeM9H9).\r\nWhile studying this botnet, we have seen it change behavior several times. The first scans in summer contained the\r\n\"Ch3ck1ng\" check, but then moved on to \"F3bru4ry\" in February. These strings are stored inside the Neutrino module in\r\nstatic form, so each such change indicates an update to Neutrino: for instance, the C2 address changed or a new module was added.\r\nC2 communication\r\nData exchange between the Neutrino bot and C2 server is encoded in base64. The Cookie and Referer headers are always\r\nthe same, and serve for authorization.\r\nExchange of commands between Neutrino bot and C2 server\r\nIn the very beginning, the bot checks the C2 connection with a simple pair of messages: Enter–Success. Next it checks in by\r\nsending brief information on the system. This request is shown in the previous screenshot. The request provides data on\r\nRAM, CPU, and username. The serial number of the volume containing the system partition is used as a unique host-specific ID. The C2 server responds with a new task for the host. This could be a search for new vulnerable hosts or\r\nexecution of commands. For instance, the PMAFind command (in the screenshot) initiates a search for servers containing\r\nphpMyAdmin, Hadoop, Tomcat, listed shells, and WebDAV.\r\nIf Neutrino finds a vulnerable server, by bruteforcing the password for phpMyAdmin, for example, it informs the C2 server.\r\nData is exchanged with base64 encoding. 
For example:\r\nPMAFind\u0026XXXXXXXX\u0026TaskId\u0026[Crack:PMA] root/root\u0026http://11.22.33.44/phpmyadmin/index.php\r\nMiner\r\nUnlike the Neutrino module, the miner is stored on disk and starts automatically. This is controlled by a service named\r\n\"Remote Procedure Call (RPC) Remote\" or by the WindowsUpdate task, either of which runs the PowerShell code. This code is stored in\r\nthe EnCommand field of the WMI space root\\cimv2:PowerShell_Command. The executable file of the miner itself occupies\r\nthe nearby EnMiner field. For operation, Neutrino and the miner write to certain fields of the same space, such as process ID\r\n(PID) and version number.\r\nThe script from the EnCommand field launches EnMiner in several steps.\r\n1. The KillFake function kills processes that imitate standard ones. One such process could be explorer.exe, if it is run\r\nfrom a place other than %WINDIR%. The function then deletes them from disk.\r\n2. KillService stops and removes services whose names match the preset mask.\r\n3. Killer removes services, tasks, and processes by a list of names or by launch arguments.\r\n4. The Scanner function checks the content of each launched process and deletes any that contain strings typical of\r\ncryptocurrency miners.\r\n5. The lsass.exe miner is saved in the %TEMP% folder and launched.\r\nTo generalize, the KillFake, KillService, Killer, and Scanner functions are responsible for getting rid of Neutrino's\r\ncompetitors. They will be described later on in this article. An example of the EnCommand script is available at\r\npastebin.com/bvkUU56w.\r\nAddresses of XMR wallets vary from sample to sample. On average, each address got 10–40 XMR. The first transactions\r\nstarted in December 2017. But some hosts were taken over by other malware. 
For instance, the address\r\n41xDYg86Zug9dwbJ3ysuyWMF7R6Un2Ko84TNfiCW7xghhbKZV6jh8Q7hJoncnLayLVDwpzbPQPi62bvPqe6jJouHAsGNkg2\r\nreceived 1 XMR a day starting February 2018, for a total of 346 XMR. The same address is mentioned in a June 2018 report\r\nfrom Palo Alto Networks (\"The Rise of Cryptocurrency Miners\"). The report describes the surge of malicious\r\ncryptocurrency mining. As of June 2018, such miners' estimated haul was $175 million, or five percent of total Monero\r\ncoins in circulation.\r\nMy php, your admin\r\nBecause the Neutrino bot itself does not exploit vulnerabilities, but only collects a list of servers, the infection mechanism\r\nremained unclear. Our bait consisting of a phpMyAdmin server with default account shed some light on the matter. We\r\nwatched in real time as our server was attacked and got infected.\r\nphpMyAdmin infection process\r\nInfection took place in several stages:\r\n1. First was login to phpMyAdmin. The credentials had been guessed earlier during scanning.\r\n2. Some reconnaissance. The attacker requests phpinfo scripts at different paths.\r\n3. The phpMyAdmin interface allows making SQL queries to a database. The attacker sends the following queries:\r\na. select '' into outfile ''\r\nb. SELECT \"\" INTO OUTFILE \"/home/wwwroot/default/images.php\"\r\nThe content of \"select\" is then saved to disk. The following queries serve in case of an error:\r\nSET GLOBAL general_log = 'OFF'\r\nSET GLOBAL general_log_file = '/home/wwwroot/default/images.php'\r\nSET GLOBAL general_log = 'ON'\r\nSELECT \"\"\r\nSET GLOBAL general_log = 'OFF'\r\nSET GLOBAL general_log_file = 'MySQL.log'\r\n4. And finally, some queries that we are familiar with already:\r\nPOST /images.php “a=just+for+fun\u0026code=ZGllKCJIZWxsbywgUGVwcGEhIik7”\r\nAn automatic script was written to hack phpMyAdmin. 
