Another backdoor installation campaign.
- 17 requests, 17 unique IP addresses
- All attacking computers run Linux
- HTTP/1.0 plus Connection: close
- Accept-Languge: en-US,en;q=0.8
- Vigilance committee cookie (salted MD5 hash of hostname as name and value)
Timestamp | IP Address | DNS name | Remote port | p0f3 OS guess |
---|---|---|---|---|
2019-07-07T02:11:23.227-0600 | 167.86.73.65 | vmi252586.contaboserver.net | 44542 | Linux 2.2.x-3.x |
2019-07-07T02:11:24.335-0600 | 47.88.25.132 | | 56560 | Linux 3.11 and newer |
2019-07-07T02:11:25.051-0600 | 108.167.189.53 | gator4227.hostgator.com. | 32083 | Linux 3.11 and newer |
2019-07-07T02:11:25.618-0600 | 162.144.252.89 | van.vanjoy.com | 47884 | |
2019-07-07T02:11:26.105-0600 | 160.153.147.134 | n3nlwpweb006.prod.ams3.secureserver.net | 45622 | |
2019-07-07T02:12:06.328-0600 | 185.87.123.34 | 34-123-87-185.ip.idealhosting.net.tr | 48122 | Linux 3.1-3.10 |
2019-07-07T02:12:46.901-0600 | 198.57.247.144 | gator3180.hostgator.com | 44444 | Linux 3.11 and newer |
2019-07-07T02:13:26.770-0600 | 2001:41d0:8:3c21:: | | 60042 | |
2019-07-07T02:13:29.858-0600 | 39.105.196.69 | Aliyun Computing Co., Zhejiang, CN | 40538 | Linux 3.11 and newer |
2019-07-07T02:13:31.165-0600 | 72.167.190.30 | p3nlwpweb263.prod.phx3.secureserver.net | 47815 | |
2019-07-07T02:13:31.977-0600 | 192.185.131.125 | mx48.hostgator.mx | 44178 | Linux 3.11 and newer |
2019-07-07T02:13:35.510-0600 | 14.29.35.4 | CHINANET Guangdong province network | 59222 | Linux 3.1-3.10 |
2019-07-07T02:13:36.585-0600 | 160.153.156.133 | n3nlwpweb067.prod.ams3.secureserver.net | 58733 | |
2019-07-07T02:13:39.048-0600 | 67.225.216.141 | host.hddpool6.net | 56316 | Linux 3.1-3.10 |
2019-07-07T02:13:42.563-0600 | 221.121.158.45 | host.spgraphics.com.au | 45896 | Linux 3.11 and newer |
2019-07-07T02:13:45.915-0600 | 199.204.248.128 | cp17.machighway.com | 49374 | Linux 3.1-3.10 |
2019-07-07T02:13:51.062-0600 | 157.7.44.201 | users011.phy.heteml.jp | 53124 | Linux 3.11 and newer |
2019-07-07T02:13:55.792-0600 | 45.119.212.212 | Long Van System Solution JSC - Hanoi | 52162 | Linux 3.11 and newer |
The IP addresses belong to globally distributed VPS and colocation providers.
Remote ports range from 32083 to 60042. The default Linux ephemeral port range is 32768 to 60999, so one observed port (32083) falls just below that default range.
IP Address | p1 param present | URL |
---|---|---|
167.86.73.65 | | /blog/wp-content/plugins/wp_bing/wp-ajax.php |
47.88.25.132 | | http://www.stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php |
108.167.189.53 | | /wordpress/wp-content/plugins/wp-mobile-detector/cache/dbd.php |
162.144.252.89 | | /blog/wp-content/themes/twentytwelve/404.php |
160.153.147.134 | | http://stratigery.com/wp-content/uploads/2015/11/mod_arcweb.php |
185.87.123.34 | | http://stratigery.com/wp-content/uploads/2015/11/mod_arcweb.php |
198.57.247.144 | | http://stratigery.com/wp-content/uploads/2015/11/mod_arcweb.php |
2001:41d0:8:3c21:: | | /wordpress/wp-content/plugins/wp-mobile-detector/cache/db.php |
39.105.196.69 | | http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php |
72.167.190.30 | | /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/ps.php |
192.185.131.125 | | /wp-content/plugins/apikey/settings.php |
14.29.35.4 | | /wordpress/wp-content/plugins/wp-mobile-detector/cache/db.php |
160.153.156.133 | X | http://stratigery.com/blog/wp-content/plugins/wp_bing/wp-ajax.php |
67.225.216.141 | X | http://stratigery.com/blog/wp-content/plugins/wp_bing/wp-ajax.php |
221.121.158.45 | X | http://www.stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php |
199.204.248.128 | X | /wordpress/wp-content/plugins/wp-mobile-detector/cache/dbd.php |
157.7.44.201 | X | /blog/wp-content/themes/twentytwelve/404.php |
45.119.212.212 | X | /wordpress/wp-content/plugins/wp-mobile-detector/cache/db.php |
Chronologically, the first 10 requests arrive with an HTTP parameter named "a" that has the value "RC". The next 6 requests have a parameter named "a" with the value "RC", plus a parameter named "p1" whose value is a long string of PHP code.

Parameters named "a" and "p1" are used in invoking WSO web shells. Parameter "a" defines what action WSO will take when executing. When parameter "a" has the value "RC", WSO web shells later than version 2.2 execute the PHP function actionRC() after verifying that an appropriate login cookie is present. actionRC() looks for the HTTP parameter "p1". If that parameter isn't present, the WSO web shell sends back a serialized array containing the output of php_uname(), phpversion(), the WSO version, and whether "safe mode" is on or off for the PHP installation. When a parameter named "p1" is present, the WSO web shell calls the PHP builtin eval on the value of "p1".

So the first 10 requests ask for URLs where WSO is commonly hidden, and the next 6 send PHP code for immediate eval to a subset of those URLs.
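As an added example (not the honeypot's own code), here is a small Python classifier that applies the a=RC / p1 distinction above to honeypot request logs and scores the client fingerprint listed at the top of the page; the sample requests are constructed, and the PHP-code value in the eval request is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# Backdoor filenames probed in this campaign, taken from the URL table above.
WSO_PATH_SUFFIXES = ("wp-ajax.php", "db.php", "dbd.php", "ps.php", "404.php",
                     "mod_arcweb.php", "settings.php")

def classify(request_line, headers, body):
    """Classify one request as a WSO 'probe', an 'eval' attempt, or neither.

    a=RC without p1 makes WSO answer with its serialized fingerprint array;
    a=RC with p1 makes WSO eval() the p1 value.  The marker flags reproduce
    the client fingerprint listed at the top of the page.
    """
    method, target, version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    action = params.get("a", [None])[0]
    stage = None
    if action == "RC":
        stage = "eval" if "p1" in params else "probe"
    markers = {
        "http10": version.strip() == "HTTP/1.0",
        "conn_close": headers.get("Connection", "").lower() == "close",
        "accept_languge": "Accept-Languge" in headers,  # header name as listed above
        "known_path": url.path.endswith(WSO_PATH_SUFFIXES),
    }
    return {"action": action, "stage": stage,
            "markers": markers, "score": sum(markers.values())}

# Constructed sample traffic (hypothetical, not lines from the honeypot log).
SAMPLE_REQUESTS = [
    ("POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.0",
     {"Connection": "close", "Accept-Languge": "en-US,en;q=0.8"}, "a=RC"),
    ("POST /blog/wp-content/plugins/wp_bing/wp-ajax.php HTTP/1.0",
     {"Connection": "close", "Accept-Languge": "en-US,en;q=0.8"},
     "a=RC&p1=PLACEHOLDER_PHP_CODE"),
    ("GET /index.php?page=2 HTTP/1.1", {"Connection": "keep-alive"}, ""),
]

def summarize(requests):
    """Count probe vs eval requests, the split the page reports as 10 and 6."""
    counts = {"probe": 0, "eval": 0, "other": 0}
    for line, headers, body in requests:
        counts[classify(line, headers, body)["stage"] or "other"] += 1
    return counts
```

A score of 4 means every fingerprint marker from the summary matched; a lone a=RC with a low score is worth a second look before attributing it to this campaign.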
Here's where a misfeature of my WSO emulator helps us out. Any URL ending in mod_arcweb.php causes my WSO emulator to sleep for 120 seconds, then exit with no output. URLs ending in "mod_arcweb.php" also seem to commonly have a backdoor living on them, and some IP addresses aggressively try to invoke those URLs. I added the sleep(120); in an attempt to slow them down. In this case, it seems to have instead convinced the attacker(s) that no WSO web shell was available at that URL.
The URLs they probed and the URLs they downloaded to aren't a great match. The downloaded-to URLs are missing mod_arcweb.php (3 probes), /wp-content/plugins/apikey/settings.php (1 probe), and /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/ps.php (1 probe), yet they sent duplicate download attempts to http://stratigery.com/blog/wp-content/plugins/wp_bing/wp-ajax.php.

/wp-content/plugins/apikey/settings.php seems like an odd URL. There's an apikey.php backdoor that my honey pot has caught in the past; settings.php is a WSO 2.x downloaded through that apikey.php backdoor. It seems to have been downloaded on 2019-06-26.
The attacker(s) sent 5 (lexically) identical payloads, and one unique payload. Similarly, they sent 5 identical droppers, and one unique dropper.
The droppers are identical to the procedurally-oriented droppers used in the first backdoor install campaign.
Just like in the 2019-06-30 backdoor installation campaign, there are 5 functionally identical v1-01 extendable backdoors, each uniquely obfuscated by renaming all variables and function names to randomly-chosen strings.
There's a single, unique payload, which is also uniquely obfuscated in the same fashion, but functionally identical to the 2019-06-30 file downloader.