I came across three interesting PHP scripts that were presumably dropped by the same attacker. Perhaps this is old news but it’s something new to me.
Here’s the first one which looks innocent enough.
However, if you put in the wrong password, you can end up at a malicious or phishing page.
Inspecting the traffic shows that the password you tried gets captured.
Here’s what the panel looks like:
This is the second script which looks like it failed to do anything:
Nope, the script works just fine. It dropped a webshell in the folder.
If you look closely, you can see that the initial file resembles a JPEG file. The file does open up as a normal graphic but embedded in it are scripts that can execute PHP, ASP, and JSP commands as well as drop a PHP webshell.
The third script looks like this when you open it in the browser. It’s a seemingly benign page from the PHP Documentation website.
However, if you append a certain value to the URL, a hidden feature is enabled at the bottom of the page and you can now upload any file of your choice.
Ah, more things to be on the lookout for…