A program to perform sub-rosa administrative functions on WordPress and Joomla blogs.
The attacker(s) treated a URL, /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/ps.php, as a WSO web shell.
| Timestamp | Note |
|---|---|
| 2019-08-09 07:41:00-06 | HTTP GET, no cookies, no HTTP parameters |
| 2019-08-09 07:41:00-06 | Another plain HTTP GET |
| 2019-08-09 07:41:01-06 | HTTP POST, parameter named "pass" |
| 2019-08-09 07:41:02-06 | POST, parameter "a", value "FilesMAn" |
| 2019-08-09 07:41:02-06 | POST, parameter "a", value "FilesTools", "p1" value "wp-config.php" |
| 2019-08-09 07:41:03-06 | POST, "a" value "FilesMAn", "p1" value "uploadFile", sent a file "uploader.php" |
| 2019-08-09 07:41:07-06 | POST, "a" value "FilesMAn", "p1" value "uploadFile", sent a file "uploader.php" |
The first 6 accesses arrive very rapidly; they seem automated. The final access arrives after a 4-second interval and might be manual.
This is all typical of WSO web shell use. Access the WSO URL, get a login screen. Send password. Look at "wp-config.php" with file manager. Upload a file or two. All the parameters match - the attacker(s) thought they were using a WSO web shell.
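As an added example (not part of the original analysis), the following Python flags the WSO interaction pattern the table shows: a POST carrying "pass", "a" set to FilesMAn or FilesTools, a "p1" file read or uploadFile, and a leading burst of requests one second or less apart. The request records are constructed from the timeline above; in practice the same shape would come from a WAF or request-body log, since plain access logs do not record POST parameters.

```python
"""Flag WSO-style web-shell interactions in parsed request records."""
from datetime import datetime, timedelta

# WSO "a" actions seen in the timeline; other WSO actions exist but are not shown here
WSO_ACTIONS = {"FilesMAn": "file manager", "FilesTools": "file tools"}

# Constructed from the timeline in the text (password value redacted)
TIMELINE = [
    {"ts": "2019-08-09T07:41:00-06:00", "method": "GET", "params": {}},
    {"ts": "2019-08-09T07:41:00-06:00", "method": "GET", "params": {}},
    {"ts": "2019-08-09T07:41:01-06:00", "method": "POST", "params": {"pass": "***"}},
    {"ts": "2019-08-09T07:41:02-06:00", "method": "POST", "params": {"a": "FilesMAn"}},
    {"ts": "2019-08-09T07:41:02-06:00", "method": "POST",
     "params": {"a": "FilesTools", "p1": "wp-config.php"}},
    {"ts": "2019-08-09T07:41:03-06:00", "method": "POST",
     "params": {"a": "FilesMAn", "p1": "uploadFile"}, "file": "uploader.php"},
    {"ts": "2019-08-09T07:41:07-06:00", "method": "POST",
     "params": {"a": "FilesMAn", "p1": "uploadFile"}, "file": "uploader.php"},
]

def wso_indicators(req):
    """Return the WSO indicators present in one request record."""
    hits, params = [], req["params"]
    if req["method"] == "POST" and "pass" in params:
        hits.append("login: 'pass' parameter")
    action = params.get("a")
    if action in WSO_ACTIONS:
        hits.append(f"{WSO_ACTIONS[action]} (a={action})")
    if params.get("p1") == "uploadFile":
        hits.append(f"upload of {req.get('file', '?')}")
    elif action == "FilesTools" and "p1" in params:
        hits.append(f"read of {params['p1']}")
    return hits

def analyse(events, burst=timedelta(seconds=1)):
    """Summarise indicators and split the leading automated burst from slower follow-ups."""
    ts = [datetime.fromisoformat(e["ts"]) for e in events]
    n = 1  # length of the leading run where each request follows the previous within `burst`
    while n < len(ts) and ts[n] - ts[n - 1] <= burst:
        n += 1
    indicators = [h for e in events for h in wso_indicators(e)]
    return {
        "indicators": indicators,
        "burst_len": n,
        "manual_tail": [e["ts"] for e in events[n:]],
        # a login followed by file-manager use is the core WSO signature
        "wso_like": any(h.startswith("login") for h in indicators)
                    and any("a=FilesMAn" in h for h in indicators),
    }

if __name__ == "__main__":
    print(analyse(TIMELINE))
```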
Looking for wp-config.php makes sense in light of the dropper code deciding whether the compromised site is a WordPress or a Joomla CMS.
91.132.2.152 has no DNS name.
inetnum: 91.132.2.0 - 91.132.3.255
netname: DEDIPATH-2019
descr: Dedipath
country: US
org: ORG-DA939-RIPE
created: 2019-01-11T17:23:10Z
last-modified: 2019-01-11T17:23:10Z
The dropper decodes 2 blocks of Base64-encoded text, one apparently for WordPress sites, one for Joomla sites.
If it finds "wp-config.php", it defines PLATFORM as "WORDPRESS". If it finds "configuration.php", it defines PLATFORM as "JOOMLA". If it finds neither file, it exits.
It tries to find files with well-known names, one set for WordPress, one set for Joomla.
It looks like it tries to inject either the Base64-encoded text inside an eval(base64_decode()) construct, or the Base64-decoded text. It prints out the full file path of each file into which it injects PHP code, followed by "%lt;br%gt;".
The injected code is a webshell of sorts, with a few ordinary capabilities like "upload file", but it integrates closely with the CMS in question. I'm most familiar with WordPress, so that's the version of this code I'll look through.
It has these functions:
- Get blogs list
- Get users
- Create WordPress user
- Delete WordPress user
- Delete WordPress post
- Publish WordPress post
- Add 'Tell-a-friend' plugin, I think.
- List plugins
- Get categories of posts
- Get a list of "pages" (?)
- Get a list of posts
It does most of this by including WordPress files that have the code to perform the functions. It's quite tightly integrated into WordPress. I assume the same is true of the Joomla version.
The only real "non-WordPress" function it has is a file upload.
The output of the WordPress integration functions goes through a function array_to_json.
This does produce passable JSON-text-format array representations.
This output suggests that this CMS RAT is the back end of a GUI.