Commit b6d46b9

committed
More analysis
1 parent 2c31db2 commit b6d46b9

File tree

6 files changed

+303
-74
lines changed
backdoors/192.99.15.141-2019-09-04a/README.md

+36-5
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,15 @@ object-oriented method of evaluating PHP code.
66
## Origin
77

88
The attacker(s) tried to replace the `404.php` file of the "twentytwelve" WordPress theme with a backdoored version.
9+
They tried to do this by emulating editing a theme's file.
910

10-
If you want to do this in a legit WordPress installation,
11+
If you want to edit a theme's file in a legit WordPress installation,
1112
rather than the kind of hacky honey pot that I've written,
1213
you have to log in to WordPress with an administrator ID.
1314
The attackers tried to do that, failed a few times,
14-
and proceeded to try to install the backdoor anyway.
15+
and proceeded to try to edit the theme anyway.
1516
My WordPress honey pot fakes a theme-editing function
16-
and does not check for a valid login cookie to edit themes,
17+
which does not check for a valid login cookie to edit themes,
1718
so it caught the theme edit.
1819

1920

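Review bot: new line 9, "They tried to do this by emulating editing a theme's file.", stacks two gerunds and is hard to parse; suggest "They tried to do this by mimicking the requests WordPress's theme editor makes." Line 17 changes "and does not check" to "which does not check", which now reads as if the theme-editing function, rather than the honey pot, is what skips the cookie check; either keep "and" or add a comma before "which" so the clause attaches to the honey pot as intended.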
@@ -31,7 +32,6 @@ Seven (7) requests in 0.267 seconds.
3132
This has to be automated,
3233
and poorly automated at that,
3334
as it doesn't detect that it has failed the logins.
34-
As we shall see futher down, this isn't the only shoddy programming going on.
3535

3636
### IP Address 192.99.15.141
3737

@@ -72,7 +72,9 @@ the original twentytwelve theme's `404.php` file.
7272

7373
### The back door
7474

75-
Here's pretty-printed backdoor code:
75+
Here's pretty-printed backdoor code.
76+
It may not be clear, but beyond meaningless class
77+
and variable names, no real obfuscation.
7678

7779
<?php
7880
class VONE
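Review bot: new line 77 is missing its verb: "beyond meaningless class and variable names, no real obfuscation" should read "beyond meaningless class and variable names, there is no real obfuscation". Since "pretty-printed" implies the listing was reformatted, it would help to say which of the captured files under accesses/ holds the code as it arrived, so a reader can compare the two.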
@@ -146,6 +148,35 @@ It ended up the same code every time:
146148

147149
This looks like the attacker(s) tried to verify that the backdoor got
148150
installed correctly, and that it's in working order.
151+
This is similar enough to other recon code I've encountered
152+
that my backdoor actually
153+
recognized it as recon code, and using text editing functions,
154+
gave back the string "->|5cd56e39aabfa5ec95b14b888735b69b|<-"
149155

150156
The last 3 URLs aren't properly formatted, so it's hard to say
151157
what was going on.
158+
It has to be confusing when the recon code *seems* to work.
159+
160+
## Other oddities
161+
162+
I include parts of my machine's Apache [access_log](http.txt)
163+
and [p0f3](http://lcamtuf.coredump.cx/p0f3/) [log file](p0f.txt),
164+
along with all the [captured files](accesses) from my honey pot
165+
for this IP.
166+
There's a few oddities.
167+
168+
1. There's a [captured file](accesses/192.99.15.141XW8iK76KjNbAEz@V22we6wAAAA0file) that doesn't have a matching
169+
honey pot metadata file. This probably shouldn't happen.
170+
`p0f3` recorded an activity at 2019-09-03T20:32:10, but it has the notation "host change"
171+
which I've never seen before.
172+
Apache logged nothing at that time,
173+
but the captured file got written out by the PHP of my honey pot, which has to be interpreted by
174+
the PHP module in the Apache daemon.
175+
2. The URLs record in honey pot meta data change from using "stratigery.com" to "162.246.45.144"
176+
and back, referring to the host name of which HTTP requests are made.
177+
The timestamps make clear that there's 3 "sessions", one from 2019-09-03T07:19:56 to 2019-09-03T07:19:57
178+
which uses "stratigery.com",
179+
one from 2019-09-03T11:22:04 to 2019-09-03T11:22:23, using 162.246.45.144,
180+
another from 2019-09-03T12:03:48 to 2019-09-03T12:03:50, back to "stratigery.com".
181+
The session using 162.246.45.144 lasts 19 seconds verus the other approximately 2-second sessions.
182+
All of these accesses are probably automated, but why use a DNS name in some, and an IP address in others?
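Review bot: the continuation lines of list items 1 and 2 (new lines 169-174 and 176-182) are not indented, so Markdown renderers will break the numbered list into separate paragraphs; indent them by three spaces under "1." and "2.". Typos in the same hunk: "verus" should be "versus" (181), "The URLs record in honey pot meta data" should be "recorded" (175), "the host name of which HTTP requests are made" should be "to which" (176), "There's a few oddities" should be "There are" (166), and new line 154 ends on the quoted string without a period. On item 1, the claim that a captured file with no metadata "probably shouldn't happen" rests on Apache having logged nothing at 2019-09-03T20:32:10; it would strengthen the point to say whether the access_log excerpt in http.txt covers that time at all (log rotation, or a request on another vhost, would explain the gap without the honey pot misbehaving).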
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
2019-09-03T07:19:56.178-0600 http://www.stratigery.com/wp-login.php
2+
2019-09-03T07:19:56.178-0600 http://www.stratigery.com/wp-login.php
3+
2019-09-03T07:19:56.178-0600 http://www.stratigery.com/wp-login.php
4+
2019-09-03T07:19:56.178-0600 http://www.stratigery.com/wp-login.php
5+
2019-09-03T07:19:56.180-0600 http://www.stratigery.com/wp-login.php
6+
2019-09-03T07:19:56.180-0600 http://www.stratigery.com/wp-login.php
7+
2019-09-03T07:19:56.286-0600 http://www.stratigery.com/wp-login.php
8+
2019-09-03T07:19:56.286-0600 http://www.stratigery.com/wp-login.php
9+
2019-09-03T07:19:56.286-0600 http://www.stratigery.com/wp-login.php
10+
2019-09-03T07:19:56.286-0600 http://www.stratigery.com/wp-login.php
11+
2019-09-03T07:19:56.309-0600 http://www.stratigery.com/wp-login.php
12+
2019-09-03T07:19:56.309-0600 http://www.stratigery.com/wp-login.php
13+
2019-09-03T07:19:56.447-0600 http://www.stratigery.com/wp-admin/theme-editor.php
14+
2019-09-03T07:19:56.447-0600 http://www.stratigery.com/wp-admin/theme-editor.php
15+
2019-09-03T07:19:56.464-0600 http://www.stratigery.com/wp-admin/theme-editor.php
16+
2019-09-03T07:19:56.464-0600 http://www.stratigery.com/wp-admin/theme-editor.php
17+
2019-09-03T07:19:56.509-0600 http://www.stratigery.com/wp-admin/theme-editor.php
18+
2019-09-03T07:19:56.509-0600 http://www.stratigery.com/wp-admin/theme-editor.php
19+
2019-09-03T07:19:56.786-0600 http://www.stratigery.com/wp-admin/theme-editor.php
20+
2019-09-03T07:19:56.786-0600 http://www.stratigery.com/wp-admin/theme-editor.php
21+
2019-09-03T07:19:56.798-0600 http://www.stratigery.com/wp-admin/theme-editor.php
22+
2019-09-03T07:19:56.798-0600 http://www.stratigery.com/wp-admin/theme-editor.php
23+
2019-09-03T07:19:56.822-0600 http://www.stratigery.com/wp-admin/theme-editor.php
24+
2019-09-03T07:19:56.822-0600 http://www.stratigery.com/wp-admin/theme-editor.php
25+
2019-09-03T07:19:56.973-0600 http://www.stratigery.com/wp-admin/theme-editor.php
26+
2019-09-03T07:19:56.973-0600 http://www.stratigery.com/wp-admin/theme-editor.php
27+
2019-09-03T07:19:56.989-0600 http://www.stratigery.com/wp-admin/theme-editor.php
28+
2019-09-03T07:19:56.989-0600 http://www.stratigery.com/wp-admin/theme-editor.php
29+
2019-09-03T07:19:57.013-0600 http://www.stratigery.com/wp-admin/theme-editor.php
30+
2019-09-03T07:19:57.013-0600 http://www.stratigery.com/wp-admin/theme-editor.php
31+
2019-09-03T07:19:57.191-0600 http://www.stratigery.com/wp-content/themes/twentytwelve/404.php
32+
2019-09-03T07:19:57.191-0600 http://www.stratigery.com/wp-content/themes/twentytwelve/404.php
33+
2019-09-03T07:19:57.233-0600 http://www.stratigery.com/wp-content/themes/twentytwelve/404.php
34+
2019-09-03T07:19:57.233-0600 http://www.stratigery.com/wp-content/themes/twentytwelve/404.php
35+
2019-09-03T07:19:57.246-0600 http://www.stratigery.com/wp-content/themes/twentytwelve/404.php
36+
2019-09-03T07:19:57.246-0600 http://www.stratigery.com/wp-content/themes/twentytwelve/404.php
37+
2019-09-03T11:22:04.470-0600 http://162.246.45.144/wp-login.php
38+
2019-09-03T11:22:04.470-0600 http://162.246.45.144/wp-login.php
39+
2019-09-03T11:22:05.052-0600 http://162.246.45.144/wp-login.php
40+
2019-09-03T11:22:05.052-0600 http://162.246.45.144/wp-login.php
41+
2019-09-03T11:22:08.506-0600 http://162.246.45.144/wp-admin/theme-editor.php
42+
2019-09-03T11:22:08.506-0600 http://162.246.45.144/wp-admin/theme-editor.php
43+
2019-09-03T11:22:15.775-0600 http://162.246.45.144/wp-admin/theme-editor.php
44+
2019-09-03T11:22:15.775-0600 http://162.246.45.144/wp-admin/theme-editor.php
45+
2019-09-03T11:22:16.099-0600 http://162.246.45.144/wp-admin/theme-editor.php
46+
2019-09-03T11:22:16.099-0600 http://162.246.45.144/wp-admin/theme-editor.php
47+
2019-09-03T11:22:23.357-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
48+
2019-09-03T11:22:23.357-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
49+
2019-09-03T12:03:48.141-0600 http://stratigery.com/wp-login.php
50+
2019-09-03T12:03:48.141-0600 http://stratigery.com/wp-login.php
51+
2019-09-03T12:03:48.229-0600 http://stratigery.com/wp-login.php
52+
2019-09-03T12:03:48.229-0600 http://stratigery.com/wp-login.php
53+
2019-09-03T12:03:48.253-0600 http://stratigery.com/wp-login.php
54+
2019-09-03T12:03:48.253-0600 http://stratigery.com/wp-login.php
55+
2019-09-03T12:03:48.349-0600 http://stratigery.com/wp-login.php
56+
2019-09-03T12:03:48.349-0600 http://stratigery.com/wp-login.php
57+
2019-09-03T12:03:48.457-0600 http://stratigery.com/wp-admin/theme-editor.php
58+
2019-09-03T12:03:48.457-0600 http://stratigery.com/wp-admin/theme-editor.php
59+
2019-09-03T12:03:48.493-0600 http://stratigery.com/wp-login.php
60+
2019-09-03T12:03:48.493-0600 http://stratigery.com/wp-login.php
61+
2019-09-03T12:03:48.561-0600 http://stratigery.com/wp-admin/theme-editor.php
62+
2019-09-03T12:03:48.561-0600 http://stratigery.com/wp-admin/theme-editor.php
63+
2019-09-03T12:03:48.759-0600 http://stratigery.com/wp-login.php
64+
2019-09-03T12:03:48.759-0600 http://stratigery.com/wp-login.php
65+
2019-09-03T12:03:49.003-0600 http://stratigery.com/wp-admin/theme-editor.php
66+
2019-09-03T12:03:49.003-0600 http://stratigery.com/wp-admin/theme-editor.php
67+
2019-09-03T12:03:49.013-0600 http://stratigery.com/wp-admin/theme-editor.php
68+
2019-09-03T12:03:49.013-0600 http://stratigery.com/wp-admin/theme-editor.php
69+
2019-09-03T12:03:49.085-0600 http://stratigery.com/wp-admin/theme-editor.php
70+
2019-09-03T12:03:49.085-0600 http://stratigery.com/wp-admin/theme-editor.php
71+
2019-09-03T12:03:49.230-0600 http://stratigery.com/wp-admin/theme-editor.php
72+
2019-09-03T12:03:49.230-0600 http://stratigery.com/wp-admin/theme-editor.php
73+
2019-09-03T12:03:49.457-0600 http://stratigery.com/wp-admin/theme-editor.php
74+
2019-09-03T12:03:49.457-0600 http://stratigery.com/wp-admin/theme-editor.php
75+
2019-09-03T12:03:49.578-0600 http://stratigery.com/wp-content/themes/twentytwelve/404.php
76+
2019-09-03T12:03:49.578-0600 http://stratigery.com/wp-content/themes/twentytwelve/404.php
77+
2019-09-03T12:03:49.655-0600 http://stratigery.com/wp-admin/theme-editor.php
78+
2019-09-03T12:03:49.655-0600 http://stratigery.com/wp-admin/theme-editor.php
79+
2019-09-03T12:03:49.940-0600 http://stratigery.com/wp-content/themes/twentytwelve/404.php
80+
2019-09-03T12:03:49.940-0600 http://stratigery.com/wp-content/themes/twentytwelve/404.php
81+
2019-09-03T12:03:50.145-0600 http://stratigery.com/wp-admin/theme-editor.php
82+
2019-09-03T12:03:50.145-0600 http://stratigery.com/wp-admin/theme-editor.php
83+
2019-09-03T12:03:50.401-0600 http://stratigery.com/wp-content/themes/twentytwelve/404.php
84+
2019-09-03T12:03:50.401-0600 http://stratigery.com/wp-content/themes/twentytwelve/404.php
85+
2019-09-05T12:22:13.098-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
86+
2019-09-05T12:22:13.098-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
87+
2019-09-05T12:22:15.312-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
88+
2019-09-05T12:22:15.312-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
89+
2019-09-05T12:22:17.927-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
90+
2019-09-05T12:22:17.927-0600 http://162.246.45.144/wp-content/themes/twentytwelve/404.php
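Review bot: every line in this new file appears twice with an identical timestamp (new lines 1-4 are four copies of the 07:19:56.178 wp-login.php entry, 37-38 two copies of 11:22:04.470, and so on); if that is an artifact of how the file was produced, deduplicate it, otherwise say in the README that each request is recorded twice, since anyone counting requests or sessions from this file will get double the real numbers. Separately, new lines 85-90 show three 404.php accesses via 162.246.45.144 on 2019-09-05T12:22, two days after the three 2019-09-03 "sessions" the README's "Other oddities" item 2 enumerates; the README should either count these as a further session (they look like the recon checks of the installed backdoor) or say why they are left out.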

backdoors/192.99.15.141-2019-09-04a/accesses/files

-55
This file was deleted.

backdoors/192.99.15.141-2019-09-04a/accesses/z0s

-14
This file was deleted.

0 commit comments