Securing online systems is tough work, and a web design shop is learning this lesson the hard way. I was recently reviewing some traffic from one of our DET3CT appliances and came across a domain that I wanted to know more about. VirusTotal is a great resource for this, so I started there. After plugging in the domain, this is what came back:
For this one file the detections were high. VirusTotal reports the file as PHP, yet the extension is .jpg. VirusTotal identifies a file type from its content rather than its name, so a mismatch like this is a strong hint that something is off. Is it a PHP file or an image? This definitely requires more investigation, so the next step is to dig into the file itself. The simplest check is to look at the first bytes: a real JPEG begins with the bytes FF D8 FF, typically followed by a JFIF or Exif marker, while a PHP script begins with text. For reference, this is what a regular jpg looks like:
And this is what the downloaded file looks like:
That doesn't look like my reference image at all. In fact I'd say that is a PHP file renamed to .jpg. I wasn't sure what that big long string was, so I did a little digging and found a site called UnPHP. UnPHP is a free service for analyzing obfuscated and malicious PHP code. Long strings like this one are usually a base64-encoded (and often deflate-compressed) payload that the short code around it decodes and hands to eval(), which is exactly what such a service unpacks. Bear in mind that anything pasted into a public analysis service may be retained and visible to others, which matters if a sample could contain your own site's credentials. Plugging the entire contents of the fake jpg into unphp.net returned some fantastic results. These are the first few lines of the decoded file:
A quick Google search for Fullmagic Community produces some leads on an Indonesian hacker group. Continuing through the decoded file, there are some interesting strings:
Backdoor is definitely an interesting variable name. It suggests that someone wants to keep a way back into the server that survives the original entry point being closed. Later on in the file is the following:
The variable name $shell_data leads me to believe that this is some type of web shell. A web shell is a script that an attacker places somewhere the web server will execute it; once it is there, ordinary HTTP requests to that script become a way to run commands on the machine. Getting back to the variable, the string is made up only of letters, digits, + and /, which is what base64 looks like. Let's see if that's the case:
It decoded to some pretty readable text. As an aside, .id is the country-code TLD for Indonesia. Perhaps the email address belongs to someone from Fullmagic Community who is attempting to upload a web shell to the vulnerable server. Speaking of the server, I started having a closer look at it and right away noticed some issues. First off, directory listing is enabled, so anyone can browse the folder contents and see exactly what has been uploaded:
And if that isn't bad enough, some of those file names are mighty suspicious, especially xxxxx.pHp.png. A name like that is a classic upload trick: the .png on the end is there to satisfy an extension check, the mixed-case pHp is there to slip past a case-sensitive blocklist, and on an Apache server where PHP is wired up with AddHandler, which matches an extension anywhere in the name rather than only the last one, the file can still be executed as PHP. Let's navigate to some other folders:
It should be apparent that something is very wrong here. That shell.php is especially interesting. I wonder if it's a...
Yep. That's a web shell. With this the attackers can issue commands on the server itself, with whatever privileges the web server process runs under, and that is usually all they need. There are many things the attackers could do at this point. Perhaps malicious files could be uploaded and circulated throughout the ad network. At this point it's hard to say how the attackers compromised the web server, but one thing is for certain: the admin for this server needs to take action ASAP. Deleting shell.php on its own will not be enough. There is clearly more than one dropped file, and whatever let them in is most likely still open, so the server needs to be taken offline, rebuilt from known-good sources, checked for the upload path that let these files in, and every credential it held needs to be rotated.