When Bad Guys are Pwning Bad Guys...
A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. They’re plenty of web shells available, there are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip'd) PHP file that can be simply dropped on a compromised computer. Some of them are looking nice and professional like the RC-Shell:
I’m pretty sure that some people are using web shells as a remote administration tool. Is it really a good idea? Not sure… When we install a software on our computer, one of the recommendations is to check the hash of the files/archives with the one provided by the developer to be sure that the software has not been altered by any means. It could be a good idea to make the same with web shells!
While preparing a presentation about web shells and testing some of them in a lab, I found a specific version of the RC-Shell (v2.0.2011.0827) that started to generate suspicious traffic. Almost at the same time, I was contacted by one of our readers that reported to me the same behaviour. He did some analysis on his side and the conclusion was that the web shell was backdoored! The PHP code contains an array of Base64 encoded images which are icons used to identify the file types. In the backdoored version, the "unknown" file has been replaced by a rogue one.
$images = array( "small_unk" => "iVBORw0KGgoAAAANSU ...", "unknown" => "iVBORw0KGgoAAAANSU ..." );
MD5 (unknown.png) = 1470521de78ef3d0795f83ea7af7c6ad
If you have a look at the picture metadata, you will see that the 'unknown' one contains a very long and obfuscated comment (TweakPNG[2] is a very nice tool to play with PNG images metadata):
Multiple functions have been added to the web shell to deploy the backdoor. Once data decoded, they are passed to a create_function():
function z8t($i, $o)//run backdoor { $r = @create_function('$o', 'return @' . z7v($o, 0) . '($o);'); return $r($i); }
Note: I found different versions of the web shell with different function names.
The decoding of the PNG image comment and the installation of the backdoor is available here[3]. The code of the backdoor is located here[4]. Basically, it collects juicy information (local PHP variables and details about the web shell and phone home via two channels:
- SMTP is used to drop an email to peterlegere51@yahoo[.]com
- HTTP is used to post the same data to hxxp://peterlegere.byethost2[.]com/news/index.php
Here is an example of an email sent to the email address:
To: peterlegere51@yahoo.com Subject: Linux|http://shiva/lab/VW4Zy8Yg.php? X-PHP-Originating-Script: 1000:VW4Zy8Yg.php(830) : runtime-created function(1) : eval()'d code Message-Id: <20170509202418.BE96124112C@shiva> Date: Tue, 9 May 2017 22:24:18 +0200 (CEST) From: www-data@xxxxxx.rootshell.be (www-data) URL=http://shiva/lab/VW4Zy8Yg.php? version=2.0.2011.0827 auth use_auth=0 auth md5_user=098f6bcd4621d373cade4e832627b4f6 auth md5_pass=098f6bcd4621d373cade4e832627b4f6 default_vars language=en default_vars email=q_q_x_x@yahoo.com default_vars default_sort=0a default_vars default_act=tools default_vars bind_port=31337 default_vars bind_pass=xxxxxx default_vars backcon_port=31337 default_vars sql_host=localhost default_vars sql_user=root default_vars sql_db=mysql default_vars sql_table=users default_vars ftp_user=anonymous default_vars ftp_pass=anonymous@ftp.com default_vars downloada=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR SERVER_NAME=xxxxxx SERVER_ADDR=192.168.254.8 SERVER_PORT=80 HTTP_REFERER=http://shiva/lab/ PHP_SELF=/lab/VW4Zy8Yg.php REQUEST_URI=/lab/VW4Zy8Yg.php SCRIPT_NAME=/lab/VW4Zy8Yg.php SCRIPT_FILENAME=/var/www/lab/VW4Zy8Yg.php REMOTE_ADDR=192.168.254.11
So, be warned when you download and use tools from unknown or unreliable sources. Even underground tools can be backdoored!
[1] https://isc.sans.edu/forums/diary/The+Power+of+Web+Shells/21257
[2] http://entropymine.com/jason/tweakpng/
[3] https://gist.github.com/anonymous/319ef7124affebec67ebc56bc83cbe87
[4] https://pastebin.com/bgj7aH9u
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Malware Analysis Tools and Techniques | Amsterdam | Jan 20th - Jan 25th 2025 |
Comments
not only is rc-shell v2.0.2011.0827 backdoored
but rc-shell v2.0.2011.1009 is backdoored as well
both of which call out to the same email address "peterlegere51@yahoo.com" as noted,
however, they contain different c2/logger domains that they both send info off to
neither of which are valid/existing on the hosts they are setup on
but im rather sure that these hosts both still do have logs for requests being made to them
this is not something new that i have discovered but something that i have known about for a few years now
when i saw xme was doing a piece involving this shell i decided it would be applicable to share this information with him as i never originally took the time to write up anything about it upon my initial discovery
Anonymous
May 14th 2017
7 years ago