diff --git a/185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.0.file b/185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.0.file
new file mode 100644
index 0000000..dedc04a
Binary files /dev/null and b/185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.0.file differ
diff --git a/185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.upload-plugin.scans b/185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.upload-plugin.scans
new file mode 100644
index 0000000..f4567dd
--- /dev/null
+++ b/185.220.101.21-2018-01-01a/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.upload-plugin.scans
@@ -0,0 +1,77 @@
+
+_SERVER
+Array
+(
+ [UNIQUE_ID] => WkjqapjoG7YwsaDQq38zLgAAAAE
+ [SCRIPT_URL] => /wp-admin/update.php
+ [SCRIPT_URI] => http://stratigery.com/wp-admin/update.php
+ [HTTP_HOST] => stratigery.com
+ [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
+ [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
+ [HTTP_ACCEPT_ENCODING] => gzip, deflate
+ [HTTP_REFERER] => http://stratigery.com/wp-admin/plugin-install.php?tab=upload
+ [HTTP_COOKIE] => wordpress_d1514727868fuck=admind1514727868fuck; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_ind1514727868fuck=admind1514727868fuck
+ [HTTP_CONNECTION] => keep-alive
+ [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
+ [CONTENT_TYPE] => multipart/form-data; boundary=---------------------------172401349217777
+ [CONTENT_LENGTH] => 1638559
+ [PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin
+ [SERVER_SIGNATURE] => 
+ [SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.0
+ [SERVER_NAME] => stratigery.com
+ [SERVER_ADDR] => 162.246.45.144
+ [SERVER_PORT] => 80
+ [REMOTE_ADDR] => 185.220.101.21
+ [DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+ [REQUEST_SCHEME] => http
+ [CONTEXT_PREFIX] => 
+ [CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs
+ [SERVER_ADMIN] => bediger@stratigery.com
+ [SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wp-admin/update.php
+ [REMOTE_PORT] => 39843
+ [GATEWAY_INTERFACE] => CGI/1.1
+ [SERVER_PROTOCOL] => HTTP/1.1
+ [REQUEST_METHOD] => POST
+ [QUERY_STRING] => action=upload-plugin
+ [REQUEST_URI] => /wp-admin/update.php?action=upload-plugin
+ [SCRIPT_NAME] => /wp-admin/update.php
+ [PHP_SELF] => /wp-admin/update.php
+ [REQUEST_TIME_FLOAT] => 1514728042.8
+ [REQUEST_TIME] => 1514728042
+)
+
+_REQUEST
+Array
+(
+ [action] => upload-plugin
+ [_wpnonce] => 4f1202ce52
+ [_wp_http_referer] => /wordpress/wp-admin/plugin-install.php?tab=upload
+ [install-plugin-submit] => Install 
Now
+)
+
+_COOKIE
+ Array
+(
+ [wordpress_d1514727868fuck] => admind1514727868fuck
+ [wordpress_test_cookie] => WP Cookie check
+ [wordpress_logged_ind1514727868fuck] => admind1514727868fuck
+)
+
+_FILES
+
+UPLOADED FILE pluginzip
+ Array
+(
+ [name] => file-manager.zip
+ [type] => application/x-zip-compressed
+ [tmp_name] => /tmp/php1SbsL2
+ [error] => 0
+ [size] => 1637950
+)
+
+END UPLOADED FILE pluginzip
+ Uploaded file: /var/tmp/185.220.101.21WkjqapjoG7YwsaDQq38zLgAAAAE.0.file
+
+END _FILES
+ $my_blog=http://stratigery.com/wp-admin
diff --git a/185.220.101.21-2018-01-01a/README.md b/185.220.101.21-2018-01-01a/README.md
new file mode 100644
index 0000000..9cce3a1
--- /dev/null
+++ b/185.220.101.21-2018-01-01a/README.md
@@ -0,0 +1,34 @@
+# File Manager Plugin
+
+## Origin
+
+### IP address 185.220.101.21
+
+185.220.101.21 → 185.220.101.0/24AS200052
+
+Appears to be a "Feral Hosting" IP address, located in London, UK
+
+### Download
+
+Downloaded to my honey pot as a WordPress plugin installation.
+Downloaded a Zip file, so it probably would install on a real WordPress instance.
+
+## Analysis
+
+I could not find any obviously evil PHP code.
+
+No extra files. Downloaded current [File Manager](https://da.wordpress.org/plugins/file-manager/),
+unzipped it, and matched file names with the honey pot download.
+
+Couldn't find anything fishy by
+
+ find . -type f | xargs egrep -a 'eval|assert|base64_decode|preg|ereg'
+
+No "eval" or "assert" used in code, only a legit use of `base64_decode()`. Granted,
+even simple obfuscation could overcome the regular expression based search.
+
+Nothing but CSS files seemed to have extremely long lines of text.
+
+However, a file manager, illegitimately installed, would have a lot of
+use to someone covertly taking over a WordPress installation. About half
+of WSO web shell functions are file management. 
diff --git a/185.220.101.21-2018-01-01a/file-manager.zip b/185.220.101.21-2018-01-01a/file-manager.zip
new file mode 100644
index 0000000..154dd40
Binary files /dev/null and b/185.220.101.21-2018-01-01a/file-manager.zip differ
diff --git a/README.md b/README.md
index cbb75cc..28508bd 100644
--- a/README.md
+++ b/README.md
@@ -89,3 +89,8 @@ XOR string it was using in 2012. Somewhat modified Web Shell by oRb, derived from version 2.5, or possibly 2.9. Many levels of obfuscation.
+
+## [Legitimate File Manager Plugin](185.220.101.21-2018-01-01a)
+
+A real (albeit possibly off-license) file manager plugin, illegitimately
+installed. Interesting dual use of COTS technology.