SANS ISC: InfoSec Handlers Diary Blog



Webshell looking for interesting files

Published: 2018-04-18
Last Updated: 2018-04-18 07:05:02 UTC
by Xavier Mertens (Version: 1)

Yesterday, I found on Pastebin a bunch of samples of a webshell that integrates an interesting feature: it provides a console mode that you can use to execute commands on the victim host. The look and feel of the webshell is classic.

But the "Console" menu looked interesting. It gives access to a preset list of commands used to search for juicy files. Here is the full list of “aliases” as defined in the source code. Note that the webshell supports both Linux and Windows:

"find all suid files" => "find / -type f -perm -04000 -ls",
"find suid files in current dir" => "find . -type f -perm -04000 -ls",
"find all sgid files" => "find / -type f -perm -02000 -ls",
"find sgid files in current dir" => "find . -type f -perm -02000 -ls",
"find config.inc.php files" => "find / -type f -name config.inc.php",
"find config* files" => "find / -type f -name \"config*\"",
"find config* files in current dir" => "find . -type f -name \"config*\"",
"find all writable folders and files" => "find / -perm -2 -ls",
"find all writable folders and files in current dir" => "find . -perm -2 -ls",
"find all service.pwd files" => "find / -type f -name service.pwd",
"find service.pwd files in current dir" => "find . -type f -name service.pwd",
"find all .htpasswd files" => "find / -type f -name .htpasswd",
"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
"find all .bash_history files" => "find / -type f -name .bash_history",
"find .bash_history files in current dir" => "find . -type f -name .bash_history",
"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
"locate httpd.conf files" => "locate httpd.conf",
"locate vhosts.conf files" => "locate vhosts.conf",
"locate proftpd.conf files" => "locate proftpd.conf",
"locate psybnc.conf files" => "locate psybnc.conf",
"locate my.conf files" => "locate my.conf",
"locate admin.php files" =>"locate admin.php",
"locate cfg.php files" => "locate cfg.php",
"locate conf.php files" => "locate conf.php",
"locate config.dat files" => "locate config.dat",
"locate config.php files" => "locate config.php",
"locate config.inc files" => "locate config.inc",
"locate config.inc.php" => "locate config.inc.php",
"locate config.default.php files" => "locate config.default.php",
"locate config* files " => "locate config",
"locate .conf files"=>"locate '.conf'",
"locate .pwd files" => "locate '.pwd'",
"locate .sql files" => "locate '.sql'",
"locate .htpasswd files" => "locate '.htpasswd'",
"locate .bash_history files" => "locate '.bash_history'",
"locate .mysql_history files" => "locate '.mysql_history'",
"locate .fetchmailrc files" => "locate '.fetchmailrc'",
"locate backup files" => "locate backup",
"locate dump files" => "locate dump",
"locate priv files" => "locate priv"

For Windows, the list is much smaller:

"Find index.php in current dir" => "dir /s /w /b index.php",
"Find *config*.php in current dir" => "dir /s /w /b *config*.php",

Note that other commands are available, like the classic ‘ps’ or ‘netstat’, but I listed only the commands related to searches for juicy files.
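The Linux aliases above translate directly into a detection rule: a web server account has little reason to run `find` or `locate` for these names. The following is an added example, not code from the original diary or from the webshell; the key=value log format, the account names in `WEB_USERS` and the sample records are assumptions constructed for illustration.

```python
import shlex

WEB_USERS = {"www-data", "apache", "nginx"}  # assumed web server accounts
# Values copied from the webshell's Linux aliases listed above.
FIND_PERMS = {"-04000": "suid search", "-02000": "sgid search",
              "-2": "world-writable search"}
FIND_NAMES = {"config.inc.php", "config*", "service.pwd", ".htpasswd",
              ".bash_history", ".fetchmailrc"}
LOCATE_TERMS = set("""httpd.conf vhosts.conf proftpd.conf psybnc.conf my.conf
    admin.php cfg.php conf.php config.dat config.php config.inc config.inc.php
    config.default.php config .conf .pwd .sql .htpasswd .bash_history
    .mysql_history .fetchmailrc backup dump priv""".split())

def split(text):
    try:
        return shlex.split(text)
    except ValueError:          # unbalanced quotes: fall back to whitespace
        return text.split()

def classify(cmd):
    """Return why cmd matches one of the aliases, or None if it does not."""
    argv = split(cmd)
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""
    if tool == "find":
        for flag, value in zip(argv[1:], argv[2:]):
            if flag == "-perm" and value in FIND_PERMS:
                return FIND_PERMS[value]
            if flag == "-name" and value in FIND_NAMES:
                return "find for " + value
    elif tool == "locate":
        for arg in argv[1:]:
            if arg in LOCATE_TERMS:
                return "locate for " + arg

def scan(lines):
    """Return (user, reason, cmd) for matches run by a web server account."""
    hits = []
    for line in lines:
        rec = dict(t.split("=", 1) for t in split(line) if "=" in t)
        reason = classify(rec.get("cmd", ""))
        if reason and rec.get("user") in WEB_USERS:
            hits.append((rec["user"], reason, rec["cmd"]))
    return hits

# Constructed process-execution records in an assumed key=value format.
SAMPLE = r'''user=www-data cmd="find / -type f -perm -04000 -ls"
user=www-data cmd="find . -type f -name \"config*\""
user=www-data cmd="locate '.htpasswd'"
user=root cmd="find / -type f -name .bash_history"
user=www-data cmd="find /var/www/html -type f -name \"*.css\""'''.splitlines()
```

Calling `scan(SAMPLE)` flags the first three records and ignores both the administrator's search and the benign `find` run by the web account.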

The sample that I found was not available on VT but it was scored at 21/60[1]. I also found similar samples:

Webshells viper aXE0jHW2.php > fuzzy
[*] 6 relevant matches found
+-------+--------------+------------------------------------------------------------------+
| Score | Name         | SHA256                                                           |
+-------+--------------+------------------------------------------------------------------+
| 94%   | aSSzGh3w.php | 3c6bee8ae3e18600131913a5fb4fd3efe36742efd3533575756550054102b2b7 |
| 96%   | GSzBAdEj.php | 1f405d7be1b43c68f6623fb9f2ec1b5682509399c587570b3a6a9fc312b58db5 |
| 99%   | qTmUtjrQ.php | 5cbdbf9164ea0398e1bac1a7a99c305272e1e91928b67c5a948e590b39a467fa |
| 99%   | YLNem9K9.php | 42d1ac86f9391d36a8d02955f1bf430b7220833472c37edbfb0b119331ca6145 |
| 71%   | nTA4uxMM.php | 6d00a27c8d988a85147c0a2e32aca4ce158a0620efcd8acc53cee95e220d2c61 |
| 99%   | uQfnLbS7.php | 3abc47b7d3ea3d6d4265d78f94451803c2f2e73ad5b8081e98e845bc789a1d74 |
+-------+--------------+------------------------------------------------------------------+

To prevent webshells from accessing these kinds of files, always run your web server with a dedicated UID that has restricted access to the underlying filesystem, and chroot the process. Better still, run your web server in a container.

[1] https://www.virustotal.com/en/file/ae0e586678910315c02739029b0f17efaaa12bbdbf61639f70aa6b3744970cc0/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
