Webshell with a Booby Trap

I came across three interesting PHP scripts that were presumably dropped by the same attacker. Perhaps this is old news but it’s something new to me.

Here’s the first one which looks innocent enough.

[Screenshot: 2015-07-24_01]

However, if you put in the wrong password, you can end up at a malicious or phishing page.

[Screenshot: 2015-07-24_02]

hxxp://d.pxer.tk/i.php
hxxp://a6shd.realshieldlinked.com
hxxp://zmkzz.allvideos.7664.info

Inspecting the traffic shows that the password you tried gets captured.

[Screenshot: 2015-07-24_03]

Here’s what the panel looks like:

[Screenshot: 2015-07-24_04]

This is the second script, which looks like it failed to do anything:

[Screenshot: 2015-07-24_05]

Nope, the script works just fine. It dropped a webshell in the folder.

[Screenshot: 2015-07-24_06]

If you look closely, you can see that the initial file resembles a JPEG file. The file does open as a normal graphic, but embedded in it are scripts that can execute PHP, ASP, and JSP commands as well as drop a PHP webshell.

[Screenshot: 2015-07-24_07]
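As an added example (not code from the original post), here is a small Python check a defender can run over a web root or upload directory to flag files that pass as JPEG, PNG or GIF by signature but carry PHP, ASP or JSP openers in their body, the kind of image polyglot described above. The sample bytes and the marker list are constructed assumptions, not taken from the post.

```python
"""Flag image files that also carry server-side script markers (added example)."""
import re

# Magic bytes for the image types a web server would happily serve.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Script openers that have no business inside an image body. The bare "<%"
# marker can occasionally match random binary data, so treat it as a lead,
# not a verdict, and review the file by hand.
SCRIPT_MARKERS = [
    (re.compile(rb"<\?php\b", re.I), "php-open-tag"),
    (re.compile(rb"<\?=", re.I), "php-short-echo-tag"),
    (re.compile(rb"<%@\s*page\b", re.I), "jsp-page-directive"),
    (re.compile(rb"<%[\s=]", re.I), "asp-jsp-open-tag"),
    (re.compile(rb"<script\s+[^>]*language\s*=\s*[\"']?(php|vbscript|jscript)", re.I),
     "script-language-tag"),
    (re.compile(rb"\b(eval|assert|system|passthru|shell_exec)\s*\(", re.I), "exec-call"),
]


def image_type(data: bytes):
    """Return the image type by magic bytes, or None if it is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_embedded_script(data: bytes):
    """Return (image_type, [(marker_name, offset), ...]) sorted by offset."""
    kind = image_type(data)
    hits = [(name, m.start()) for pattern, name in SCRIPT_MARKERS
            for m in pattern.finditer(data)]
    return kind, sorted(hits, key=lambda h: h[1])


def is_polyglot_image(data: bytes) -> bool:
    """True when the data looks like an image but also carries script tags."""
    kind, hits = find_embedded_script(data)
    return kind is not None and bool(hits)


# Constructed sample: a 20-byte JFIF header, 64 bytes of filler, then a PHP
# dropper stub (placeholder code, not the attacker's actual script).
SAMPLE_POLYGLOT = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 64
    + b"<?php file_put_contents('x.php', base64_decode($_POST['d'])); ?>"
    + b"\xff\xd9"
)
SAMPLE_CLEAN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
```

Run `find_embedded_script` over each file under the web root and triage anything where the image type is set and the hit list is non-empty.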

The third script looks like this when you open it in the browser. It’s a seemingly benign page from the PHP Documentation website.

[Screenshot: 2015-07-24_08]

However, if you append a certain value to the URL, a hidden feature is enabled at the bottom of the page and you can now upload any file of your choice.

[Screenshot: 2015-07-24_09]

Ah, more things to be on the lookout for…

This entry was posted in Malscript.