A medium-complexity, immediate-evaluation backdoor. It can accept code in cookies or HTTP parameters, and it has what looks like "polymorphic" obfuscation.
This is probably the same backdoor as this apikey variant downloaded, but with the extra basic-block-separation obfuscation: apart from variable names, it's almost identical to this capture. The connection merits more examination.
The attacker(s) thought they made an apikey.php backdoor download to a file named sitemap-buffer-news.php. I made my WordPress honey pot act like an apikey.php backdoor under what I hope are appropriate circumstances. The attacker(s) seem to think they achieved a download via that backdoor.
88.214.26.34 has a DNS name of "hostby.fcloud.biz", which in turn, does not have a DNS name.
88.214.26.34 has routing information like this:
route: 88.214.26.0/24
origin: AS201912
mnt-by: FCLOUD-MNT
created: 2018-11-21T22:03:56Z
last-modified: 2018-11-21T22:03:56Z
It apparently belongs to an organization in the Seychelles islands:
organisation: ORG-FI54-RIPE
org-name: FutureNow Incorporated
org-type: OTHER
address: National Cultural Centre 861 P.O. Box 1492, Victoria Mahe, Seychelles
88.214.26.34 is on some blacklists as of 2019-05-30.
The last few hops of a traceroute are weird:
6 100ge16-1.core1.nyc4.he.net (184.105.223.162) 140.518 ms 79.404 ms 79.285 ms
7 100ge4-1.core1.par2.he.net (184.105.81.78) 145.231 ms 145.180 ms 145.169 ms
8 100ge5-2.core1.vie1.he.net (184.105.65.6) 142.299 ms 142.290 ms 142.265 ms
9 100ge10-1.core1.sof1.he.net (184.105.65.134) 159.542 ms 182.320 ms 182.261 ms
10 216.66.85.58 (216.66.85.58) 184.971 ms 184.926 ms 184.918 ms
11 * * *
12 hostby.fcloud.biz (88.214.26.34) 189.744 ms 203.808 ms 203.799 ms
The route seems to go mostly over Hurricane Electric routers, and the host names of the routers would have one believe that packets route from Chicago, IL to New York City to Paris, then off to parts unknown, and finally to 88.214.26.34. According to this locator, 184.105.65.134 (100ge10-1.core1.sof1.he.net) is on South Federal Street in Chicago, IL. I'm guessing that the fcloud.biz thing is a front company; 216.66.85.58 is a Hurricane Electric IP address.
I get consistent ping times of about 170 milliseconds to 88.214.26.34, so it can't be too far from 100ge10-1.core1.sof1.he.net.
This deobfuscation involved labor-intensive manual editing.
This looks like it has "polymorphic" obfuscation on the first level. This is quite an achievement for PHP code.
A simple reformatting for readability gave me f1.php
It has basic blocks of code linked by goto statements.
I manually followed the jumps around, putting basic blocks of code in order in xd.php
This "polymorphism" requires a PHP parser to extract basic blocks of code: a set of contiguous lines of PHP with no jump into or out of the set. These can be as small as a single line of code. There are no looping constructs in this code, so it's just barely possible it was done by hand. I think it's more likely that some kind of programmatic reshaping of the code has taken place.
After straightening out all the gotos, I obtained xd.php, probably something like the original code.
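The goto-following described above can be mechanized for the simple case the capture exhibits. The following is an added example, not the page's xd.php or any code from the capture: it handles only unconditional gotos and straight-line code (the page notes the capture has no loops), recognizes labels and gotos with regular expressions rather than a real PHP parser, and runs on a constructed sample rather than the captured backdoor.

```python
"""Added example: emit the basic blocks of a goto-scrambled PHP file in the
order control actually reaches them. Assumes unconditional gotos only, one
statement per line, and no loops; the sample is constructed, not captured."""
import re

LABEL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*$")
GOTO_RE = re.compile(r"^\s*goto\s+([A-Za-z_]\w*)\s*;\s*$")

# Constructed sample: three statements scrambled into goto-linked blocks,
# laid out in the file as B3, B1, B2 but executed as B1, B2, B3.
SCRAMBLED = """<?php
goto B1;
B3:
echo $greeting;
goto DONE;
B1:
$name = "world";
goto B2;
B2:
$greeting = "hello, " . $name;
goto B3;
DONE:
"""


def unscramble(source):
    """Return the executable lines of `source` in execution order."""
    lines = source.splitlines()
    # Each label maps to the index of the line that follows it.
    labels = {}
    for i, line in enumerate(lines):
        m = LABEL_RE.match(line)
        if m:
            if m.group(1) in labels:
                raise ValueError("duplicate label " + m.group(1))
            labels[m.group(1)] = i + 1

    ordered = []
    visited = set()
    i = 0
    while i < len(lines):
        if i in visited:
            # A revisit means there is a loop, which this straight-line
            # walker does not handle (the capture on the page had none).
            raise ValueError("control flow revisits line %d" % (i + 1))
        visited.add(i)
        line = lines[i]
        if LABEL_RE.match(line) or not line.strip():
            i += 1                       # labels and blank lines emit nothing
            continue
        m = GOTO_RE.match(line)
        if m:
            target = m.group(1)
            if target not in labels:
                raise ValueError("goto to undefined label " + target)
            i = labels[target]           # follow the jump instead of emitting it
            continue
        ordered.append(line)
        i += 1
    return ordered


if __name__ == "__main__":
    print("\n".join(unscramble(SCRAMBLED)))
```

Running it on the sample prints the `<?php` line followed by the three statements in their original order; a file with a jump back to an earlier block raises instead of looping forever.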
Someone obfuscated xd.php by visually confusing code:
- Variable names made of randomly selected letters: $CnCHz
- Use of randomly capitalized identifiers: "DEF0j", "DeF0j", "def0j", "DeF0J"
- Composition of meaningless strings to make meaningful strings: array("str_" . "rot13", "pack", "st" . "rrev")
- Indirection through a function to get names of pieces of code, or function names
- Pieces of enciphered code can be in a cookie or an HTTP parameter.
- Meaningless names of cookies or HTTP parameters: "jweyc", "aeskoly", "owhggiku"
- Four pieces of ciphertext code concatenated via indirection through a function.
- Deciphering the code using function names stored in a $GLOBALS array element.
A lot of these techniques take advantage of PHP's ability to represent a given string in many ways. Function names are not case sensitive, for example.
This required hand-editing to get to something more-or-less sensible: xd1.php
This code comprises an immediate-execution backdoor. The code arrives as many as 4 strings of "hex-encoded" text, in either cookies or HTTP parameters named "jweyc", "aeskoly", "owhggiku" and "callbrhy". A user of this backdoor could mix it up, sending all strings in cookies, or all as HTTP parameters, or a mix. The user could break up the encoded text different ways, which just might help an attack fly under an intrusion detection system.
As an example, this will give you back "hello, world":
curl -d 'jweyc=b32216c517975626a602c22697972757220226570727' http://example.com/sitemap-buffer-news.php
So will this, and so will many other permutations:
curl -d 'jweyc=b32216c517' --cookie 'callbrhy=975626a602c22697972757220226570727' http://example.com/sitemap-buffer-news.php
I've written an encoder and a decoder to test my understanding of the backdoor. I used the encoder to create the string of hex digits used in the examples above.
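For readers who want to check the same reading of the backdoor, here is an added encoder/decoder in Python. It is not the author's encoder or decoder and not code from the capture. It assumes the three functions named in the obfuscated array are applied as strrev, then pack('H*'), then str_rot13 (the order that turns the hex string in the curl examples above into readable PHP), and it assumes the four pieces are concatenated in the order jweyc, aeskoly, owhggiku, callbrhy, which the two-chunk curl example is consistent with but does not fully confirm. The sample request below is constructed from that second curl example.

```python
"""Added example (not the page's own encoder/decoder): reassemble the pieces
of a sitemap-buffer-news.php payload from a request's parameters and cookies,
decode them to PHP, and confirm the decoder with a round-trip encoder."""

# Piece names from the page. Concatenating in this order is an assumption
# drawn from the two-chunk example (jweyc first, callbrhy last).
PIECE_NAMES = ("jweyc", "aeskoly", "owhggiku", "callbrhy")

# str_rot13 rotates ASCII letters only; a translation table does the same.
_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def assemble(params, cookies):
    """Join the pieces in PIECE_NAMES order, taking each piece from the HTTP
    parameters or, failing that, from the cookies, so the mixed placements
    the page describes reassemble identically. Absent pieces are skipped."""
    return "".join(params.get(name) or cookies.get(name) or "" for name in PIECE_NAMES)


def decode(hexstring):
    """strrev -> pack('H*') -> str_rot13 (assumed order, see lead-in)."""
    reversed_hex = hexstring[::-1]
    if len(reversed_hex) % 2:
        reversed_hex += "0"          # pack('H*') pads a trailing odd nibble with zero
    return bytes.fromhex(reversed_hex).decode("latin-1").translate(_ROT13)


def encode(php_source):
    """Inverse of decode(); used only to confirm the decoder's reading."""
    return php_source.translate(_ROT13).encode("latin-1").hex()[::-1]


def decode_request(params, cookies):
    """Recover the PHP carried by one request, for analysis of a capture."""
    return decode(assemble(params, cookies))


# Constructed request matching the page's second curl example: one piece as
# a POST parameter, the other as a cookie.
SAMPLE_PARAMS = {"jweyc": "b32216c517"}
SAMPLE_COOKIES = {"callbrhy": "975626a602c22697972757220226570727"}

if __name__ == "__main__":
    php = decode_request(SAMPLE_PARAMS, SAMPLE_COOKIES)
    print(php)                       # echo "hello, world\n";
    assert encode(php) == assemble(SAMPLE_PARAMS, SAMPLE_COOKIES)
```

Decoding the page's hex string yields the PHP statement `echo "hello, world\n";` (with a literal backslash-n, so the output ends in a newline), and re-encoding that statement reproduces the page's hex digits exactly, which is what makes the assumed function order credible. On a web server log or WAF, the four parameter and cookie names are the cheapest indicator to alert on, since the hex itself varies with every payload.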