A compiled executable that is supposed to run in the background, and Web Shell by oRb (WSO) version 2.5 with a blob of added code.
I haven't looked at the executable, so I don't know what, if anything, it does.
Amazon AWS instance, not worth following up on.
p0f3 says it's "Windows 7 or 8":
[2018/03/17 14:00:59] mod=syn|cli=18.222.103.133/50472|srv=162.246.45.144/80|subj=cli|os=Windows 7 or 8|dist=19|params=fuzzy|raw_sig=4:109+19:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0
[2018/03/17 14:00:59] mod=mtu|cli=18.222.103.133/50472|srv=162.246.45.144/80|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2018/03/17 14:00:59] mod=syn+ack|cli=18.222.103.133/50472|srv=162.246.45.144/80|subj=srv|os=???|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*20,7:mss,nop,nop,sok,nop,ws:df:0
The attacker uploaded two Zip-format files, customize-partial-refrewh.zip and customizer-ui-experimenks.zip, via the WordPress plugin-upload functionality. My WordPress honey pot just saved them. customizer-ui-experimenks.zip contains a file named customizer-ui-experimenks.php, which has the format "UTF-8 Unicode (with BOM) text", so it made a trip through one of the stupider Microsoft text editors along the way. customize-partial-refrewh.zip contains customize-partial-refrewh.php and apache2.
The attacker assumed that the plugin upload part of WordPress would unzip both Zip-format files.
Unzipping 18.222.103.133Wq1z-x2iJJ9Dd7fGpaoj4gAAAAI.0.file
gives a file customizer-ui-experimenks.php.
Unzipping 18.222.103.133WqvXLekLitkX3G-vql5EDAAAAAQ.0.file
yields apache1, an ELF file, and customize-partial-refrewh.php,
more PHP.
- Hand-edit customizer-ui-experimenks.php into dc1.php
- Run PHP reverse engineering tool over dc1.php to get f1.php.
- Edit f1.php to change "eval" to "print".
- Invoke php f1.php > dc2.php
- Pretty print dc2.php to get f2.php, which I think is the final form.

- Hand-edit customize-partial-refrewh.php into bc1.php
- Run PHP reverse engineering tool over bc1.php to get bc2.php.
- Edit bc2.php to change "eval" to "print".
- Invoke php bc2.php > bc3.php
- Pretty print bc3.php to get bc4.php
The original source for f2.php and bc4.php got obfuscated
by a program, and the obfuscation of the two was quite similar: a base64-encoded
gzip of the PHP source code with line feeds removed, and a
small decoding program, get appended to a PHP comment. The
variable names in the decoding programs differ, but neither
decoding program has names a human would use.
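A static version of the eval-to-print step above, written for this post rather than taken from it or from any tool named here: it pulls the base64 blob out of the PHP comment and decompresses it directly, so the decoder stub never runs. The sample file, its stub and the inner code are constructed stand-ins in the shape described, not the recovered files.

```python
import base64
import gzip
import re
import zlib

# Constructed stand-in for the obfuscated files: PHP source with its line feeds
# removed, gzip'd, base64'd and parked inside a /* */ comment, with a small
# decoder that eval()s it appended.  The inner code is a harmless dummy.
INNER_PHP = "<?php\nfunction greet($n) {\n    return 'hi ' . $n;\n}\necho greet('world');\n"
_blob = base64.b64encode(gzip.compress(INNER_PHP.replace("\n", "").encode())).decode()
SAMPLE_PHP = (
    "\ufeff<?php\n"                       # UTF-8 BOM, as on the recovered file
    "/*" + _blob + "*/\n"
    "$q1 = file_get_contents(__FILE__);\n"
    "$q2 = substr($q1, strpos($q1, '/*') + 2, strpos($q1, '*/') - strpos($q1, '/*') - 2);\n"
    "eval(gzdecode(base64_decode($q2)));\n"
)

BLOB_RE = re.compile(r"/\*\s*([A-Za-z0-9+/=]{40,})\s*\*/")

def inflate_any(data):
    """Accept whichever decompressor the stub would have used: gzdecode (gzip
    wrapper), gzinflate (raw deflate) or gzuncompress (zlib wrapper)."""
    for wbits in (31, -15, 15):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    raise ValueError("blob is not gzip, raw deflate or zlib data")

def unpack_comment_blob(php_src):
    """Extract and decompress the blob without running the stub."""
    php_src = php_src.lstrip("\ufeff")          # the BOM the Windows editor left behind
    m = BLOB_RE.search(php_src)
    if not m:
        raise ValueError("no base64 blob inside a /* */ comment")
    return inflate_any(base64.b64decode(m.group(1))).decode("utf-8", "replace")

def unpack_layers(php_src, max_layers=8):
    """Keep unpacking while the output is itself another wrapped layer."""
    layers = [php_src]
    for _ in range(max_layers):
        try:
            layers.append(unpack_comment_blob(layers[-1]))
        except ValueError:
            break
    return layers[1:]
```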
customizer-ui-experimenks.php decoded to Web Shell by oRb, version 2.5.
It is pretty stock WSO 2.5 with only a few mods, mostly in terms of using
hexadecimal numbers instead of decimal numbers.
When called with an HTTP POST parameter named "tc", an extra, non-standard-WSO
blob of code takes a timestamp from "../../languages". If that doesn't
exist, it picks a random timestamp between Saturday, January 30, 2016 9:38:44 PM GMT-07:00
and Monday, January 30, 2017 9:38:44 PM GMT-07:00.
The code then finds all files at or below the current directory, and
changes the last-accessed timestamp of all those files to whatever timestamp
it initially came up with. I'm guessing this is to hide the presence of
customizer-ui-experimenks.php from human eyes by making all timestamps
the same: it won't show up in ls -ltr as glaringly. Possibly it's an
attempt to obfuscate when the attack took place.
The blob of code is obviously just stuck in the WSO file, right at the top. It does not fit in with the structure of the rest of the code, which is almost entirely driven by values of a few HTTP POST parameters.
The attacker did invoke it with a POST parameter "tc", and then invoked the RC action of WSO, with a little piece of PHP that would only echo a few bytes. The attacker almost certainly just checks WSO access and function with this.
customize-partial-refrewh.php decodes to PHP that runs a compiled program, apache2,
which WordPress would unzip along with customize-partial-refrewh.php.
apache2 would end up getting run at least partially in the background,
as its own process, leaving customize-partial-refrewh.php to tinker with
the timestamps of the apache2 file, the directories ".", "..", "../.." and the file
"../../upgrade", either to obfuscate when the attack took place or to keep
human eyes from noticing.
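A defender-side check for the timestamp tinkering both files do, added here and not part of the post: it walks a tree looking for the fingerprint a batch touch() leaves (many files sharing one exact mtime) and for files whose inode change time is far newer than their mtime, since utime() cannot rewrite ctime. The demo tree is constructed, and STOMP_TIME is the lower bound of the range quoted above expressed as Unix time.

```python
import os
import tempfile
from collections import defaultdict

# Sat 30 Jan 2016 21:38:44 GMT-07:00, the lower bound of the post's random range.
STOMP_TIME = 1454215124

def timestamp_clusters(root, min_cluster=5, slack=60):
    """Return (clusters, ctime_newer).  clusters: mtime -> paths for mtimes shared
    by at least `min_cluster` files.  ctime_newer: files whose ctime is more than
    `slack` seconds after their mtime.  The cluster is the stronger signal; the
    ctime gap is a hint only, since package installs leave the same gap."""
    by_mtime = defaultdict(list)
    ctime_newer = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            by_mtime[int(st.st_mtime)].append(p)
            if st.st_ctime - st.st_mtime > slack:
                ctime_newer.append(p)
    clusters = {t: ps for t, ps in by_mtime.items() if len(ps) >= min_cluster}
    return clusters, ctime_newer

def demo(stomped=6, untouched=2):
    """Constructed tree: `stomped` files get the same old timestamp, the rest
    are left alone.  Returns (cluster mtimes, cluster size, ctime-gap count)."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "inc")
        os.mkdir(sub)
        paths = []
        for i in range(stomped + untouched):
            p = os.path.join(sub if i % 2 else root, f"f{i}.php")
            with open(p, "w") as fh:
                fh.write("<?php // placeholder\n")
            paths.append(p)
        for p in paths[:stomped]:
            os.utime(p, (STOMP_TIME, STOMP_TIME))  # sets atime and mtime, not ctime
        clusters, ctime_newer = timestamp_clusters(root)
        return sorted(clusters), len(clusters.get(STOMP_TIME, [])), len(ctime_newer)

if __name__ == "__main__":
    print(demo())  # ([1454215124], 6, 6)
```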
/var/log/httpd/access_log entries:
18.222.103.133 - - [16/Mar/2018:08:39:37 -0600] "GET /wp-login.php HTTP/1.1" 200 3007 "https://www.google.com" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:37 -0600] "POST /wp-login.php HTTP/1.1" 302 - "https://www.google.com" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:37 -0600] "GET /wp-admin/ HTTP/1.1" 200 41033 "https://www.google.com" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:37 -0600] "GET /wp-admin/plugins.php HTTP/1.1" 200 34427 "http://stratigery.com/wp-admin/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:38 -0600] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 22945 "http://stratigery.com/wp-admin/plugins.php" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:39 -0600] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 22578 "http://stratigery.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:41 -0600] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 16347 "http://stratigery.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"
18.222.103.133 - - [16/Mar/2018:08:39:45 -0600] "GET /wp-content/plugins/customize-partial-refrewh/customize-partial-refrewh.php HTTP/1.1" 200 120 "-" "-"
18.222.103.133 - - [17/Mar/2018:14:00:59 -0600] "GET /wp-login.php HTTP/1.1" 200 3007 "https://www.google.com" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:00:59 -0600] "POST /wp-login.php HTTP/1.1" 302 - "https://www.google.com" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:01:00 -0600] "GET /wp-admin/ HTTP/1.1" 200 41033 "https://www.google.com" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:01:00 -0600] "GET /wp-admin/plugins.php HTTP/1.1" 200 34427 "http://stratigery.com/wp-admin/index.php" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:01:00 -0600] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 22945 "http://stratigery.com/wp-admin/plugins.php" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:01:01 -0600] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 22578 "http://stratigery.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:01:03 -0600] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 16347 "http://stratigery.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"
18.222.103.133 - - [17/Mar/2018:14:01:06 -0600] "POST /wp-content/plugins/customizer-ui-experimenks/customizer-ui-experimenks.php HTTP/1.1" 200 120 "-" "-"
18.222.103.133 - - [17/Mar/2018:14:01:07 -0600] "POST /wp-content/plugins/customizer-ui-experimenks/customizer-ui-experimenks.php HTTP/1.1" 200 13743 "-" "-"
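Detection logic for the sequence visible in that log excerpt, added here and not from the post: per client IP, a POST to the plugin uploader followed shortly by a direct request to a PHP file under wp-content/plugins with no Referer. Four sample lines are copied from the excerpt above; the fifth, from 203.0.113.9, is constructed as a benign control.

```python
import re
from datetime import datetime

SAMPLE_LOG = [
    '18.222.103.133 - - [16/Mar/2018:08:39:41 -0600] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 16347 "http://stratigery.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20120101 Firefox/29.0"',
    '18.222.103.133 - - [16/Mar/2018:08:39:45 -0600] "GET /wp-content/plugins/customize-partial-refrewh/customize-partial-refrewh.php HTTP/1.1" 200 120 "-" "-"',
    '18.222.103.133 - - [17/Mar/2018:14:01:03 -0600] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 16347 "http://stratigery.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.2; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '18.222.103.133 - - [17/Mar/2018:14:01:06 -0600] "POST /wp-content/plugins/customizer-ui-experimenks/customizer-ui-experimenks.php HTTP/1.1" 200 120 "-" "-"',
    # Constructed benign line: a plugin file fetched with a referer and no prior upload.
    '203.0.113.9 - - [17/Mar/2018:14:05:00 -0600] "GET /wp-content/plugins/hello/hello.php HTTP/1.1" 200 0 "http://stratigery.com/" "Mozilla/5.0"',
]

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
UPLOAD_PATH = "/wp-admin/update.php?action=upload-plugin"
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/[^/]+/[^/?]+\.php")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_plugin_drops(lines, window=300):
    """Flag, per client IP, a plugin upload followed within `window` seconds by a
    direct hit on a PHP file inside wp-content/plugins that carries no Referer
    (Apache logs it as "-").  Returns (ip, path) pairs in order of first sighting."""
    last_upload = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
            last_upload[rec["ip"]] = rec["when"]
        elif PLUGIN_PHP.match(rec["path"]) and rec["ref"] == "-":
            t0 = last_upload.get(rec["ip"])
            if t0 and (rec["when"] - t0).total_seconds() <= window:
                hit = (rec["ip"], rec["path"])
                if hit not in hits:
                    hits.append(hit)
    return hits
```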
Notice that on the logins, the attacker sends a referer of https://www.google.com. Seems odd.
Just as a double check, I looked through all the associated files to see what the attacker did, and how fast.
1521211177.006 files/18.222.103.133WqvXKZUEHlRhnkimO@pX9wAAAAA.wp-login.scans: retrieve WP login page
1521211177.147 files/18.222.103.133WqvXKZUEHlRhnkimO@pX@AAAAAA.wp-login.scans: login as admin:adminadmin
1521211177.355 files/18.222.103.133WqvXKZUEHlRhnkimO@pX@QAAAAA.wp-admin.scans: retrieve wp-admin/index.php, as redirected
1521211177.775 files/18.222.103.133WqvXKekLitkX3G-vql5ECQAAAAQ.plugins.scans: retrieve wp-admin/plugins.php
1521211178.155 files/18.222.103.133WqvXKukLitkX3G-vql5ECgAAAAQ.plugin-install.scans: retrieve wp-admin/plugin-install.php
1521211179.418 files/18.222.103.133WqvXK@kLitkX3G-vql5ECwAAAAQ.plugin-install.scans: retrieve wp-admin/plugin-install.php, upload tab
1521211181.763 files/18.222.103.133WqvXLekLitkX3G-vql5EDAAAAAQ.upload-plugin.scans: call plugin-install.php?tab=upload, send customize-partial-refrewh.zip
1521211185.487 files/18.222.103.133WqvXMb65DRaGtXtDSZGZSgAAAAg.wso.scans: retrieve /wp-content/plugins/customize-partial-refrewh/customize-partial-refrewh.php
In about 8.47 seconds, of which 4 seconds were spent waiting on file transfer.
6 minutes later:
1521316859.652 files/18.222.103.133Wq1z@wx5hwr7RtImGeXZ2wAAAA0.wp-login.scans: retrieve /wp-login.php
1521316859.835 files/18.222.103.133Wq1z@wx5hwr7RtImGeXZ3AAAAA0.wp-login.scans: login as admin:adminadmin
1521316860.014 files/18.222.103.133Wq1z-Ax5hwr7RtImGeXZ3QAAAA0.wp-admin.scans: retrieve wp-admin/index.php as redirected
1521316860.415 files/18.222.103.133Wq1z-B2iJJ9Dd7fGpaoj3wAAAAI.plugins.scans: retrieve wp-admin/plugins.php
1521316860.654 files/18.222.103.133Wq1z-B2iJJ9Dd7fGpaoj4AAAAAI.plugin-install.scans: retrieve /wp-admin/plugin-install.php
1521316861.867 files/18.222.103.133Wq1z-R2iJJ9Dd7fGpaoj4QAAAAI.plugin-install.scans: retrieve /wp-admin/plugin-install.php, upload tab
1521316863.395 files/18.222.103.133Wq1z-x2iJJ9Dd7fGpaoj4gAAAAI.upload-plugin.scans: call /wp-admin/plugin-install.php?tab=upload, send customizer-ui-experimenks.zip
1521316866.675 files/18.222.103.133Wq10Atl0Y3ztKShZ9@HUgQAAAAg.wso.scans: call /wp-content/plugins/customizer-ui-experimenks/customizer-ui-experimenks.php, "tc" as POST parameter
1521316867.9 files/18.222.103.133Wq10A-rqgr4qxesssTQs0AAAAAc.wso.scans: invoke WSO RC action, password "root", PHP: echo '67436';
8.28 seconds, 3.28 seconds waiting on file transfer.
This looks like 2 automated attacks. The "adminadmin" password was previously guessed as a valid password on 2017-11-21T16:26:28-07:00: "91.200.12.75 admin adminadmin".
That password has been used to login to my honey pot by 20 or 30 different IP addresses.