Deeply, yet simply obscured c99 web shell.
IP address 188.161.2.94 does not have a PTR record in DNS,
but whois says it falls in 188.161.2.0/23, AS12975, assigned
to PALTEL (Palestine Telecommunications Co.).
The HTTP request headers list languages of Arabic and US English, so the PALTEL attribution makes sense.
Uploaded to a fake WSO web shell, via the uploadFile sub-action of
the FilesMan action. Files typically get uploaded
via WSO shells using this sub-action, but alternate methods exist.
WSO has a complicated history.
This is part of a larger session of WSO usage. See that directory for details. It looks like a human, rather than an automaton, was behind the session.
p0f3 can't identify the OS by a SYN packet: raw_sig=4:113+15:0:1400:mss*44,8:?77,mss,nop,ws,nop,nop,sok::0
The HTTP user agent string identifies the uploader as Windows 10.0.
- Hand edit 188.161.2.94WiV81s44pkwc1Rz6P1pckwAAABA.0.file into dc1.php
- De-obfuscate with revphp, yielding f1.php
- Hand edit f1.php into dc2.php
- Execute dc2.php giving dc3.php, dc3.php giving dc4.php and so forth... Work through N levels of eval(gzinflate(base64_decode(...))) finally yielding dc14.php
- Pretty-print dc14.php into f2.php
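The dc2.php through dc14.php step above peels one eval(gzinflate(base64_decode(...))) wrapper per execution. The script below does the same peeling statically, without ever running the attacker's PHP: it finds the wrapper, base64-decodes it, raw-inflates it the way PHP's gzinflate() does (zlib wbits=-15), and repeats until no wrapper is left. This is an added example, not a tool from this page or from the revphp project. The 13-layer sample it unwraps is constructed inline around a harmless stand-in payload; it is not the c99 shell the honeypot captured.

```python
import base64
import re
import zlib

# One wrapper layer as it appears in the dc*.php files:
#   eval(gzinflate(base64_decode('...')));
# Whitespace inside the base64 literal is tolerated; the quote style may be ' or ".
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*\)"""
)


def peel_layer(php_src: str):
    """Return the PHP hidden inside one wrapper layer, or None if no wrapper is present.

    Nothing is executed: the eval() is simply not performed, its argument is decoded instead.
    A base64 or zlib error means the sample uses a variant this pattern does not cover
    (gzuncompress, str_rot13, a dash-substituted alphabet, ...) and is left to propagate.
    """
    m = LAYER_RE.search(php_src)
    if m is None:
        return None
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
    # PHP gzinflate() consumes raw DEFLATE with no zlib/gzip header; wbits=-15 selects that.
    return zlib.decompress(blob, -15).decode("latin-1")


def peel_all(php_src: str, max_layers: int = 64):
    """Unwrap nested layers until a non-wrapper body appears or max_layers is hit.

    Returns (number_of_layers_removed, [original, layer1, ..., final]); the list maps
    onto the dc2.php, dc3.php, ... file series an analyst would otherwise produce by hand.
    """
    stages = [php_src]
    for _ in range(max_layers):
        inner = peel_layer(stages[-1])
        if inner is None:
            break
        stages.append(inner)
    return len(stages) - 1, stages


# --- constructed sample (assumption: a stand-in payload, not the honeypot's c99 shell) ---

def _deflate_raw(data: bytes) -> bytes:
    # wbits=-15 produces raw DEFLATE, the format PHP's gzdeflate() emits and gzinflate() reads.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def wrap_layers(inner_php: str, layers: int) -> str:
    """Build an N-deep eval(gzinflate(base64_decode())) wrapper around inner_php."""
    code = inner_php
    for _ in range(layers):
        b64 = base64.b64encode(_deflate_raw(code.encode("latin-1"))).decode("ascii")
        code = "eval(gzinflate(base64_decode('%s')));" % b64
    return "<?php\n%s\n?>" % code


INNER_PAYLOAD = 'echo "innermost layer reached";'   # constructed stand-in payload
SAMPLE = wrap_layers(INNER_PAYLOAD, 13)              # 13 layers, like the dc2..dc14 series


if __name__ == "__main__":
    n, stages = peel_all(SAMPLE)
    print("layers removed:", n)
    print("final body:", stages[-1])
```

Layer peeling stops as soon as a body no longer matches the pattern, so the final element of the list is what the hand-edited f1.php/dc14.php stage exposes; the max_layers cap keeps a malformed or self-referential sample from looping. Real samples mix other wrappers (gzuncompress, str_rot13, strrev, concatenated function names), so when peel_layer raises or returns None on a body that still looks encoded, the pattern needs extending rather than the file needs executing.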
Do the online PHP de-obfuscators stop at 13 layers of encoding?
Looks like a c99 web shell.