Hacking tools disguised as a plugin, implicating a Bangladeshi hacking crew. It claims to be from "United Bangladeshi Hackers", but the attacking IP address was Turkish, their website is registered out of Bangalore, India, and hosted in Australia. The most effective piece of code they downloaded appears to be from a Russian programmer. Quite a cosmopolitan conglomeration, but it doesn't scream "Bangladeshi" except for the possibly ironic title.
https://www.blackhatworld.com/seo/wordpress-site-hacked-by-bangladeshi-hacker.796306/
A file named ubh.zip got downloaded to my WordPress honey pot via the plugin install page. It is a zip-format file, so I suppose that WordPress would have opened the zip file.
The download came from 88.253.118.191, whose reverse DNS is 88.253.118.191.dynamic.ttnet.com.tr. Apparently another TurkTelecom IP address.
That makes sense. Traceroute goes through:
34-acibadem-xrs-t2-2---308-buk-col-1.statik.turktelekom.com.tr (212.156.139.107)
34-acibadem-t3-6---34-acibadem-xrs-t2-2.statik.turktelekom.com.tr (195.175.171.162)
whois for ubhteam.org:
Domain Name: UBHTEAM.ORG
Registrant Name: Domain Manager
Registrant Organization: samirnet -domain names for sale
Registrant Street: Flat No. 48 Cunningham Apts Edward Road
Registrant City: Bangalore
Registrant State/Province:
Registrant Postal Code: 560052
Registrant Country: IN
Wait, Bangalore? That's not in Bangladesh.
ubhteam.org → 103.224.212.222
103.224.212.222 → lb-212-222.above.com.
inetnum: 103.224.212.0 - 103.224.213.255
netname: TRELLIAN-AU
descr: Trellian Pty. Limited
descr: 8 East Concourse, Beaumaris Victoria 3193
country: AU
Hmmm... Australia.
The zip file unzips into a directory containing 4 files:
ubh.php - plugin actions that reference con.php and up.php
con.php - very obfuscated web console source code
index.php - small amount of HTML displaying "United Bangladeshi Hackers"
up.php - file uploader
index.php and ubh.php are just trivial; up.php is nearly so.
This isn't the simplest file uploader I've seen. It does have a file browse button, an upload button, and it tells you where it put the file, should you successfully upload one. Keep it simple, stupid?
The original con.php file is a highly obscured piece of visual garbage.
After running my PHP deobfuscator over it, it becomes clearer. But not totally clear: whatever JavaScript minifier compressed this did a great job.
It's a very slightly modified version of a web console from GitHub. Looks like the UBH have minified the JavaScript, as well as obfuscating the whole file.
User name and password are both "ubh".
The web console appears to lean heavily on eazy-jsonrpc, and it works pretty smoothly. I'm impressed. Nice job.
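As an added example (not code from the post or from the archive it describes), here is the kind of triage a honey pot operator could run over a dropped plugin zip to flag an uploader like up.php and a packed console like con.php. The archive and its three file bodies are constructed inline as inert markers, and the regexes are assumed heuristics, not signatures for this particular kit.

```python
import io
import re
import zipfile

# Heuristics, not signatures: each hit is a hint that a "plugin" file is really
# an uploader or an obfuscated console, like the up.php/con.php pair above.
INDICATORS = {
    "uploader": re.compile(r"\$_FILES\b|move_uploaded_file\s*\("),
    "obfuscation": re.compile(r"\b(eval|gzinflate|str_rot13|base64_decode)\s*\("),
}

def triage_plugin_zip(data: bytes) -> dict:
    """Return {member name: [hit labels]} for every .php member of the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
            # One very long line is typical of minified or packed source.
            if max((len(line) for line in text.splitlines()), default=0) > 500:
                hits.append("long_line")
            findings[info.filename] = hits
    return findings

def is_suspicious(findings: dict) -> bool:
    """True when any member carries an uploader, obfuscation or long-line hit."""
    return any(findings.values())

def build_sample_zip() -> bytes:
    """Constructed stand-in for the dropped archive; the bodies are inert markers."""
    members = {
        "ubh/index.php": "<html><body>United Bangladeshi Hackers</body></html>",
        "ubh/up.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'x'); ?>",
        "ubh/con.php": "<?php eval(base64_decode('" + "A" * 600 + "')); ?>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in triage_plugin_zip(build_sample_zip()).items():
        print(f"{name}: {hits or 'clean'}")
```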