It tries using one of two mechanisms:\r\nSELECT INTO OUTFILE writes the content of the query to disk.\r\nThe log file is piped to a PHP script with the help of MySQL variables.\r\nThe first method is well known, and it usually fails because of the --secure-file-priv option. But we had not seen the second\r\nmethod before. Usually MySQL does not allow piping a log file outside of the @@datadir variable, but this was possible in\r\nan installation from the phpStudy package. This second method was what made Neutrino \"popular\" on phpMyAdmin\r\nservers. The web shell content will be different for the two infection methods.\r\nThis is what the web shell response looks like when created by the second method (piping of MySQL log):\r\nTo our delight, the log contains actual dates. They can be found in responses from some images.php shells, which allowed us\r\nto determine the actual time they were implanted. This is important, because the sent commands sometimes include the\r\nfollowing:\r\n$time = @strtotime(\"2015-07-16 17:32:32\");\r\n@touch($_SERVER[\"SCRIPT_FILENAME\"],$time,$time);\r\nWhere $_SERVER[SCRIPT_FILENAME] contains \"images.php\". This command changes the date of the most recent\r\nmodification of the file to July 16, 2015. Likely this is a (futile) attempt to complicate analysis of the Neutrino campaign.\r\nBased on the content of some shells, it is possible to determine the dates of shell creation.\r\nThe second malware campaign\r\nSurprisingly, we captured a record not only of images.php but also of wuwu11.php, which had the body . Infection occurred with a\r\nsimilar mechanism. However, there were some interesting differences:\r\nSQL queries were not sent all at once, but one at a time.\r\nThe content of the web shells is completely different; wuwu11.php does not require authorization.\r\nThe payload is different, too. 
Those who wrote wuwu11 and others implanted Trojan.Downloader to chain-download\r\nmalware, but not the miner.\r\nThe difference in infection methods and the shell bruteforcing in Neutrino itself indicate the existence of two simultaneous\r\nmalware campaigns. Neutrino is mining cryptocurrency, while the second campaign downloads malware.\r\nWe analyzed the dates when shells were created on the infected hosts, thanks to which we determined with certainty which\r\ncame first. The first shells with the self-explanatory name \"test.php\" date back to 2013, while \"db__.init\", \"db_session.init\",\r\nand \"db.init\" started showing up in 2014. Neutrino started infecting phpMyAdmin servers in January 2018 by means of\r\nvulnerabilities or competitor shells. The peak of Neutrino activity was in summer 2018. The following graph demonstrates\r\nthe creation dates of Neutrino shells and of the competitor.\r\nBotnet structure\r\nAs we learned, the Neutrino botnet has a clear division of labor among infected hosts. Some mine cryptocurrency and scan\r\nthe Internet, while others act as proxy servers. The Gost utility on port 1443 is used for proxying. The shell on such hosts is\r\nnamed image.php (with no \"s\" at the end).\r\nsvchost.eXe 1388 SYSTEM C:\\Windows\\System\\svchost.exe  -L=https://GoST:GoST@:1443\r\nSuch proxy hosts are few. They are used to implant images.php on vulnerable servers found previously, as well as to send\r\nout commands, primarily for removing competitors from hosts and launching cryptominers. 
