During the daily routine of checking the systems, I noticed on Nagios that the web server of an old system was down. It's not the first time this has happened: the system is mainly used as a mail server, and the web server serves only the webmail interface, at least to my knowledge at that moment. The system had had problems before with the Apache service and semaphores, but today there was a different issue: a process was running under the www-data user with the command ./prox -p5114 (a proxy redirector). Interesting, we have a new backdoor!
First things first, I kept a copy of the running process with lsof and pcat for further analysis.
pcat (process cat) dumps the memory of a running process and is part of TCT (The Coroner's Toolkit); apt-get install tct will do the trick on Ubuntu/Debian systems.
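The capture step above, as an added example that is not the post's own procedure: it reproduces what lsof -p <pid> and pcat give you (argv, environment, open file descriptors, the binary even if it was deleted from disk, and a memory image) using only /proc on Linux, for a host where tct is not installed. Needs root (or ptrace rights over the target) for a foreign process; the output layout under outdir and the demo() helper are this example's own choices.

```python
"""Volatile-evidence capture for a suspicious process, via /proc (Linux).
Added example, not the original post's procedure: it reproduces what
lsof -p <pid> and TCT's pcat give you (open files, binary, memory image)
using only /proc, for a host where tct is not installed.  The output
layout under outdir is this example's own choice."""
import os
import pathlib
import tempfile


def read_proc(pid: int, name: str) -> bytes:
    """Read /proc/<pid>/<name>, returning a marker instead of raising."""
    try:
        with open(f"/proc/{pid}/{name}", "rb") as f:
            return f.read()
    except OSError as exc:
        return f"<unreadable: {exc}>".encode()


def parse_maps(maps_text: str):
    """Yield (start, end, perms, path) for each line of /proc/<pid>/maps."""
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        yield start, end, parts[1], parts[5] if len(parts) > 5 else ""


def dump_memory(pid: int, out: pathlib.Path, max_bytes: int) -> int:
    """pcat-style dump: copy readable mappings out of /proc/<pid>/mem.
    Needs ptrace permission on pid (root, or the process is your own).
    Returns bytes written; 0 if /proc/<pid>/mem could not be opened."""
    written = 0
    maps = read_proc(pid, "maps").decode(errors="replace")
    try:
        mem = open(f"/proc/{pid}/mem", "rb", 0)  # unbuffered: no read-ahead across gaps
    except OSError:
        return 0
    with mem, open(out, "wb") as dst:
        for start, end, perms, path in parse_maps(maps):
            if "r" not in perms or path in ("[vvar]", "[vsyscall]"):
                continue
            if written >= max_bytes:
                break
            try:
                mem.seek(start)
                chunk = mem.read(min(end - start, max_bytes - written))
            except (OSError, OverflowError):
                continue  # unreadable region (e.g. EIO); keep going
            if chunk:
                dst.write(chunk)
                written += len(chunk)
    return written


def collect(pid: int, outdir: str, max_mem_bytes: int = 64 * 1024 * 1024) -> dict:
    """Save cmdline, environment, maps, status, the binary (even if the
    attacker deleted it from disk: /proc/<pid>/exe still points at it),
    the open-fd table and a memory image.  Returns a summary dict."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    report = {}
    for name in ("cmdline", "environ", "maps", "status"):
        data = read_proc(pid, name)
        (out / name).write_bytes(data)
        report[name] = data
    # cmdline is NUL-separated; keep argv as a list for the report
    report["argv"] = [a.decode(errors="replace") for a in report["cmdline"].split(b"\0") if a]
    for link in ("exe", "cwd"):
        try:
            report[link] = os.readlink(f"/proc/{pid}/{link}")
        except OSError as exc:
            report[link] = f"<unreadable: {exc}>"
    (out / "exe.bin").write_bytes(read_proc(pid, "exe"))  # copy of the running binary
    fds = {}
    try:
        for fd in os.listdir(f"/proc/{pid}/fd"):
            try:
                fds[int(fd)] = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                pass
    except OSError:
        pass
    report["fds"] = fds
    (out / "fds.txt").write_text("".join(f"{k}\t{v}\n" for k, v in sorted(fds.items())))
    report["mem_bytes"] = dump_memory(pid, out / "mem.dump", max_mem_bytes)
    return report


def demo(pid: int = 0, outdir: str = "") -> dict:
    """Run the capture on this very process into a temporary directory
    (so the example is runnable without a real backdoor to point at)."""
    pid = pid or os.getpid()
    outdir = outdir or tempfile.mkdtemp(prefix="evidence-")
    return collect(pid, outdir, max_mem_bytes=4 * 1024 * 1024)


if __name__ == "__main__":
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    summary = demo(target)
    print(summary["exe"], summary["argv"], summary["mem_bytes"], "bytes of memory")
```

Run it as root with the suspicious PID before killing the process; the memory image is where an unpacked payload, C2 hostnames and the password strings of a shell usually turn up, even when the on-disk file is obfuscated.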
Looking at the data from lsof, I easily located the place where the backdoor was installed; the actual file was the following:
PHP code obfuscated using rot13, base64 encoding and gzip compression. Using the online rot13 decoder at http://rot13-encoder-decoder.waraxe.us/ I converted the $code part into the following:
http://www.tareeinternet.com/scripts/decrypt.php provides an easy way to decode gzinflated base64 code, after adding the strings their decrypt script needs around the $code part so that it accepts it properly:
The decoder gave me the following output:
Looking at the file from the web browser, we notice the prompt for a password:
Easy to find out with a Google search: 161498ff7b638f5e5c0d5e32fab5470b is the hash of "syurga", and we have another PHP web shell installation.
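The decoding steps above (rot13, then base64, then gzinflate, then the password-hash lookup), as an added example that is not the post's own method: it reverses the layers offline and never executes the result, so attacker code is neither pasted into third-party sites nor run. The eval(...) wrapper regex, the sample payload (which reuses the hash value quoted above as its password check) and the assumption that the 32-hex-digit value is MD5 are this example's own.

```python
"""Offline decoder for the eval(gzinflate(base64_decode(str_rot13($code))))
wrapper found on the compromised host.  Added example, not the original post's
method (which used two online decoders): decoding locally means attacker code
never leaves the analysis box and is never executed.  The wrapper regex and
the sample payload are this example's own constructions."""
import base64
import codecs
import hashlib
import re
import zlib

# One obfuscation layer as PHP droppers write it.  Droppers often nest several;
# decode_all() keeps peeling until nothing matches.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=]+)\1\s*\)\s*\)\s*\)\s*\)\s*;?"
)
MD5_LITERAL_RE = re.compile(r"\b[0-9a-f]{32}\b")


def peel_layer(blob: str) -> bytes:
    """Undo one rot13 -> base64 -> DEFLATE layer.  PHP's gzinflate() is raw
    DEFLATE with no zlib/gzip header, hence wbits=-15."""
    unrotated = codecs.decode(blob, "rot_13")  # rot13 only touches letters
    raw = base64.b64decode(unrotated, validate=True)
    return zlib.decompress(raw, -15)


def decode_all(source: str, max_layers: int = 20):
    """Replace every eval(...) wrapper with the code it would have run,
    repeating for nested layers.  Nothing is executed.  Returns (source, layers)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER_RE.search(source)
        if m is None:
            break
        inner = peel_layer(m.group(2)).decode("utf-8", errors="replace")
        source = source[:m.start()] + inner + source[m.end():]
        layers += 1
    return source, layers


def find_md5_literals(source: str) -> list:
    """Pull 32-hex-digit constants out of decoded shell source: the password
    check in the post compared the input against one such value."""
    return MD5_LITERAL_RE.findall(source)


def crack_md5(digest: str, candidates):
    """Offline equivalent of googling the hash: return the first candidate
    whose MD5 matches (assumes the digest is MD5, as its length suggests)."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest.lower():
            return cand
    return None


def wrap_layer(php: str) -> str:
    """Build one layer the way the droppers do; used only to construct the
    sample below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php.encode()) + comp.flush()
    rotated = codecs.encode(base64.b64encode(raw).decode(), "rot_13")
    return "eval(gzinflate(base64_decode(str_rot13('%s'))));" % rotated


# Constructed sample: a harmless two-layer stand-in for the shell's loader,
# using the hash value quoted in the post as the password check.
INNER_PHP = "if(md5($_POST['pass'])==='161498ff7b638f5e5c0d5e32fab5470b'){echo 'ok';}"
SAMPLE = "<?php " + wrap_layer(wrap_layer(INNER_PHP)) + " ?>"

if __name__ == "__main__":
    code, n = decode_all(SAMPLE)
    print(f"peeled {n} layer(s):\n{code}")
    print("hash literals:", find_md5_literals(code))
```

Feed decode_all() the text of the real file instead of SAMPLE; if a dropper uses a different wrapper (gzuncompress, str_rot13 applied in another order, a variable holding the blob), extend WRAPPER_RE rather than running the code to see what it does.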
Finally, another file kindly uploaded by the attackers:
a PHP bot with the attackers' host name included in the source, ahlisyurga.no-ip.org. Oh, hi there!