[ How it starts ]
Today, my personal scanner found yet another PHP WebShell.
Since we at VXSecurity.sg haven't written anything on PHP WebShells yet, I will be writing about one today.
So what is a “PHP WebShell”?
A PHP WebShell can give a malicious hacker the ability to perform the following actions:
- Archive or extract files
- Brute-force logins for FTP, MySQL, pgsql
- Create or delete folders
- Download files
- Encode or decode files
- Open a bash shell, which allows the remote attacker to execute commands on the server
- Open files
- Rename files
- Run SQL commands
- Search folders
- Show active connections
- Show computers the infected computer has access to
- Show running services
- Show user accounts
- Show IP configuration
- Connect to certain servers
A PHP WebShell also allows the attacker(s) to connect to the compromised server(s) and receive arbitrary information about your PC and/or server.
Today, I found this PHP WebShell at http://www[.]motorossarkany[.]hu/images/hir_41_1[.]jpg
[ Sample used in the analysis ]
PHP WebShell Sample
The password to the zip is "infected29A".
[ Tool Used ]
[ Analysis of the .JPG file ]
If we open this .jpg file in any hex editor or in Notepad++, we see the following (image).
We can see right away that it's basically a .php file instead of a .jpg file.
In this case, we can safely say that the .htaccess file is set to run JPG files as PHP. This is why, although the file extension is GIF or JPG, the PHP code will be executed.
Let's try decoding the top portion of the script; we should get back this (image).
Hmmm... it seems like $_F and $_X are not used. Or are they?
As we reach the bottom of the file, we see another interesting part of the script, shown in the image below.
As we can see here, we already have the value of "$OOO0000O0". The value is "base64_decode".
So basically, it's just a base64 decoding of the string shown in Image 3.
Image 3: String to be base64 decoded
After we base64 decode it, we get back the following piece of code (image).
To avoid anyone accidentally running the script, just replace the above code snippet with the following one.
$file1 = "file_x.txt";
$file2 = "file_R.txt";
Now if you run the script again, you should get back two .txt files ("file_x.txt" and "file_R.txt").
I did this to show the differences between the two for those who are not familiar with PHP.
So the thing I hope SysAdmins take away from this is to always do your due diligence checks on your web server, and to check your .htaccess files if there are any.
If you see new image files and lots of entries for them in the access logs, do check those files.
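As a defender-side check for the two indicators in this post (an "image" whose bytes are actually PHP, and an .htaccess that hands image extensions to the PHP handler), here is an added example scanner; it is not code from the post or from the sample, and the file contents and .htaccess line it self-tests with are constructed.

```python
import re
from pathlib import Path

# Magic bytes a genuine image starts with; the sample in this post
# instead started with PHP code despite its .jpg name.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n")
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}
# PHP open tags; one of these inside an "image" is the key indicator.
PHP_TAG = re.compile(rb"<\?php\b|<\?=", re.I)
# Apache directives that map extra extensions onto the PHP handler.
HTACCESS_RE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler)\b.*php.*$", re.I | re.M)


def check_image(name: str, data: bytes) -> list:
    """Return findings for one file: extension/magic mismatch, embedded PHP."""
    findings = []
    if Path(name).suffix.lower() in IMAGE_EXTENSIONS:
        if not data.startswith(IMAGE_MAGIC):
            findings.append("image extension but no image magic bytes")
    if PHP_TAG.search(data):
        findings.append("PHP open tag present")
    return findings


def check_htaccess(text: str) -> list:
    """Return .htaccess lines that hand non-.php extensions to PHP."""
    return [m.group(0).strip() for m in HTACCESS_RE.finditer(text)]


def scan_tree(root: str) -> dict:
    """Walk a web root and collect findings per suspicious file."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == ".htaccess":
            hits = check_htaccess(path.read_text(errors="replace"))
        else:
            hits = check_image(path.name, path.read_bytes())
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples (not the post's real files) for a quick self-check.
FAKE_JPG = b"<?php $OOO0000O0 = 'base64_decode'; echo 'constructed';"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
HTACCESS = "Options -Indexes\nAddType application/x-httpd-php .jpg .gif\n"

if __name__ == "__main__":
    print(check_image("hir_41_1.jpg", FAKE_JPG))
    print(check_image("logo.gif", REAL_GIF))
    print(check_htaccess(HTACCESS))
```

Run `scan_tree("/path/to/webroot")` against a real document root to get a dict of flagged files; the constructed samples only exercise the two checks.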
I hope this is useful to someone out there.