Descendant of b374k v2.2.
A Saudi Telecom Company IP address.
inet6num: 2001:16a0::/29
netname: SA-STC-20031219
country: SA
created: 2012-07-10T11:40:59Z
last-modified: 2017-01-15T11:11:48Z
org-name: Saudi Telecom Company JSC
address: P.O Box 295997
address: 11351
address: Riyadh
address: SAUDI ARABIA
route6: 2001:16a2:4e00::/39
descr: Saudinet, Saudi Telecom Company ISP
origin: AS25019
created: 2017-05-21T12:06:31Z
last-modified: 2017-05-21T12:06:31Z
The attacker(s) clearly thought they had the URL and password for an instance of Web Shell by oRb (WSO or "FilesMan"). They made an HTTP POST request with stereotypical parameter names.
| Parameter name | Value |
|---|---|
| a | FilesMAn |
| c | /var/www/html/ |
| p1 | uploadFile |
| charset | Windows-1251 |
The file was named Lk.php on the attacker's machine.
No deobfuscation was required; the attackers downloaded cleartext. I did pretty-print it to make it easier to read.
IPv6 address 2001:16a2:4e5f:7800:8506:10f0:187e:f721 has made HTTP requests of my web server 65 times, all on 2019-02-14.
Of those 65 accesses, 12 were for URLs ending in "Lk.php". Oddly, every one of those 12 accesses appeared to assume a WSO shell as the receiver. Stereotypical WSO HTTP parameters named "a", "c", "p1", etc., arrived with every request of a URL ending in "Lk.php". I do not understand this.
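The two observations above (the stereotypical WSO parameter set in the POST body, and the per-IP tally of requests for Lk.php) are easy to check mechanically once POST bodies are being captured. The following is an added example, not code from the original post: it assumes a honeypot log format of my own choosing (Combined Log Format with the captured POST body appended as one extra quoted field), uses the parameter names the post lists as its WSO signature, and runs over a few constructed log lines that reuse the IP and parameters shown above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log (not taken from the original post). The format is an
# assumption: Combined Log Format, then the captured POST body as one extra
# quoted field, the way a honeypot might record it.
SAMPLE_LOG = """\
2001:16a2:4e5f:7800:8506:10f0:187e:f721 - - [14/Feb/2019:10:01:02 +0000] "POST /Lk.php HTTP/1.1" 404 196 "a=FilesMAn&c=%2Fvar%2Fwww%2Fhtml%2F&p1=uploadFile&charset=Windows-1251"
2001:16a2:4e5f:7800:8506:10f0:187e:f721 - - [14/Feb/2019:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 512 ""
2001:16a2:4e5f:7800:8506:10f0:187e:f721 - - [14/Feb/2019:10:01:05 +0000] "POST /wp-content/Lk.php HTTP/1.1" 404 196 "a=FilesMAn&c=%2Fvar%2Fwww%2Fhtml%2F&p1=uploadFile&charset=Windows-1251"
192.0.2.10 - - [14/Feb/2019:10:02:00 +0000] "POST /contact.php HTTP/1.1" 200 88 "name=bob&msg=hello"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<body>[^"]*)"$'
)

# Parameter names the post lists as stereotypical for WSO-style requests.
WSO_PARAMS = {"a", "c", "p1", "charset"}


def parse_line(line):
    """Parse one log line into ip, ts, method, path, status and decoded
    POST parameters. Returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # parse_qs yields {name: [values]}; keep the first value per name.
    rec["params"] = {
        k: v[0]
        for k, v in parse_qs(rec["body"], keep_blank_values=True).items()
    }
    return rec


def is_wso_style(params):
    """Heuristic: the 'a' action parameter plus at least two more of the
    stereotypical names marks a request as WSO-style."""
    return "a" in params and len(WSO_PARAMS & set(params)) >= 3


def summarize(log_text, shell_name="Lk.php"):
    """Per-IP counts: all requests, requests whose path ends in shell_name,
    and POSTs carrying the WSO parameter signature."""
    stats = defaultdict(lambda: {"total": 0, "shell_hits": 0, "wso_style": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        # Strip any query string before checking the path suffix.
        if rec["path"].split("?", 1)[0].endswith(shell_name):
            s["shell_hits"] += 1
        if rec["method"] == "POST" and is_wso_style(rec["params"]):
            s["wso_style"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['total']} requests, {s['shell_hits']} for Lk.php, "
              f"{s['wso_style']} WSO-style POSTs")
```

The signature check deliberately keys on parameter names rather than on the value "FilesMAn", since the names are what recur across requests; a stricter rule could also require `a` to start with "FilesMan" case-insensitively. The per-IP summary reproduces the kind of tally the post reports (total requests versus requests for Lk.php) from whatever capture format the server actually writes.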
Luckily, someone has collected b374k webshells, which helps because K4X is almost a dead ringer for b374k v2.2. The variable names, the base64-encoded "back shell", favicon and so forth match identically. In fact, K4X is mainly b374k v2.2 with "b374k" replaced by "K4X".
I found another instance of this shell on pastebin.