BFAC
Bot User-Agent: bfac
⚠️ Overview
BFAC (Backdoor File Access Cleaner) is an open-source security tool developed by security researcher @the-robot and maintained on GitHub (https://github.com/the-robot/bfac) for automated detection and removal of backdoor files on web servers. First released in 2018, BFAC is designed to scan web directories for suspicious files commonly used by attackers to maintain persistent access after a compromise.
🔧 Technical Capabilities
BFAC operates by crawling a given URL and recursively examining files for patterns indicative of backdoor code, such as eval(), base64_decode(), system(), and other dangerous PHP functions. It supports detection of obfuscated code, hidden iframes, and encoded payloads within common file types including .php, .asp, .jsp, .py, and .pl. The tool employs a signature-based engine complemented by heuristic analysis to identify both known backdoor frameworks (e.g., c99shell, r57shell, Weevely) and custom-crafted shells. BFAC can also scan for file permission anomalies, unexpected file sizes, and last-modified timestamps that deviate from normal site behavior. It allows users to specify scan depth, file size limits, and exclusion patterns. The tool outputs a report listing all potentially malicious files, with options to quarantine, rename, or delete them directly from the command line.
📜 History & Notable Incidents
BFAC gained recognition in 2020 when it was featured in several penetration testing guides and bug bounty resources. While no specific CVEs are attributed to BFAC itself, it has been widely used by incident response teams to clean up compromised WordPress and Joomla installations infected with web shells associated with CVE-2018-20718 (Joomla core vulnerability) and CVE-2020-11986 (Drupal file inclusion). The tool’s GitHub repository has over 1,200 stars and is referenced in multiple academic papers on web shell detection.
🔍 Detection Indicators
The official BFAC client sends HTTP requests with the User-Agent string BFAC/1.0 or BFAC/2.0 depending on the version, though this can be trivially modified. Its behavioral fingerprint includes rapid sequential file requests to directories like /uploads/, /images/, /tmp/, and /includes/ without requesting any associated HTML pages. Traffic often exhibits high volumes of HTTP 200 responses for non-existent files, as BFAC generates thousands of pattern-matching requests. The tool also sends HEAD requests before full GET requests to check file existence, creating a distinct request pattern of HEAD then GET for the same URI.
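One way to check a web server access log for the indicators listed above (the User-Agent string and the HEAD-then-GET pattern for the same URI), as an added example that is not part of the original page or of the BFAC project. The combined log format, the constructed sample lines, the function name analyze and the min_pairs threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed input: Combined Log Format
# ip - - [time] "METHOD uri proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WATCHED_DIRS = ("/uploads/", "/images/", "/tmp/", "/includes/")  # directories named above
UA_RE = re.compile(r"\bbfac\b", re.IGNORECASE)  # matches bfac, BFAC/1.0, BFAC/2.0

def analyze(lines, min_pairs=2):
    """Return per-client findings; min_pairs is an assumed threshold to tune."""
    stats = defaultdict(lambda: {"ua_hit": False, "head_get_pairs": 0, "watched_dir_hits": 0})
    pending_head = defaultdict(set)  # URIs each client has HEAD-ed but not yet GET-ed
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, uri = m["ip"], m["method"], m["uri"]
        s = stats[ip]
        if UA_RE.search(m["ua"]):
            s["ua_hit"] = True
        if uri.startswith(WATCHED_DIRS):
            s["watched_dir_hits"] += 1
        if method == "HEAD":
            pending_head[ip].add(uri)
        elif method == "GET" and uri in pending_head[ip]:
            pending_head[ip].discard(uri)
            s["head_get_pairs"] += 1
    # The User-Agent is trivially changed, so the request pattern alone also flags a client.
    return {ip: s for ip, s in stats.items() if s["ua_hit"] or s["head_get_pairs"] >= min_pairs}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "HEAD /uploads/a.php HTTP/1.1" 200 0 "-" "BFAC/2.0"
198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /uploads/a.php HTTP/1.1" 200 512 "-" "BFAC/2.0"
203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "HEAD /tmp/x.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET /tmp/x.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "HEAD /includes/y.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /includes/y.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2026:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```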
☠️ Risk & Impact
If BFAC is running on an attacker-controlled machine, it indicates the attacker is actively scanning a compromised server or performing post-exploitation reconnaissance to locate backdoor files. More critically, the presence of BFAC scan traffic from an internal IP suggests a network compromise where attackers are mapping persistence mechanisms. The tool can accelerate data exfiltration by identifying accessible shells, leading to full server takeover and lateral movement.
🛡️ Mitigation
BFAC is blocked immediately on detection because its sole purpose is to locate and manage backdoor files left by prior compromises, signaling an active or past security breach. Immediate response should include isolating the affected server, reviewing logs for unauthorized access, and performing comprehensive malware analysis.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.