Russian pharma spam ads using WSO web shell as a cut-out, with an interesting twist.
The fake WSO web shell of my WordPress honey pot caught this code. It's hard to say what web shell/backdoor the attacker was trying for because the HTTP POST parameters look like this:
[pass] => 1qazxsw23edc
[wp_wp] => 1qazxsw23edc
[l__J] => 1qazxsw23edc
[php] => eval(base64_decode(rawurldecode("ZWNoby ... Tc4cSc7")));
[sc] =>
[ev] => eval(base64_decode(rawurldecode("ZWNoby ... Tc4cSc7")));
[a] => Php
[p1] => eval(base64_decode(rawurldecode("ZWNoby ... Tc4cSc7")));
That is, the password gets sent in 3 different parameters, probably for 3 different web shells or backdoors. Similarly, the source code gets sent in 3 different parameters. A real WSO web shell would use the a, p1 and pass parameters: the "Php" action of WSO executes the code in parameter p1.
It looks like the attacker intended this download to work in multiple web shells or backdoors.
Lots of other attackers have used the URL this attacker did (/wp-content/themes/sketch/404.php), but usually as a WSO web shell, and never with the password "1qazxsw23edc".
If a real WSO web shell had received this request, it would have run WSO's "Php" action. That action evals the PHP source passed in, so the extra "eval" wrapped around the code in parameters "p1", "ev" and "php" seems like overkill: it just nests one eval inside another.
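To make the "same password under several parameter names" pattern checkable on other captures, here is a small Python detector. It is added for this write-up, not something the honey pot or WSO contains. The sample POST body is constructed to mirror the parameters above, with a harmless base64 placeholder (echo 'hi';) in place of the attacker's payload; the threshold of 8 characters for "interesting" repeated values is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# Wrapper shape seen in the captured POST: eval(base64_decode(rawurldecode("...")));
EVAL_WRAPPER = re.compile(r"^\s*eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

# WSO's "Php" action takes the code to run from p1 when a=Php (as described above).
WSO_CODE_PARAM = "p1"
MIN_REPEAT_LEN = 8   # assumption: ignore short values like "Php" that repeat innocently


def analyze_post(body: str) -> dict:
    """Flag a form-encoded POST body that looks like a multi-backdoor WSO-style request.

    Two signals, both visible in the honey pot capture:
      1. one non-trivial value sprayed across several parameter names
         (a password offered to several shells at once), and
      2. parameters whose value is an eval(base64_decode(...)) wrapper.
    """
    params = parse_qs(body, keep_blank_values=True)

    by_value = defaultdict(list)
    for name, values in params.items():
        for v in values:
            if len(v) >= MIN_REPEAT_LEN:
                by_value[v].append(name)
    sprayed = {v: sorted(names) for v, names in by_value.items() if len(names) > 1}

    eval_params = sorted(
        name for name, values in params.items()
        if any(EVAL_WRAPPER.match(v) for v in values)
    )
    wso_php_action = params.get("a", [""])[0].lower() == "php" and WSO_CODE_PARAM in params

    return {
        "sprayed_values": sprayed,
        "eval_params": eval_params,
        "wso_php_action": wso_php_action,
        "suspicious": bool(eval_params) or (bool(sprayed) and wso_php_action),
    }


# Constructed sample modelled on the captured parameters. The base64 payload is
# echo 'hi'; rawurlencoded, not the attacker's code.
SAMPLE_PASSWORD = "1qazxsw23edc"
SAMPLE_CODE = 'eval(base64_decode(rawurldecode("ZWNobyAnaGknOw%3D%3D")));'
SAMPLE_BODY = urlencode([
    ("pass", SAMPLE_PASSWORD), ("wp_wp", SAMPLE_PASSWORD), ("l__J", SAMPLE_PASSWORD),
    ("php", SAMPLE_CODE), ("sc", ""), ("ev", SAMPLE_CODE), ("a", "Php"), ("p1", SAMPLE_CODE),
])
# Constructed benign body: an ordinary WordPress login form post.
BENIGN_BODY = urlencode([("log", "admin"), ("pwd", "correct horse battery"), ("wp-submit", "Log In")])

if __name__ == "__main__":
    for label, body in (("captured shape", SAMPLE_BODY), ("login form", BENIGN_BODY)):
        print(label, analyze_post(body))
```

The detector keys on structure rather than on the specific password or base64 blob, so it still fires when the next campaign rotates both.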
5.188.10.27 has no reverse DNS (PTR) record. whois says this about it:
role: CABLE COM DATA CABLING SERVICES Contact Role
address: 13 Bosworth Close, Milton Keynes, MK3 7UB
address: United Kingdom
abuse-mailbox: abuse@cablecom.org
nic-hdl: CCDC7-RIPE
mnt-by: cablecom-mnt
created: 2017-11-08T19:54:37Z
last-modified: 2017-11-08T19:54:37Z
route: 5.188.10.0/24
origin: AS58222
mnt-by: histate
created: 2017-11-08T18:05:47Z
last-modified: 2017-11-08T18:05:47Z
geoiplookup says this IP address is in Croatia. traceroute output:
traceroute to 5.188.10.27 (5.188.10.27), 30 hops max, 60 byte packets
1 _gateway (162.246.45.129) 41.488 ms 41.453 ms 41.384 ms
2 10.100.100.1 (10.100.100.1) 44.315 ms 44.273 ms 44.270 ms
3 v231.core1.den1.he.net (216.66.73.25) 46.962 ms 46.928 ms 46.879 ms
4 100ge14-1.core1.mci3.he.net (184.105.64.50) 56.373 ms 56.353 ms 56.346 ms
5 100ge8-1.core2.chi1.he.net (184.105.81.210) 73.865 ms 73.861 ms 73.825 ms
6 100ge16-1.core1.nyc4.he.net (184.105.223.162) 98.932 ms 56.673 ms 63.999 ms
7 100ge4-1.core1.par2.he.net (184.105.81.78) 128.979 ms 125.732 ms 125.721 ms
8 100ge5-2.core1.vie1.he.net (184.105.65.6) 140.526 ms 144.580 ms 144.558 ms
9 100ge6-1.core1.bud1.he.net (184.105.213.250) 149.467 ms 159.731 ms 159.734 ms
10 100ge10-1.core1.buh1.he.net (184.105.65.46) 179.615 ms 179.625 ms 179.605 ms
11 * * *
12 as201133.0.28.netix.net (193.218.0.28) 179.511 ms 179.491 ms 179.445 ms
13 * * *
14 5.188.10.27 (5.188.10.27) 166.752 ms 166.686 ms 174.885 ms
geoiplookup says 193.218.0.28 is in Bulgaria, but 184.105.65.46 is in the USA. Confusing at first glance. Google says 193.218.0.28 is in Sofia, Bulgaria, while 5.188.10.27 is in Pula, Croatia. One hop between the two seems unlikely, but not impossible. One hop between Sofia, Bulgaria, and San Jose, CA, where 184.105.65.46 is supposed to live, would be impossible, but the USA answer is most likely a GeoIP artifact rather than a location: 184.105.65.46 sits in a Hurricane Electric block registered to HE in California, and GeoIP databases place such provider-wide blocks at the registrant's address, not where each router is deployed. Its reverse DNS name, 100ge10-1.core1.buh1.he.net, follows the same city-code scheme as the earlier hops (den1, chi1, nyc4, par2, vie1, bud1), so "buh1" most likely means a router in Bucharest. Read that way the path runs Vienna, Budapest, Bucharest, then the NetIX exchange in Sofia, then the destination, and only the final hop's Croatia placement is really open to doubt.
Decoding steps:
- cp 5.188.10.27WsATaoqRMdiXOPvYjUHIkwAAAAM.php.file dc1.php
- Hand-edit dc1.php: add "<?php", and change "eval" into "print"
- Invoke php dc1.php > dc2.php
- Hand edit dc2.php to make it a bit more legible. Pretty-printing ruins the "\xNN" PHP byte value encoding.
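Swapping eval for print and running the file under php still executes anything the attacker put outside the eval wrapper, and a second wrapper inside the first needs a second round of hand editing. A static peel avoids both problems. This Python script is added here, not something from the original post or from WSO: it undoes eval(base64_decode(rawurldecode(...))) layers with nothing but string handling. The sample payload is constructed, a benign PHP snippet with the shape of the spam mailer wrapped twice, and is not the attacker's code.

```python
import base64
import re
from urllib.parse import quote, unquote

# One layer of the wrapper seen in the captured POST parameters:
#     eval(base64_decode(rawurldecode("<payload>")));
# Deliberately strict: anything that is not exactly this shape is left alone
# and handed back for a human to look at.
WRAPPER = re.compile(
    r"""^\s*(?:<\?php\s*)?eval\s*\(\s*base64_decode\s*\(\s*rawurldecode\s*\(\s*"""
    r"""(["'])(?P<payload>[^"']*)\1\s*\)\s*\)\s*\)\s*;?\s*(?:\?>)?\s*$"""
)


def peel(code: str, max_layers: int = 10) -> tuple:
    """Undo eval(base64_decode(rawurldecode(...))) wrappers without executing anything.

    Returns (inner_code, layers_removed). Stops when the text no longer matches
    the wrapper, or after max_layers so a hostile input cannot loop forever.
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER.match(code)
        if m is None:
            break
        # PHP evaluates the innermost call first: rawurldecode, then base64_decode.
        raw = base64.b64decode(unquote(m.group("payload")))
        # latin-1 keeps every byte as-is; the decoded PHP is text with \xNN escapes.
        code = raw.decode("latin-1")
        layers += 1
    return code, layers


def wrap(code: str) -> str:
    """Build one wrapper layer; used only to construct the sample input below."""
    b64 = base64.b64encode(code.encode("latin-1")).decode("ascii")
    return 'eval(base64_decode(rawurldecode("%s")));' % quote(b64, safe="")


# Constructed sample: a harmless PHP snippet with the same shape as the spam mailer
# (one mail() call, a \xNN-escaped emoji, a URL), wrapped twice. Not the attacker's code.
SAMPLE_INNER = (
    '$to = "someone@example.com";\n'
    '$body = "Hi \\xF0\\x9F\\x99\\x8F see http://example.com/x.php";\n'
    'mail($to, "hello", $body);\n'
)
SAMPLE_POST_PHP = wrap(wrap(SAMPLE_INNER))

if __name__ == "__main__":
    inner, layers = peel(SAMPLE_POST_PHP)
    print("layers removed:", layers)
    print(inner)
```

Because the peeled text is never passed to php, the "\xNN" escapes survive untouched and can be read off directly.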
The decoded code sends one SMTP email. The body seems like ASCII text with some 4-byte UTF-8 code points in it.
A few days after this PHP came through, my honey pot caught two other similar pieces of PHP. They included different email addresses than this one, and slightly customized text. Apparently this is spam sent through WSO web shell's "Php" action, which just evals the code sent in.
The UTF-8 encoding is particularly legible in PHP's "\xNN" text encoding:
"\xF0\x9F\x99\x8F"
"\xF0\x9F\x8E\x88"
"\xF0\x9F\x98\x89"
"\xF0\x9F\x99\x8C"
"\xF0\x9F\x98\x89"
"\xF0\x9F\x98\x83"
"\xF0\x9F\x99\x8C"
"\xF0\x9F\x98\x8A"
Hex bytes | Binary byte representation | Binary code point | Decimal | U+code point | Description |
---|---|---|---|---|---|
F09F998F | 11110000 10011111 10011001 10001111 | 0000011111011001001111 | 128591 | U+1F64F | Person praying glyph |
F09F8E88 | 11110000 10011111 10001110 10001000 | 0000011111001110001000 | 127880 | U+1F388 | balloon glyph |
F09F9889 | 11110000 10011111 10011000 10001001 | 0000011111011000001001 | 128521 | U+1F609 | winking smiley face glyph |
F09F998C | 11110000 10011111 10011001 10001100 | 0000011111011001001100 | 128588 | U+1F64C | hands up person glyph |
F09F9883 | 11110000 10011111 10011000 10000011 | 0000011111011000000011 | 128515 | U+1F603 | smiley face glyph |
F09F988A | 11110000 10011111 10011000 10001010 | 0000011111011000001010 | 128522 | U+1F60A | smug smiley face glyph |
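The table above was worked out by hand. Here, as an added example and not code from the post, is a Python script that turns a PHP "\xNN" string into bytes, decodes the UTF-8 bit by bit the same way the table does, and rejects overlong sequences, surrogates and out-of-range values that a lenient decoder would let through. The input strings are constructed from the escapes listed above.

```python
import re
import unicodedata

# PHP double-quoted string escapes that matter here: \xNN (one or two hex digits,
# as PHP allows) plus the common single-character ones.
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([nrt\\"$])')
_SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, '"': 0x22, "$": 0x24}


def php_unescape(literal: str) -> bytes:
    """Turn the body of a PHP double-quoted string into the bytes PHP would produce."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out.append(_SIMPLE[m.group(2)])
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


# Smallest code point a sequence of each length may carry; anything below is an
# overlong encoding, which strict decoders reject (a classic filter bypass).
_MIN_CP = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}
_PAYLOAD_BITS = {1: 7, 2: 11, 3: 16, 4: 21}


def decode_rows(literal: str) -> list:
    """Decode the UTF-8 in a PHP backslash-x string by hand, one table row per character."""
    data = php_unescape(literal)
    rows, i = [], 0
    while i < len(data):
        b0 = data[i]
        if b0 < 0x80:
            n, cp = 1, b0
        elif b0 >> 5 == 0b110:
            n, cp = 2, b0 & 0x1F
        elif b0 >> 4 == 0b1110:
            n, cp = 3, b0 & 0x0F
        elif b0 >> 3 == 0b11110:
            n, cp = 4, b0 & 0x07
        else:
            raise ValueError("invalid lead byte %#x at offset %d" % (b0, i))
        seq = data[i:i + n]
        if len(seq) < n or any(b >> 6 != 0b10 for b in seq[1:]):
            raise ValueError("truncated or malformed sequence at offset %d" % i)
        for b in seq[1:]:
            cp = (cp << 6) | (b & 0x3F)   # six payload bits per continuation byte
        if cp < _MIN_CP[n] or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError("overlong, surrogate or out-of-range code point at offset %d" % i)
        rows.append({
            "hex": seq.hex().upper(),
            "bytes_binary": " ".join("{:08b}".format(b) for b in seq),
            "codepoint_binary": "{:0{w}b}".format(cp, w=_PAYLOAD_BITS[n]),
            "decimal": cp,
            "codepoint": cp,
            "u_plus": "U+%04X" % cp,
            "name": unicodedata.name(chr(cp), "<unnamed>"),
        })
        i += n
    # Cross-check the hand decoder against Python's strict one.
    assert "".join(chr(r["codepoint"]) for r in rows) == data.decode("utf-8")
    return rows


def is_valid_utf8_literal(literal: str) -> bool:
    """True if the PHP string decodes as strict UTF-8, False if decode_rows rejects it."""
    try:
        decode_rows(literal)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for r in decode_rows(r"\xF0\x9F\x99\x8F\xF0\x9F\x8E\x88\xF0\x9F\x98\x89"):
        print(r["hex"], r["bytes_binary"], r["codepoint_binary"], r["decimal"], r["u_plus"], r["name"])
```

The overlong and surrogate checks are the part worth keeping: spam and web-shell payloads sometimes lean on non-canonical UTF-8 to slip past naive string filters, and a decoder that silently accepts them hides that.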
Doesn't really add much to the email body.
There is a URL in the email:
http://tamerpars.com/zzkwjuce/sotpie/f49z.php
Wow, the nptzow Zip file my honey pot caught had a directory named sotpie in it.
I'm not convinced that's more than a coincidence.
nptzow/sotpie just had XML and XHTML files in it that are probably templates for some "blackhat SEO", maybe in Russian.
That directory did not have PHP files in it, just HTML templates.
Possibly "sotpie" is a transliteration of some Russian word.
I used wget
to try to retrieve whatever this URL offered.
--2018-03-31 21:49:42-- http://tamerpars.com/zzkwjuce/sotpie/f49z.php
Resolving tamerpars.com (tamerpars.com)... 185.96.92.64
Connecting to tamerpars.com (tamerpars.com)|185.96.92.64|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://profmarket.su [following]
--2018-03-31 21:49:45-- http://profmarket.su/
Resolving profmarket.su (profmarket.su)... 185.147.14.244
Connecting to profmarket.su (profmarket.su)|185.147.14.244|:80... connected.
HTTP request sent, awaiting response... No data received.
While 185.96.92.64 lives in the UK, the domain name "tamerpars.com" is registered to a physical address in Yazd, Iran.
185.147.14.244 is registered to a company in the British Virgin Islands, but lives in the Netherlands, and whois has it owned by some Russian.
That's roundabout and confusing.
Visited with the Firefox browser, profmarket.su is a Canadian Pharmacy website peddling ED medication.
The two subsequent email spams I caught and examined (many more actually got caught) referenced two different URLs. wget has those URLs redirecting to ".su" domains. I'm not going to bother looking at those web pages: they're almost certainly Canadian pharmacy scams.
% wget http://ezbarrel.com/Library/or84e.php
--2018-04-06 19:12:05-- http://ezbarrel.com/Library/or84e.php
Resolving ezbarrel.com (ezbarrel.com)... 192.254.232.71
Connecting to ezbarrel.com (ezbarrel.com)|192.254.232.71|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://webstoreinfo.su [following]
--2018-04-06 19:12:05-- http://webstoreinfo.su/
Resolving webstoreinfo.su (webstoreinfo.su)... 185.147.14.244
Connecting to webstoreinfo.su (webstoreinfo.su)|185.147.14.244|:80... connected.
HTTP request sent, awaiting response... No data received.
% wget http://onwebs.es/makeup/ecta/srj39.php
--2018-04-06 19:13:07-- http://onwebs.es/makeup/ecta/srj39.php
Resolving onwebs.es (onwebs.es)... 86.109.170.40
Connecting to onwebs.es (onwebs.es)|86.109.170.40|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://orderwebpro.su [following]
--2018-04-06 19:13:08-- http://orderwebpro.su/
Resolving orderwebpro.su (orderwebpro.su)... 185.147.14.244
Connecting to orderwebpro.su (orderwebpro.su)|185.147.14.244|:80... connected.
HTTP request sent, awaiting response... No data received.
Even though the DNS names differ, the ultimate IP address remains the same for all 3 spams.
Resolving webstoreinfo.su (webstoreinfo.su)... 185.147.14.244
Resolving orderwebpro.su (orderwebpro.su)... 185.147.14.244
Resolving profmarket.su (profmarket.su)... 185.147.14.244
Yeah, this is part of some Russian pharma spam campaign.