Commands are sent at a rate of\r\nup to 1,000 unique IPs per hour.\r\nIn most cases, connections to proxy port 1443 originate from subnets of ChinaNet Henan Province Network (1.192.0.0/13,\r\n171.8.0.0/13, 123.101.0.0/16, 123.52.0.0/14, and others).\r\nNow that we know the structure of the malware campaigns, we can scan the Internet for their shells and estimate the size of\r\nthe botnet.\r\nScanning the Internet\r\nAs mentioned already, the images.php web shell is implanted in the root WWW directory. Its presence and the HTTP\r\nresponse are clear indicators of infection. To estimate the size of the botnet, we need to send a query to images.php on all\r\nweb servers on the Internet. A list of servers with port 80 open is readily available at scans.io. (Censys scans the Internet and\r\nupdates the list weekly.) It contains 65 million web servers, and we sent the query \"GET /images.php\" to each. We got a\r\npositive response from about 5,000 servers, which is only a portion of the botnet. Our honeypots were regularly scanned\r\nfrom new, previously unidentified IP addresses.\r\nBotnet composition\r\nSo what, and who, are all these servers? Shodan can help us find the answer. More than half of the servers return Win32 or\r\nWin64 in the \"Server\" header.\r\nNote the Server header: Apache on Windows.\r\nAccording to Shodan, the share of Windows among Apache servers is less than four percent. So the abnormally high number\r\nof Windows systems in our results must be caused by specific software. True enough, some servers return the following start\r\npage:\r\nphpStudy, main page\r\nphpStudy is an integrated learning environment popular not only in China. In a single click it installs the Apache web server,\r\nMySQL database, PHP interpreter, and phpMyAdmin panel. It also has several configurations for Windows and Linux. 
The\r\nlatest version of phpStudy 2017 from the official site is still vulnerable to log file piping. You can verify this for yourself.\r\nThe vulnerability in phpStudy is not the only major source of bots. The scan revealed over 20,000 servers vulnerable to\r\nCVE-2010-3055. This is also a vulnerability in phpMyAdmin, but related to the setup.php configuration script. The botnet\r\nsends them POST queries that contain malicious configurations. Next, in terms of bot sources, come servers with Cacti's\r\nNetwork Weathermap (CVE-2013-2618) and XAMPP with exposed WebDAV.\r\nHackers found a use even for phpMyAdmin panels that are patched but have weak passwords. A common technique for\r\nmonetization is to export the database to an attacker-controlled hard drive, delete the database from phpMyAdmin, and\r\nleave a ransom message:\r\nMost likely, this has nothing to do with the Neutrino campaign.\r\nConclusions\r\nIn 2018, Neutrino development continued its march forward. The malware used to be distributed via email attachments and\r\nexploit kits, but in 2018 it debuted as a botnet.\r\nNow Neutrino scans are among the top three senders of queries to our honeypots. These \"leaders\" are bruteforcing of admin\r\npanels, shell bruteforcing, and exploitation of vulnerabilities. By scanning for over ten vulnerabilities and competitors' shells,\r\nNeutrino has assembled tens of thousands of bots. Most of those are Windows systems running phpStudy, which Neutrino\r\nuses to mine Monero. Checks for new exploits are regularly added to its code. The same day an exploit for ThinkPHP\r\n(bit.ly/2IKAyhu) was published, we spotted a new version of Neutrino.\r\nBut the malware behaves in a careful way. First it finds vulnerable servers and then, after a while, selectively infects them\r\nwith the images.php shell. 
It uses a number of ways to hide:\r\nExecuting code from memory.\r\nChecking the shell in several stages before executing code.\r\nPlacing C2 on infected servers.\r\nWe can detect its presence based on specific network requests. At Positive Technologies, we develop detection rules for\r\nnetwork attacks. The rules are similar to antivirus signatures, but they check network traffic. We started this article by\r\ndescribing how PT NAD found strange requests based on some tell-tale attributes. Specifically, these were bruteforcing of\r\nphpMyAdmin and shells. This is how the rule trigger window looks in the PT NAD interface.\r\nSignature triggered during a scan by Neutrino bot\r\nEven though in the example the Neutrino bot was unsuccessful, our rules will detect exploitation of any vulnerability or\r\nserver infection. We have published some of our rules on GitHub (bit.ly/2IL3R3F).\r\nTo protect servers from Neutrino infection, we recommend that administrators: Check the password for the root account in\r\nphpMyAdmin. Make sure to patch services and install the latest updates. Remember, Neutrino is regularly updated with new\r\nexploits.\r\nAuthor: Kirill Shipulin, PT ESC\r\nSource: https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html"
	],
	"report_names": [
		"finding-neutrino.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5d56a835c48c18daa2aa1b19e35896e568f1e24.pdf",
		"text": "https://archive.orkl.eu/e5d56a835c48c18daa2aa1b19e35896e568f1e24.txt",
		"img": "https://archive.orkl.eu/e5d56a835c48c18daa2aa1b19e35896e568f1e24.jpg"
	}
}