Wednesday, March 4, 2015

C99Shell not dead


I recently got contacted on Twitter in regards to a hacked webpage:



After I received the files two things became apparent:

- the webserver (and thus the website) was infected with C99shell
- the webserver was infected with other PHP backdoors

PHP/c99shell or simply c99shell should be well known by now - it is a PHP backdoor that provides a lot of functionality, for example:

- download/upload files from and to the server (FTP functionality)
- run shell commands
- full access to all files on the hard disk
- ...

In short, it can pretty much do everything an attacker wants, which results in end-users getting malware onto their systems, data getting stolen and/or personal information being compromised.

There's an excellent blog post over at Malwaremustdie in regards to C99shell, you can read it here:
How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?


Now, here's one of the files gathered from the webserver:




It's heavily obfuscated as one would expect; after some deobfuscating/decoding we get:




It also has a nice web interface:









Seems like we are dealing with a slightly updated version of C99shell, version 2.1:








And last but not least, some functionality:














You can find the decoded C99shell backdoor on Pastebin:
Decoded PHP/c99shell

Detections aren't too great for this PHP backdoor, but they have surely improved since Malwaremustdie started blogging about it; some VirusTotal results: 0, 1, 2.


As I mentioned before, other PHP backdoors were present, for example:








After some manual decoding, we turn up the following interesting line:
getenv(HTTP_X_UP_CALLING_LINE_ID);

Another example:
getenv(HTTP_X_NOKIA_ALIAS);

The "x-headers" HTTP_X_UP_CALLING_LINE_ID and HTTP_X_NOKIA_ALIAS are actually part of WML, the Wireless Markup Language.

Thus, this PHP backdoor seems specifically designed to target mobile users. I've put a copy of the script in the screenshot above on Pastebin as well:
Unknown PHP backdoor

Darryl from Kahu Security has written an excellent post on how to manually decode this kind of PHP obfuscation: Deobfuscating a Wicked-Looking Script
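As an added example (this is not code from the original post, nor from Kahu Security's tools), the following Python script peels the kind of nested eval()/decoder wrapping that the manual decoding above deals with, without ever executing the decoded PHP. It assumes the common wrapper functions (base64_decode, gzinflate, gzuncompress, str_rot13, strrev); the two-layer sample it decodes is constructed inside the script.

```python
import base64
import codecs
import re
import zlib

# One wrapper layer: eval() around a chain of decoder calls applied to a single
# quoted string literal, e.g. eval(gzinflate(base64_decode('...')));
WRAPPER_RE = re.compile(
    r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)(['"])(.*?)\2\s*\)+\s*;?""",
    re.DOTALL,
)


def apply_decoder(func, data):
    """Apply one PHP decoding function to a bytes value (assumed subset only)."""
    if func == "base64_decode":
        return base64.b64decode(data)
    if func == "gzinflate":          # raw DEFLATE stream, no zlib header
        return zlib.decompress(data, -15)
    if func == "gzuncompress":       # zlib-wrapped DEFLATE stream
        return zlib.decompress(data)
    if func == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
    if func == "strrev":
        return data[::-1]
    raise ValueError("unsupported decoder: %s" % func)


def peel(source, max_layers=20):
    """Strip eval(f(g('...'))) wrappers one layer at a time.

    Returns (innermost_code, decoders_seen); decoders are listed as written in
    the source, outer layer first. Nothing is executed: the eval() is only
    matched textually and its string argument is decoded offline."""
    seen = []
    current = source
    for _ in range(max_layers):
        match = WRAPPER_RE.search(current)
        if not match:
            break
        funcs = re.findall(r"\w+", match.group(1))   # written outermost first
        data = match.group(3).encode("latin-1")
        for func in reversed(funcs):                 # PHP runs the innermost call first
            data = apply_decoder(func, data)
        seen.extend(funcs)
        current = data.decode("latin-1")
    return current, seen


def build_sample(inner):
    """Constructed two-layer sample mimicking the packaging seen around C99shell:
    str_rot13 + base64 on the outside, gzinflate + base64 on the inside."""
    deflater = zlib.compressobj(wbits=-15)           # raw DEFLATE, as gzinflate expects
    raw = deflater.compress(inner.encode("latin-1")) + deflater.flush()
    layer1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    rotated = codecs.encode(layer1, "rot_13").encode("latin-1")
    return "<?php eval(str_rot13(base64_decode('%s'))); ?>" % base64.b64encode(rotated).decode()


if __name__ == "__main__":
    code, layers = peel(build_sample('echo "decoded body would appear here";'))
    print(layers)
    print(code)
```

Each layer is decoded by hand in the order PHP would run it (innermost call first), so the only thing that ever "executes" is base64/zlib decoding; the output is the plain PHP that the eval() would have run, ready for reading in PHP Formatter or a similar beautifier.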

If you have any information on what kind of PHP backdoor this might be (if not generic), feel free to let me know.




Prevention

This shouldn't need repeating, but I will do it again just for good measure:

  • Create back-ups regularly! Yes, even for your website.
  • Keep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ... 
  • Keep your installed plugins up-to-date. Remove any unnecessary plugins.
  • Use strong passwords for your FTP account(s), as well as for your CMS/admin panel login.
  • Use appropriate file permissions - meaning don't use 777 everywhere. (seriously, don't)
  • Depending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.
  • Consider using a tool like Splunk to monitor your access logs. 
  • Consider installing a security plugin. For WordPress, there is a plugin called All In One WordPress Security which has a ton of options to better secure your website. Don't forget to keep this one up-to-date as well.

More (extended) tips can be found over at StopBadware:
Preventing badware: Basics

There are also guides available on how to harden your specific CMS installation, for example:
WordPress: Hardening WordPress
Joomla: Security Checklist/Joomla! Setup
Drupal: Writing secure code




Disinfection

What if your website's already been hacked and serving up malware to the unknowing visitor? Best practice is to simply take your website offline and restore from an earlier back-up. (don't forget to verify that your back-up isn't infected as well)

If that's not a possibility for whatever reason, you'll first need to find where any malicious code was injected (or created) on your website, or how it was infected in the first place.

An easy way would be to simply check all recently changed files on your web server. However, file timestamps can be altered, so what's a better alternative? You can comb over the files one by one, or you can use an online tool to check your website.

A short overview:

http://sitecheck.sucuri.net/
You can use Sucuri's SiteCheck to quickly spot whether it detects any malware and whether you're blacklisted; the most useful part in this case is the check for any outdated plugin or CMS you have running, as well as a list of links.

http://aw-snap.info/file-viewer/
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).

http://www.rexswain.com/httpview.html
A useful companion to Redleg's file viewer. Allows you to fetch only the headers of a website, or both headers and content.

http://jsunpack.jeek.org/
Excellent tool in case any malicious Javascript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.

http://urlquery.net/
Excellent tool and more graphical than JSunpack; especially useful to see whether any IDS signature was triggered, as well as the JavaScript and HTTP transactions.

https://www.virustotal.com/
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.

https://hackertarget.com/wordpress-security-scan/
Online WordPress Security Scanner to test vulnerabilities of a WordPress installation. Checks include application security, WordPress plugins, hosting environment and web server.

https://github.com/nbs-system/php-malware-finder
NBS System's PHP Malware Finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.

If nothing is found using any of these tools, but you are still receiving reports from either blacklists (e.g. Google) or users, you'll have to manually go over all your files to see if any code was injected. Another method (and obviously not foolproof) is to copy all your files to a Windows system and scan them with an antivirus. I think you're starting to realize why back-ups are important.

If you had any outdated plugins running, chances are very high the backdoor or script was created/added in that specific directory. For example for WordPress this is typically:
/www/wp-content/plugins/

You can also install a plugin for your CMS which can scan your web server for any infected files. (Which is ironic, but might still do the trick should you not be able to find anything manually.)
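Added example (not a tool from the original post, nor the code of any plugin it mentions): a small Python scanner that combines the three checks discussed above, recently modified files, comparison against a baseline of file hashes taken from a known-clean copy or back-up, and a grep for functions typical of PHP webshells, and also flags world-writable files. The baseline is what catches a dropped or edited file whose timestamp was forged. The plugin directory layout, the suspicious-pattern list and the sample files in demo() are all constructed for the example.

```python
import hashlib
import os
import re
import stat
import tempfile
import time

# Content patterns that are rare in legitimate plugin code but routine in PHP
# webshells such as C99shell (constructed list; extend it for your own site).
SUSPICIOUS = [
    (re.compile(rb"\beval\s*\("), "eval()"),
    (re.compile(rb"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), "decoder call"),
    (re.compile(rb"\b(?:system|passthru|shell_exec|proc_open|popen)\s*\("), "command execution"),
    (re.compile(rb"getenv\s*\(\s*['\"]?HTTP_X_"), "reads X- request header via getenv"),
    (re.compile(rb"c99shell", re.IGNORECASE), "c99shell marker"),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def relative(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root.
    Take this from a known-clean install or a verified back-up, never from
    the live site after the fact."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                baseline[relative(path, root)] = sha256_file(path)
    return baseline


def scan(root, baseline, recent_days=7):
    """Return [(relative_path, [reasons])] for files worth a manual look.
    Timestamps are reported but never trusted on their own: the baseline hash
    and the content patterns still catch files whose mtime has been forged."""
    findings = []
    cutoff = time.time() - recent_days * 86400
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = relative(path, root)
            reasons = []
            digest = sha256_file(path)
            if rel not in baseline:
                reasons.append("not in baseline")
            elif baseline[rel] != digest:
                reasons.append("hash differs from baseline")
            if st.st_mtime > cutoff:
                reasons.append("modified recently")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if name.lower().endswith(PHP_EXTENSIONS):
                with open(path, "rb") as f:
                    data = f.read()
                reasons.extend(label for pat, label in SUSPICIOUS if pat.search(data))
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Constructed scenario: a clean plugin, a baseline taken from it, then a
    dropped file with a forged (old) mtime and an in-place edit of the plugin
    with its original mtime restored. Both are still caught."""
    root = tempfile.mkdtemp()
    plugin_dir = os.path.join(root, "wp-content", "plugins", "example")
    os.makedirs(plugin_dir)
    plugin = os.path.join(plugin_dir, "example.php")
    with open(plugin, "w") as f:
        f.write("<?php\n// constructed clean plugin\nfunction example_hello() { return 'hi'; }\n")
    old = time.time() - 400 * 86400
    os.chmod(plugin, 0o644)
    os.utime(plugin, (old, old))
    baseline = build_baseline(root)

    dropped = os.path.join(plugin_dir, "wp-cache.php")
    with open(dropped, "w") as f:
        f.write("<?php\neval(gzinflate(base64_decode('CONSTRUCTED')));\n"
                "if (getenv('HTTP_X_NOKIA_ALIAS')) { }\n")
    os.chmod(dropped, 0o644)
    os.utime(dropped, (old, old))          # forged timestamp

    with open(plugin, "a") as f:
        f.write("// constructed edit: any change is caught by the hash\n")
    os.chmod(plugin, 0o644)
    os.utime(plugin, (old, old))           # timestamp restored after the edit
    return scan(root, baseline)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", ", ".join(reasons))
```

In practice you would run build_baseline() against the clean back-up (or a fresh download of the same CMS and plugin versions) and scan() against the live web root; anything "not in baseline" or with a differing hash goes on the manual review pile regardless of what its timestamp says.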

Last but not least: check your access logs! See any unauthorized (FTP) logins, for example? Contact your hosting provider - they might be able to assist you as well. For a WordPress site on a typical Linux web server the access logs live in, for example:
/var/log/httpd
/var/log/nginx
/var/log/apache
/var/log/apache2
You may also want to take a peek in:
/var/log
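Added example of what to look for in those access logs (not code from the original post): a Python triage script over a handful of constructed Apache/nginx combined-format lines. It flags direct requests to PHP files inside the plugin directory, POSTs to PHP scripts that are not normal WordPress entry points, and any PHP file served from the uploads directory, then lists the client addresses behind those requests so you can cross-check them against FTP logins. The known-POST-target list and the log lines are assumptions constructed for the example; adjust the regex if your server uses a custom log format.

```python
import re

# Apache/nginx "combined" log format (assumed; adjust for custom formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Scripts that legitimately receive POSTs on a WordPress front end (assumed list).
KNOWN_POST_TARGETS = {
    "/wp-login.php", "/xmlrpc.php", "/wp-comments-post.php", "/wp-cron.php",
}

# Constructed sample log lines (RFC 5737 documentation addresses, fictitious paths).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2015:10:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2015:10:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2015:10:12:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2015:10:15:33 +0000] "GET /wp-content/plugins/example/wp-cache.php HTTP/1.1" 200 14322 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2015:10:15:41 +0000] "POST /wp-content/plugins/example/wp-cache.php?a=1 HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Mar/2015:10:20:02 +0000] "GET /wp-content/uploads/2015/03/image.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return one dict per request that deserves a look, with the reasons why."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not path.endswith(".php"):
            continue
        reasons = []
        if "/wp-content/uploads/" in path:
            reasons.append("PHP script requested from the uploads directory")
        if (rec["method"] == "POST" and path not in KNOWN_POST_TARGETS
                and not path.startswith("/wp-admin/")):
            reasons.append("POST to non-standard PHP script")
        if "/wp-content/plugins/" in path and rec["status"] == "200":
            reasons.append("direct request to a plugin PHP file succeeded")
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"], "path": path,
                             "status": rec["status"], "reasons": reasons})
    return findings


def suspicious_ips(findings):
    """Distinct client addresses behind the flagged requests, for cross-checking
    against FTP/admin logins and hosting-provider records."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ip"], h["method"], h["path"], h["status"], "->", "; ".join(h["reasons"]))
    print("addresses to review:", suspicious_ips(hits))
```

Repeated direct hits on one PHP file under wp-content/plugins/ or wp-content/uploads/ from a single address, especially POSTs, are exactly the access pattern a web shell like the one above produces, and the file path in those lines tells you where to start the manual search.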

If you're still stuck, feel free to shoot me an email or contact me on Twitter. Otherwise, contact one of X companies which can assist you with clean-up.

Don't forget: after clean-up, reset all your passwords (and don't use the same for everything) and follow the prevention tips above, or you'll simply get infected again.



Conclusion

C99shell is obviously not dead and neither are other PHP backdoors - or any other malware for that matter. Securing your website is not only beneficial for you, but also for your customers and other visitors. This blog post should have provided you with the essentials on securing your website and cleaning it up should it ever be infected.

Repeating: best practice is to take it offline and restore from a back-up.




Resources

For webmasters:
StopBadware - My site has badware
Google - If your site is infected
Redleg - If you're having redirects ("Google says my site is redirecting to a malicious or spam site.")

For researchers:
Online JavaScript Beautifier - http://jsbeautifier.org/
PHP Formatter - http://beta.phpformatter.com/
Kahu Security tools - http://www.kahusecurity.com/tools/
(for this specific blog post, PHP Converter is a must-use and very effective tool)
Base 64 Decoder - http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

The above list is obviously my own personal flavor; feel free to leave a comment with your favorite tool.

12 comments:

  1. need you some help in hacking a site

  2. Don't forget that some intrusions are the result of exploits. If you are running an exploitable CMS, for example, returning to a previous back up won't do much good as you will get hacked again. Be sure to take the service offline if possible (a simple domain redirect should be satisfactory) then update it to a secure version.

    Replies
    1. True, obviously you need to patch your CMS and any plugins as soon as possible after restoring from a previous back-up.

  3. I tried all the links you provided plus clamscan to scan my site and looked at many urls there but I couldn't figure out where that C99Shell is hiding. It is shown in my website just like the screenshot in this blog. My hosting management also searched for it to no avail. I used firebug on my website and found a script with a link to http://r57shell.net/

    Replies
    1. Hi Anonymous,

      Which CMS do you have installed? Usually it hides in/under an outdated plugin. Sometimes it is appended to your index.html file.

      In any case, feel free to send me the link to your website and I will take a look. As in regards to the website you mentioned: thanks, I will check it out.

      Cheers.

  4. Hi, thanks for the article! Do you please happen to have your c99 php code commented? I am studying webshells and the php code is a bit tedious.. any help (the commented code or advice on how to approach the code) would be appreciated. My email is weblearnerphp@gmail.com.
    Thanks

    Replies
    1. Hi weblearnerphp,

      I do not have any commented c99 php code, but I'm sure that if you Google, you will find a ton of stuff :)

      Good luck!

      Cheers

  5. The article is great! But I have a little problem with the unknown PHP shell:
    the paper you wrote said that it's for mobile users to use, and I googled;
    the function "getenv" gets some variables from phpinfo(). I tested it on my website and "getenv" doesn't seem to get anything. How did it get information from the user?
    And sorry, my English is bad. I hope you can answer me :)

    Replies
    1. Hi Anonymous!

      You will need to specify a value - which is defined between brackets ().

      Have a look here for some extra information:
      http://php.net/manual/en/function.getenv.php

      Cheers

    2. With your help I got it, thx :)

    3. My pleasure, happy to be of help :)
