Revealing Blackhat Web Shell Choices

Recently I received a call from a friend to inspect a web server attack incident. It was nothing more than a trivial web hacking case: an uploaded web shell and some proxy tools running under the apache user. The disappointing part was that the attacker's entry point was a WordPress setup hosted on the server which was vulnerable to the famous TimThumb Remote File Inclusion vulnerability. Until that case I considered it unthinkable that there still existed hosts vulnerable to the TimThumb exploit after all its fame in recent months. So I decided to investigate further, to see whether there still exist active bots seeking vulnerable TimThumb versions in WordPress installations.

Knowing how the vulnerability is exploited, it was easy to run some simple regex searches over the NIDS alert databases and web server logs in order to gather data for the analysis. Input was gathered from production web servers and NIDS sensors running on the academic network infrastructure at work. The analysis covered evidence from the past three months (1st January 2012 – 28th March 2012).

The first stage was to enumerate the RFI URL paths involved in the exploitation attempts from infected hosts. The full URL list is available in the download section at the end of the post.

Continuing the analysis, the URL list was fed to a crawling script in order to separate live from dead links. The original TimThumb script makes a GET request to the given URL with empty User-Agent and Referer header fields. To avoid tripping any protection settings on the malicious hosts, the crawl script uses the curl tool with the arguments needed to simulate exactly the same behaviour as the TimThumb script. The script was run from a honeypot node and its output is as follows:

root@honey2:~# ./url_inspect.sh rfi_urls.txt evidence/
[*] Checking URL status
-{ ERR }- http://img.youtube.com.ignorelist.com:55000/.google/byroe.php
-{ ERR }- http://img.youtube.com.ignorelist.com:55000/.google/wpengine.php
-{ 404 }- http://picasa.combo.opsetconsulting.com/byroe.php
-{ ERR }- http://blogger.com.autismactivism.org/get.php
-{ 404 }- http://blogger.com.herzelconsultores.com.ar/shell.php
-{ ERR }- http://blogger.com.mesco.com.vn/login.php
-{ 404 }- http://blogger.com.nilgirisrealty.com/cok.php
-{ 200 }- http://blogger.com.omahastorm.org/jek.php
-{ 200 }- http://blogger.com.pinkfc.com/thumb/id.php
-{ 200 }- http://blogger.com.pinkfc.com/thumb/jef.php
-{ 200 }- http://blogger.com.textrock.com/xcyb.php
-{ 200 }- http://blogger.community.thermomixphils.com/2.php
-{ 404 }- http://flickr.com.bpmohio.com/byroe_cpf.php
-{ 403 }- http://flickr.com.fashionandbeautyonline.cl/.stun.php
-{ 403 }- http://img.youtube.com.fashionandbeautyonline.cl/nxs.php
-{ ERR }- http://img.youtube.com.novedadesmarta.es/telek.php
-{ 404 }- http://picasa.com.afina.ro/bogel.php
-{ 200 }- http://picasa.com.dv9.demopm.com/crash.php
-{ 302 }- http://picasa.com.jcibuenosaires.com.ar/2.php
-{ 403 }- http://picasa.com.medo.ro/pilat.php
-{ ERR }- http://picasa.com.oeildupirate.com/yahoo.php
-{ ERR }- http://picasa.com.richcityidol.com/yahoo.php
-{ ERR }- http://picasa.com.supremovestibulares.com.br/yahoo.php
-{ 404 }- http://picasa.com.yourfashionchic.it/idlink.php
-{ 200 }- http://picasa.communication.mpgallery.info/2.php
-{ 200 }- http://wordpress.com.junglerumblepartyvenue.co.za/index.php
-{ ERR }- http://wordpress.com.usurnsonline.com/new.php
-{ 500 }- http://wordpress.company.travelagencymanila.com/2.php

[*] 'Alive' links will be downloaded for further inspection

So 8 out of 28 URLs are still active and serve TimThumb exploitation PHP code. For further inspection the PHP sources were downloaded locally. The blackhats behind them used well-known obfuscation methods (rot13, gunzip, base64, etc.) to hide their code. Some made really insane choices, looping the obfuscation functions as many as 50 times. Consequently, some obfuscation unroll scripts were written to reveal the original PHP code.
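The following is an added example, not the author's unroll script: a small Python unroller for the eval(gzinflate(base64_decode(...))) and eval(str_rot13(...)) wrappers described above. The blob it decodes is constructed in build_sample() around a harmless echo, so nothing from the evidence archive is needed.

```python
import base64
import codecs
import re
import zlib

# Decoder for each PHP wrapper seen in the samples; applied inside-out when unrolling.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE, like PHP gzinflate()
    "gzuncompress": zlib.decompress,                               # zlib stream, like PHP gzuncompress()
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}

# Matches eval(f1(f2(...('payload')...))); for any nesting of the decoders above.
LAYER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*)+)"
    r"(['\"])(.*?)\2(?:\s*\))+\s*;?",
    re.S,
)

def peel_layer(src):
    """Decode one eval(...) wrapper; return None when no known wrapper is present."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    funcs = re.findall(r"[a-z0-9_]+", m.group(1))  # wrapper names, outer to inner
    data = m.group(3).encode("latin-1")
    for fn in reversed(funcs):                        # the innermost wrapper decodes first
        data = DECODERS[fn](data)
    return data.decode("latin-1")

def unroll(src, max_layers=100):
    """Peel wrappers until plain PHP remains; returns (code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers

def build_sample():
    """Constructed sample: a harmless echo wrapped three layers deep, like the real blobs."""
    plain = 'echo "constructed sample, not a real web shell";'
    l1 = "eval(str_rot13('%s'));" % codecs.encode(plain, "rot_13")
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE = PHP gzdeflate()
    raw = co.compress(l1.encode()) + co.flush()
    l2 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(l2.encode()).decode()
```

Run unroll(build_sample()) to get the plain echo back together with the number of layers removed; max_layers keeps a 50-deep blob from turning into an endless loop if a wrapper decodes to itself.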

The following 5 web shells were identified:

  1. ANASKI PHP BOT Script (1 hit)
  2. r57 { KingDefacer 2.0.20 re-coded } (1 hit)
  3. c99 { s4l1ty re-coded } (1 hit)
  4. E-ZiNe Shell (2 hits)
  5. Unknown (3 hits)

What surprised me was the functionality and appearance of almost all the discovered web shells, which generate a lot of noise in various system and network logs. None of the web shells makes any effort to operate stealthily; each exposes itself instantly to a decent sysadmin who monitors the web server properly.


Conclusions

The analysis revealed 28% live bot activity, with ~3,000 exploit attempts against the TimThumb vulnerability from January 1st 2012 to March 28th 2012 in the academic network. The numbers indicate that after 8 months (the vulnerability was disclosed on August 3rd 2011) botnet operators are still seeking vulnerable WordPress installations. Such a number suggests that there are still many vulnerable setups out there.


Download Evidence

Be very careful while processing the following data, as it might harm your systems if not used properly. Run your tests in virtual machines or sandbox environments, and do not hit the malicious URLs from critical source IP addresses.


PS: The local authority CERT has been informed about the incidents.
PS2: A regularly updated list of all the RFI URLs gathered from the monitoring sensors is available here.


A. Bechtsoudis

2 Comments

infodox, March 28th, 2012 at 21:33

Amazing analysis, and thanks a million for the samples, which will be added to our “Web Malware Collection” within 24 hours.
You may find said collection here:
http://insecurety.net/projects/web-malware/

As for the scanning bots, I may have some samples of the IRC bot used in these attacks and will comment again if I find it. The obfuscation methods used here seem to be gunzip and b64 mostly…

anestisb, March 29th, 2012 at 21:29

Appreciate the info as I wasn’t familiar with the “Web Malware Collection” project.

Any samples regarding relative bot actions are welcome. And of course you can send me a private email if data public disclosure is not the best option.