One Article Review

The article:
Source: SANS Institute
Identifier: 364561
Publication date: 2017-05-12 06:34:35 (seen: 2017-05-12 06:34:35)
Title: When Bad Guys are Pwning Bad Guys..., (Fri, May 12th)
Text: A few months ago, I wrote a diary about web shells[1] and the numerous interesting features they offer. There are plenty of web shells available; they are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip

I'm pretty sure that some people are using web shells as a remote administration tool. Is it really a good idea? Not sure.

When we install software on our computer, one of the recommendations is to check the hash of the files/archives against the one provided by the developer, to be sure that the software has not been altered by any means. It could be a good idea to do the same with web shells!

While preparing a presentation about web shells and testing some of them in a lab, I found a specific version of the RC-Shell (v2.0.2011.0827) that started to generate suspicious traffic. Almost at the same time, I was contacted by one of our readers who reported the same behaviour to me. He did some analysis on his side and the conclusion was that the web shell was backdoored!

The PHP code contains an array of Base64 encoded images which are icons used to identify the file types. In the backdoored version, the unknown

$images = array(
    'small_unk' => 'iVBORw0KGgoAAAANSU ...',
    'unknown'   => 'iVBORw0KGgoAAAANSU ...'

MD5 (unknown.png) = 1470521de78ef3d0795f83ea7af7c6ad

If you have a look at the picture metadata, you will see that the unknown

Multiple functions have been added to the web shell to deploy the backdoor.

function z8t($i, $o) //run backdoor
{
    $r = @create_function($o, 'return @' . z7v($o, 0) . ...
}

Note: I found different versions of the web shell with different function names. The decoding of the PNG image comment and the installation of the backdoor is available here[3]. The code of the backdoor is located here[4].
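The hiding spot described above (extra data in the text metadata of a Base64-encoded PNG icon) is easy to triage automatically. The following Python script is an added example, not code from the diary or from the RC-Shell: it pulls every Base64-encoded PNG out of a PHP source file, walks the PNG chunks and reports any icon that carries a tEXt/zTXt/iTXt chunk, together with the icon's MD5 for comparison against a known-good copy. The `$images` array it scans is constructed here, and the payload string placed in the comment is a placeholder.

```python
import base64, hashlib, re, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_PNG_RE = re.compile(r"iVBORw0KGgo[A-Za-z0-9+/=]+")  # Base64 of the PNG signature
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # the only chunks that may carry free text

def png_text_chunks(png):
    """Return [(chunk_type, payload)] for every textual metadata chunk in a PNG."""
    out, pos = [], len(PNG_SIG)
    if not png.startswith(PNG_SIG):
        return out
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if ctype in TEXT_CHUNKS:
            out.append((ctype.decode(), png[pos + 8:pos + 8 + length]))
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return out

def suspicious_icons(php_source):
    """One finding per embedded PNG icon that carries textual metadata."""
    findings = []
    for m in B64_PNG_RE.finditer(php_source):
        try:
            png = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not a clean Base64 blob; skip rather than guess
        texts = png_text_chunks(png)
        if texts:
            findings.append({"md5": hashlib.md5(png).hexdigest(), "chunks": texts})
    return findings

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF  # PNG CRC covers type + data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(comment=None):
    """1x1 grey PNG; an optional tEXt Comment chunk mimics the smuggling spot."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [_chunk(b"IHDR", ihdr)]
    if comment is not None:
        chunks.append(_chunk(b"tEXt", b"Comment\x00" + comment))
    chunks += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)

# Constructed stand-in for the shell's icon array: one clean icon, one with a comment.
SAMPLE_PHP = "$images = array('small_unk' => '%s', 'unknown' => '%s');" % (
    base64.b64encode(build_png()).decode(),
    base64.b64encode(build_png(b"[constructed payload blob]")).decode())
```

Run `suspicious_icons()` over a downloaded tool's source and compare the reported MD5 with the copy you trust; a legitimate icon set normally has no textual chunks at all.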
Basically, it collects juicy information (local PHP variables and details about the web shell) and phones home via two channels: SMTP is used to drop an email to peterlegere51@yahoo[.]com, and HTTP is used to post the same data to

To: peterlegere51@yahoo.com
Subject: Linux|http://shiva/lab/VW4Zy8Yg.php?
X-PHP-Originating-Script: 1000:VW4Zy8Yg.php(830) : runtime-created function(1) : eval()'d code
Message-Id: 20170509202418.BE96124112C@shiva
.NET CLR
SERVER_NAME=xxxxxx
SERVER_ADDR=192.168.254.8
SERVER_PORT=80
HTTP_REFERER=http://shiva/lab/
PHP_SELF=/lab/VW4Zy8Yg.php
REQUEST_URI=/lab/VW4Zy8Yg.php
SCRIPT_NAME=/lab/VW4Zy8Yg.php
SCRIPT_FILENAME=/var/www/lab/VW4Zy8Yg.php
REMOTE_ADDR=192.168.254.11

So, be warned when you download and use tools from unknown or unreliable sources. Even underground tools can be backdoored!

[1] https://isc.sans.edu/forums/diary/The+Power+of+Web+Shells/21257
[2] http://entropymine.com/jason/tweakpng/
[3] https://gist.github.com/anonymous/319ef7124affebec67ebc56bc83cbe87
[4] https://pastebin.com/bgj7aH9u

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Sent: Yes
Stories: Yahoo


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.