A somewhat modified WSO 2.5 web shell. Apparently modified by an Algerian hacker crew. It claims to be "Jijle3 PHP Shell v 0.1.8".
- 2016-07-20
- 2015-02-06 - different strain?
- 2016-09-01
I include the 2015-02-06 version for comparison. The author(s) do appear to have done some ongoing development.
whois has the IP address owned by Algerie Telecom Mobile:

```
inetnum: 154.121.0.0 - 154.121.255.255
netname: MOBILIS-3G-NETWORK
descr: Algerie Telecom Mobile MOBILIS
country: DZ
```

This matches geoiplookup output.
Apparently, the attacker(s) believed they knew the URL of a WSO web shell with the URI of "/wordpress//wp-content/plugins/wp-mobile-detector/cache/db.php". The HTTP parameters include names "a", "c" and "p1" with values stereotypical for WSO web shells.
The attacker(s) sent me this code as a "FilesMan" action, "uploadFile" subaction. It would have ended up in a file named 2.php if my WSO honey pot honored FilesMan actions.
The raw program starts out as an eval of a "\xNN"-encoded PHP string:

```php
<?php
//############################
//Jijle3 Web PHP Shell 2015
//[email protected] | FB.com/J1jeI
//############################
eval("\x65\x76\x61\x6C\x28\x67\x7...
```
Deobfuscation was pretty straightforward - about 8 layers of intermixed PHP "\xNN" encoding, base64-encoded gzips, and a final function:

```php
function dohavj05411($str) {
    $a = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
    $b = "\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65";
    return $b($a($str));
}
```

Which ends up like this, decoded:

```php
function dohavj05411($str)
{
    $a = "base64_decode";
    $b = "gzinflate";
    return $b($a($str));
}
```
Some automatic obfuscator must exist that does a specified number of encodings. I've seen other PHP malware that uses the same multiple encodings.
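As an added example (not code from this post or from the shell's author), a small Python peeler for the layering just described. It assumes only the two wrappers named above, eval() of a "\xNN"-escaped string and eval(gzinflate(base64_decode())), builds a constructed sample with them, unwraps it, and then rewrites any remaining hex-escaped string literals the way the decoded dohavj05411() reads; build_sample, peel_layers and decode_hex_literals are names of my own.

```python
import base64
import re
import zlib

# The two eval() wrappers the post describes, optionally inside <?php ... ?> tags.
EVAL_HEX = re.compile(r'^\s*(?:<\?php\s*)?eval\("((?:\\x[0-9A-Fa-f]{2})+)"\);?\s*(?:\?>)?\s*$')
EVAL_GZ = re.compile(r'^\s*(?:<\?php\s*)?eval\(gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)\);?\s*(?:\?>)?\s*$')
HEX_LITERAL = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')

def hex_literal_bytes(escaped: str) -> bytes:
    """Turn a run of PHP "\\xNN" escapes into the bytes it denotes."""
    return bytes.fromhex(escaped.replace("\\x", ""))

def decode_hex_literals(code: str) -> str:
    """Rewrite "\\xNN..." literals as plain text where that keeps them valid PHP literals."""
    def repl(m):
        raw = hex_literal_bytes(m.group(1))
        text = raw.decode("latin-1")
        # Keep the escapes when the text would need quoting or would interpolate a $var.
        if raw.isascii() and text.isprintable() and not any(c in text for c in '"\\$'):
            return f'"{text}"'
        return m.group(0)
    return HEX_LITERAL.sub(repl, code)

def peel_layers(code: str, max_layers: int = 32):
    """Unwrap nested eval() layers; returns (innermost code, list of layer kinds)."""
    layers = []
    while len(layers) < max_layers:
        if m := EVAL_HEX.match(code):
            code = hex_literal_bytes(m.group(1)).decode("latin-1")
            layers.append("hex-escaped eval")
        elif m := EVAL_GZ.match(code):
            # gzinflate() is raw DEFLATE, hence wbits=-15 (no zlib or gzip framing).
            code = zlib.decompress(base64.b64decode(m.group(1)), -15).decode("latin-1")
            layers.append("gzinflate(base64_decode())")
        else:
            break
    return decode_hex_literals(code), layers

def build_sample(inner: str, layers: int) -> str:
    """Constructed stand-in for the captured file: alternate the two wrappers around inner."""
    code = inner
    for i in range(layers):
        if i % 2 == 0:  # raw DEFLATE, as gzinflate() expects, then base64
            c = zlib.compressobj(9, zlib.DEFLATED, -15)
            blob = base64.b64encode(c.compress(code.encode("latin-1")) + c.flush()).decode()
            code = f'eval(gzinflate(base64_decode("{blob}")));'
        else:
            code = '<?php eval("' + "".join(f"\\x{b:02X}" for b in code.encode("latin-1")) + '"); ?>'
    return code

# Constructed innermost layer, written like the post's hex-escaped helper body.
INNER = ('$a = "\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65"; '
         '$b = "\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65"; return $b($a($str));')
```

Running peel_layers(build_sample(INNER, 8)) reports eight peeled layers and returns the helper body with its two function names in the clear.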
I pretty-printed the final version for readability.
The code could show an incredibly cool logo:
The code claims it was "Coded By Phenomene Dz Algeria - Jijel".
Google says: "Jijel is the capital of Jijel Province in north-eastern Algeria."
That aligns with the whois data, and a comment about the author,
It is a WSO shell; it claims to be WSO_VERSION 2.5.
Like all WSO variants, it decides what action to take based on the value of the HTTP parameter named "a". It ends up dispatching to a function using PHP's call_user_func().
The functions dispatched to all have names beginning with "action". Jijle3 has all 13 "action" functions that WSO 2.5 has, plus 32 more.
Most or all of these extra 32 functions are copied from other hacking tools.
Obvious examples include:
- function actionlfiscan() appears in other WSO variants, and on its own.
- The Perl code in function actioncgi() is from priv8 bypass shell dated Jan 6, 2012.
- function actionftpsmtp() seems to be lifted wholesale from either the "webroot" web shell, or wherever "webroot" got the code for wpindex.php.
- function actionshellfind() appears to constitute minor modifications of a PHP shell finder dated Oct 12, 2016.
I feel like the additional code is mostly modified from the "webroot" web shell, but I can only find a few exact parallels between the webroot I've got, and this code.
Jijle3's additional code is written in a different fashion than WSO variants.
The WSO author meticulously composed strings of HTML, then used PHP's echo builtin to output them.
Jijle3's author(s) include sections of HTML text separated from PHP code by <? / <?php and ?> tokens.
They used short open tags in some places, which probably limits the code's ability to run everywhere.
A lot of the apparently borrowed code uses older, deprecated functions like ereg() and mysql_query().
The borrowed code mostly assumes that it runs on Linux: explicit use of awk occurs, and unlike original WSO, it does distinguish between Windows and Linux path separators.