[ Technical Teardown: PHP WebShell ]

[ How it starts ]
Today, my personal scanner found yet another PHP WebShell.
Since we at VXSecurity.sg haven't written anything on PHP WebShells yet, I will be writing one today.
So what is a “PHP WebShell”?
A PHP WebShell can give malicious hackers access to perform the following actions:

  • Archive or extract files
  • Brute-force logins for FTP, MySQL, pgsql
  • Create or delete folders
  • Download files
  • Encode or decode files
  • Open a bash shell command, which allows the remote attacker to execute remote commands
  • Open files
  • Rename files
  • Run SQL commands
  • Search folders
  • Show active connections
  • Show computers the infected computer had access to
  • Show running services
  • Show user accounts
  • Show IP configuration
  • Connect to certain servers

A PHP WebShell also allows the attacker(s) to connect to the compromised server(s) and pull back arbitrary information about your PC and/or server.
Today, I found this PHP WebShell at http://www[.]motorossarkany[.]hu/images/hir_41_1[.]jpg

[ Sample used in the analysis ]
MD5: 379f63c3df8570a479017757c0826d2e
SHA1: 3f86bd230c01c54d356d910c5ba161b2857ee5fb
PHP WebShell Sample
The password to the zip is “infected29A”

[ Tool Used ]

[ Analysis of the .JPG file ]
If we open this .jpg file in any hex editor or in Notepad++, the following image is what you will see.

Image 1 : hir_41_1.jpg

We can see right here that it is really a .php file, not a .jpg file.
In this case, we can safely say that the .htaccess file is set to run JPG files as PHP. That is why the PHP code gets executed even though the file extension is GIF or JPG.
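Two checks follow from this observation: whether any .htaccess on the web root maps image extensions to the PHP handler, and whether a file with an image extension actually starts with image magic bytes. The script below is an added example written for this post (it is not code from the sample or from VXSecurity.sg); the .htaccess content and file headers it inspects are constructed here to show both cases, and the directive forms it looks for (AddType/AddHandler lines and SetHandler/ForceType inside a FilesMatch block) are the common Apache ways of achieving the same trick.

```python
import re

IMAGE_EXTS = ("jpg", "jpeg", "gif", "png", "bmp", "ico")

# Leading bytes a genuine JPEG, GIF, PNG, BMP or ICO file starts with.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF87a", b"GIF89a",
               b"\x89PNG\r\n\x1a\n", b"BM", b"\x00\x00\x01\x00")

# Constructed .htaccess content (not taken from the post): two different ways
# of telling Apache to push image files through the PHP handler.
SAMPLE_HTACCESS = """\
Options -Indexes
AddType application/x-httpd-php .jpg .gif
<FilesMatch "\\.(jpe?g|png)$">
    SetHandler application/x-httpd-php
</FilesMatch>
ErrorDocument 404 /404.html
"""

HANDLER_LINE_RE = re.compile(r"^[ \t]*(AddType|AddHandler)\b.*$", re.I | re.M)
FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.I | re.S)


def _names_image_ext(line):
    low = line.lower()
    return any("." + e in low for e in IMAGE_EXTS)


def _pattern_hits_image(pattern):
    """True if the FilesMatch regex would match a filename with an image extension."""
    try:
        rx = re.compile(pattern, re.I)
    except re.error:
        return True  # unparseable pattern: report it rather than silently skip it
    return any(rx.search("probe." + e) for e in IMAGE_EXTS)


def suspicious_htaccess_directives(text):
    """Return the directives that make image extensions execute as PHP."""
    findings = []
    for m in HANDLER_LINE_RE.finditer(text):
        line = m.group(0).strip()
        if "php" in line.lower() and _names_image_ext(line):
            findings.append(line)
    for pattern, body in FILESMATCH_RE.findall(text):
        handler_is_php = re.search(r"(SetHandler|ForceType)[^\n]*php", body, re.I)
        if handler_is_php and _pattern_hits_image(pattern):
            findings.append('<FilesMatch "%s"> %s' % (pattern, " ".join(body.split())))
    return findings


def image_header_verdict(filename, data):
    """Classify a file that claims to be an image by its leading bytes.

    Returns None for non-image extensions, "image-magic-ok" when the header is
    a real image signature, "php-open-tag" when the file starts with a PHP tag
    (the case in this post), and "no-image-magic" for anything else.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_EXTS:
        return None
    if any(data.startswith(sig) for sig in IMAGE_MAGIC):
        return "image-magic-ok"
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<?php") or head.startswith(b"<?"):
        return "php-open-tag"
    return "no-image-magic"


if __name__ == "__main__":
    for d in suspicious_htaccess_directives(SAMPLE_HTACCESS):
        print("suspicious directive:", d)
    # constructed header imitating the sample's first bytes
    print(image_header_verdict("hir_41_1.jpg", b"<?php $_F=__FILE__;$_X='...';"))
```

Run the two functions over every .htaccess and every image file under the web root; a "php-open-tag" verdict on a file in an images directory, or any directive returned by the first function, is worth a closer look regardless of how the file got there.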

Let’s try decoding the top portion of the script, and we should get back this:

Hmmm…it seems that $_F and $_X are not used. Or are they?
As we reach the bottom of the file, we see another interesting part of the script, as shown in the image below.

Image 2 : Decoding 2nd part of the PHP WebShell

As we can see here, we already have the value of “$OOO0000O0”: it is “base64_decode”.
So basically, it’s just a base64 decoding of the following string.

Image 3 : String to be base64 decoded

After we base64-decode it, we get back the following piece of code.

To avoid accidentally running the script, replace the above code snippet with the following one.

Now, if you run the script again, you should get back two .txt files (“file_x.txt” and “file_R.txt”).
I did this to show the differences between the two for those who are not familiar with PHP.
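The post's method is to run the sample with its eval() swapped for a write to disk. The same layers can also be peeled without ever running PHP, which is safer when the sample is untrusted. The script below is an added example for this post, not code from the sample or from the author: it statically resolves a variable that holds the decoder name (a plain string, or one hidden behind urldecode()/base64_decode(), as with $OOO0000O0 above), finds eval(<decoder>('...')) calls, base64-decodes the literal in Python and repeats on the result. The sample it unwraps is constructed here; the variable name $OOO0000O0 is the one from the post, while the payload strings are made up. It covers only the eval(base64_decode(...)) wrapper shown on this page, so any extra transform a sample applies to $_X before the final eval would need its own step.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# $name = 'literal';  |  $name = "literal";  |  $name = base64_decode('...');  |  $name = urldecode('...');
ASSIGN_RE = re.compile(
    r"\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|(base64_decode|urldecode)\(\s*'([^']*)'\s*\))\s*;"
)
# eval( $alias('literal') )  or  eval( base64_decode('literal') )
EVAL_RE = re.compile(r"eval\(\s*(?:\$(\w+)|(base64_decode))\s*\(\s*'([^']*)'\s*\)\s*\)")


def _literal_value(plain1, plain2, wrapper, inner):
    """Resolve the right-hand side of an assignment to the string it yields."""
    if wrapper == "base64_decode":
        return base64.b64decode(inner).decode("latin-1")
    if wrapper == "urldecode":
        return unquote(inner)
    return plain1 if plain1 is not None else plain2


def find_decoder_aliases(code, aliases=None):
    """Return {variable: 'base64_decode'} for variables that hold the decoder name."""
    aliases = dict(aliases or {})
    for m in ASSIGN_RE.finditer(code):
        name, p1, p2, wrapper, inner = m.groups()
        try:
            value = _literal_value(p1, p2, wrapper, inner)
        except (binascii.Error, ValueError):
            continue
        if value == "base64_decode":
            aliases[name] = value
    return aliases


def peel_layers(code, max_layers=10):
    """Statically unwrap nested eval(base64_decode('...')) layers.

    Returns the decoded stages, outermost first. Nothing is executed: the
    literal handed to the decoder is base64-decoded here instead. Aliases
    found in an outer stage stay valid for inner ones, because PHP's eval()
    runs in the caller's variable scope.
    """
    stages, aliases, current = [], {}, code
    for _ in range(max_layers):
        aliases = find_decoder_aliases(current, aliases)
        m = EVAL_RE.search(current)
        if not m:
            break
        var, direct, literal = m.groups()
        if direct is None and var not in aliases:
            break  # eval through a function we could not resolve: stop, do not guess
        try:
            current = base64.b64decode(literal).decode("latin-1")
        except (binascii.Error, ValueError):
            break
        stages.append(current)
    return stages


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed two-layer sample in the style of the post (payload text is made up).
INNER = "<?php /* constructed stand-in for the webshell body */ echo 'stage two'; ?>"
STAGE1 = "$_F=__FILE__; eval($OOO0000O0('" + _b64(INNER) + "'));"
SAMPLE = ("<?php $OOO0000O0=urldecode('%62%61%73%65%36%34%5f%64%65%63%6f%64%65'); "
          "eval($OOO0000O0('" + _b64(STAGE1) + "')); ?>")

if __name__ == "__main__":
    for i, stage in enumerate(peel_layers(SAMPLE), 1):
        print("--- layer %d ---" % i)
        print(stage)
```

Each returned stage corresponds to what the post dumps into a .txt file; writing them out with distinct names keeps the same side-by-side view without the sample ever touching a PHP interpreter.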

OK, we should now be able to see the actual PHP WebShell, as shown below.
Image 3 : Final Deobfuscated PHP WebShell

What I hope sysadmins take away from this is to always do your due diligence checks on your web server and inspect your .htaccess files, if there are any.
If you see new image files together with lots of entries for them in the access logs, do check those files.

I hope this is useful to someone out there.

Happy Reversing
Jacob Soo
