Skip to content

Hackers attack old ThinkPHP flaws to install ‘Dama’ web shells

  • by
  • 2 min read

Akamai researchers observed Chinese threat actors exploiting old ThinkPHP vulnerabilities, CVE-2018-20062 and CVE-2019-9082, to install a persistent web shell called Dama. The web shell allows the attackers to exploit the breached endpoints further, for example, enlisting them as a part of their infrastructure to evade detection.

While the first signs of activity were tracked back to October 2023, Akamai analysts found that the malicious activity has recently grown and become widespread.

The attackers emerged from various IP addresses associated with servers hosted on the Zenlayer cloud service provider, mainly in Hong Kong. “Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082,” said Akamai.

Dama enables threat actors to navigate file systems on compromised servers, gather system data, and upload files, basically increasing privileges. It can also be used to scan network ports, access databases, and execute shell commands by bypassing disabled PHP functions. Akamai made an important observation about Dama’s lack of a command-line interface despite its extensive functionality.

On October 17, 2023, the attack used the vulnerabilities by instructing the targeted servers to install an obfuscated shell from a remote server under the threat actor’s control instead of using common ‘proof of concept’ commands.

ThinkPHP, which is popular in China, is an open-source web application development framework. CVE-2018-20062 is a problem discovered in NoneCMS 1.3 that allows remote execution of arbitrary PHP code through the use of the filter parameter. It was fixed in December 2018.

CVE-2019-9082, affecting ThinkPHP 3.2.4 and older, is a remote code execution issue used in Open Source BMS 1.1.1 that was addressed in February 2019.

In the detected attacks, the threat actors exploited the vulnerabilities to download a file named “public.txt” from a targeted server in China. The file is saved on the target system as, “roeter.php” which may be a misspelling of the word, ‘router.’ The attackers accessed the web shell using a simple password, “admin.”

While the most recent ThinkPHP version 8.0 is safe against known remote code execution, old versions remain vulnerable to attackers. As of April 2024, Akamai observed a similar campaign much larger than its predecessor.

In the News: DuckDuckGo announces anonymous access to popular AI chatbots

Arun Maity

Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: