PHP malware that keeps a set of PHP and HTML files filled with attacker-designated contents.
This is apparently the "wp-darkshell" malware.
No previous accesses by 178.128.188.142
No DNS name for 178.128.188.142
It's a Digital Ocean IP address, kind of a dry well
p0f3 seems to think that a "Windows NT kernel" was driving 178.128.188.142.
All accesses were made to a URL ending in /wp-content/plugins/revslider/temp/update_extract/revslider/db.php
Timestamp | Remote Port | Elapsed Time (s, since previous request) | HTTP Parameters |
---|---|---|---|
2019-06-25T07:00:20.092-0600 | 52710 | | pass=nhzgrf |
2019-06-25T07:00:22.010-0600 | 52710 | 1.918 | a=FilesMan, c=/var/www/html |
2019-06-25T07:00:26.944-0600 | 52710 | 4.934 | a=FilesMAn, c=/var/www/html/, p1=uploadFile |

All three requests came from the same remote port, 52710, so they were sent over a single kept-alive TCP connection.
Direct login with the HTTP parameter pass=nhzgrf would seem to mean that this was an automated campaign, but the interval between requests is just large enough to cast doubt on that.
"nhzgrf" is an exceedingly popular WSO web shell password.
All of the HTTP parameters indicate that the attacker(s) thought they were dealing with a WSO (Web Shell by oRb) web shell. The third request even has the "a" parameter set to the oddly capitalized "FilesMAn", which is characteristic of requests that WSO's own pages generate, FilesMan being the shell's default action. Combined with p1=uploadFile, it looks like the submission of the file manager's upload form, which points to someone driving the shell from a browser rather than a script, and fits the doubt about the timing above.
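The indicators above (the revslider upload directory in the path, a bare pass= login, a "FilesMan" action in any capitalization, the exact "FilesMAn" casing, and p1=uploadFile) are easy to turn into detection logic. The following is an added example written for this page, not code from the original post or from WSO. The log records are constructed to mirror the three requests in the table plus one benign request; the field layout (timestamp|source IP|source port|path|parameters) is an assumption, not a real server's log format, and the 60-second login-to-action window is a chosen threshold.

```python
"""Tag WSO-style web-shell requests in access-log-like records (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed sample records in an assumed "ts|ip|port|path|params" layout;
# the first three mirror the honeypot table above, the last one is benign.
SAMPLE_LOG = """\
2019-06-25T07:00:20.092-0600|178.128.188.142|52710|/wp-content/plugins/revslider/temp/update_extract/revslider/db.php|pass=nhzgrf
2019-06-25T07:00:22.010-0600|178.128.188.142|52710|/wp-content/plugins/revslider/temp/update_extract/revslider/db.php|a=FilesMan&c=/var/www/html
2019-06-25T07:00:26.944-0600|178.128.188.142|52710|/wp-content/plugins/revslider/temp/update_extract/revslider/db.php|a=FilesMAn&c=/var/www/html/&p1=uploadFile
2019-06-25T07:05:01.000-0600|203.0.113.7|41000|/index.php|p=1
"""

# The revslider "update_extract" directory is where the shell was planted.
REVSLIDER_RE = re.compile(r"/wp-content/plugins/revslider/temp/update_extract/", re.I)


def parse_line(line):
    ts, ip, port, path, params = line.split("|", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
        "ip": ip,
        "port": int(port),
        "path": path,
        "params": dict(parse_qsl(params, keep_blank_values=True)),
    }


def tag_request(rec):
    """Return the list of WSO indicators one request matches (empty if none)."""
    tags = []
    p = rec["params"]
    if REVSLIDER_RE.search(rec["path"]):
        tags.append("revslider_upload_dir")
    if "pass" in p and len(p) == 1:          # a request carrying only the password
        tags.append("wso_password_login")
    action = p.get("a", "")
    if action.lower() == "filesman":          # PHP function names are case-insensitive
        tags.append("wso_filesman")
        if action == "FilesMAn":              # the casing WSO's own HTML emits
            tags.append("wso_self_generated")
    if p.get("p1") == "uploadFile":
        tags.append("wso_upload")
    return tags


def analyze(log_text, window=timedelta(seconds=60)):
    """Tag every request and correlate post-login actions per source IP."""
    findings = []
    last_login = {}                    # ip -> timestamp of the last pass= login
    last_seen = {}                     # ip -> timestamp of the last flagged request
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        tags = tag_request(rec)
        if "wso_password_login" in tags:
            last_login[rec["ip"]] = rec["ts"]
        elif tags and rec["ip"] in last_login and rec["ts"] - last_login[rec["ip"]] <= window:
            tags.append("post_login_action")
        if not tags:
            continue
        prev = last_seen.get(rec["ip"])
        since_prev = round((rec["ts"] - prev).total_seconds(), 3) if prev else None
        last_seen[rec["ip"]] = rec["ts"]
        findings.append({
            "ts": rec["ts"].isoformat(),
            "ip": rec["ip"],
            "port": rec["port"],
            "since_prev": since_prev,      # reproduces the table's elapsed-time column
            "tags": tags,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["port"], f["since_prev"], ",".join(f["tags"]))
```

The case-insensitive match on the action name matters because PHP dispatches WSO actions by building a function name from the parameter, so FilesMan, filesman and FilesMAn all reach the same code; the exact "FilesMAn" casing is kept as a separate tag because it is the form the shell's own HTML submits.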
The final HTTP request uploaded a file that was named getfile.php on the attacker's computer.
There were no further requests, not even for getfile.php.
Apparently you're supposed to invoke getfile.php with an HTTP GET request containing a parameter named "use", with a value of "1", "2" or "3".
This value of "use" determines how a function named curl_get_from_webpage_one_time() retrieves a URL. For 1 and 3 it uses PHP's cURL extension, configured in two different ways. For 2 it uses PHP's file_get_contents() builtin, which only fetches HTTP URLs when allow_url_fopen is enabled, a setting hardened hosts often turn off; presumably that is why the coder offers cURL as the alternative.
You can also access getfile.php with an HTTP GET request carrying a parameter named "check".
The check code tries to open each file in a list of file names.
If a file's contents contain the string //file end (evidently an end-of-file marker used to verify that a download completed), it prints some HTML noting that "$values has successed!", where "$values" is the file name.
Otherwise it prints HTML that says "file $values must be reload!", or, if it can't open the file at all, "file $values not found!".
Accessing getfile.php with a GET parameter named "urls" causes another action.
The code uses the value of the "urls" parameter as a URL. Shocking, I know.
That URL gets retrieved via the method chosen by the "use" parameter, as above.
The retrieved contents are treated as a list of URLs. For each one, the last path component (Unix basename style) becomes a local file name; the code retrieves that URL and writes its contents into the file.
It emits HTML noting which retrievals and which file writes succeeded or failed, similar to the "check" action described above.
Files used in "check" and probably "urls" actions:
id0.php
id1.php
id2.php
id3.php
id4.php
id5.php
id6.php
id7.php
id8.php
id9.php
id10.php
id11.php
id12.php
id13.php
id14.php
id15.php
id16.php
id17.php
id18.php
id19.php
id20.php
id21.php
id22.php
id23.php
id24.php
id25.php
id26.php
id27.php
id28.php
id29.php
id30.php
id31.php
id32.php
id33.php
id34.php
id35.php
id36.php
id37.php
id38.php
id39.php
id40.php
id41.php
id42.php
id43.php
id44.php
id45.php
id46.php
id47.php
id48.php
id49.php
index.php
DeleteID.txt
moban.html
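The file names above and the "//file end" marker the "check" action looks for are the things an incident responder would sweep a web root for, so here is an added triage script written for this page (not code from the original post or from the malware). It flags files by the dropper's own names, and separately flags any other file containing the marker; index.php is only reported by marker, because every WordPress install has one and the name alone proves nothing. The sample web root, including the placeholder contents of each file, is constructed here and is not a real capture.

```python
"""Sweep a web root for the file set getfile.php maintains (added example)."""
import os
import re
import shutil
import tempfile

# Completeness marker the "check" action searches for in each file.
MARKER = b"//file end"
# Names that are specific to the dropper; index.php is deliberately excluded.
DROPPER_NAME = re.compile(r"^(id\d+\.php|DeleteID\.txt|moban\.html)$")


def has_marker(path):
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def triage(webroot):
    """Return {'by_name': [(relpath, has_marker)], 'by_marker': [relpath]}."""
    by_name, by_marker = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            marked = has_marker(full)
            if DROPPER_NAME.match(fname):
                by_name.append((rel, marked))      # False here is what "check" would call "must be reload"
            elif marked:
                by_marker.append(rel)              # e.g. a site's own index.php overwritten by the dropper
    return {"by_name": sorted(by_name), "by_marker": sorted(by_marker)}


# Constructed sample web root; file bodies are placeholders, not real payloads.
SAMPLE_FILES = {
    "id0.php": "<?php /* filled content */ ?>\n//file end\n",
    "id1.php": "<?php /* truncated download, no marker */\n",
    "DeleteID.txt": "placeholder\n",
    "moban.html": "<html><body>template</body></html>\n",
    "index.php": "<?php /* site index overwritten by the dropper */ ?>\n//file end\n",
    "wp-login.php": "<?php /* untouched WordPress file */\n",
    "wp-content/uploads/id7.php": "<?php /* dropped deeper in the tree */\n",
}


def build_sample_webroot(root):
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)


def demo():
    """Build the sample web root in a temp dir, triage it, clean up, return the report."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        build_sample_webroot(root)
        return triage(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = demo()
    for rel, marked in report["by_name"]:
        print("dropper file:", rel, "(complete)" if marked else "(no end marker)")
    for rel in report["by_marker"]:
        print("marker in unexpected file:", rel)
```

Run against a real web root, triage("/var/www/html") is the call; the marker search reads whole files, which is fine for a WordPress tree but worth replacing with a tail read on a root full of large uploads.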
Looks like "Moban" is an anti-schizophrenia drug, but it is also the pinyin for 模板, Chinese for "template", which fits the file's role. Pastebin has a file moban.html dated 2018-04-07 that appears to be a template for a Chinese or Japanese language web page.
There's a malware capture on GitHub, dating from 2017, that contains much the same "moban.html" template, and a file installer.php that bears a lot of similarity to getfile.php.
It's entirely possible that this is an evolution of the "wp-darkshell" malware.
The function curl_get_from_webpage() illustrates two very common PHP malware phenomena.

```php
function curl_get_from_webpage($url,$proxy='',$loop=10){
	$data = false;
	$i = 0;
	while(!$data) {
        $data = curl_get_from_webpage_one_time($url,$proxy);
        if($i++ >= $loop) break;
	}
	return $data;
}
```
First, the rest of the file has tab-character indentation. The author wasn't religiously careful about indent levels, but it's all tabs. This function has space-character indentation for the body of the while loop.
My guess is that the space-indented part of curl_get_from_webpage() originally contained the body of curl_get_from_webpage_one_time(). In order to execute different variants of cURL and file_get_contents(), the coder moved the original body of curl_get_from_webpage() into its own function, curl_get_from_webpage_one_time(), and added the USEFUNCTION value (presumably where the "use" parameter ends up) to decide which variant to execute.
The second phenomenon is the repeated attempts to get something to work exhibited by curl_get_from_webpage().
By default it keeps trying to retrieve the contents of a URL until something comes back, nominally 10 times. Because the counter is compared before the post-increment, it actually makes 11 attempts, with no delay between them, and since the loop condition is PHP's truthiness test, an empty body or a body consisting of the single character "0" also counts as a failure and gets retried.
Lots of PHP malware repeatedly tries some action before giving up, sometimes cycling through several equivalent variants to accomplish the same goal.
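To check the loop's behaviour without running the sample, here is an added Python port of curl_get_from_webpage() written for this page; it is not the malware's code. fetch_once stands in for curl_get_from_webpage_one_time() and is injected so that failures can be scripted, and php_falsy() reproduces PHP's loose boolean test that while(!$data) applies. The scripted responses are constructed inputs, not captured traffic.

```python
"""Python model of curl_get_from_webpage()'s retry loop (added example)."""


def php_falsy(value):
    """PHP's loose boolean test: false, null, 0, 0.0, "", "0" and [] are all false."""
    return value in (False, None, 0, 0.0, "", "0") or value == []


def get_with_retries(fetch_once, loop=10):
    """Same control flow as the PHP function; returns (data, attempts made)."""
    data = False
    attempts = 0
    i = 0
    while php_falsy(data):          # PHP: while(!$data)
        data = fetch_once()         # PHP: curl_get_from_webpage_one_time($url,$proxy)
        attempts += 1
        if i >= loop:               # PHP: if($i++ >= $loop) break;  (old value compared)
            break
        i += 1
    return data, attempts


def scripted_fetcher(responses):
    """Return a fetch_once() that replays `responses`, then repeats the last one."""
    it = iter(responses)
    last = [responses[-1]]

    def fetch_once():
        try:
            last[0] = next(it)
        except StopIteration:
            pass
        return last[0]

    return fetch_once


if __name__ == "__main__":
    # A server that never answers: 11 attempts, not 10.
    print(get_with_retries(lambda: False))
    # A server answering with the single character "0": treated as failure, 11 attempts.
    print(get_with_retries(lambda: "0"))
    # Two failures, then a body: the loop stops after the third attempt.
    print(get_with_retries(scripted_fetcher([False, "", "<?php /* payload */ //file end"])))
```

The third case also shows why the "//file end" marker exists: the loop only knows that something non-empty came back, not that the transfer was complete, so the "check" action verifies completeness separately.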