
45.227.252.251-2018-08-19a

SEO tool related to nptzow

A fairly intrusive redirector. It injects PHP code in every theme-related file named header.php. If the injected code decides, based on User Agent string, that an invoker is a "bot", it uses curl to retrieve material from a host zalroews.pw and returns whatever that material may be.

Apparently if it decides you aren't a "bot", you get to see the compromised blog, assuming it still works after its theme's header.php files have been futzed with.

Code is related to that of nptzow, but is vastly simplified. It does not try to fill in HTML templates with material it retrieves from a ".pw" TLD host, it just returns material from that host.

Origin

Download

Downloaded to URI /blog/wp-content/plugins/wp_bing/wp-ajax.php, with 'a', 'c' and 'p1' HTTP parameters, indicating the attacker(s) thought that wp-ajax.php was a WSO web shell. The 'a' parameter had the value 'Php', which in WSO selects immediate eval of PHP source code. The 'p1' parameter's value was the PHP source code.

The HTTP request also contained a parameter named "pass", with a value "root". That would authenticate the request to a real WSO that had that password.

The IP address of the attacker accessed my web site and WordPress honey pot about 50 times since 2018-06-25, always invoking the URI /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php, except for 9 times, where it asked for some semi-gibberish URIs:

Timestamp Semi-gibberish URI
2018-06-25 03:34:11-06 /multimedia/afternose_mahoganize.html
2018-06-27 01:00:25-06 /multimedia/Baluchitherium_ichthyophagan.html
2018-06-27 14:40:13-06 /multimedia/papulopustule_onward.html
2018-07-03 00:24:27-06 /multimedia/swanmarker_Cheapside.html
2018-07-03 05:11:32-06 /multimedia/Wenchowese_progeniture.html
2018-07-04 02:48:45-06 /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/s_Cladoniaceae_chirotherian.html
2018-07-05 03:01:06-06 /multimedia/bureaucratization_Chorai.html
2018-07-05 08:10:20-06 /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/r_Fumago_subescheator.html
2018-07-07 02:12:03-06 /multimedia/Tailte_crepe.html

The semi-gibberish has a biological or maybe paleontological flavor to it.

The IP address always uses a User Agent string of Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36. This is the same User Agent string that the downloaders of nptzow used.
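The request shape described above (a WSO action parameter 'a' set to 'Php', PHP source in 'p1', a 'pass' parameter, the revslider path and the fixed User Agent string) is easy to turn into a honeypot or WAF classifier. The following is an added example, not the honeypot's own code; it assumes the caller has already parsed the request body into a dict, and the sample requests at the bottom are constructed to match the page's description.

```python
"""Flag HTTP requests that look like attempts to drive a WSO web shell.

Added example (not the honeypot's own code). Assumes request parameters
have already been parsed into a dict, which is how a honeypot or WAF hook
would see them; the sample requests below are constructed.
"""
from urllib.parse import urlsplit, parse_qs

# User Agent the page reports for every request from 45.227.252.251.
KNOWN_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36")

# Path fragments the page reports this actor requesting.
WATCHED_PATH_FRAGMENTS = (
    "/revslider/temp/update_extract/revslider/",
    "/wp-content/plugins/wp_bing/wp-ajax.php",
)


def classify_request(method, uri, params, user_agent):
    """Return the list of indicator names for one request (empty when clean).

    params: body parameters already parsed by the caller (dict of str -> str).
    Query-string parameters from the URI are merged in as well.
    """
    indicators = []
    parts = urlsplit(uri)
    merged = {k: v[0] for k, v in parse_qs(parts.query).items()}
    merged.update(params)

    if any(frag in parts.path for frag in WATCHED_PATH_FRAGMENTS):
        indicators.append("watched_path")
    # WSO convention: 'a' selects an action; the 'Php' action evals 'p1'.
    if merged.get("a", "").lower() == "php" and "p1" in merged:
        indicators.append("wso_php_eval")
    if "pass" in merged:
        indicators.append("wso_pass_param")
    if "test_url" in merged:
        indicators.append("dropper_test_url")
    p1 = merged.get("p1", "")
    if "<?php" in p1 or "base64_decode(" in p1:
        indicators.append("php_source_in_parameter")
    if user_agent == KNOWN_UA:
        indicators.append("known_actor_ua")
    return indicators


def scan(requests):
    """Return [(uri, indicators)] for every request that raised any indicator."""
    hits = []
    for method, uri, params, ua in requests:
        found = classify_request(method, uri, params, ua)
        if found:
            hits.append((uri, found))
    return hits


# Constructed samples modelled on the page's description of the traffic.
SAMPLE_REQUESTS = [
    ("POST", "/blog/wp-content/plugins/wp_bing/wp-ajax.php",
     {"a": "Php", "c": "", "p1": "<?php /* constructed placeholder */ ?>", "pass": "root"},
     KNOWN_UA),
    ("GET", "/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php",
     {}, KNOWN_UA),
    ("GET", "/180912692c2.php?test_url=1", {}, KNOWN_UA),
    ("GET", "/multimedia/afternose_mahoganize.html", {}, KNOWN_UA),
    ("GET", "/index.php?p=1", {}, "curl/7.58.0"),
]

if __name__ == "__main__":
    for uri, found in scan(SAMPLE_REQUESTS):
        print(uri, "->", ", ".join(found))
```

The User Agent match on its own is weak evidence (it is a stock Chrome 48 string), so it is reported as one indicator among several rather than as a verdict; the combination of 'a=Php' plus 'p1' is the one worth alerting on regardless of source address.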

IP Address 45.227.252.251

45.227.252.251 reverse-lookups as hosting-by.net4web.org

hosting-by.net4web.org does not have an A record

whois for 45.227.252.251:

inetnum:        45.227.252/24
owner:          NetForWeb LLC
ownerid:        CW-NELL-LACNIC
responsible:    Daniel Stenberg
address:        Kaya Seru Mahuma, z/n, ---
address:        0000 - Willemstad - CW
country:        CW
created:        20180313
changed:        20180313

CW is Curacao, a small Caribbean island nation off the north coast of South America.

geoiplookup says the IP address has a Panama location. Not that far from Curacao on a global scale.

whois for net4web.org:

Domain Name: NET4WEB.ORG
Updated Date: 2018-05-08T03:48:01Z
Creation Date: 2018-03-08T14:09:08Z
Registrant Organization: NetForWeb LLC
Registrant State/Province: Willemstad
Registrant Country: NL

Curacao used to be a possession/territory of Netherlands.

Deobfuscation

The PHP source code that a WSO web shell would eval comprised a "dropper". The dropper would create a file named 180912692c2.php in the Apache DocumentRoot directory, if it could. The dropper would base64 decode a string in the PHP source code to obtain the file's contents. The dropper would then change the access and modification times of 180912692c2.php to somewhere between 10 and 70 days in the past. The attackers might believe this camouflages the file a little.

Analysis

I pretty-printed 180912692c2.php for ease of reading.

After "downloading" the file 180912692c2.php, 45.227.252.251 tried to invoke it via HTTP. My WordPress honey pot code intercepted that request and answered with a 404 "file not found" status code. A "test_url" HTTP parameter got sent, which should have caused 180912692c2.php to give back a string "file test okay". Feedback to the invokers.

Upon successful invocation, 180912692c2.php would look through all the directories wp-content/themes/*/ for files named header.php. If a file named header.php existed and did not already contain the string "zalroews.pw" (checked using the obsolete PHP function eregi(), which was removed in PHP 7.0 and so fails there), 180912692c2.php would write a string from its own source code into the header.php file. The code in 180912692c2.php ends up deleting its source file. Only the code written into header.php files would remain.
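Two observable traits follow from the description above: the injected header.php files carry the zalroews.pw host name (the injector uses it as its own "already infected" marker) alongside the curl and User Agent handling the redirector needs, and the dropper's backdating of mtime leaves ctime untouched, because touch()-style calls cannot rewrite ctime. The scanner below is an added example, not code from the page or from the sample; it builds a constructed demo tree so it runs stand-alone, and the marker text in the demo file is a comment-only stand-in, not the injected code.

```python
"""Scan WordPress theme directories for header.php files that carry the
injected redirector's markers or a backdated modification time.

Added example, not code from the page or the analysed sample. Marker names
come from the page (the zalroews.pw host) plus the PHP calls the described
behaviour needs (curl, User Agent check, eregi); the demo tree is constructed.
"""
import glob
import os
import re
import tempfile
import time

MARKERS = {
    "c2_host": re.compile(r"zalroews\.pw", re.I),
    "curl_fetch": re.compile(r"curl_init\s*\("),
    "ua_branch": re.compile(r"HTTP_USER_AGENT"),
    # eregi() was removed in PHP 7.0; its presence marks old copy-pasted code.
    "eregi_call": re.compile(r"\beregi\s*\("),
}

# The dropper pushes mtime 10 to 70 days back; ctime cannot be moved that way,
# so a ctime far newer than mtime on a theme file is itself a finding.
BACKDATE_THRESHOLD = 7 * 86400


def inspect_file(path):
    """Return the list of findings for one file (empty when nothing matched)."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    for name, rx in MARKERS.items():
        if rx.search(text):
            findings.append(name)
    st = os.stat(path)
    if st.st_ctime - st.st_mtime > BACKDATE_THRESHOLD:
        findings.append("mtime_backdated")
    return findings


def scan_themes(wp_root):
    """Return {path relative to wp_root: findings} for suspicious header.php files."""
    results = {}
    pattern = os.path.join(wp_root, "wp-content", "themes", "*", "header.php")
    for path in sorted(glob.glob(pattern)):
        findings = inspect_file(path)
        if findings:
            results[os.path.relpath(path, wp_root)] = findings
    return results


def build_demo_tree():
    """Constructed sample: one clean theme and one theme with a backdated, marked header.php."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    clean = os.path.join(root, "wp-content", "themes", "twentyseventeen")
    bad = os.path.join(root, "wp-content", "themes", "injected")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n")
    # Comment-only stand-in carrying the markers; it is not the injected code.
    with open(os.path.join(bad, "header.php"), "w") as fh:
        fh.write("<?php\n"
                 "// constructed demo markers: eregi( HTTP_USER_AGENT curl_init( zalroews.pw\n"
                 "wp_head(); ?>\n")
    # Mimic the dropper's camouflage: mtime 40 days in the past, ctime stays now.
    past = time.time() - 40 * 86400
    os.utime(os.path.join(bad, "header.php"), (past, past))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, found in scan_themes(demo_root).items():
        print(rel, "->", ", ".join(found))
```

The timestamp check is the part that survives the malware being rewritten: string markers change with every campaign, but a header.php whose mtime sits weeks behind its ctime has been deliberately backdated, and that is worth a look on its own. Run it against the real document root by calling scan_themes() with that path instead of the demo tree.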

The code written in header.php files shares a lot with the code in nptzow's flvoaw.php.

Between the header.php code and flvoaw.php, the variable names are identical, and so is the list of regular expressions used to decide whether an invoker is a "bot". The header.php code does not have the HTML template filling or the caching of HTML that flvoaw.php has.

header.php code just passes control to the theme's PHP code, where flvoaw.php would redirect browsers:

header("Location: http://caforyn.pw/for/77?d=$d&mykeys=$mykeys");

It looks like flvoaw.php had some mechanism for putting keywords into the searches made to fill in HTML templates for bots' consumption.

header.php code sends the user agent string of the request to zalroews.pw for material to send to a "bot". I guess this would allow zalroews.pw code to tailor what it sends to each bot.

When researching flvoaw.php, I found out about "vlomaw". vlomaw appears more elaborate than the flvoaw.php of nptzow or nowir, which in turn appears more elaborate than the header.php code. This may be a case of malware evolving towards simplicity, where it usually just gets more elaborate, often by wholesale code borrowing.

zalroews.pw

The PHP injected into header.php files uses PHP's curl library to retrieve material from a host zalroews.pw. nptzow and nowir also used hosts in ".pw" for the same purpose.

(Screenshot: zalroews.pw as shown in Firefox, 2017-08-20)

zalroews.pw has an A record of 5.45.73.46, which geoiplookup says has Netherlands location. No reverse lookup for 5.45.73.46.

whois info on "zalroews.pw":

Domain Name: ZALROEWS.PW
Updated Date: 2018-08-05T00:40:51.0Z
Creation Date: 2018-03-02T11:41:38.0Z
Registry Expiry Date: 2019-03-02T23:59:59.0Z

inetnum:        5.45.72.0 - 5.45.75.255
netname:        INFERNO-NL-DE
country:        NL
org:            ORG-ISPR1-RIPE
mnt-by:         ISPIRIA-MNT
mnt-routes:     serverius-mnt
remarks:        ISPIRIA Networks Ltd.
address:        1885 Driftwood Bay, Suite 101, Belize city, Belize
created:        2018-05-03T08:12:15Z
last-modified:  2018-05-03T08:12:15Z

whois route object for IP address 5.45.73.46:

route:          5.45.72.0/22
descr:          Managed by ISPIRIA Networks
origin:         AS50673
mnt-by:         SERVERIUS-MNT
created:        2013-04-30T06:25:34Z
last-modified:  2018-05-03T13:15:35Z
source:         RIPE

Hey, the IP address and the domain name match ISPs. That's fresh and new.

nptzow and nowir used domains boriskq.pw and caforyn.pw where this code uses zalroews.pw. The registrars for boriskq.pw and caforyn.pw are different than for zalroews.pw.